Regarding the tagging of messages, we can't really add anything due to the way the SEIM parses. If we change the format of the message from the default we lose manageability. I was told there may be compliance issues with that, also.
Regarding impstat, I don't get any stats for either the port=514 action or the port=10000 action. In my test scenario I am receiving about 50-100 EPS so there should be something there. The directory permissions are set to 755. There is no stats.log file at all. ________________________________________ From: [email protected] [[email protected]] on behalf of David Lang [[email protected]] Sent: Thursday, October 08, 2015 3:13 PM To: rsyslog-users Subject: Re: [rsyslog] Complex forwarding and spoofing question On Thu, 8 Oct 2015, Randy Baca wrote: > That is a correct assessment of the flow. There is no impstats output. The > line in the conf is: > module (load="impstats" log.file="/var/spool/rsyslog/stats.log") > > There is no file created whether on 514 or 10000. so the impstats line for that action shows 0 messages processed? that means that nothing ended up calling that ruleset. Rsyslog won't connect until it has the first message to deliver. David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
