As far as I can tell, my config files don't contain any syntax errors:


[root@crash rsyslog.d]# rsyslogd -N2
rsyslogd: version 8.8.0, config validation run (level 2), master
config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
[root@crash rsyslog.d]#


I can get a message about "syntax error" by adding a line which just
contains '}' to the config, so I assume the absence of such an error
means the config files are OK.


Here's all the configuration files, not just the ones I've written


[root@crash rsyslog.d]# grep -v ^# /etc/rsyslog.conf  | grep -v ^$
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$IMJournalStateFile imjournal.state
$IMJournalIgnorePreviousMessages on
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
[root@crash rsyslog.d]#  for i in *;do echo -e
"\n\n\n--------------------------------------------------------------\n${i}\n--------------------\n";cat
${i};done


--------------------------------------------------------------
spice-vdagentd.conf
--------------------

# A template to for higher precision timestamps + severity logging
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds%
%syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

:programname, startswith, "spice-vdagent"
/var/log/spice-vdagent.log;SpiceTmpl



--------------------------------------------------------------
sshd.rb
--------------------

rule=sshd_accepted_password: Accepted password for %ssh_user:word%
from %remote_ip:ipv4% %-:rest%



--------------------------------------------------------------
tologstash.conf
--------------------

module(load="mmnormalize")

global (
    defaultNetstreamDriverCAFile="/etc/pki/tls/certs/ca-bundle.pem"
)

template(name="logstash" type="list"){
    constant(value="{")
    property(name="msg" outname="message" format="jsonfr" droplastlf="on")
    constant(value=",")
    property(name="pri" outname="priority_code" format="jsonfr")
    constant(value=",")
    property(name="pri-text" outname="priority" format="jsonfr")
    constant(value=",")
    property(name="syslogfacility" outname="facility_code" format="jsonfr")
    constant(value=",")
    property(name="syslogfacility-text" outname="facility" format="jsonfr")
    constant(value=",")
    property(name="syslogseverity" outname="severity_code" format="jsonfr")
    constant(value=",")
    property(name="syslogseverity-text" outname="severity" format="jsonfr")
    constant(value=",")
    property(name="timereported" outname="syslog_timestamp"
format="jsonfr" dateformat="rfc3339")
    constant(value=",")
    property(name="hostname" outname="hostname" format="jsonfr")
    constant(value=",")
    property(name="syslogtag" outname="syslog_tag" format="jsonfr")
    constant(value=",")
    property(name="programname" outname="program" format="jsonfr")
    constant(value="}")

}


action(type="mmnormalize" ruleBase="/etc/rsyslog.d/sshd.rb")
# Forward messages to the logstash receiver over TCP with TLS, rendered with
# the "logstash" JSON template and buffered in a disk-assisted queue under
# /var/lib/rsyslog while the receiver is unreachable.
#
# NOTE(review): no filter precedes this action in this file, so every message
# that reaches it is forwarded, authpriv/sshd authentication records included.
#
# NOTE(review): StreamDriverMode="1" makes the connection TLS-only, but
# StreamDriverAuthMode="anon" does not authenticate the peer. As the gtls
# driver documents that mode, the certificate presented by the receiver is
# not validated, so the CA bundle set in global() does not protect this
# connection: the stream is encrypted, but a host on the network path can
# pose as the receiver. To verify the receiver, use
# StreamDriverAuthMode="x509/name" together with
# StreamDriverPermittedPeers="<expected certificate name>".
#
# NOTE(review): queued messages are spooled to queue.spoolDirectory; confirm
# that directory is readable by root only, since it will hold the same
# authentication records.
action(type="omfwd"
       target="logstash.hostname"
       port="10515"
       protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="anon"
       queue.filename="logstashqueue"
       queue.spoolDirectory="/var/lib/rsyslog"
       queue.maxdiskspace="1g"
       queue.type="LinkedList"
       queue.saveonshutdown="on"
       queue.size="5000"
       queue.highwatermark="3500"
       queue.lowwatermark="2000"
       queue.discardmark="5000"
       template="logstash"
       action.resumeinterval="60"
       action.resumeretrycount="-1"
)

[root@crash rsyslog.d]#



spice-vdagentd.conf isn't my creation, it's put there by an rpm.
/etc/rsyslog.conf is what's provided by the Fedora rsyslog rpm. I'm
aware the logstash template doesn't reference  ssh_user or remote_ip
mentioned in sshd.rb, I was intending to add them once I'd got past
this hurdle of adding mmnormalize causing no output. Things work as I
expect with the mmnormalize action commented out.





Output of 'rsyslogd -dn' is a couple of thousand lines, so I've put it at

http://pastebin.com/eXFPcW2q

To exit I pressed Ctrl-C. When it still hadn't exited after a few minutes,
I pressed Ctrl-C a few more times and then got:

^C4505.240557259:main thread    : DoDie called.
^C4515.808704863:main thread    : DoDie called.
^C4516.728759181:main thread    : DoDie called.
^C4517.192784094:main thread    : DoDie called.
Aborted (core dumped)


thanks,

mike