the config you list has only one action, sending to localhost on TCP 5170.
there's nothing in this config that writes to anything else, did you forget to
include something?
the error messages that you show talk about '~', but it doesn't appear anywhere
in the config you provided.
does the user syslog have the rights to create files in the /var/spool/rsyslog
directory?
David Lang
On Thu, 17 Dec 2015, Muhammad Asif wrote:
Date: Thu, 17 Dec 2015 22:53:29 +0500
From: Muhammad Asif <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Every log written in syslog
Dear David,
Please see my rsyslog configs below. Pastebin is not open here so I use
email page.
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog
$template msg,"%msg%"
$template msgonly,"%rawmsg%\n"
main_queue(
queue.filename="main_queue" # write to disk if needed
queue.maxdiskspace="5g" # when to stop writing to disk
queue.highwatermark="1500000" # start spilling to disk at this size
queue.lowwatermark="500000" # stop spilling when it gets back to this size
queue.saveonshutdown="on" # write queue contents to disk on shutdown
queue.dequeueBatchSize="5000"
queue.workerthreads="4"
queue.size="2000000" # absolute max queue size
)
action(type="omfwd" target="127.0.0.1" port="5170" protocol="tcp"
template="msgonly"
queue.filename="forwarding" queue.size="1000000"
queue.maxdiskspace="5g" queue.highwatermark="900000"
queue.lowwatermark= "200000" queue.dequeuebatchsize="1000"
queue.type="LinkedList"
)
if $fromhost-ip == '172.20.16.25' then stop
Please help in these tasks
1- I want to stop logs to be written in syslog file.
2- I am also facing this problem.
Dec 17 22:44:03 rdsaparser rsyslogd: [origin software="rsyslogd" swVersion="8.14.0" x-pid="659" x-info="http://www.rsyslog.com"] start
Dec 17 22:44:04 rdsaparser rsyslogd-2040: fatal error on disk queue 'main Q[DA]', emergency switch to direct mode [v8.14.0 try http://www.rsyslog.com/e/2040 ]
Dec 17 22:44:04 rdsaparser rsyslogd-2040: fatal error on disk queue 'action 4 queue[DA]', emergency switch to direct mode [v8.14.0 try http://www.rsyslog.com/e/2040 ]
Dec 17 22:44:03 rdsaparser rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.14.0 try http://www.rsyslog.com/e/2307 ]
Dec 17 22:44:03 rdsaparser rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.14.0 try http://www.rsyslog.com/e/2307 ]
Dec 17 22:44:03 rdsaparser rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
Dec 17 22:44:03 rdsaparser rsyslogd-2145: activation of module imklog failed [v8.14.0 try http://www.rsyslog.com/e/2145 ]
Dec 17 22:44:03 rdsaparser rsyslogd: rsyslogd's groupid changed to 104
Dec 17 22:44:03 rdsaparser rsyslogd: rsyslogd's userid changed to 101
3- I want to emit logs 1000/sec
4- I want impstat on TCP.
Thanks
On Thu, Dec 17, 2015 at 9:41 PM, David Lang <[email protected]> wrote:
On Thu, 17 Dec 2015, Muhammad Asif wrote:
Hi Guys,
I have an rsyslog server which is receiving logs from different sources and
then sending to fluentd. Problem is that our rsyslog is sending logs to
fluentd and also writing all logs in syslog file which increases to 20GB.
I don't want to write coming logs in syslog. How can I achieve my goal?
short answer, change your config to not write to the file.
long answer, we can't tell you exactly how to change your config without
knowing more about it.
either remove the lines that write to the file if you don't want anything
there, or have a 'if..then' statement in your config that does a stop after
the log is written to fluentd and before it's written to the file to only
not write to the file sometimes.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
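Added example, not part of the thread and not rsyslog project code: a small Python audit for the two checks David raises, namely which config file actually holds a file-writing rule or the deprecated `~`, and whether the privilege-dropped user can create files in the work directory. The drop-in file contents are constructed, uid 101 and gid 104 come from the log lines above, and the function names are hypothetical.

```python
import re

# Legacy rule: "<facility.priority[;...]> <action>"; "&" chains another action.
RULE = re.compile(r'^\s*(?:&|[\w*,]+\.[\w*!=]+(?:;[\w*,]+\.[\w*!=]+)*)\s+(\S+)')
OMFILE = re.compile(r'action\s*\([^)]*type\s*=\s*"omfile"', re.I)

def find_outputs(configs):
    """configs maps file name -> text. Returns (file, line, kind, target) for
    every rule that writes to a local file or uses the deprecated '~' discard."""
    hits = []
    for name in sorted(configs):  # sorted only to make the report stable
        for no, raw in enumerate(configs[name].splitlines(), 1):
            line = raw.split('#', 1)[0]  # drop comments (simple heuristic)
            if OMFILE.search(line):
                hits.append((name, no, 'file', 'omfile'))
                continue
            m = RULE.match(line)
            target = m.group(1) if m else ''
            if target == '~':
                hits.append((name, no, 'deprecated-discard', target))
            elif target.lstrip('-').startswith('/') or target.startswith('?'):
                hits.append((name, no, 'file', target))
    return hits

def can_create_files(mode, owner_uid, owner_gid, uid, gids):
    """POSIX permission check: may (uid, gids) create entries in a directory
    with this mode and ownership? Creating a file needs write + search bits."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = mode >> 6
    elif owner_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 0o3) == 0o3

# Constructed sample: the posted main config reduced to its one action, plus a
# made-up drop-in standing in for the /etc/rsyslog.d/50-default.conf it mentions.
SAMPLE = {
    'rsyslog.conf': 'action(type="omfwd" target="127.0.0.1" port="5170")\n'
                    "if $fromhost-ip == '172.20.16.25' then stop\n",
    'rsyslog.d/50-default.conf': '*.*;auth,authpriv.none  -/var/log/syslog\n'
                                 'local7.*  /var/log/boot.log\n'
                                 '& ~\n',
}
if __name__ == '__main__':
    for hit in find_outputs(SAMPLE):
        print(*hit)
    # Spool directory assumed 0755 root:root, checked for the dropped identity.
    print(can_create_files(0o755, 0, 0, 101, {104}))
```

On a live host, pass the real file contents to `find_outputs` and the `os.stat()` result for the `$WorkDirectory` path to `can_create_files`.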