Formatting got changed a bit after sending email. Resending.
Hi Asif, I had rsyslog v7. OS was Amazon Linux. I'm forwarding to my graylog2
server for analysis.

## My tomcat-rsyslog file
# /etc/rsyslog.d/44-tomcat.conf
$ModLoad imfile
$InputFilePollInterval 10
$WorkDirectory /var/spool/rsyslog

# tomcat log as input file
$InputFileName /var/log/tomcat7/catalina.out
$InputFileTag TomCat7
$InputFileStateFile stat-TomCat7
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# configure template name
template(name="tomcat-template" type="string"
         string="%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%\n")

# forward logs, then discard them locally
if $programname == 'TomCat7' then action(type="omfwd" protocol="tcp"
    target="10.10.11.50" port="30514" template="tomcat-template")
if $programname == 'TomCat7' then ~

# My tomcat catalina.out file was rotated daily with logrotate. There was a
# config file for it in /etc/logrotate.d/tomcat. I included my postrotate action
# from sharedscripts to endscript.
# /etc/logrotate.d/tomcat
/var/log/tomcat7/catalina.out {
    rotate 7
    daily
    maxage 30
    missingok
    notifempty
    copytruncate
    compress
    create 0644 tomcat tomcat
    sharedscripts
    postrotate
        # drop the stale imfile state file so rsyslog starts again from the top
        service rsyslog stop
        rm -rf /var/spool/rsyslog/stat-TomCat7
        service rsyslog start
    endscript
}

Hope this helps.
Thanks,
Ashish
-----Original Message-----
From: Ashish Barmase
Sent: Monday, April 25, 2016 12:30 PM
To: rsyslog-users <[email protected]>
Subject: RE: [rsyslog] rsyslog issue with new modsec_audit.log
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Muhammad Asif
Sent: Monday, April 25, 2016 3:32 AM
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] rsyslog issue with new modsec_audit.log
Hi Geeks,
In my case no state file is being created. Even when I set it, it throws the
following error. I am using rsyslog-8.18.
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
69: parameter 'statefile' deprecated but accepted, consider removing or
replacing it
On Mon, Apr 25, 2016 at 12:00 PM, Muhammad Asif <[email protected]>
wrote:
> Dear Ashish, Thanks for the reply. How did you do this exactly? Any cron
> job or something else?
>
> Regards
> M.Asif
>
> On Fri, Apr 22, 2016 at 10:08 PM, Ashish Barmase <
> [email protected]> wrote:
>
>> Hi Asif, not sure yours and my problem is the same, but it looks like I
>> had a similar issue. I used to monitor the catalina.out file of tomcat, but
>> after log rotation ran each day, the logs stopped forwarding.
>>
>> What I did was use a postrotate action to delete the rsyslog stat file
>> and restart rsyslog, which did the trick.
>>
>> Thanks,
>> Ashish
>>
>> -----Original Message-----
>> From: [email protected] [mailto:
>> [email protected]] On Behalf Of Muhammad Asif
>> Sent: Friday, April 22, 2016 3:28 AM
>> To: rsyslog-users <[email protected]>
>> Subject: [rsyslog] rsyslog issue with new modsec_audit.log
>>
>> Hi geeks,
>>
>> We are facing a problem with modsec_audit.log. Let me discuss a scenario.
>> At the start of a day modsecurity creates a file with the name modsec_audit.log.
>> Throughout the day it contains 1000 logs, which are sent by rsyslog to
>> the remote server.
>> The next day modsecurity renames the previous file as
>> modsec_audit.log.1 and creates a new file modsec_audit.log. Now the
>> problem starts. Since the filename is the same, the rsyslog pointer stands at
>> line 1001. But the first 1000 logs of the next day are not processed.
>>
>> How can we handle this issue?
>>
>> Regards
>> M.Asif
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL:
>> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
>
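
The failure discussed in this thread, a saved read position that outlives the file it was recorded for, can be reproduced with a small model of a file follower. This is an added example, not code from the thread and not rsyslog's imfile implementation; the JSON state format, the file names and the function names are assumptions made for illustration.

```python
import json
import os
import tempfile

def read_new_lines(log_path, state_path, detect_rotation=True):
    """Return complete lines added since the last call; position is kept in state_path."""
    state = {"inode": None, "offset": 0}
    if os.path.exists(state_path):
        with open(state_path) as fh:
            state = json.load(fh)
    st = os.stat(log_path)
    # A new inode (rename + create) or a file shorter than the saved offset
    # (truncate in place) means the saved position belongs to yesterday's data.
    if detect_rotation and (st.st_ino != state["inode"] or st.st_size < state["offset"]):
        state["offset"] = 0
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        data = fh.read()
    end = data.rfind(b"\n") + 1          # consume only complete lines
    with open(state_path, "w") as fh:
        json.dump({"inode": st.st_ino, "offset": state["offset"] + end}, fh)
    return data[:end].decode("utf-8", "replace").splitlines()

def write_lines(path, day, count):
    with open(path, "w") as fh:          # "w" truncates an existing file in place
        fh.writelines(f"{day} event {i}\n" for i in range(count))

def simulate(detect_rotation, mode, day2_count):
    """Day 1 writes 1000 lines, the log is rotated, day 2 writes day2_count lines.
    Returns (lines forwarded on day 1, lines forwarded on day 2)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "modsec_audit.log")           # constructed sample log
        state_file = os.path.join(tmp, "follower-state.json") # hypothetical state file
        write_lines(log, "day1", 1000)
        day1 = read_new_lines(log, state_file, detect_rotation)
        if mode == "rename":             # old file becomes .1, new file gets a new inode
            os.rename(log, log + ".1")
        write_lines(log, "day2", day2_count)  # "copytruncate": same inode, emptied first
        day2 = read_new_lines(log, state_file, detect_rotation)
        return len(day1), len(day2)

if __name__ == "__main__":
    for args in [(False, "rename", 1200), (True, "rename", 1200),
                 (False, "copytruncate", 10), (True, "copytruncate", 10)]:
        print(args, "->", simulate(*args))
```

In this model the size comparison only catches an in-place truncation while the file is still shorter than the saved offset; once the new day's data grows past that offset, only an inode change (or clearing the saved state during rotation) reveals it. Comparing forwarded counts against the source line count after each rotation is a direct way to notice the resulting gap in audit-log coverage.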