Yes, you need to be using at least 7.x (current is 8.18)

David Lang
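
An added example, not part of David's reply or of the thread's own config: the remote/local split he describes, written in the RainerScript object syntax that rsyslog 7.x and later parse. The ruleset name "inbound", the port 514 listeners, the /var/remote/log/... layout and the /var/log/* destinations are taken from the thread; the module(), template(), input() and action() forms are stock 7.x syntax.

```rsyslog
# Added example (not from the thread): rsyslog 7.x+ syntax for the ruleset split.
module(load="imuxsock")   # local messages via /dev/log
module(load="imklog")     # kernel messages
module(load="imudp")
module(load="imtcp")

# One dynamic-file template per remote log. The path is rendered per message,
# and %HOSTNAME% is whatever the sending host put in the syslog header.
template(name="remote-messages" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log")
template(name="remote-kernel" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log")
template(name="remote-emerg" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log")
template(name="remote-secure" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log")
template(name="remote-maillog" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log")
template(name="remote-cron" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log")
template(name="remote-spooler" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log")
template(name="remote-bootlog" type="string"
         string="/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log")

# Both network listeners are bound to their own ruleset, so nothing they
# receive is ever evaluated against the /var/log/* rules further down.
input(type="imudp" port="514" ruleset="inbound")
input(type="imtcp" port="514" ruleset="inbound")

# Second processing stack: remote traffic only, with its own queue.
ruleset(name="inbound" queue.type="FixedArray") {
    user.*;daemon.*;syslog.*  action(type="omfile" dynaFile="remote-messages")
    kern.*                    action(type="omfile" dynaFile="remote-kernel")
    *.emerg                   action(type="omfile" dynaFile="remote-emerg")
    authpriv.*                action(type="omfile" dynaFile="remote-secure")
    mail.*                    action(type="omfile" dynaFile="remote-maillog")
    cron.*                    action(type="omfile" dynaFile="remote-cron")
    uucp,news.crit            action(type="omfile" dynaFile="remote-spooler")
    local7.*                  action(type="omfile" dynaFile="remote-bootlog")
}

# Default ruleset (main queue): only imuxsock and imklog messages arrive here,
# so the local files stay local.
user.*;daemon.*;syslog.*  /var/log/messages
kern.*                    /var/log/kernel
*.emerg                   /var/log/emerg
authpriv.*                /var/log/secure
mail.*                    -/var/log/maillog
cron.*                    /var/log/cron
uucp,news.crit            /var/log/spool
local7.*                  /var/log/bootlog
```

Validate with `rsyslogd -N1` before restarting, the same check the thread runs at level 2. One caveat for anyone keying directories on `%HOSTNAME%`: for a remote message that value is supplied by the sender, not derived from the connection, so the per-host directory reflects what the peer claims to be; the `%FROMHOST-IP%` property carries the address the message actually arrived from and can be used in the template instead of, or alongside, the hostname.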

On Wed, 4 May 2016, Singh, Radesh wrote:

Date: Wed, 4 May 2016 19:32:18 +0000
From: "Singh, Radesh" <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Remote messages getting into local logs

Rsyslog doesn't like my syntax:

[root at PTC_UAT_LOGHOST rsyslog.d]$ rsyslogd -N2
rsyslogd: version 5.8.10, config validation run (level 2), master config 
/etc/rsyslog.conf
rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically 
generated config directives may interfer with your rsyslog.conf settings. We 
suggest upgrading your config and adding -c5 as the first rsyslogd option.
rsyslogd: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 10:"input(type="imtcp" port="514" 
ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: unknown priority name "type="FixedArray"){" [try 
http://www.rsyslog.com/e/3000 ]
rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 
12:"ruleset(name="inbound" queue.type="FixedArray"){"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 21:"}"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: the last error occured in /etc/rsyslog.conf, line 35:"$IncludeConfig 
/etc/rsyslog.d/*.conf"
rsyslogd: CONFIG ERROR: could not interpret master config file 
'/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
rsyslogd: Warning: backward compatibility layer added to following directive to 
rsyslog.conf: ModLoad immark
rsyslogd: Warning: backward compatibility layer added to following directive to 
rsyslog.conf: MarkMessagePeriod 1200
rsyslogd: Warning: backward compatibility layer added to following directive to 
rsyslog.conf: ModLoad imuxsock

$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"

input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")

ruleset(name="inbound" queue.type="FixedArray"){
 user.*;daemon.*;syslog.* ?remote-messages
 kern.* ?remote-kernel
 *.emerg ?remote-emerg
 authpriv.* ?remote-secure
 mail.* -?remote-maillog
 cron.* ?remote-cron
 uucp,news.crit ?remote-spooler
 local7.* ?remote-bootlog
}

I'm betting this is b/c I'm using 5.8.10.

Going to try some syntax I see here:

http://www.rsyslog.com/doc/v5-stable/concepts/multi_ruleset.html

R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745

RC Offering: SC07507098


H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35

"Give instruction to a wise man, and he will be yet wiser : teach a just man, and he 
will increase in learning." - Proverbs 9:9
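
An added example, not from the thread or from the v5-stable doc linked above: the same remote/local split expressed in the legacy directive syntax that 5.8.10 can parse, which is the form that doc describes. The ruleset name "inbound", the templates and the /var/log/* destinations are taken from the thread; the `$RuleSet`, `$InputTCPServerBindRuleset` and `$InputUDPServerBindRuleset` directives are the v5 multi-ruleset mechanism, and `$RulesetCreateMainQueue` is assumed to be available (it is a 5.3.5-and-later directive).

```rsyslog
# Added example (not from the thread): rsyslog 5.x legacy-directive ruleset split.
# Run the daemon with -c5, as the validation output above recommends.
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$ModLoad imtcp

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Templates are global; the ruleset they are used from does not matter.
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"

# Legacy config is sequential: every selector line belongs to whichever ruleset
# is current. Up to the first $RuleSet line that is the default ruleset
# (RSYSLOG_DefaultRuleset), which is where imuxsock and imklog deliver.
user.*;daemon.*;syslog.*  /var/log/messages
kern.*                    /var/log/kernel
*.emerg                   /var/log/emerg
authpriv.*                /var/log/secure
mail.*                    -/var/log/maillog
cron.*                    /var/log/cron
uucp,news.crit            /var/log/spool
local7.*                  /var/log/bootlog

# Switch to the "inbound" ruleset. The selector lines that follow are the only
# rules a remote message is ever evaluated against.
$RuleSet inbound
$RulesetCreateMainQueue on   # own queue for this ruleset (5.3.5 and later)
user.*;daemon.*;syslog.*  ?remote-messages
kern.*                    ?remote-kernel
*.emerg                   ?remote-emerg
authpriv.*                ?remote-secure
mail.*                    -?remote-maillog
cron.*                    ?remote-cron
uucp,news.crit            ?remote-spooler
local7.*                  ?remote-bootlog

# Bind each listener to "inbound" BEFORE its Run directive; the bind applies to
# the listener started next.
$InputTCPServerBindRuleset inbound
$InputTCPServerRun 514
$InputUDPServerBindRuleset inbound
$UDPServerRun 514
```

Because legacy parsing is order-dependent, the position of `$IncludeConfig /etc/rsyslog.d/*.conf` relative to the `$RuleSet` line decides which ruleset the included selector lines join; keeping the whole split in one file, as above, avoids that trap. `rsyslogd -N2` should report no "unknown priority name" errors once the RainerScript `input()`/`ruleset()` lines are gone.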


-----Original Message-----
From: Singh, Radesh
Sent: Wednesday, May 04, 2016 3:15 PM
To: 'rsyslog-users'
Subject: RE: [rsyslog] Remote messages getting into local logs

David,

So, this is the config I've got in mind:

# rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
user.*;daemon.*;syslog.* /var/log/messages
kern.*                   /var/log/kernel
*.emerg                  /var/log/emerg
authpriv.*               /var/log/secure
mail.*                   /var/log/maillog
cron.*                   /var/log/cron
uucp,news.crit           /var/log/spool
local7.*                 /var/log/bootlog

# rsyslog.d/remote.conf
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"

input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")

ruleset(name="inbound" queue.type="FixedArray"){
 user.*;daemon.*;syslog.* ?remote-messages
 kern.* ?remote-kernel
 *.emerg ?remote-emerg
 authpriv.* ?remote-secure
 mail.* -?remote-maillog
 cron.* ?remote-cron
 uucp,news.crit ?remote-spooler
 local7.* ?remote-bootlog
}

Am I still overthinking it?

R. Singh


-----Original Message-----
From: Singh, Radesh
Sent: Wednesday, May 04, 2016 2:40 PM
To: [email protected]
Subject: RE: [rsyslog] Remote messages getting into local logs

David,

Thank you for clarifying all of that.

Based on what we are trying to do, I think we'd want to go the route of using a 
ruleset.

So, using something like:
input(type="imtcp" port="514" ruleset="inbound" )  input(type="imudp" port="514" 
ruleset="inbound")

ruleset(name="inbound" queue.type="FixedArray"){
  actions
}

I'm translating that to:

$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"

input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")

ruleset(name="inbound" queue.type="FixedArray"){
 user.*;daemon.*;syslog.* ?remote-messages
 kern.* ?remote-kernel
 *.emerg ?remote-emerg
 authpriv.* ?remote-secure
 mail.* -?remote-maillog
 cron.* ?remote-cron
 uucp,news.crit ?remote-spooler
 local7.* ?remote-bootlog
}

That should result in me capturing all messages that come in over TCP or UDP, and separating them out.

What tells rsyslog to log local (those not coming in via TCP or UDP) messages 
to /var/log/...?

Thanks,

R. Singh


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday, May 04, 2016 1:06 PM
To: [email protected]
Subject: Re: [rsyslog] Remote messages getting into local logs

I'll bet that if you do rsyslogd -N2 it will report a lot of errors in the config

you are missing filter types (and in any case, working harder than you need to)

there are three classes of filters

traditional pri filters

user.* action

old rsyslog filters

:var, test, value action

rainerscript filters

if test then action

you are trying to use the old rsyslog filters in rainerscript syntax, that doesn't work

if $hostname == $$myhostname then {
 actions
} else {
 actions
}

would be what you are trying to do.

But if you really want to separate the traffic that arrives from remote systems completely from the traffic that is produced locally, the best way to do that is with a ruleset

input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")

ruleset(name="inbound" queue.type="FixedArray"){
  actions
}

will effectively split rsyslog into two complete stacks, one that processes locally generated messages with all the rules not defined in the inbound ruleset (and using the main queue), and a second that processes all messages that arrive via tcp or udp using the rules in the inbound ruleset (and using a separate queue)

David Lang

On Wed, 4 May 2016 16:38:34 +0000, Singh, Radesh wrote:
Hello,

Perhaps I'm overthinking this, but as I've confused myself pretty
good, I'm reaching out to you guys.

We noticed that our remote clients' messages are flooding several of
our local log files (messages,kernel,bootlog) on our central rsyslog
server.

We've been trying to craft some rules to tell the rsyslog server that if the
hostname is not your hostname, use a specific block to separate the
messages into their appropriate files, else, do the same type of
separation, but store the messages locally...

I tried...

$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"

$template local-messages,"/var/log/messages"
$template local-kernel,"/var/log/kernel"
$template local-emerg,"/var/log/emerg"
$template local-secure,"/var/log/secure"
$template local-maillog,"/var/log/maillog"
$template local-cron,"/var/log/cron"
$template local-spooler,"/var/log/spooler"
$template local-bootlog,"/var/log/bootlog"

if :hostname,!isequal,$myhostname then {
  user.*;daemon.*;syslog.* ?remote-messages
  kern.* ?remote-kernel
  *.emerg ?remote-emerg
  authpriv.* ?remote-secure
  mail.* -?remote-maillog
  cron.* ?remote-cron
  uucp,news.crit ?remote-spooler
  local7.* ?remote-bootlog
}
else if :hostname,isequal,$myhostname then {
  user.*;daemon.*;syslog.* ?local-messages
  kern.* ?local-kernel
  *.emerg ?local-emerg
  authpriv.* ?local-secure
  mail.* -?local-maillog
  cron.* ?local-cron
  uucp,news.crit ?local-spooler
  local7.* ?local-bootlog
}

But messages from remote hosts get written to /var/log/messages, even
though I thought I was telling rsyslog to filter on hostname, and if
the hostname is not my hostname use one of my ?remote definitions.
I tried using & ~ after my first line, but I find that if I do that
... nothing gets written to the local messages file.
I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10.

Thank you,

R. Singh




This email transmission and any accompanying attachments may contain
CSX privileged and confidential information intended only for the use
of the intended addressee. Any dissemination, distribution, copying or
action taken in reliance on the contents of this email by anyone other
than the intended recipient is strictly prohibited. If you have
received this email in error please immediately delete it and notify
sender at the above CSX email address. Sender and CSX accept no
liability for any damage caused directly or indirectly by receipt of
this email.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.





