I'm trying this config:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf

$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"

user.*;daemon.*;syslog.* /var/log/messages
kern.* /var/log/kernel
*.emerg /var/log/emerg
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
uucp,news.crit /var/log/spool
local7.* /var/log/bootlog

$RuleSet tcpremote
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
& ~

$RuleSet udpremote
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
& ~

$InputTCPServerBindRuleset tcpremote
$InputUDPServerBindRuleset udpremote
It validates, but remotes are still getting into local messages file. Also, messages from remotes are no longer getting written to their respective file. What am I missing?

R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745

RC Offering: SC07507098

H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35

"Give instruction to a wise man, and he will be yet wiser : teach a just man, and he will increase in learning." - Proverbs 9:9

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Wednesday, May 04, 2016 3:49 PM
To: rsyslog-users
Subject: Re: [rsyslog] Remote messages getting into local logs

It looks like you found the link to the doc for v5. The feature should basically be there. I only remember that it is very important to follow the instructions very closely, as this was almost impossible to do right in v5. Especially the order of statements is very important and very unintuitive. This was actually one reason why we finally changed the config language.

Rainer

Sent from phone, thus brief.

On 04.05.2016 21:42, "Singh, Radesh" <[email protected]> wrote:

> Bummer... so can I do what we want to do without upgrading?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> Sent: Wednesday, May 04, 2016 3:37 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Remote messages getting into local logs
>
> Yes, you need to be using at least 7.x (current is 8.18)
>
> David Lang
>
> On Wed, 4 May 2016, Singh, Radesh wrote:
>
> > Date: Wed, 4 May 2016 19:32:18 +0000
> > From: "Singh, Radesh" <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Subject: Re: [rsyslog] Remote messages getting into local logs
> >
> > Rsyslog doesn't like my syntax:
> >
> > [root at PTC_UAT_LOGHOST rsyslog.d]$ rsyslogd -N2
> > rsyslogd: version 5.8.10, config validation run (level 2), master config /etc/rsyslog.conf
> > rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
> > rsyslogd: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
> > rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 10:"input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")"
> > rsyslogd: warning: selector line without actions will be discarded
> > rsyslogd: unknown priority name "type="FixedArray"){" [try http://www.rsyslog.com/e/3000 ]
> > rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 12:"ruleset(name="inbound" queue.type="FixedArray"){"
> > rsyslogd: warning: selector line without actions will be discarded
> > rsyslogd: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
> > rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 21:"}"
> > rsyslogd: warning: selector line without actions will be discarded
> > rsyslogd: the last error occured in /etc/rsyslog.conf, line 35:"$IncludeConfig /etc/rsyslog.d/*.conf"
> > rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
> > rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
> > rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
> > rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
> >
> > $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > $template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
> > $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> >
> > input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")
> >
> > ruleset(name="inbound" queue.type="FixedArray"){
> > user.*;daemon.*;syslog.* ?remote-messages
> > kern.* ?remote-kernel
> > *.emerg ?remote-emerg
> > authpriv.* ?remote-secure
> > mail.* -?remote-maillog
> > cron.* ?remote-cron
> > uucp,news.crit ?remote-spooler
> > local7.* ?remote-bootlog
> > }
> >
> > I'm betting this is b/c I'm using 5.8.10.
> >
> > Going to try some syntax I see here:
> >
> > http://www.rsyslog.com/doc/v5-stable/concepts/multi_ruleset.html
> >
> > -----Original Message-----
> > From: Singh, Radesh
> > Sent: Wednesday, May 04, 2016 3:15 PM
> > To: 'rsyslog-users'
> > Subject: RE: [rsyslog] Remote messages getting into local logs
> >
> > David,
> >
> > So, this is the config I've got in mind:
> >
> > # rsyslog.conf
> > $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> > $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> > $ModLoad imudp
> > $UDPServerRun 514
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > user.*;daemon.*;syslog.* /var/log/messages
> > kern.* /var/log/kernel
> > *.emerg /var/log/emerg
> > authpriv.* /var/log/secure
> > mail.* /var/log/maillog
> > cron.* /var/log/cron
> > uucp,news.crit /var/log/spool
> > local7.* /var/log/bootlog
> >
> > # rsyslog.d/remote.conf
> > $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > $template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
> > $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> >
> > input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")
> >
> > ruleset(name="inbound" queue.type="FixedArray"){
> > user.*;daemon.*;syslog.* ?remote-messages
> > kern.* ?remote-kernel
> > *.emerg ?remote-emerg
> > authpriv.* ?remote-secure
> > mail.* -?remote-maillog
> > cron.* ?remote-cron
> > uucp,news.crit ?remote-spooler
> > local7.* ?remote-bootlog
> > }
> >
> > Am I still over thinking it?
> >
> > -----Original Message-----
> > From: Singh, Radesh
> > Sent: Wednesday, May 04, 2016 2:40 PM
> > To: [email protected]
> > Subject: RE: [rsyslog] Remote messages getting into local logs
> >
> > David,
> >
> > Thank you for clarifying all of that.
> >
> > Based on what we are trying to do, I think we'd want to go the route of using a ruleset.
> >
> > So, using something like:
> > input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp" port="514" ruleset="inbound")
> >
> > ruleset(name="inbound" queue.type="FixedArray"){
> > actions
> > }
> >
> > I'm translating that to:
> >
> > $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> >
> > input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")
> >
> > ruleset(name="inbound" queue.type="FixedArray"){
> > user.*;daemon.*;syslog.* ?remote-messages
> > kern.* ?remote-kernel
> > *.emerg ?remote-emerg
> > authpriv.* ?remote-secure
> > mail.* -?remote-maillog
> > cron.* ?remote-cron
> > uucp,news.crit ?remote-spooler
> > local7.* ?remote-bootlog
> > }
> >
> > That should result in me capturing all messages that come in over TCP or UDP, and separate them out.
> >
> > What tells rsyslog to log local (those not coming in via TCP or UDP) messages to /var/log/...?
> >
> > Thanks,
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > Sent: Wednesday, May 04, 2016 1:06 PM
> > To: [email protected]
> > Subject: Re: [rsyslog] Remote messages getting into local logs
> >
> > I'll bet that if you do rsyslogd -N2 it will report a lot of errors in the config
> >
> > you are missing filter types (and in any case, working harder than you need to)
> >
> > there are three classes of filters
> >
> > traditional pri filters
> >
> > user.* action
> >
> > old rsyslog filters
> >
> > :var, test, value action
> >
> > rainerscript filters
> >
> > if test then action
> >
> > you are trying to use the old rsyslog filters in rainerscript syntax, that doesn't work
> >
> > if $hostname == $$myhostname then {
> > actions
> > } else {
> > actions
> > }
> >
> > would be what you are trying to do.
> >
> > But if you really want to separate the traffic that arrives from remote systems completely from the traffic that is produced locally, the best way to do that is with a ruleset
> >
> > input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp" port="514" ruleset="inbound")
> >
> > ruleset(name="inbound" queue.type="FixedArray"){
> > actions
> > }
> >
> > will effectively split rsyslog into two complete stacks, one that processes locally generated messages with all the rules not defined in the inbound ruleset (and using the main queue), and a second that processes all messages that arrive via tcp or udp using the rules in the inbound ruleset (and using a separate queue)
> >
> > David Lang
> >
> > On Wed, 4 May 2016 16:38:34 +0000, Singh, Radesh wrote:
> >> Hello,
> >>
> >> Perhaps I'm overthinking this, but as I've confused myself pretty good, I'm reaching out to you guys.
> >>
> >> We noticed that our remote clients' messages are flooding several of our local log files (messages,kernel,bootlog) on our central rsyslog server.
> >>
> >> We've been trying to craft some rules to tell the rsyslog server that the hostname is not your hostname, use a specific block to separate the messages into their appropriate files, else, do the same type of separation, but store the messages locally...
> >>
> >> I tried...
> >>
> >> $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> >> $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> >> $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> >> $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> >> $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> >> $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> >> $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> >>
> >> $template local-messages,"/var/log/messages"
> >> $template local-kernel,"/var/log/kernel"
> >> $template local-emerg,"/var/log/emerg"
> >> $template local-secure,"/var/log/secure"
> >> $template local-maillog,"/var/log/maillog"
> >> $template local-cron,"/var/log/cron"
> >> $template local-spooler,"/var/log/spooler"
> >> $template local-bootlog,"/var/log/bootlog"
> >>
> >> if :hostname,!isequal,$myhostname then {
> >> user.*;daemon.*;syslog.* ?remote-messages
> >> kern.* ?remote-kernel
> >> *.emerg ?remote-emerg
> >> authpriv.* ?remote-secure
> >> mail.* -?remote-maillog
> >> cron.* ?remote-cron
> >> uucp,news.crit ?remote-spooler
> >> local7.* ?remote-bootlog
> >> }
> >> else if :hostname,isequal,$myhostname then {
> >> user.*;daemon.*;syslog.* ?local-messages
> >> kern.* ?local-kernel
> >> *.emerg ?local-emerg
> >> authpriv.* ?local-secure
> >> mail.* -?local-maillog
> >> cron.* ?local-cron
> >> uucp,news.crit ?local-spooler
> >> local7.* ?local-bootlog
> >> }
> >>
> >> But messages from remote hosts get written to /var/log/messages, even though I thought I was telling rsyslog to filter on hostname, and if the hostname is not my hostname use one of my ?remote definitions.
> >> I tried using & ~ after my first line, but I find that if I do that ... nothing gets written to the local messages file.
> >> I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10.
> >>
> >> Thank you,
> >>
> >> This email transmission and any accompanying attachments may contain CSX privileged and confidential information intended only for the use of the intended addressee. Any dissemination, distribution, copying or action taken in reliance on the contents of this email by anyone other than the intended recipient is strictly prohibited. If you have received this email in error please immediately delete it and notify sender at the above CSX email address. Sender and CSX accept no liability for any damage caused directly or indirectly by receipt of this email.
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
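Rainer's remark that statement order matters in v5 can be checked mechanically. The following is an added example, not code from the thread or from the rsyslog project: it models the legacy directives under the assumption (taken from the v5 multi-ruleset documentation) that a listener gets whatever ruleset binding is in force when its "Run" directive is read. Both sample configs are constructed, condensed from the one posted at the top, and the ruleset name `remote` is hypothetical.

```python
# Added example: simplified model of listener-to-ruleset binding in rsyslog v5
# legacy config. Assumption: a "BindRuleset" directive only affects listeners
# whose "Run" directive comes after it; everything else lands in the default
# ruleset together with the local rules.

DEFAULT = "RSYSLOG_DefaultRuleset"
RUN = {"$inputtcpserverrun": "tcp", "$udpserverrun": "udp"}
BIND = {"$inputtcpserverbindruleset": "tcp", "$inputudpserverbindruleset": "udp"}

# Constructed sample: same statement order as the config posted in the thread.
POSTED = """\
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
user.*;daemon.*;syslog.* /var/log/messages
$RuleSet tcpremote
user.*;daemon.*;syslog.* ?remote-messages
& ~
$RuleSet udpremote
user.*;daemon.*;syslog.* ?remote-messages
& ~
$InputTCPServerBindRuleset tcpremote
$InputUDPServerBindRuleset udpremote
"""

# Constructed sample: ruleset defined first, bound, then the listener started.
REORDERED = """\
$ModLoad imudp
$ModLoad imtcp
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
user.*;daemon.*;syslog.* /var/log/messages
$RuleSet remote
user.*;daemon.*;syslog.* ?remote-messages
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$RuleSet RSYSLOG_DefaultRuleset
"""


def analyze(config_text):
    """Return (listeners, findings) for a legacy-format rsyslog config."""
    current = DEFAULT                            # ruleset receiving new rules
    binding = {"tcp": DEFAULT, "udp": DEFAULT}   # what the next listener gets
    unused = {}                                  # proto -> (lineno, ruleset)
    rules = {DEFAULT: []}
    listeners = []                               # (proto, port, ruleset)

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "$ruleset":                    # switch the active ruleset
            current = arg
            rules.setdefault(current, [])
        elif key in BIND:
            binding[BIND[key]] = arg
            unused[BIND[key]] = (lineno, arg)
        elif key in RUN:
            proto = RUN[key]
            listeners.append((proto, arg, binding[proto]))
            unused.pop(proto, None)              # this binding was consumed
        elif not key.startswith("$"):
            rules[current].append(line)          # selector/action line

    findings = []
    for proto, port, ruleset in listeners:
        if ruleset == DEFAULT:                   # remote input hits local rules
            findings.append(("remote-in-default", f"{proto}/{port}"))
    for proto, (lineno, name) in sorted(unused.items()):
        findings.append(("bind-after-run", f"{proto} -> {name} (line {lineno})"))
    bound = {ruleset for _, _, ruleset in listeners}
    for name, lines in rules.items():
        if name != DEFAULT and lines and name not in bound:
            findings.append(("ruleset-never-fed", name))
    return listeners, findings


if __name__ == "__main__":
    for label, text in (("posted order", POSTED), ("reordered", REORDERED)):
        listeners, findings = analyze(text)
        print(label, listeners)
        for code, detail in findings:
            print("   ", code, detail)
```

For the posted order the model reports both listeners in the default ruleset and both remote rulesets never fed, which matches the two symptoms described: remote messages in the local files and nothing in the per-host files.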

