Sorry, I don't remember that old version. It's too long dead...

Sent from phone, thus brief.

On 04.05.2016 21:55, "Singh, Radesh" <[email protected]> wrote:
> I'm trying this config:
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> $ModLoad imudp
> $UDPServerRun 514
> $ModLoad imtcp
> $InputTCPServerRun 514
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $IncludeConfig /etc/rsyslog.d/*.conf
> $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> $template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
> $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> user.*;daemon.*;syslog.* /var/log/messages
> kern.* /var/log/kernel
> *.emerg /var/log/emerg
> authpriv.* /var/log/secure
> mail.* /var/log/maillog
> cron.* /var/log/cron
> uucp,news.crit /var/log/spool
> local7.* /var/log/bootlog
> $RuleSet tcpremote
> user.*;daemon.*;syslog.* ?remote-messages
> kern.* ?remote-kernel
> *.emerg ?remote-emerg
> authpriv.* ?remote-secure
> mail.* -?remote-maillog
> cron.* ?remote-cron
> uucp,news.crit ?remote-spooler
> local7.* ?remote-bootlog
> & ~
> $RuleSet udpremote
> user.*;daemon.*;syslog.* ?remote-messages
> kern.* ?remote-kernel
> *.emerg ?remote-emerg
> authpriv.* ?remote-secure
> mail.* -?remote-maillog
> cron.* ?remote-cron
> uucp,news.crit ?remote-spooler
> local7.* ?remote-bootlog
> & ~
> $InputTCPServerBindRuleset tcpremote
> $InputUDPServerBindRuleset udpremote
>
> It validates, but remotes are still getting into local messages file.
> Also, messages from remotes are no longer getting written to their respective file.
> What am I missing?
>
> R. Singh
> Sr. Systems Administrator
> Middleware/PTC Support
> 904-633-5745
>
> RC Offering: SC07507098
>
> H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
>
> "Give instruction to a wise man, and he will be yet wiser : teach a just man, and he will increase in learning." - Proverbs 9:9
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> Sent: Wednesday, May 04, 2016 3:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Remote messages getting into local logs
>
> It looks like you found the link to the doc for v5. The feature should basically be there. I only remember that it is very important to follow the instructions very closely, as this was almost impossible to do right in v5. Especially the order of statements is very important and very unintuitive. This was actually one reason why we finally changed the config language.
>
> Rainer
>
> Sent from phone, thus brief.
> On 04.05.2016 21:42, "Singh, Radesh" <[email protected]> wrote:
>
> > Bummer... so can I do what we want to do without upgrading?
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > Sent: Wednesday, May 04, 2016 3:37 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Remote messages getting into local logs
> >
> > Yes, you need to be using at least 7.x (current is 8.18)
> >
> > David Lang
> >
> > On Wed, 4 May 2016, Singh, Radesh wrote:
> >
> > > Date: Wed, 4 May 2016 19:32:18 +0000
> > > From: "Singh, Radesh" <[email protected]>
> > > Reply-To: rsyslog-users <[email protected]>
> > > To: rsyslog-users <[email protected]>
> > > Subject: Re: [rsyslog] Remote messages getting into local logs
> > >
> > > Rsyslog doesn't like my syntax:
> > >
> > > [root at PTC_UAT_LOGHOST rsyslog.d]$ rsyslogd -N2
> > > rsyslogd: version 5.8.10, config validation run (level 2), master config /etc/rsyslog.conf
> > > rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
> > > rsyslogd: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
> > > rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 10:"input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")"
> > > rsyslogd: warning: selector line without actions will be discarded
> > > rsyslogd: unknown priority name "type="FixedArray"){" [try http://www.rsyslog.com/e/3000 ]
> > > rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 12:"ruleset(name="inbound" queue.type="FixedArray"){"
> > > rsyslogd: warning: selector line without actions will be discarded
> > > rsyslogd: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
> > > rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 21:"}"
> > > rsyslogd: warning: selector line without actions will be discarded
> > > rsyslogd: the last error occured in /etc/rsyslog.conf, line 35:"$IncludeConfig /etc/rsyslog.d/*.conf"
> > > rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
> > > rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
> > > rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
> > > rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
> > >
> > > $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > > $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > > $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > > $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > > $template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
> > > $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > > $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > > $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> > >
> > > input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")
> > >
> > > ruleset(name="inbound" queue.type="FixedArray"){
> > > user.*;daemon.*;syslog.* ?remote-messages
> > > kern.* ?remote-kernel
> > > *.emerg ?remote-emerg
> > > authpriv.* ?remote-secure
> > > mail.* -?remote-maillog
> > > cron.* ?remote-cron
> > > uucp,news.crit ?remote-spooler
> > > local7.* ?remote-bootlog
> > > }
> > >
> > > I'm betting this is b/c I'm using 5.8.10.
> > >
> > > Going to try some syntax I see here:
> > >
> > > http://www.rsyslog.com/doc/v5-stable/concepts/multi_ruleset.html
> > >
> > > -----Original Message-----
> > > From: Singh, Radesh
> > > Sent: Wednesday, May 04, 2016 3:15 PM
> > > To: 'rsyslog-users'
> > > Subject: RE: [rsyslog] Remote messages getting into local logs
> > >
> > > David,
> > >
> > > So, this is the config I've got in mind:
> > >
> > > # rsyslog.conf
> > > $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> > > $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> > > $ModLoad imudp
> > > $UDPServerRun 514
> > > $ModLoad imtcp
> > > $InputTCPServerRun 514
> > > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > > $IncludeConfig /etc/rsyslog.d/*.conf
> > > user.*;daemon.*;syslog.* /var/log/messages
> > > kern.* /var/log/kernel
> > > *.emerg /var/log/emerg
> > > authpriv.* /var/log/secure
> > > mail.* /var/log/maillog
> > > cron.* /var/log/cron
> > > uucp,news.crit /var/log/spool
> > > local7.* /var/log/bootlog
> > >
> > > # rsyslog.d/remote.conf
> > > $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > > $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > > $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > > $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > > $template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
> > > $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > > $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > > $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> > >
> > > input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")
> > >
> > > ruleset(name="inbound" queue.type="FixedArray"){
> > > user.*;daemon.*;syslog.* ?remote-messages
> > > kern.* ?remote-kernel
> > > *.emerg ?remote-emerg
> > > authpriv.* ?remote-secure
> > > mail.* -?remote-maillog
> > > cron.* ?remote-cron
> > > uucp,news.crit ?remote-spooler
> > > local7.* ?remote-bootlog
> > > }
> > >
> > > Am I still over thinking it?
> > >
> > > -----Original Message-----
> > > From: Singh, Radesh
> > > Sent: Wednesday, May 04, 2016 2:40 PM
> > > To: [email protected]
> > > Subject: RE: [rsyslog] Remote messages getting into local logs
> > >
> > > David,
> > >
> > > Thank you for clarifying all of that.
> > >
> > > Based on what we are trying to do, I think we'd want to go the route of using a ruleset.
> > >
> > > So, using something like:
> > > input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp" port="514" ruleset="inbound")
> > >
> > > ruleset(name="inbound" queue.type="FixedArray"){
> > > actions
> > > }
> > >
> > > I'm translating that to:
> > >
> > > $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > > $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > > $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > > $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > > $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > > $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > > $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> > >
> > > input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")
> > >
> > > ruleset(name="inbound" queue.type="FixedArray"){
> > > user.*;daemon.*;syslog.* ?remote-messages
> > > kern.* ?remote-kernel
> > > *.emerg ?remote-emerg
> > > authpriv.* ?remote-secure
> > > mail.* -?remote-maillog
> > > cron.* ?remote-cron
> > > uucp,news.crit ?remote-spooler
> > > local7.* ?remote-bootlog
> > > }
> > >
> > > That should result in me capturing all messages that come in over TCP or UDP, and separate them out.
> > >
> > > What tells rsyslog to log local (those not coming in via TCP or UDP) messages to /var/log/...?
> > >
> > > Thanks,
> > >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > > Sent: Wednesday, May 04, 2016 1:06 PM
> > > To: [email protected]
> > > Subject: Re: [rsyslog] Remote messages getting into local logs
> > >
> > > I'll bet that if you do rsyslogd -N2 it will report a lot of errors in the config
> > >
> > > you are mixing filter types (and in any case, working harder than you need to)
> > >
> > > there are three classes of filters
> > >
> > > traditional pri filters
> > >
> > > user.* action
> > >
> > > old rsyslog filters
> > >
> > > :var, test, value action
> > >
> > > rainerscript filters
> > >
> > > if test then action
> > >
> > > you are trying to use the old rsyslog filters in rainerscript syntax, that doesn't work
> > >
> > > if $hostname == $$myhostname then {
> > > actions
> > > } else {
> > > actions
> > > }
> > >
> > > would be what you are trying to do.
> > >
> > > But if you really want to separate the traffic that arrives from remote systems completely from the traffic that is produced locally, the best way to do that is with a ruleset
> > >
> > > input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp" port="514" ruleset="inbound")
> > >
> > > ruleset(name="inbound" queue.type="FixedArray"){
> > > actions
> > > }
> > >
> > > will effectively split rsyslog into two complete stacks, one that processes locally generated messages with all the rules not defined in the inbound ruleset (and using the main queue), and a second that processes all messages that arrive via tcp or udp using the rules in the inbound ruleset (and using a separate queue)
> > >
> > > David Lang
> > >
> > > On Wed, 4 May 2016 16:38:34 +0000, Singh, Radesh wrote:
> > >> Hello,
> > >>
> > >> Perhaps I'm overthinking this, but as I've confused myself pretty good, I'm reaching out to you guys.
> > >>
> > >> We noticed that our remote clients' messages are flooding several of our local log files (messages,kernel,bootlog) on our central rsyslog server.
> > >>
> > >> We've been trying to craft some rules to tell the rsyslog server that the hostname is not your hostname, use a specific block to separate the messages into their appropriate files, else, do the same type of separation, but store the messages locally...
> > >>
> > >> I tried...
> > >>
> > >> $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> > >> $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> > >> $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> > >> $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> > >> $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> > >> $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> > >> $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
> > >>
> > >> $template local-messages,"/var/log/messages"
> > >> $template local-kernel,"/var/log/kernel"
> > >> $template local-emerg,"/var/log/emerg"
> > >> $template local-secure,"/var/log/secure"
> > >> $template local-maillog,"/var/log/maillog"
> > >> $template local-cron,"/var/log/cron"
> > >> $template local-spooler,"/var/log/spooler"
> > >> $template local-bootlog,"/var/log/bootlog"
> > >>
> > >> if :hostname,!isequal,$myhostname then {
> > >> user.*;daemon.*;syslog.* ?remote-messages
> > >> kern.* ?remote-kernel
> > >> *.emerg ?remote-emerg
> > >> authpriv.* ?remote-secure
> > >> mail.* -?remote-maillog
> > >> cron.* ?remote-cron
> > >> uucp,news.crit ?remote-spooler
> > >> local7.* ?remote-bootlog
> > >> }
> > >> else if :hostname,isequal,$myhostname then {
> > >> user.*;daemon.*;syslog.* ?local-messages
> > >> kern.* ?local-kernel
> > >> *.emerg ?local-emerg
> > >> authpriv.* ?local-secure
> > >> mail.* -?local-maillog
> > >> cron.* ?local-cron
> > >> uucp,news.crit ?local-spooler
> > >> local7.* ?local-bootlog
> > >> }
> > >>
> > >> But messages from remote hosts get written to /var/log/messages, even though I thought I was telling rsyslog to filter on hostname, and if the hostname is not my hostname use one of my ?remote definitions.
> > >> I tried using & ~ after my first line, but I find that if I do that ... nothing gets written to the local messages file.
> > >> I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10.
> > >>
> > >> Thank you,
> > >>
> > >> This email transmission and any accompanying attachments may contain CSX privileged and confidential information intended only for the use of the intended addressee. Any dissemination, distribution, copying or action taken in reliance on the contents of this email by anyone other than the intended recipient is strictly prohibited. If you have received this email in error please immediately delete it and notify sender at the above CSX email address. Sender and CSX accept no liability for any damage caused directly or indirectly by receipt of this email.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
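Added example, not part of the thread and not code from the rsyslog project: a small Python check for the statement-order problem in the legacy-syntax config quoted at the top of this message, reporting which ruleset each listener ends up feeding. It assumes that a `$Input...BindRuleset` directive only applies to listeners started after it, which is the order used in the v5 multi-ruleset documentation linked in the thread; `audit`, `report`, `BROKEN` and `FIXED` are names made up here, both sample configs are constructed (shortened from the posted one), and the reordered config has not been run against 5.8.10.

```python
"""Check which ruleset each legacy-syntax rsyslog listener ends up bound to."""

DEFAULT = "RSYSLOG_DefaultRuleset"

# Directive that starts a listener -> directive that selects the ruleset for
# listeners started AFTER it (assumed v5 legacy-syntax behaviour).
RUN_TO_BIND = {
    "$inputtcpserverrun": "$inputtcpserverbindruleset",
    "$udpserverrun": "$inputudpserverbindruleset",
}

# Constructed sample, shortened from the config posted in the thread:
# the listeners are started first and the bind directives come last.
BROKEN = r'''
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
user.*;daemon.*;syslog.*  /var/log/messages
authpriv.*                /var/log/secure
$RuleSet tcpremote
user.*;daemon.*;syslog.*  ?remote-messages
& ~
$RuleSet udpremote
user.*;daemon.*;syslog.*  ?remote-messages
& ~
$InputTCPServerBindRuleset tcpremote
$InputUDPServerBindRuleset udpremote
'''

# Constructed reordering (an assumption, not tested on 5.8.10): define the
# remote ruleset, switch back to the default one, then bind BEFORE each run.
FIXED = r'''
$ModLoad imudp
$ModLoad imtcp
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
user.*;daemon.*;syslog.*  /var/log/messages
authpriv.*                /var/log/secure
$RuleSet remote
user.*;daemon.*;syslog.*  ?remote-messages
$RuleSet RSYSLOG_DefaultRuleset
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
'''


def audit(conf):
    """Walk the config top to bottom, as rsyslogd reads it."""
    pending = {bind: DEFAULT for bind in RUN_TO_BIND.values()}
    current = DEFAULT            # ruleset that plain rule lines are added to
    rule_count = {DEFAULT: 0}
    listeners = []               # (directive, port, ruleset it feeds)
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        word, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        key = word.lower()
        if key == "$ruleset":
            current = arg
            rule_count.setdefault(current, 0)
        elif key in pending:
            pending[key] = arg                 # affects later listeners only
        elif key in RUN_TO_BIND:
            listeners.append((word, arg, pending[RUN_TO_BIND[key]]))
        elif not word.startswith("$"):
            rule_count[current] += 1           # selector/action line
    fed = {ruleset for _, _, ruleset in listeners}
    orphans = [name for name, count in rule_count.items()
               if name != DEFAULT and count and name not in fed]
    return {"listeners": listeners, "orphan_rulesets": orphans}


def report(conf):
    """Human-readable findings for one config."""
    result = audit(conf)
    lines = []
    for directive, port, ruleset in result["listeners"]:
        note = "  <- processed by the local rules" if ruleset == DEFAULT else ""
        lines.append(f"{directive} {port} -> {ruleset}{note}")
    for name in result["orphan_rulesets"]:
        lines.append(f"ruleset {name!r} has rules but no listener feeds it")
    return lines


if __name__ == "__main__":
    for label, conf in (("posted order", BROKEN), ("reordered", FIXED)):
        print(f"== {label} ==")
        print("\n".join(report(conf)))
```

For the posted order the check reports both listeners on the default ruleset and both remote rulesets unfed, which matches the two symptoms described: remote messages land in the local files, and the per-host files stop being written.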

