Date: Wed, 4 May 2016 19:32:18 +0000
From: "Singh, Radesh" <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Remote messages getting into local logs
Rsyslog doesn't like my syntax:
[root at PTC_UAT_LOGHOST rsyslog.d]$ rsyslogd -N2
rsyslogd: version 5.8.10, config validation run (level 2), master
config /etc/rsyslog.conf
rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically
generated config directives may interfer with your rsyslog.conf settings. We
suggest upgrading your config and adding -c5 as the first rsyslogd option.
rsyslogd: unknown priority name "" [try
http://secure-web.cisco.com/1-flZtEcVu13PuDqJJOFpJ5Ic783Ttc-rN9lsBmKi3
xMXWYiv8CH3X7-ddpLEYfTw_0v4qOEZKdQCpvLErHBBxAdwZk3MKuSh1MRK3_0v8m96_k5
vZ2IKFM23TaGrpF7Ei6rJK3EO5_YSjY8DknVbOJBGhjwKd3A00PtNo_ZgPBohbercjhRR-
FBWB8oowNEG8E59t_dc0cIpaVw45MnT9is9t99C9KeGlHonfsgBHd0FMeSmxxyEL25feIw
be8Q03oTPzgoR4DiUf2Pw2utBM-MLRUmQzGC90PhI6SmpayZveLWWDkYAXfn-Oo8pcI1Y6
Yy306TJgqpX15Yvrd_-mVMoJaHfHlmAn45tAwBR3Wt0f6iL7gFvTaT0N02VMo1K/http%3
A%2F%2Fwww.rsyslog.com%2Fe%2F3000 ]
rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 10:"input(type="imtcp" port="514"
ruleset="inbound") input(type="imudp" port="514" ruleset="inbound")"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: unknown priority name "type="FixedArray"){" [try
http://secure-web.cisco.com/1-flZtEcVu13PuDqJJOFpJ5Ic783Ttc-rN9lsBmKi3
xMXWYiv8CH3X7-ddpLEYfTw_0v4qOEZKdQCpvLErHBBxAdwZk3MKuSh1MRK3_0v8m96_k5
vZ2IKFM23TaGrpF7Ei6rJK3EO5_YSjY8DknVbOJBGhjwKd3A00PtNo_ZgPBohbercjhRR-
FBWB8oowNEG8E59t_dc0cIpaVw45MnT9is9t99C9KeGlHonfsgBHd0FMeSmxxyEL25feIw
be8Q03oTPzgoR4DiUf2Pw2utBM-MLRUmQzGC90PhI6SmpayZveLWWDkYAXfn-Oo8pcI1Y6
Yy306TJgqpX15Yvrd_-mVMoJaHfHlmAn45tAwBR3Wt0f6iL7gFvTaT0N02VMo1K/http%3
A%2F%2Fwww.rsyslog.com%2Fe%2F3000 ]
rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line
12:"ruleset(name="inbound" queue.type="FixedArray"){"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: unknown priority name "" [try
http://secure-web.cisco.com/1-flZtEcVu13PuDqJJOFpJ5Ic783Ttc-rN9lsBmKi3
xMXWYiv8CH3X7-ddpLEYfTw_0v4qOEZKdQCpvLErHBBxAdwZk3MKuSh1MRK3_0v8m96_k5
vZ2IKFM23TaGrpF7Ei6rJK3EO5_YSjY8DknVbOJBGhjwKd3A00PtNo_ZgPBohbercjhRR-
FBWB8oowNEG8E59t_dc0cIpaVw45MnT9is9t99C9KeGlHonfsgBHd0FMeSmxxyEL25feIw
be8Q03oTPzgoR4DiUf2Pw2utBM-MLRUmQzGC90PhI6SmpayZveLWWDkYAXfn-Oo8pcI1Y6
Yy306TJgqpX15Yvrd_-mVMoJaHfHlmAn45tAwBR3Wt0f6iL7gFvTaT0N02VMo1K/http%3
A%2F%2Fwww.rsyslog.com%2Fe%2F3000 ]
rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 21:"}"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: the last error occured in /etc/rsyslog.conf, line 35:"$IncludeConfig
/etc/rsyslog.d/*.conf"
rsyslogd: CONFIG ERROR: could not interpret master config file
'/etc/rsyslog.conf'. [try
http://secure-web.cisco.com/1ya_3awlRyHJY4pJ5xBdaeSbabU9qq7ruMBPltDdob
SsjyLK54oipjv28RxNybQ3emKl-zj2JI6XtLziIny1mNnXLMbGRJZIqAbeqLXHc2FIMrDT
10luKHUvdFvku1UgbkN0Hf2bMHGyNxTltCoV11fYMeAfZZvDseCcZHgdFeb-CxvcwRfBn4
kzJjQbBrFiE4Yrrlksw4AYSCWsS3z8faLUJC2_BXSjvahTN6YzdVsva0RIQxEYHwyk6tVY
aq1NVifFmm0A5HxY1hwPpB7drYvjifI8vC_J8gDSzKhzfjswzov514INMzAoE9mUnUPTJU
-A_gZ61LKqLS--TSIbY4JklHqrskGNSnKLFzr01cx3JTk1GE9T0vyvMZ6Rbt0iX/http%3
A%2F%2Fwww.rsyslog.com%2Fe%2F2124 ]
rsyslogd: Warning: backward compatibility layer added to following
directive to rsyslog.conf: ModLoad immark
rsyslogd: Warning: backward compatibility layer added to following
directive to rsyslog.conf: MarkMessagePeriod 1200
rsyslogd: Warning: backward compatibility layer added to following
directive to rsyslog.conf: ModLoad imuxsock
$template
remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template
remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template
remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template
remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template
remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template
remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template
remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template
remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
input(type="imtcp" port="514" ruleset="inbound") input(type="imudp"
port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
}
I'm betting this is b/c I'm using using 5.8.10.
Going to try some syntax I see here:
http://secure-web.cisco.com/100Kd-K2EYkolEJwOYRrKISwA9ClF699uhqvzh9I_i
qJsuH6lQ5ALgzXFJBBPtNS8NT8Jlr91S0ctW7vJegQjTnPY0mrJOOcT4FY7kFpM5XWd3P2
oM1NuRoP7KRe5TvQL7K5D1bYOqd8V68Ki28e11GQGpEhtWmpcvNrgPWBCETJw1n4FK_6Ux
c2nDb7ZK6IR-BnI_5YsOuZ9y7WOlI2WlTSBsWd3GTri1cjX40S_3LC64eVWcCIw4uzTk9q
Yu3IvuyFH57YnSFdK20QMZTGVSWfDpm3dMYR-NAd0k1oudQUHHnw9Ruoj5B19goW9WsQqF
htmCyOD3Wm3ffHOIL6RwRFpI3Oib0QRTHcC0Sap8DTT-9AKEnLLtxYqha62oYKC/http%3
A%2F%2Fwww.rsyslog.com%2Fdoc%2Fv5-stable%2Fconcepts%2Fmulti_ruleset.ht
ml
R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
"Give instruction to a wise man, and he will be yet wiser : teach a
just man, and he will increase in learning." - Proverbs 9:9
-----Original Message-----
From: Singh, Radesh
Sent: Wednesday, May 04, 2016 3:15 PM
To: 'rsyslog-users'
Subject: RE: [rsyslog] Remote messages getting into local logs
David,
So, this is the config I've got in mind:
# rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger
command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
user.*;daemon.*;syslog.* /var/log/messages
kern.* /var/log/kernel
*.emerg /var/log/emerg
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
uucp,news.crit /var/log/spool
local7.* /var/log/bootlog
# rsyslog.d/remote.conf
$template
remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template
remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template
remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template
remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template
remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template
remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template
remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template
remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
input(type="imtcp" port="514" ruleset="inbound") input(type="imudp"
port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
}
Am I still over thinking it?
R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
"Give instruction to a wise man, and he will be yet wiser : teach a
just man, and he will increase in learning." - Proverbs 9:9
-----Original Message-----
From: Singh, Radesh
Sent: Wednesday, May 04, 2016 2:40 PM
To: [email protected]
Subject: RE: [rsyslog] Remote messages getting into local logs
David,
Thank you for clarifying all of that.
Based on what we are trying to do, I think we'd want to go the route of using a
ruleset.
So, using something like:
input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp"
port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
actions
}
I'm translating that to:
$template
remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template
remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template
remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template
remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template
remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template
remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template
remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
input(type="imtcp" port="514" ruleset="inbound") input(type="imudp"
port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
}
That should result in me capturing all messages that come in over TCP or UDP,
and separate them out.
What tells rsyslog to log local (those not coming in via TCP or UDP) messages
to /var/log/...?
Thanks,
R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
"Give instruction to a wise man, and he will be yet wiser : teach a
just man, and he will increase in learning." - Proverbs 9:9
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday, May 04, 2016 1:06 PM
To: [email protected]
Subject: Re: [rsyslog] Remote messages getting into local logs
I'll bet that if you do rsyslogd -N2 it will report a lot of errors in
the config
you are mising filter types (and in any case, working harder than you
need to)
there are three classes of filters
traditional pri filters
user.* action
old rsyslog filters
:var, test, value action
rainerscript filters
if test then action
you are trying to use the old rsyslog filters in rainerscript syntax,
that doesn't work
if $hostname == $$myhostname then {
actions
} else {
actions
}
would be what you are trying to do.
But if you really want to separate the traffic that arrives from
remote systems completely from the traffic that is produced locally,
the best way to do that is with a ruleset
input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp"
port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
actions
}
will effectivly split rsyslog into two complete stacks, one that
processes locally generated messages with all the rules not defined in
the inbound ruleset (and using the main queue), and a second that
processes all messages that arrive via tcp or udp using the rules in
the inbound ruleset (and using a separate queue)
David Lang
On Wed, 4 May 2016 16:38:34 +0000, Singh, Radesh wrote:
Hello,
Perhaps I'm overthinking this, but as I've confused myself pretty
good, I'm reaching out to you guys.
We noticed that our remote clients messages are flooding several of
our local log files (messages,kernel,bootlog) on our central rsyslog
server.
We've been try to craft some rules to tell the rsyslog server that
the hostname is not your hostname, use a specific block to separate
the messages into their appropriate files, else, do the same type of
separation, but store the messages locally...
I tried...
$template
remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template
remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template
remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template
remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template
remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template
remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template
remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
$template local-messages,"/var/log/messages"
$template local-kernel,"/var/log/kernel"
$template local-emerg,"/var/log/emerg"
$template local-secure,"/var/log/secure"
$template local-maillog,"/var/log/maillog"
$template local-cron,"/var/log/cron"
$template local-spooler,"/var/log/spooler"
$template local-bootlog,"/var/log/bootlog"
if :hostname,!isequal,$myhostname then {
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
}
else if :hostname,isequal,$myhostname then {
user.*;daemon.*;syslog.* ?local-messages
kern.* ?local-kernel
*.emerg ?local-emerg
authpriv.* ?local-secure
mail.* -?local-maillog
cron.* ?local-cron
uucp,news.crit ?local-spooler
local7.* ?local-bootlog
}
But messages from remote hosts get written to /var/log/messages, even
though I thought I was telling rsyslog to filter on hostname, and if
the hostname is not my hostname use one of my ?remote definitions.
I tried using & ~ after my first line, but I find that if I do that
... nothing gets written to the local messages file.
I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10.
Thank you,
R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
[chessie]
|-| () \/\/ ~|~ () |\/| () /? /? () \/\/ |\/| () \/ [- _\~
This email transmission and any accompanying attachments may contain
CSX privileged and confidential information intended only for the use
of the intended addressee. Any dissemination, distribution, copying
or action taken in reliance on the contents of this email by anyone
other than the intended recipient is strictly prohibited. If you have
received this email in error please immediately delete it and notify
sender at the above CSX email address. Sender and CSX accept no
liability for any damage caused directly or indirectly by receipt of
this email.
_______________________________________________
rsyslog mailing list
BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED
http://secure-web.cisco.com/1xGGnjSh9RR0y9rgx38zhuymGGNvuKuRCAR_z7i9J4
Yn4zD1vrveKaihdGx3JedcKCvkNFBxiQQjmCOd0j1txaq0XXfVbdukHhfiSCcWgPOP25by
T1N_28l_4ON11xwTa2os6nW2bRAbUYXssRPv3wvQnrvm8ZzCXtOHwGONSA3SCjiMSNi08M
M6TaKzaOkD03_s7wi9z7XCSLiEBsRnnCqwRSU2U2EJwHK9Y45_VeoyaLJ8gYj2bCZYXes3
riOxEZtfn4nwdnJ3x1ksA5LhDiPYPqvwksTkgOXeGl-RsALio_xvt06uQ1x-Qs1VKm6HuR
R-wPUlI6tPrvOprmD2kB8IcTPvtPxBkfjtVU5BpEZVIgCJmZSTxU2CCM44nyhVa/http%3
A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F
What's up with rsyslog? Follow
https://secure-web.cisco.com/1np2M_O7l4WbuSPzutBL7wHs1T4AvXY5sEAi6R9jF
Ad6xpP66MUvIDoL0kz8Ve9JiKraHbyNUChDGTNv4qEvQcUG__9hAYAhKR4E7GDpM7wUS99
eOBMAmpT0YQBJJZ44RAmUnlV8l-ReDvo5lBRbln2K5LdY7r8SRhRWxukHXXBpb6QWRw33l
tg4-0dFF4WarzNF0TNyG2pbowTpBDBRxUksgFg8Lsc_RMfr5SOW4BoGup_lZ-eLAZ53p3c
H3LfhD_ziZoSyK89jd0Q7d_ny6io7hXw3xTTVKazGM8-ONaWmTt_sBkl5zVxGHpN50EViW
9719-Se7Kxyx4OohnoDRd-aGEzfx6novzYQqXjR_L8OSY4mtnLsxciyfHoPOmjkMKz5PZF
1Pv7jlvGXdl0E5Eg/https%3A%2F%2Ftwitter.com%2Frgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
This email transmission and any accompanying attachments may contain CSX
privileged and confidential information intended only for the use of the
intended addressee. Any dissemination, distribution, copying or action taken in
reliance on the contents of this email by anyone other than the intended
recipient is strictly prohibited. If you have received this email in error
please immediately delete it and notify sender at the above CSX email address.
Sender and CSX accept no liability for any damage caused directly or indirectly
by receipt of this email.
_______________________________________________
rsyslog mailing list
BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED
http://secure-web.cisco.com/1VFleKFU62iSgxqNp7l4hUrALjZPNml1KX8H5whJa5
oq_EIR7mVvq0PfpjqvVRT7kK0VmKBVB4AqyW1kdMcUq8aUtz_WqttYsnMELiLEgsZ9kukE
2qyWFcZsSBn8CFlvUF-skZIaIwiF0ajFqoZNZMGwOKGbOrB4ir28NlMIRH8X4nUYHFPQol
bDK9JlX3sDBGgMokxaETlthu6VFA7oB3m7qdps4AinoI4vEC5GaRumv7j9XF9LfVXSbQlU
lLGkoA1O0QO-iDWIG29n1Ax0-1ehb-PB5FMXGUoV0MBJ1Ihj20CoP2MqKTTvTX_1zeYMDc
P3e3Qj5iQwpplCbxx1bTXJ0HYDqxmwkpSWQj5e0QWC0qSxgaZ8aBAfUCp7dqVRI/http%3
A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F
What's up with rsyslog? Follow
https://secure-web.cisco.com/1rQW9huc5s4E2rR8Jgt3WDPXRhEnsyncI4KzmYV0r
WfuNxxWQA2tJNmd73u_cwcmtrESyPxNL7o1R6F9PurmRw2wy6Bau5loGMOQwjOmJ__VZ67
8C0xz-z4KHAWn32ESCSEFTV1ivD5xFxua7uyfDcF9LxDrrkNxZePI56Oy5thHbg27ZYzOX
nkoi_jl_NDAb5mkjCrLA5Jw9Dr-5VGa1g-taZjxBLHcyINLwvFBINfDnEicRO_IpmRmzOo
EjmIwU7gX7Dn4qWD_VCFA71qk1ArL3KwRTuJl9YlclJ89yALDVePU18OBMkdA7XxlrH4Li
d7jDDCVtC5eeF7cLkGIU9dodJbRGvxsSHyx1Zy4i_vGNIM-o-C5XGRmhojMF1VzLTMo29t
FfUkGXpMR9-0wcbw/https%3A%2F%2Ftwitter.com%2Frgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
