[rsyslog] message parsers with rulesets

Christopher Racky Thu, 16 Jun 2016 06:29:20 -0700

Hello,

I have the issue, that with rulesets only the 2 default Parsers are
used, but without rulesets the load parsers are applied.
Is this a missconfiguration or understanding issue?
Do you have some hints?


regards
Chris


 I have the following configuration:
------------------------------------rsyslog.conf------------------------------------
global (
net.enabledns="off"
)
$modload pmsrcipinject
$modload pmlastmsg
$modload pmaixforwardedfrom
$rulesetparser rsyslog.srcipinject
$rulesetparser rsyslog.lastline
$rulesetparser rsyslog.aixforwardedfrom
$rulesetparser rsyslog.rfc5424
$rulesetparser rsyslog.rfc3164
module(load="imuxsock") # provides support for local system logging
(e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously
done by rklogd)
module(load="imudp")
input (type="imudp" port="514" ruleset="remote")
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
ruleset(name="remote"){
$rulesetparser rsyslog.srcipinject
$rulesetparser rsyslog.lastline
$rulesetparser rsyslog.aixforwardedfrom
$rulesetparser rsyslog.rfc5424
$rulesetparser rsyslog.rfc3164
        *.*     /var/log/output.log;RSYSLOG_DebugFormat
        stop
}
------------------------------------------------------------------------------------------------

When I do not use rulesets, the output.message is correctly processing
the all 5 message-parsers.
But when I use rulsets in debug I can see for the ruleset only the 2
Default Parsers are processed.

See here:
------------------------------------------------------------------------------------------------
9125.288246895:main thread    : processinternalmessages: (unset)
9125.288268911:main thread    : cnf:global:cfsysline: $modload pmsrcipinject
9125.288284929:main thread    : Requested to load module 'pmsrcipinject'
9125.288289686:main thread    : loading module '/lib64/rsyslog/pmsrcipinject.so'
9125.288343939:main thread    : srcipinject parser init called,
compiled with version 8.18.0
9125.288350754:main thread    : module pmsrcipinject of type 3 being
loaded (keepType=0).
9125.288354029:main thread    : entry point 'setModCnf' not present in module
9125.288356922:main thread    : entry point 'getModCnfName' not
present in module
9125.288359713:main thread    : entry point 'beginCnfLoad' not present in module
9125.288362387:main thread    : entry point 'parse2' not present in module
9125.288366220:main thread    : DDDDD: added parser
'rsyslog.srcipinject' to list 0x7fb63f0899a8
9125.288369035:main thread    : Parser 'rsyslog.srcipinject' added to
list of available parsers.
9125.288374739:main thread    : cnf:global:cfsysline: $modload pmlastmsg
9125.288380281:main thread    : Requested to load module 'pmlastmsg'
9125.288383695:main thread    : loading module '/lib64/rsyslog/pmlastmsg.so'
9125.288438324:main thread    : lastmsg parser init called, compiled
with version 8.18.0
9125.288545207:main thread    : module pmlastmsg of type 3 being
loaded (keepType=0).
9125.288551770:main thread    : entry point 'setModCnf' not present in module
9125.288554637:main thread    : entry point 'getModCnfName' not
present in module
9125.288567701:main thread    : entry point 'beginCnfLoad' not present in module
9125.288570612:main thread    : entry point 'parse2' not present in module
9125.288581066:main thread    : DDDDD: added parser 'rsyslog.lastline'
to list 0x7fb63f0899a8
9125.288584073:main thread    : Parser 'rsyslog.lastline' added to
list of available parsers.
9125.288590302:main thread    : cnf:global:cfsysline: $modload
pmaixforwardedfrom
9125.288596316:main thread    : Requested to load module 'pmaixforwardedfrom'
9125.288600167:main thread    : loading module
'/lib64/rsyslog/pmaixforwardedfrom.so'
9125.288660648:main thread    : aixforwardedfrom parser init called,
compiled with version 8.18.0
9125.288668453:main thread    : module pmaixforwardedfrom of type 3
being loaded (keepType=0).
9125.288671692:main thread    : entry point 'setModCnf' not present in module
9125.288674407:main thread    : entry point 'getModCnfName' not
present in module
9125.288677039:main thread    : entry point 'beginCnfLoad' not present in module
9125.288679686:main thread    : entry point 'parse2' not present in module
9125.288683583:main thread    : DDDDD: added parser
'rsyslog.aixforwardedfrom' to list 0x7fb63f0899a8
9125.288686410:main thread    : Parser 'rsyslog.aixforwardedfrom'
added to list of available parsers.
 
------------------------------------------------------------------------------------------------
...
9125.292019118:main thread    : All Rulesets:
9125.292021672:main thread    : ruleset 0x7fb63f342170: rsyslog
ruleset RSYSLOG_DefaultRuleset:
9125.292024628:main thread    : ACTION 0
[builtin:omfile:/var/log/alllog;RSYSLOG_DebugFormat]
9125.292027170:main thread    : ruleset 0x7fb63f342170: ruleset
RSYSLOG_DefaultRuleset assigned parser list:
9125.292029861:main thread    : parser: rsyslog.srcipinject
9125.292032346:main thread    : parser: rsyslog.lastline
9125.292034806:main thread    : parser: rsyslog.aixforwardedfrom
9125.292037228:main thread    : parser: rsyslog.rfc5424
9125.292039648:main thread    : parser: rsyslog.rfc3164
9125.292042021:main thread    : parser: rsyslog.srcipinject
9125.292044382:main thread    : parser: rsyslog.lastline
9125.292046759:main thread    : parser: rsyslog.aixforwardedfrom
9125.292049162:main thread    : parser: rsyslog.rfc5424
9125.292051499:main thread    : parser: rsyslog.rfc3164
9125.292053896:main thread    : ruleset 0x7fb63f355fb0: rsyslog ruleset remote:
9125.292056753:main thread    : ACTION 1
[builtin:omfile:/var/log/remotetest.log;RSYSLOG_DebugFormat]
9125.292062732:main thread    : STOP
9125.292065419:main thread    : ruleset 0x7fb63f355fb0: ruleset remote
assigned parser list:
9125.292068039:main thread    : End of Rulesets.
------------------------------------------------------------------------------------------------
...
9125.293007295:main thread    : Modules used in this configuration:
9125.293009906:main thread    :     builtin:omfile
9125.293012352:main thread    :     builtin:ompipe
9125.293014779:main thread    :     builtin-shell
9125.293017235:main thread    :     builtin:omdiscard
9125.293019676:main thread    :     builtin:omfwd
9125.293022115:main thread    :     builtin:omusrmsg
9125.293024551:main thread    :     builtin:pmrfc5424
9125.293026975:main thread    :     builtin:pmrfc3164
9125.293029384:main thread    :     builtin:smfile
9125.293031817:main thread    :     builtin:smtradfile
9125.293034258:main thread    :     builtin:smfwd
9125.293036680:main thread    :     builtin:smtradfwd
9125.293039073:main thread    :     pmsrcipinject
9125.293041483:main thread    :     pmlastmsg
9125.293043963:main thread    :     pmaixforwardedfrom
9125.293046408:main thread    :     imuxsock
9125.293048853:main thread    :     imklog
9125.293051256:main thread    :     imudp
------------------------------------------------------------------------------------------------
...
 The Message processing:
 ...
9132.357724175:imudp.c        : imudp: recvmmsg returned 1
9132.357735754:imudp.c        : recv(5,106),acl:1,msg:<---message here--->
9132.357747524:imudp.c        : msg parser: flags 70, from
'~NOTRESOLVED~', msg '<---message here--->
9132.357751989:imudp.c        : parse using parser list 0x7fb63f341990
(the default list).
9132.357757501:imudp.c        : dropped LF at very end of message
(DropTrailingLF is set)
9132.357761667:imudp.c        : Parser 'rsyslog.rfc5424' returned -2160
9132.357766965:imudp.c        : Message will now be parsed by the
legacy syslog parser (one size fits all... ;)).
9132.357772744:imudp.c        : Parser 'rsyslog.rfc3164' returned 0
9132.357788989:imudp.c        : imudp: recvmmsg returned -1
9132.357796825:imudp.c        : main Q: qqueueAdd: entry added, size
now log 1, phys 1 entries
9132.357807440:imudp.c        : main Q: MultiEnqObj advised worker start
9132.357818105:main Q:Reg/w0  : wti 0x7fb63f357360: worker awoke from
idle processing
9132.357826204:main Q:Reg/w0  : DeleteProcessedBatch: we deleted 0
objects and enqueued 0 objects
9132.357830151:main Q:Reg/w0  : doDeleteBatch: delete batch from
store, new sizes: log 1, phys 1
9132.357844320:main Q:Reg/w0  : processBATCH: batch of 1 elements must
be processed


---------------------
 Thanks, Chris
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

[rsyslog] message parsers with rulesets

Reply via email to