2016-06-16 16:06 GMT+02:00 Christopher Racky <[email protected]>:
> Thank you so much Rainer...  :)
> Indeed this seems to be missing in the ruleset documentation.

Updates are appreciated ;)

>
> I wonder if there is no way to define this generally.

I think currently not

> My assumption was that if I defined this for the Default, this Default
> is used as long as it is not overwritten...

It is the "default ruleset" (the ruleset that is being used if no
other is specified), not "defaults" for rulesets (parameters to be
applied by default to new rulesets). I hope this makes sense.

Rainer
>
> regards
> Chris
>
> 2016-06-16 15:55 GMT+02:00 Rainer Gerhards <[email protected]>:
>> You need to specify them in the ruleset object, e.g.
>>
>> ruleset(name="remote" parser=["rsyslog.srcipinject","rsyslog.lastline", ... ]);
>>
>> I think this is not well documented.
>>
>> Rainer
>>
>> 2016-06-16 15:28 GMT+02:00 Christopher Racky <[email protected]>:
>>> Hello,
>>>
>>> I have the issue that with rulesets only the 2 default parsers are
>>> used, but without rulesets the loaded parsers are applied.
>>> Is this a misconfiguration or an understanding issue?
>>> Do you have some hints?
>>>
>>> regards
>>> Chris
>>>
>>>
>>>  I have the following configuration:
>>> ------------------------------------rsyslog.conf------------------------------------
>>> global (
>>> net.enabledns="off"
>>> )
>>> $modload pmsrcipinject
>>> $modload pmlastmsg
>>> $modload pmaixforwardedfrom
>>> $rulesetparser rsyslog.srcipinject
>>> $rulesetparser rsyslog.lastline
>>> $rulesetparser rsyslog.aixforwardedfrom
>>> $rulesetparser rsyslog.rfc5424
>>> $rulesetparser rsyslog.rfc3164
>>> module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
>>> module(load="imklog")   # provides kernel logging support (previously done by rklogd)
>>> module(load="imudp")
>>> input (type="imudp" port="514" ruleset="remote")
>>> #### GLOBAL DIRECTIVES ####
>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>> ruleset(name="remote"){
>>> $rulesetparser rsyslog.srcipinject
>>> $rulesetparser rsyslog.lastline
>>> $rulesetparser rsyslog.aixforwardedfrom
>>> $rulesetparser rsyslog.rfc5424
>>> $rulesetparser rsyslog.rfc3164
>>>         *.*     /var/log/output.log;RSYSLOG_DebugFormat
>>>         stop
>>> }
>>> ------------------------------------------------------------------------------------------------
>>>
>>> When I do not use rulesets, the output.message is correctly processing
>>> all 5 message-parsers.
>>> But when I use rulesets, in debug I can see that for the ruleset only the 2
>>> default parsers are processed.
>>>
>>> See here:
>>> ------------------------------------------------------------------------------------------------
>>> 9125.288246895:main thread    : processinternalmessages: (unset)
>>> 9125.288268911:main thread    : cnf:global:cfsysline: $modload pmsrcipinject
>>> 9125.288284929:main thread    : Requested to load module 'pmsrcipinject'
>>> 9125.288289686:main thread    : loading module '/lib64/rsyslog/pmsrcipinject.so'
>>> 9125.288343939:main thread    : srcipinject parser init called, compiled with version 8.18.0
>>> 9125.288350754:main thread    : module pmsrcipinject of type 3 being loaded (keepType=0).
>>> 9125.288354029:main thread    : entry point 'setModCnf' not present in module
>>> 9125.288356922:main thread    : entry point 'getModCnfName' not present in module
>>> 9125.288359713:main thread    : entry point 'beginCnfLoad' not present in module
>>> 9125.288362387:main thread    : entry point 'parse2' not present in module
>>> 9125.288366220:main thread    : DDDDD: added parser 'rsyslog.srcipinject' to list 0x7fb63f0899a8
>>> 9125.288369035:main thread    : Parser 'rsyslog.srcipinject' added to list of available parsers.
>>> 9125.288374739:main thread    : cnf:global:cfsysline: $modload pmlastmsg
>>> 9125.288380281:main thread    : Requested to load module 'pmlastmsg'
>>> 9125.288383695:main thread    : loading module '/lib64/rsyslog/pmlastmsg.so'
>>> 9125.288438324:main thread    : lastmsg parser init called, compiled with version 8.18.0
>>> 9125.288545207:main thread    : module pmlastmsg of type 3 being loaded (keepType=0).
>>> 9125.288551770:main thread    : entry point 'setModCnf' not present in module
>>> 9125.288554637:main thread    : entry point 'getModCnfName' not present in module
>>> 9125.288567701:main thread    : entry point 'beginCnfLoad' not present in module
>>> 9125.288570612:main thread    : entry point 'parse2' not present in module
>>> 9125.288581066:main thread    : DDDDD: added parser 'rsyslog.lastline' to list 0x7fb63f0899a8
>>> 9125.288584073:main thread    : Parser 'rsyslog.lastline' added to list of available parsers.
>>> 9125.288590302:main thread    : cnf:global:cfsysline: $modload pmaixforwardedfrom
>>> 9125.288596316:main thread    : Requested to load module 'pmaixforwardedfrom'
>>> 9125.288600167:main thread    : loading module '/lib64/rsyslog/pmaixforwardedfrom.so'
>>> 9125.288660648:main thread    : aixforwardedfrom parser init called, compiled with version 8.18.0
>>> 9125.288668453:main thread    : module pmaixforwardedfrom of type 3 being loaded (keepType=0).
>>> 9125.288671692:main thread    : entry point 'setModCnf' not present in module
>>> 9125.288674407:main thread    : entry point 'getModCnfName' not present in module
>>> 9125.288677039:main thread    : entry point 'beginCnfLoad' not present in module
>>> 9125.288679686:main thread    : entry point 'parse2' not present in module
>>> 9125.288683583:main thread    : DDDDD: added parser 'rsyslog.aixforwardedfrom' to list 0x7fb63f0899a8
>>> 9125.288686410:main thread    : Parser 'rsyslog.aixforwardedfrom' added to list of available parsers.
>>> ------------------------------------------------------------------------------------------------
>>> ...
>>> 9125.292019118:main thread    : All Rulesets:
>>> 9125.292021672:main thread    : ruleset 0x7fb63f342170: rsyslog ruleset RSYSLOG_DefaultRuleset:
>>> 9125.292024628:main thread    : ACTION 0 [builtin:omfile:/var/log/alllog;RSYSLOG_DebugFormat]
>>> 9125.292027170:main thread    : ruleset 0x7fb63f342170: ruleset RSYSLOG_DefaultRuleset assigned parser list:
>>> 9125.292029861:main thread    : parser: rsyslog.srcipinject
>>> 9125.292032346:main thread    : parser: rsyslog.lastline
>>> 9125.292034806:main thread    : parser: rsyslog.aixforwardedfrom
>>> 9125.292037228:main thread    : parser: rsyslog.rfc5424
>>> 9125.292039648:main thread    : parser: rsyslog.rfc3164
>>> 9125.292042021:main thread    : parser: rsyslog.srcipinject
>>> 9125.292044382:main thread    : parser: rsyslog.lastline
>>> 9125.292046759:main thread    : parser: rsyslog.aixforwardedfrom
>>> 9125.292049162:main thread    : parser: rsyslog.rfc5424
>>> 9125.292051499:main thread    : parser: rsyslog.rfc3164
>>> 9125.292053896:main thread    : ruleset 0x7fb63f355fb0: rsyslog ruleset remote:
>>> 9125.292056753:main thread    : ACTION 1 [builtin:omfile:/var/log/remotetest.log;RSYSLOG_DebugFormat]
>>> 9125.292062732:main thread    : STOP
>>> 9125.292065419:main thread    : ruleset 0x7fb63f355fb0: ruleset remote assigned parser list:
>>> 9125.292068039:main thread    : End of Rulesets.
>>> ------------------------------------------------------------------------------------------------
>>> ...
>>> 9125.293007295:main thread    : Modules used in this configuration:
>>> 9125.293009906:main thread    :     builtin:omfile
>>> 9125.293012352:main thread    :     builtin:ompipe
>>> 9125.293014779:main thread    :     builtin-shell
>>> 9125.293017235:main thread    :     builtin:omdiscard
>>> 9125.293019676:main thread    :     builtin:omfwd
>>> 9125.293022115:main thread    :     builtin:omusrmsg
>>> 9125.293024551:main thread    :     builtin:pmrfc5424
>>> 9125.293026975:main thread    :     builtin:pmrfc3164
>>> 9125.293029384:main thread    :     builtin:smfile
>>> 9125.293031817:main thread    :     builtin:smtradfile
>>> 9125.293034258:main thread    :     builtin:smfwd
>>> 9125.293036680:main thread    :     builtin:smtradfwd
>>> 9125.293039073:main thread    :     pmsrcipinject
>>> 9125.293041483:main thread    :     pmlastmsg
>>> 9125.293043963:main thread    :     pmaixforwardedfrom
>>> 9125.293046408:main thread    :     imuxsock
>>> 9125.293048853:main thread    :     imklog
>>> 9125.293051256:main thread    :     imudp
>>> ------------------------------------------------------------------------------------------------
>>> ...
>>>  The Message processing:
>>>  ...
>>> 9132.357724175:imudp.c        : imudp: recvmmsg returned 1
>>> 9132.357735754:imudp.c        : recv(5,106),acl:1,msg:<---message here--->
>>> 9132.357747524:imudp.c        : msg parser: flags 70, from '~NOTRESOLVED~', msg '<---message here--->
>>> 9132.357751989:imudp.c        : parse using parser list 0x7fb63f341990 (the default list).
>>> 9132.357757501:imudp.c        : dropped LF at very end of message (DropTrailingLF is set)
>>> 9132.357761667:imudp.c        : Parser 'rsyslog.rfc5424' returned -2160
>>> 9132.357766965:imudp.c        : Message will now be parsed by the legacy syslog parser (one size fits all... ;)).
>>> 9132.357772744:imudp.c        : Parser 'rsyslog.rfc3164' returned 0
>>> 9132.357788989:imudp.c        : imudp: recvmmsg returned -1
>>> 9132.357796825:imudp.c        : main Q: qqueueAdd: entry added, size now log 1, phys 1 entries
>>> 9132.357807440:imudp.c        : main Q: MultiEnqObj advised worker start
>>> 9132.357818105:main Q:Reg/w0  : wti 0x7fb63f357360: worker awoke from idle processing
>>> 9132.357826204:main Q:Reg/w0  : DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
>>> 9132.357830151:main Q:Reg/w0  : doDeleteBatch: delete batch from store, new sizes: log 1, phys 1
>>> 9132.357844320:main Q:Reg/w0  : processBATCH: batch of 1 elements must be processed
>>>
>>>
>>> ---------------------
>>>  Thanks, Chris
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
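
The fix described in this thread, written out as a complete configuration. This is an added example, not part of the original posts or of rsyslog's documentation; module names, parser names, port and file path are taken from the configuration quoted above, and rewriting the `$modload` lines and the file action as `module()` and `action()` objects is an editorial choice.

```conf
# Added example: parser chain bound to the ruleset object itself.
global(net.enableDNS="off")

# Parser modules must be loaded before a ruleset can reference them.
# pmsrcipinject is taken from the original configuration as-is.
module(load="pmsrcipinject")
module(load="pmlastmsg")
module(load="pmaixforwardedfrom")

module(load="imuxsock")   # local system logging
module(load="imklog")     # kernel logging
module(load="imudp")

# Messages received on this input are handled by the "remote" ruleset,
# so they are parsed with that ruleset's parser list, not the default one.
input(type="imudp" port="514" ruleset="remote")

# The parser list is a parameter of the ruleset object. The $rulesetparser
# lines inside the { } block left the list empty in the debug output above.
# Parsers are tried in order; rsyslog.rfc3164 accepts any message, so it
# has to come last.
ruleset(
    name="remote"
    parser=[
        "rsyslog.srcipinject",
        "rsyslog.lastline",
        "rsyslog.aixforwardedfrom",
        "rsyslog.rfc5424",
        "rsyslog.rfc3164"
    ]
) {
    action(type="omfile" file="/var/log/output.log" template="RSYSLOG_DebugFormat")
    stop
}
```

With this in place, the `ruleset remote assigned parser list:` line in the debug output should be followed by the five parsers, as it is for `RSYSLOG_DefaultRuleset` above. Per the reply, there is no way to set this once for all rulesets, so every ruleset bound to an input needs its own `parser=[...]`.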
