On Tue, 14 Feb 2017, Christian Ramseyer wrote:
Hi guysI have the following setup: 1 instance of /usr/sbin/rsyslogd 8.4 which comes with SLES and which I want to use as local syslog for the system, does not listen on network, managed by systems people 1 instance of a self-compiled, more modern /opt/rsyslog/sbin/rsyslogd 8.23 which I want to use as a central syslog destination for all our network gear using imudp only, managed by our team This works ok so far except for one thing: I would like to get internal error messages etc. from the /opt/rsyslog into a file handled by said /opt/rsyslog, without mixing it with the /usr rsyslog messages in /var/log. I had it working at one point in 8.18 with this configuration: -------------------------------------------------------------------- module(load="imudp") module(load="/opt/rsyslog/lib/rsyslog/ompgsql") input(type="imudp" address="10.102.125.201" port="514" ruleset="remote") # as I understand rulesets, this is the only rule in the default ruleset # and should catch the rsyslog internal messages syslog.* /data/nco/rsyslog-internal.log ruleset(name="remote"){ # many lines of Rainerscript to process UDP events } # EOF -------------------------------------------------------------------- But then I upgraded to 8.23 and suddenly there were no more messages in rsyslog-internal.log. I got it half-working again by loading imuxsock in the /opt/rsyslog config, but then the /usr rsyslog stopped logging since apparently only one rsyslog can consume the system log socket, and when it's my /opt/rsyslog it obviously doesn't have rules to do something with any other facility then syslog.*. All of this seems kinda weird since the doc says SysSock.IgnoreOwnMessages is default on, so I'm not even sure why imuxsock gives me the messages back. Also SysSock.Use seems like it could be doing something for me but 8.23 complained about this being an unknown option. I would be very glad for a hint what I could be changing to get the expected behaviour back.
in recent versions, rsyslog changed how the internal messages are logged. I believe that the $input variable will show a good value to filter on, set it up to log messages with the format RSYSLOG_DebugFormat and look at the variables that are defined, you should be able to see what to filter on pretty quickly.
David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
