On 2/19/2018 9:29 AM, sophie.loewenthal--- via rsyslog wrote:

Does this configuration look ok begore I let this configuration rip in 

A server running rsyslog 8.7.4 on Solaris 11 that receives TCP and UDP messages 
from a mixture of syslog and rsyslog clients .
  Each client has a %HOST.log created on the server file system.
The rsyslog server forwards all those incoming messages into an ElasticSearch 
via a JSON template server listening on a remote server on port 10514.

The configuration I wrote successfully receives the UDP and TCP messages on the 

Can anybody see any configuration there that could cause undue processing, or 
errors. So far the testing has gone well.
I've posted the configuration below.

Others can speak to specifics, but one word of warning regarding expectations: %HOSTNAME% may sometimes have trash values if the remote sender doesn't properly format the message (or include reliable information).

We have a vulnerability scanner here that intentionally introduces bogus values and to override that behavior I've setup a lookup_table to map its source IP to a known value. Depending on your environment you may need to do something similar if you need to have reliable values in that field.

Two suggestions:

* If you run into problems it may be worth converting your configuration to use the current configuration syntax. That format has a lot of challenges that usually result in rsyslog not working as intended (directive order being just one)

* Consider upgrading to a current version of rsyslog. I recall you mentioning on the forums that you've stuck using that version, but there have been a lot of changes since rsyslog 8.7 was released and you may encounter issues that have long since been fixed.

I recall you saying that you couldn't reach GitHub, so here is a copy of the Changelog from the dev's Git server:

rsyslog mailing list
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 

Reply via email to