On 2/19/2018 9:29 AM, sophie.loewenthal--- via rsyslog wrote:
Does this configuration look ok begore I let this configuration rip in
A server running rsyslog 8.7.4 on Solaris 11 that receives TCP and UDP messages
from a mixture of syslog and rsyslog clients .
Each client has a %HOST.log created on the server file system.
The rsyslog server forwards all those incoming messages into an ElasticSearch
via a JSON template server listening on a remote server on port 10514.
The configuration I wrote successfully receives the UDP and TCP messages on the
Can anybody see any configuration there that could cause undue processing, or
errors. So far the testing has gone well.
I've posted the configuration below.
Others can speak to specifics, but one word of warning regarding
expectations: %HOSTNAME% may sometimes have trash values if the remote
sender doesn't properly format the message (or include reliable
We have a vulnerability scanner here that intentionally introduces bogus
values and to override that behavior I've setup a lookup_table to map
its source IP to a known value. Depending on your environment you may
need to do something similar if you need to have reliable values in that
* If you run into problems it may be worth converting your configuration
to use the current configuration syntax. That format has a lot of
challenges that usually result in rsyslog not working as intended
(directive order being just one)
* Consider upgrading to a current version of rsyslog. I recall you
mentioning on the forums that you've stuck using that version, but there
have been a lot of changes since rsyslog 8.7 was released and you may
encounter issues that have long since been fixed.
I recall you saying that you couldn't reach GitHub, so here is a copy of
the Changelog from the dev's Git server:
rsyslog mailing list
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE