Why are you disabling the main queue (setting it to direct)? That will cripple your log processing performance.

It looks like your message got corrupted around the end. If the last file is really:

#
local4.notice                           /var/log/usercommands
local4.notice;auth.*;authpriv.*         @remotesyslogserver

Then messages would be written to /var/log/messages and /var/log/usercommands as long as messages match both filters.

Rsyslog delivers messages to all destinations that have filters that match, unless you issue a stop.
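
One way to keep remote messages out of the local files under the rule stated above, shown as an added example rather than configuration from any poster in this thread: bind the UDP input to its own ruleset, as in the multi-ruleset documentation linked further down. The ruleset name "remote", the template name "PerHostFile" and the 192.0.2.x addresses are assumptions made for the illustration.

```rsyslog
# Constructed example; 192.0.2.10 and 192.0.2.11 are placeholder addresses.
# This replaces the legacy "$ModLoad imudp" / "$UDPServerRun 514" pair.
module(load="imudp")

# Dynamic file name for remote hosts that have no dedicated rule.
template(name="PerHostFile" type="string"
         string="/opt/apps/syslog/%HOSTNAME%.log")

# Messages received on UDP 514 are evaluated by this ruleset only,
# so they never reach the local rules in the default ruleset.
ruleset(name="remote") {
    if $fromhost-ip == '192.0.2.10' then {
        action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
        stop    # ends processing for matching messages only
    }
    if $fromhost-ip == '192.0.2.11' then {
        action(type="omfile" file="/opt/apps/syslog/fw1-comm-core.log")
        stop
    }
    # Reached only by messages that no condition above stopped.
    action(type="omfile" dynaFile="PerHostFile")
}

input(type="imudp" port="514" ruleset="remote")

# Local rules stay in the default ruleset and see only local messages.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Check the syntax with `rsyslogd -N1` before restarting the service.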


On Mon, 7 May 2018, Haary rock via rsyslog wrote:

Date: Mon, 7 May 2018 17:14:13 +0000 (UTC)
From: Haary rock via rsyslog <[email protected]>
To: Flo Rance <[email protected]>
Cc: Haary rock <[email protected]>,
    rsyslog-users <[email protected]>
Subject: Re: [rsyslog] stop message processing is stoping the local messages
    as well.

Flo,
I followed the same syntax as you mentioned; however, it doesn't stop sending 
those remote logs to the local logs as well.
This is what my /etc/rsyslog.conf file looks like:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

$ModLoad imudp

$UDPServerRun 514

$MainMsgQueueType Direct

$WorkDirectory /var/lib/rsyslog

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$umask 0000

$IncludeConfig /etc/rsyslog.d/*.conf

$FileCreateMode 0600

$OmitLocalLogging on

$IMJournalStateFile imjournal.state




*.info;local4.!notice;mail.none;authpriv.none;cron.none /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 :omusrmsg:*

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log


And my remote log files under /etc/rsyslog.d look just like the below (pasted only 
a few lines, but I have a few more similar entries).

#This will allow this server to log the remotely forwarded logs

$FileCreateMode 0664

$fileOwner netman

$FileGroup cscworks

$dirOwner netman

if $fromhost-ip == '10.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
    stop
}

if $fromhost-ip == '10.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw1-comm-core.log")
    stop
}

if $fromhost-ip == '10.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw1-comm-dist.log")
    stop
}

And I have one more .conf file under /etc/rsyslog.d which is just like the 
below:
# local4.notice                           
/var/log/usercommandslocal4.notice;auth.*;authpriv.*         @remotesyslogserver

Also listen.conf:
$SystemLogSocketName /run/systemd/journal/syslog
The files are being written to both /var/log/messages and /var/log/usercommands 
as well, in addition to the files under /opt/apps/syslog.
Really appreciate any suggestion/fix for this.
Thanks
Haary.
On Friday, May 4, 2018, 4:02:28 AM EDT, Flo Rance <[email protected]> wrote:
If you want to use multiple instructions, you may want to use this syntax:
if $fromhost-ip == '10.XX.X' then {
  action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
  stop
}
There's an example there in the doc: 
https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html

Maybe that one might work as well, but I haven't tested yet.
if $fromhost-ip == '10.XX.X' then {
  /opt/apps/syslog/fw1-admin.log
  stop
}
Flo


On Thu, May 3, 2018 at 6:48 PM, Haary rock <[email protected]> wrote:

Flo,
I tried that then I started getting this error while I restart the service

May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector line - ';template' expected [v8.24.0]
May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file /etc/rsyslog.d/remotelog.conf, on or before line 54: errors occured in file '/etc/rsyslog.d/remotelog.conf' around line 54 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector line - ';template' expected [v8.24.0]
May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file /etc/rsyslog.d/remotelog.conf, on or before line 55: errors occured in file '/etc/rsyslog.d/remotelog.conf' around line 55 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
This is what I added in the .conf file
if $fromhost-ip == '10.XX.X' then /opt/apps/syslog/fw1-admin. log.  stop if 
$fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm- core.log stopif 
$fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm- dist.log stopif 
$fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-admin.log stopif 
$fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-comm- core.log stop
But as soon as I remove the stop, the service started without the error ... 
maybe my syntax is not correct ..?
Thanks in advance for any help, really appreciated 
Regards
Haary
On Thursday, May 3, 2018, 12:25:29 PM EDT, Haary rock via rsyslog <[email protected]> wrote:
Thanks, I will try that for each entry ...
Regards
Harry..
On Thursday, May 3, 2018, 10:36:07 AM EDT, Flo Rance <[email protected]> wrote:
You should give a condition, otherwise it will stop processing for all messages.

E.g. if $fromhost-ip contains '10..x.x.x' then stop

On Thu, May 3, 2018 at 3:55 PM, Haary rock via rsyslog 
<[email protected]> wrote:

Sorry, I am reposting since it mangled the text ..

The problem is if I use the &~ at the end of the line .. it doesn't stop 
sending the logs to /var/log/messages ..

but if I use the "stop" at the end of the file .. it stops sending messages to 
/var/log/messages completely.

&~ used to work on previous version of syslog .. but it's not working on the 
rsyslogd 8.24.0 (RHEL 7.0)
I have my .conf file here 

#This will allow this server to log the remotely forwarded logs

$FileCreateMode 0664

$fileOwner xxxx

$FileGroup xxx

$dirOwner xxxx

#

$template FilenameTemplateOne,"/opt/apps/syslog/%HOSTNAME%.log"

if $fromhost-ip startswith '192.168.' then -?FilenameTemplateOne

#

$template FilenameTemplateOne,"/opt/apps/syslog/%HOSTNAME%.log"

if $fromhost-ip startswith '209.95.224.' then -?FilenameTemplateOne

#

if $fromhost-ip == '10.x.x.x' then /opt/apps/syslog/Fw1.log

if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/fw2.log

if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/mainsw1.log

if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/secswitch.log

stop

&~ used to work on previous version of syslog .. but it's not working on the 
rsyslogd 8.24.0 (RHEL 7.0)

It gives the warning when I restart the syslog 
rsyslogd[25517]: warning: ~ action is deprecated, consider using the 'stop' statement instead

Any help would be greatly appreciated 
Thanks
Haary.
On Wednesday, May 2, 2018, 5:24:14 PM EDT, David Lang <[email protected]> wrote:
 On Wed, 2 May 2018, Haary rock via rsyslog wrote:

#This will allow this server to log the remotely forwarded logs$FileCreateMode 0664$fileOwner 
netman$FileGroup cscworks$dirOwner netman#$template FilenameTemplateOne,"/opt/ 
apps/syslog/%HOSTNAME%.log"if $fromhost-ip startswith '192.x.' then -?FilenameTemplateOne#$ 
template FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if $fromhost-ip startswith 
'x.x.x..' then -?FilenameTemplateOne#if $fromhost-ip == '10.x.x.1' then /opt/apps/syslog/Firewall1- 
admin.logif $fromhost-ip == '10.x.x.x' then /opt/apps/syslog/firewall- core.logif $fromhost-ip == 
'10.x.x.x' then /opt/apps/syslog/switch1.logif $fromhost-ip == '10.x.x.x' then 
/opt/apps/syslog/switch2- admin.log
there are few more similar entries from all the Ip's I wanted to create the 
logs ..
the problem is if I use the  &~ at the end of the line .. its doesn't stop 
sending the logs to /var/log/messages ..
but if I use the "stop" at the end of the file .. its stops sending messages to 
/var/log/messages completely .
&~ used to work on previous version of syslog ..but its not working on the 
rsyslogd 8.24.0 (RHEL 7.0)

Please retry your post; as you can see, it mangled the files you were posting.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
