Flo,
Thanks for the quick reply. I didn't get what you mean by "disabling the main 
queue".
Also, I don't understand why it's still being written to local files even after 
putting the stop, the same as in the examples:
if $fromhost-ip == '172.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw2.log")
    stop
}
Thanks in advance,
Haary.

On Monday, May 7, 2018, 2:34:54 PM EDT, David Lang <[email protected]> wrote:
 
Why are you disabling the main queue (setting it to direct)? That will cripple 
your log processing performance.

It looks like your message got corrupted around the end. If the last file is 
really:

#
local4.notice                           /var/log/usercommands
local4.notice;auth.*;authpriv.*         @remotesyslogserver

Then messages would be written to /var/log/messages and /var/log/usercommands 
as long as messages match both filters.

Rsyslog delivers messages to all destinations that have filters that match, 
unless you issue a stop.


On Mon, 7 May 2018, Haary rock via rsyslog wrote:

> Date: Mon, 7 May 2018 17:14:13 +0000 (UTC)
> From: Haary rock via rsyslog <[email protected]>
> To: Flo Rance <[email protected]>
> Cc: Haary rock <[email protected]>,
>    rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] stop message processing is stoping the local messages
>    as well.
> 
> Flo,
> I followed the same syntax as you mentioned, however it doesn't stop 
> sending those remote logs to the local logs as well.
> This is what my /etc/rsyslog.conf file looks like:
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imjournal # provides access to the systemd journal
> $ModLoad imudp
> $UDPServerRun 514
> $MainMsgQueueType Direct
> $WorkDirectory /var/lib/rsyslog
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $umask 0000
> $IncludeConfig /etc/rsyslog.d/*.conf
> $FileCreateMode 0600
> $OmitLocalLogging on
> $IMJournalStateFile imjournal.state
>
> *.info;local4.!notice;mail.none;authpriv.none;cron.none /var/log/messages
> authpriv.*                                              /var/log/secure
> mail.*                                                  -/var/log/maillog
> cron.*                                                  /var/log/cron
> *.emerg                                                 :omusrmsg:*
> uucp,news.crit                                          /var/log/spooler
> local7.*                                                /var/log/boot.log
>
> And my remote log files under /etc/rsyslog.d look just as below (pasted 
> only a few lines, but I have a few more exactly similar entries):
>
> #This will allow this server to log the remotely forwarded logs
> $FileCreateMode 0664
> $fileOwner netman
> $FileGroup cscworks
> $dirOwner netman
>
> if $fromhost-ip == '10.X.X.X' then {
>     action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
>     stop
> }
>
> if $fromhost-ip == '10.X.X.X' then {
>     action(type="omfile" file="/opt/apps/syslog/fw1-comm-core.log")
>     stop
> }
>
> if $fromhost-ip == '10.X.X.X' then {
>     action(type="omfile" file="/opt/apps/syslog/fw1-comm-dist.log")
>     stop
> }
> and I have one more  .conf file under /etc/rsyslog.d which is just like the 
> below
> # local4.notice                           
> /var/log/usercommandslocal4.notice;auth.*;authpriv.*         
> @remotesyslogserver
>
> Also listen.conf:
> $SystemLogSocketName /run/systemd/journal/syslog
> The files are being written to both /var/log/messages and 
> /var/log/usercommands as well, in addition to the files under 
> /opt/apps/syslog.
> Really appreciate any suggestion/fix to this.
> Thanks,
> Haary.
>    On Friday, May 4, 2018, 4:02:28 AM EDT, Flo Rance <[email protected]> wrote:
> 
> If you want to use multiple instructions, you may want to use this syntax:
> if $fromhost-ip == '10.XX.X' then {
>     action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
>     stop
> }
> There's an example there in the doc: 
> https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html
>
> Maybe that one might work as well, but I haven't tested yet.
> if $fromhost-ip == '10.XX.X' then {  /opt/apps/syslog/fw1-admin.log
>   stop
> }
> Flo
>
>
> On Thu, May 3, 2018 at 6:48 PM, Haary rock <[email protected]> wrote:
>
> Flo,
> I tried that, then I started getting this error when I restart the service:
>
> May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector line - ';template' expected [v8.24.0]
> May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file /etc/rsyslog.d/remotelog.conf, on or before line 54: errors occured in file '/etc/rsyslog.d/remotelog.conf' around line 54 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
> May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector line - ';template' expected [v8.24.0]
> May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file /etc/rsyslog.d/remotelog.conf, on or before line 55: errors occured in file '/etc/rsyslog.d/remotelog.conf' around line 55 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
>
> This is what I added in the .conf file:
> if $fromhost-ip == '10.XX.X' then /opt/apps/syslog/fw1-admin.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm-core.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm-dist.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-admin.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-comm-core.log stop
>
> But as soon as I remove the stop, it started the service without the error... 
> maybe my syntax is not correct?
> Thanks in advance for any help, really appreciated.
> Regards,
> Haary
>    On Thursday, May 3, 2018, 12:25:29 PM EDT, Haary rock via rsyslog 
><[email protected]> wrote: 
>
>  Thanks, I will try that for each entry...
> Regards,
> Harry
>     On Thursday, May 3, 2018, 10:36:07 AM EDT, Flo Rance 
> <[email protected]> wrote:  
> 
> You should give a condition, otherwise it will stop processing for all 
> messages.
>
> E.g. if $fromhost-ip contains '10..x.x.x' then stop
>
> On Thu, May 3, 2018 at 3:55 PM, Haary rock via rsyslog 
> <[email protected]> wrote:
>
>  Sorry, I am reposting since it mangled the text.
>
> The problem is if I use the &~ at the end of the line, it doesn't stop 
> sending the logs to /var/log/messages,
>
> but if I use the "stop" at the end of the file, it stops sending messages 
> to /var/log/messages completely.
>
> &~ used to work on the previous version of syslog, but it's not working on 
> rsyslogd 8.24.0 (RHEL 7.0).
> I have my .conf file here:
>
> #This will allow this server to log the remotely forwarded logs
> $FileCreateMode 0664
> $fileOwner xxxx
> $FileGroup xxx
> $dirOwner xxxx
> #
> $template FilenameTemplateOne,"/opt/apps/syslog/%HOSTNAME%.log"
> if $fromhost-ip startswith '192.168.' then -?FilenameTemplateOne
> #
> $template FilenameTemplateOne,"/opt/apps/syslog/%HOSTNAME%.log"
> if $fromhost-ip startswith '209.95.224.' then -?FilenameTemplateOne
> #
> if $fromhost-ip == '10.x.x.x' then /opt/apps/syslog/Fw1.log
> if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/fw2.log
> if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/mainsw1.log
> if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/secswitch.log
> stop
>
> &~ used to work on the previous version of syslog, but it's not working on 
> rsyslogd 8.24.0 (RHEL 7.0).
>
> It gives this warning when I restart the syslog:
> rsyslogd[25517]: warning: ~ action is deprecated, consider using the 'stop' statement instead
>
> Any help would be greatly appreciated.
> Thanks,
> Haary.
>    On Wednesday, May 2, 2018, 5:24:14 PM EDT, David Lang <[email protected]> wrote:
>
>  On Wed, 2 May 2018, Haary rock via rsyslog wrote:
>
>> #This will allow this server to log the remotely forwarded 
>> logs$FileCreateMode 0664$fileOwner netman$FileGroup cscworks$dirOwner 
>> netman#$template FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if 
>> $fromhost-ip startswith '192.x.' then -?FilenameTemplateOne#$ template 
>> FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if $fromhost-ip 
>> startswith 'x.x.x..' then -?FilenameTemplateOne#if $fromhost-ip == 
>> '10.x.x.1' then /opt/apps/syslog/Firewall1- admin.logif $fromhost-ip == 
>> '10.x.x.x' then /opt/apps/syslog/firewall- core.logif $fromhost-ip == 
>> '10.x.x.x' then /opt/apps/syslog/switch1.logif $fromhost-ip == '10.x.x.x' 
>> then /opt/apps/syslog/switch2- admin.log
>> there are few more similar entries from all the Ip's I wanted to create the 
>> logs ..
>> the problem is if I use the  &~ at the end of the line .. its doesn't stop 
>> sending the logs to /var/log/messages ..
>> but if I use the "stop" at the end of the file .. its stops sending messages 
>> to /var/log/messages completely .
>> &~ used to work on previous version of syslog ..but its not working on the 
>> rsyslogd 8.24.0 (RHEL 7.0)
>
> please retry your post, as you can see, it mangled the files you were posting
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
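
The multi-ruleset approach from the documentation Flo links, applied to this setup, as an added example that is not part of the thread and not the rsyslog project's own configuration: the UDP input is bound to its own ruleset, so remote messages are never evaluated against the local file selectors in the default ruleset. The sender addresses and the catch-all file name are constructed placeholders; the file paths, owner and group are taken from the posted config.

```conf
# Added example, not from the thread. 10.0.0.1 / 10.0.0.2 and
# unmatched-remote.log are constructed placeholders.
#
# This replaces the legacy "$ModLoad imudp" and "$UDPServerRun 514" lines in
# /etc/rsyslog.conf. Keep only one of the two forms, otherwise the module is
# loaded twice and the listener is configured twice.

module(load="imudp")

# Messages received on an input bound to this ruleset are evaluated only
# against the rules inside it. They never enter the default ruleset, so the
# /var/log/messages and /var/log/usercommands selectors cannot match them.
ruleset(name="remote") {
    if $fromhost-ip == '10.0.0.1' then {
        action(type="omfile" file="/opt/apps/syslog/fw1-admin.log"
               fileCreateMode="0664" fileOwner="netman" fileGroup="cscworks")
        stop    # finished with this message; skip the remaining rules
    }

    if $fromhost-ip == '10.0.0.2' then {
        action(type="omfile" file="/opt/apps/syslog/fw1-comm-core.log"
               fileCreateMode="0664" fileOwner="netman" fileGroup="cscworks")
        stop
    }

    # Catch-all: a sender that is not listed above is still recorded
    # instead of being dropped without a trace.
    action(type="omfile" file="/opt/apps/syslog/unmatched-remote.log"
           fileCreateMode="0664" fileOwner="netman" fileGroup="cscworks")
}

# Bind the listener to the ruleset defined above.
input(type="imudp" port="514" ruleset="remote")

# Check the syntax before restarting the service:
#   rsyslogd -N1
```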