Thanks for all the help, I have got it working perfectly.

On Fri, Sep 7, 2018 at 2:10 PM David Lang <da...@lang.hm> wrote:
> you need to set up a template and use dynafile, not file
>
> David Lang
>
> On Fri, 7 Sep 2018, Adam Barnett via rsyslog wrote:
>
> > Date: Fri, 7 Sep 2018 11:45:40 +0100
> > From: Adam Barnett via rsyslog <rsyslog@lists.adiscon.com>
> > To: rgerha...@hq.adiscon.com
> > Cc: Adam Barnett <adambarnet...@gmail.com>, rsyslog@lists.adiscon.com
> > Subject: Re: [rsyslog] filter rules
> >
> > Yeh, I only got those two lines as output ....strange, I will make a bug
> > report
> >
> > I've got another question ( sorry )
> > In the ruleset, I have %HOSTNAME% and %NOW% which are not being honoured,
> > is the syntax wrong?
> > I just end up with a directory called %HOSTNAME% and not the hostname of
> > the sender
> >
> > Thanks
> > Adam
> >
> > On Fri, Sep 7, 2018 at 11:43 AM Rainer Gerhards <rgerha...@hq.adiscon.com>
> > wrote:
> >
> >> On Fri, Sep 7, 2018 at 12:40, Adam Barnett
> >> (<adambarnet...@gmail.com>) wrote:
> >> >
> >> > Doh, thanks for that, did not spot my typo
> >> > The file now passes the checks :)
> >>
> >> ... but no error message on the module name? That would be a bug ...
> >> because such typos are very hard to spot ;-)
> >>
> >> Rainer
> >>
> >> >
> >> > On Fri, Sep 7, 2018 at 11:32 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
> >> >>
> >> >> you should get a message that module impudp does not exist. Strange
> >> >> this doesn't happen. But that's the root problem.
> >> >>
> >> >> Rainer
> >> >>
> >> >> On Fri, Sep 7, 2018 at 12:26, Adam Barnett via rsyslog
> >> >> (<rsyslog@lists.adiscon.com>) wrote:
> >> >> >
> >> >> > so I looked at the docs, I think migrating over to the new style is a good
> >> >> > idea, I did the following
> >> >> >
> >> >> > $ModLoad imtcp
> >> >> > $ModLoad imudp
> >> >> > $ModLoad omruleset
> >> >> >
> >> >> > # Server ruleset
> >> >> > ruleset(name="server514"){
> >> >> >     action(type="omfile"
> >> >> >            file="/user_data3/SITE/syslog/server/%HOSTNAME%/%$NOW%-syslog.log")
> >> >> > }
> >> >> >
> >> >> > input(type="impudp" port="514" ruleset="server514")
> >> >> > ~
> >> >> >
> >> >> > But I am getting some errors with syntax checking the file
> >> >> >
> >> >> > rsyslogd: error during parsing file /etc/rsyslog.d/98.conf, on or before line 15: parameter 'ruleset' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
> >> >> > rsyslogd: error during parsing file /etc/rsyslog.d/98.conf, on or before line 15: parameter 'port' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
> >> >> >
> >> >> > Have I done something wrong?
> >> >> >
> >> >> >
> >> >> > On Thu, Sep 6, 2018 at 7:41 PM Rainer Gerhards <rgerha...@hq.adiscon.com>
> >> >> > wrote:
> >> >> >
> >> >> > > David Lang <da...@lang.hm> wrote on Thu, Sep 6, 2018, 20:38:
> >> >> > >
> >> >> > > > but nothing resets the ruleset after that point, so everything after the
> >> >> > > > 'include' would be part of the server ruleset, right?
> >> >> > > >
> >> >> > >
> >> >> > > Yes (of course, lol)
> >> >> > >
> >> >> > >
> >> >> > > > (another reason to use the current syntax)
> >> >> > > >
> >> >> > >
> >> >> > > Actually this was one of the two use cases that finally convinced me that
> >> >> > > we need a different format. I admit I usually do not get this obsolete
> >> >> > > format ruleset binding right. ;-)
> >> >> > >
> >> >> > > Rainer
> >> >> > >
> >> >> > >
> >> >> > > > David Lang
> >> >> > > >
> >> >> > > > On Thu, 6 Sep 2018, Rainer Gerhards wrote:
> >> >> > > >
> >> >> > > > > Date: Thu, 6 Sep 2018 20:33:50 +0200
> >> >> > > > > From: Rainer Gerhards <rgerha...@hq.adiscon.com>
> >> >> > > > > Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> >> >> > > > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> >> >> > > > > Subject: Re: [rsyslog] filter rules
> >> >> > > > >
> >> >> > > > > If I see correctly, the inputs are bound to ruleset server, which seems to
> >> >> > > > > be in 98-...
> >> >> > > > >
> >> >> > > > > So the other rules are not hit.
> >> >> > > > >
> >> >> > > > > Side note: current config format would greatly enhance readability and
> >> >> > > > > reduce error probability.
> >> >> > > > >
> >> >> > > > > Rainer
> >> >> > > > >
> >> >> > > > > Sent from phone, thus brief.
> >> >> > > > >
> >> >> > > > > David Lang <da...@lang.hm> wrote on Thu, Sep 6, 2018, 20:23:
> >> >> > > > >
> >> >> > > > >> First off, different files don't isolate processing, the include makes it
> >> >> > > > >> as if you did a cut-n-paste of the contents of the file into the main
> >> >> > > > >> rsyslog.conf file at that point, so all logs are going to hit all rules in
> >> >> > > > >> all include files
> >> >> > > > >>
> >> >> > > > >> when you have bad messages, log them to a file with the template
> >> >> > > > >> RSYSLOG_DebugFormat, that will provide a lot of information to help us
> >> >> > > > >> figure out how to deal with the bad messages.
> >> >> > > > >>
> >> >> > > > >> David Lang
> >> >> > > > >>
> >> >> > > > >> On Thu, 6 Sep 2018, Adam Barnett via rsyslog wrote:
> >> >> > > > >>
> >> >> > > > >>> Date: Thu, 6 Sep 2018 15:58:09 +0100
> >> >> > > > >>> From: Adam Barnett via rsyslog <rsyslog@lists.adiscon.com>
> >> >> > > > >>> To: rsyslog@lists.adiscon.com
> >> >> > > > >>> Cc: Adam Barnett <adambarnet...@gmail.com>
> >> >> > > > >>> Subject: [rsyslog] filter rules
> >> >> > > > >>>
> >> >> > > > >>> Hi All
> >> >> > > > >>>
> >> >> > > > >>> I am having an issue with Rsyslog and it is driving me up the wall.
> >> >> > > > >>> I have a few hosts that don't send logging that is correctly formatted ( it
> >> >> > > > >>> changes depending on the error they generate , sigh )
> >> >> > > > >>>
> >> >> > > > >>> I have the following config
> >> >> > > > >>>
> >> >> > > > >>> /etc/rsyslog.conf:
> >> >> > > > >>> $MaxMessageSize 32k
> >> >> > > > >>>
> >> >> > > > >>> $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
> >> >> > > > >>> $ModLoad imjournal # provides access to the systemd journal
> >> >> > > > >>> $WorkDirectory /var/lib/rsyslog
> >> >> > > > >>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >> >> > > > >>> $OmitLocalLogging on
> >> >> > > > >>> $IMJournalStateFile imjournal.state
> >> >> > > > >>> $IncludeConfig /etc/rsyslog.d/*.conf
> >> >> > > > >>>
> >> >> > > > >>> /etc/rsyslog.d/1-rules.conf:
> >> >> > > > >>>
> >> >> > > > >>> $ModLoad imtcp
> >> >> > > > >>> $ModLoad imudp
> >> >> > > > >>>
> >> >> > > > >>> if $fromhost-ip == 'XXXXXX' then {
> >> >> > > > >>>     action(type="omfile" file="/var/log/host1/test.log")
> >> >> > > > >>> }
> >> >> > > > >>>
> >> >> > > > >>> /etc/rsyslog.d/98-rules.conf:
> >> >> > > > >>> $ModLoad imtcp
> >> >> > > > >>> $ModLoad imudp
> >> >> > > > >>>
> >> >> > > > >>> # Server logs
> >> >> > > > >>> $template Server,"/user_data3//syslog/server/%HOSTNAME%/%$NOW%-syslog.log"
> >> >> > > > >>> $RuleSet server
> >> >> > > > >>> *.* ?Server
> >> >> > > > >>>
> >> >> > > > >>> $InputTCPServerBindRuleset server
> >> >> > > > >>> $InputUDPServerBindRuleset server
> >> >> > > > >>> $UDPServerRun 514
> >> >> > > > >>> $InputTCPServerRun 5514
> >> >> > > > >>>
> >> >> > > > >>>
> >> >> > > > >>> On my test host I send the following
> >> >> > > > >>>
> >> >> > > > >>> echo -n " test12434 sdcsd sdcvdscds sdfds " | nc -4u -w1 syslogserver 514
> >> >> > > > >>>
> >> >> > > > >>> but no matter what I do the messages always go to
> >> >> > > > >>> /user_data3//syslog/server/%HOSTNAME%/%$NOW%-syslog.log", seems like it is
> >> >> > > > >>> hitting 98-rules.conf
> >> >> > > > >>>
> >> >> > > > >>> any suggestions
> >> >> > > > >>>
> >> >> > > > >>> Thanks
> >> >> > > > >>>
> >> >> > > > >> _______________________________________________
> >> >> > > > >> rsyslog mailing list
> >> >> > > > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> >> > > > >> http://www.rsyslog.com/professional-services/
> >> >> > > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> >> > > > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> >> > > > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> >> > > > >> DON'T LIKE THAT.
> >> >> >
> >> >> > --
> >> >> > Adam Barnett
> >> >
> >> > --
> >> > Adam Barnett
> >
> > --
> > Adam Barnett

--
Adam Barnett
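
The fix David Lang describes in this thread (a template plus dynafile instead of file), written out as an added example that is not part of any poster's message. The template name `ServerPerHost` is an assumption; the paths, ports and ruleset name are the ones from Adam's posts, and the `secpath-replace` option is added here so that a sender-supplied hostname containing a slash cannot change the directory the file is written to.

```conf
# /etc/rsyslog.d/98.conf -- added example, current (RainerScript) syntax.
# Load each input module once across rsyslog.conf and every included file.
module(load="imudp")
module(load="imtcp")

# "file=" takes a literal path, which is why Adam ended up with a directory
# literally named %HOSTNAME%. Property placeholders are only expanded inside
# a template, and omfile only evaluates a template per message via dynaFile=.
#
# HOSTNAME comes from the message itself, so the sender controls it.
# secpath-replace turns any "/" in the value into "_" before it is used
# as a path component.
template(name="ServerPerHost" type="string"
         string="/user_data3/SITE/syslog/server/%HOSTNAME:::secpath-replace%/%$NOW%-syslog.log")

# Only inputs explicitly bound to this ruleset are processed by it.
# Everything else stays in the default ruleset, so the per-host filter in
# 1-rules.conf is no longer affected by what this file does.
ruleset(name="server514") {
    action(type="omfile" dynaFile="ServerPerHost")
}

# type= must name a loaded module exactly: "imudp", not "impudp".
# With the misspelled type, the module-specific parameters (port, ruleset)
# were reported as unknown instead of the module name itself.
input(type="imudp" port="514"  ruleset="server514")
input(type="imtcp" port="5514" ruleset="server514")
```

Running `rsyslogd -N1` after editing checks the configuration without starting the daemon.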