Thanks for all the help, I have got it working perfectly.

On Fri, Sep 7, 2018 at 2:10 PM David Lang <da...@lang.hm> wrote:

> you need to setup a template and use dynafile, not file
>
> David Lang
>
> On Fri, 7 Sep 2018, Adam Barnett via rsyslog wrote:
>
> > Date: Fri, 7 Sep 2018 11:45:40 +0100
> > From: Adam Barnett via rsyslog <rsyslog@lists.adiscon.com>
> > To: rgerha...@hq.adiscon.com
> > Cc: Adam Barnett <adambarnet...@gmail.com>, rsyslog@lists.adiscon.com
> > Subject: Re: [rsyslog] filter rules
> >
> > Yeah, I only got those two lines as output ....strange, I will make a bug
> > report
> >
> > I've got another question ( sorry )
> > In the ruleset, I have %HOSTNAME% and %NOW% which are not being honoured,
> > is the syntax wrong?
> > I just end up with a directory called %HOSTNAME% and not the hostname of
> > the sender
> >
> > Thanks
> > Adam
> >
> > On Fri, Sep 7, 2018 at 11:43 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
> >
> >> On Fri, 7 Sep 2018 at 12:40, Adam Barnett
> >> (<adambarnet...@gmail.com>) wrote:
> >> >
> >> > Doh, thanks for that, did not spot my typo
> >> > The file now passes the checks :)
> >>
> >> ... but no error message on the module name? That would be a bug ...
> >> because such typos are very hard to spot ;-)
> >>
> >> Rainer
> >> >
> >> >
> >> > On Fri, Sep 7, 2018 at 11:32 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
> >> >>
> >> >> you should get a message that module impudp does not exist. Strange
> >> >> this doesn't happen. But that's the root problem.
> >> >>
> >> >> Rainer
> >> >> On Fri, 7 Sep 2018 at 12:26, Adam Barnett via rsyslog
> >> >> (<rsyslog@lists.adiscon.com>) wrote:
> >> >> >
> >> >> > So I looked at the docs, I think migrating over to the new style is a good
> >> >> > idea, I did the following
> >> >> >
> >> >> > $ModLoad imtcp
> >> >> > $ModLoad imudp
> >> >> > $ModLoad omruleset
> >> >> >
> >> >> > # Server ruleset
> >> >> > ruleset(name="server514"){
> >> >> >     action(type="omfile"
> >> >> > file="/user_data3/SITE/syslog/server/%HOSTNAME%/%$NOW%-syslog.log")
> >> >> > }
> >> >> >
> >> >> > input(type="impudp" port="514" ruleset="server514")
> >> >> > ~
> >> >> >
> >> >> > But I am getting some errors with syntax checking the file
> >> >> >
> >> >> > rsyslogd: error during parsing file /etc/rsyslog.d/98.conf, on or before line 15: parameter 'ruleset' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
> >> >> > rsyslogd: error during parsing file /etc/rsyslog.d/98.conf, on or before line 15: parameter 'port' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
> >> >> >
> >> >> > Have I done something wrong?
> >> >> >
> >> >> >
> >> >> > On Thu, Sep 6, 2018 at 7:41 PM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
> >> >> >
> >> >> > > David Lang <da...@lang.hm> wrote on Thu, 6 Sep 2018, 20:38:
> >> >> > >
> >> >> > > > but nothing resets the ruleset after that point, so everything after the
> >> >> > > > 'include' would be part of the server ruleset, right?
> >> >> > > >
> >> >> > >
> >> >> > > Yes (of course, lol)
> >> >> > >
> >> >> > >
> >> >> > > > (another reason to use the current syntax)
> >> >> > > >
> >> >> > >
> >> >> > > Actually this was one of the two use cases that finally convinced me that
> >> >> > > we need a different format. I admit I usually do not get this obsolete
> >> >> > > format ruleset binding right. ;-)
> >> >> > >
> >> >> > > Rainer
> >> >> > >
> >> >> > >
> >> >> > > > David Lang
> >> >> > > >
> >> >> > > > On Thu, 6 Sep 2018, Rainer Gerhards wrote:
> >> >> > > >
> >> >> > > > > Date: Thu, 6 Sep 2018 20:33:50 +0200
> >> >> > > > > From: Rainer Gerhards <rgerha...@hq.adiscon.com>
> >> >> > > > > Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> >> >> > > > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> >> >> > > > > Subject: Re: [rsyslog] filter rules
> >> >> > > > >
> >> >> > > > > If I see correctly, the inputs are bound to ruleset server, which seems to
> >> >> > > > > be in 98-...
> >> >> > > > >
> >> >> > > > > So the other rules are not hit.
> >> >> > > > >
> >> >> > > > > Side note: current config format would greatly enhance readability and
> >> >> > > > > reduce error probability.
> >> >> > > > >
> >> >> > > > > Rainer
> >> >> > > > >
> >> >> > > > > Sent from phone, thus brief.
> >> >> > > > >
> >> >> > > > > David Lang <da...@lang.hm> wrote on Thu, 6 Sep 2018, 20:23:
> >> >> > > > >
> >> >> > > > >> First off, different files don't isolate processing, the include makes it as if
> >> >> > > > >> you did a cut-n-paste of the contents of the file into the main rsyslog.conf
> >> >> > > > >> file at that point, so all logs are going to hit all rules in all include files
> >> >> > > > >>
> >> >> > > > >> when you have bad messages, log them to a file with the template
> >> >> > > > >> RSYSLOG_DebugFormat, that will provide a lot of information to help us figure
> >> >> > > > >> out how to deal with the bad messages.
> >> >> > > > >>
> >> >> > > > >> David Lang
> >> >> > > > >>
> >> >> > > > >> On Thu, 6 Sep 2018, Adam Barnett via rsyslog wrote:
> >> >> > > > >>
> >> >> > > > >>> Date: Thu, 6 Sep 2018 15:58:09 +0100
> >> >> > > > >>> From: Adam Barnett via rsyslog <rsyslog@lists.adiscon.com>
> >> >> > > > >>> To: rsyslog@lists.adiscon.com
> >> >> > > > >>> Cc: Adam Barnett <adambarnet...@gmail.com>
> >> >> > > > >>> Subject: [rsyslog] filter rules
> >> >> > > > >>>
> >> >> > > > >>> Hi All
> >> >> > > > >>>
> >> >> > > > >>> I am having an issue with Rsyslog and it's driving me up the wall.
> >> >> > > > >>> I have a few hosts that don't send logging that is correctly formatted ( it
> >> >> > > > >>> changes depending on the error they generate , sigh )
> >> >> > > > >>>
> >> >> > > > >>> I have the following config
> >> >> > > > >>>
> >> >> > > > >>> /etc/rsyslog.conf:
> >> >> > > > >>> $MaxMessageSize 32k
> >> >> > > > >>>
> >> >> > > > >>> $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
> >> >> > > > >>> $ModLoad imjournal      # provides access to the systemd journal
> >> >> > > > >>> $WorkDirectory /var/lib/rsyslog
> >> >> > > > >>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >> >> > > > >>> $OmitLocalLogging on
> >> >> > > > >>> $IMJournalStateFile imjournal.state
> >> >> > > > >>> $IncludeConfig /etc/rsyslog.d/*.conf
> >> >> > > > >>>
> >> >> > > > >>> /etc/rsyslog.d/1-rules.conf:
> >> >> > > > >>>
> >> >> > > > >>> $ModLoad imtcp
> >> >> > > > >>> $ModLoad imudp
> >> >> > > > >>>
> >> >> > > > >>> if $fromhost-ip  == 'XXXXXX' then {
> >> >> > > > >>>    action(type="omfile" file="/var/log/host1/test.log")
> >> >> > > > >>> }
> >> >> > > > >>>
> >> >> > > > >>> /etc/rsyslog.d/98-rules.conf:
> >> >> > > > >>> $ModLoad imtcp
> >> >> > > > >>> $ModLoad imudp
> >> >> > > > >>>
> >> >> > > > >>> # Server logs
> >> >> > > > >>> $template Server,"/user_data3//syslog/server/%HOSTNAME%/%$NOW%-syslog.log"
> >> >> > > > >>> $RuleSet server
> >> >> > > > >>> *.* ?Server
> >> >> > > > >>>
> >> >> > > > >>> $InputTCPServerBindRuleset server
> >> >> > > > >>> $InputUDPServerBindRuleset server
> >> >> > > > >>> $UDPServerRun 514
> >> >> > > > >>> $InputTCPServerRun 5514
> >> >> > > > >>>
> >> >> > > > >>>
> >> >> > > > >>> On my test host I send the following
> >> >> > > > >>>
> >> >> > > > >>> echo -n " test12434 sdcsd sdcvdscds sdfds  " | nc -4u -w1 syslogserver 514
> >> >> > > > >>>
> >> >> > > > >>> but no matter what I do the messages always go to
> >> >> > > > >>> /user_data3//syslog/server/%HOSTNAME%/%$NOW%-syslog.log, seems like it is
> >> >> > > > >>> hitting 98-rules.conf
> >> >> > > > >>>
> >> >> > > > >>> Any suggestions?
> >> >> > > > >>>
> >> >> > > > >>> Thanks
> >> >> > > > >>>
> >> >> > > > >>>
> >> >> > > > >> _______________________________________________
> >> >> > > > >> rsyslog mailing list
> >> >> > > > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> >> > > > >> http://www.rsyslog.com/professional-services/
> >> >> > > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> >> > > > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> >> > > > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> >> > > > >> DON'T LIKE THAT.
> >> >> > > > >>
> >> >> > >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Adam Barnett
> >> >
> >> >
> >> >
> >> > --
> >> > Adam Barnett
> >>
> >
> >
> > --
> > Adam Barnett



-- 
Adam Barnett
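
Editor's added example, not part of any message in this thread: a current-syntax rsyslog configuration that combines the three fixes discussed above (module name imudp, a named template used through dynaFile, and the per-host filter placed inside the ruleset the inputs are bound to). The template name "ServerFile", the address 192.0.2.10 and the secpath-replace option are assumptions added for illustration; paths and ports are the ones quoted in the thread.

```conf
# /etc/rsyslog.d/98-rules.conf (illustrative, constructed for this page)
module(load="imudp")
module(load="imtcp")

# A named template is expanded per message. %HOSTNAME% is taken from the
# message content, so it is sender-controlled; secpath-replace rewrites any
# "/" in it to "_" so the value cannot change the directory depth.
template(name="ServerFile" type="string"
         string="/user_data3/SITE/syslog/server/%HOSTNAME:::secpath-replace%/%$NOW%-syslog.log")

ruleset(name="server514") {
    # Messages from inputs bound to this ruleset never reach rules in the
    # default ruleset, so the per-host filter has to live here.
    # 192.0.2.10 is a placeholder for the address elided as XXXXXX above.
    if $fromhost-ip == '192.0.2.10' then {
        action(type="omfile" file="/var/log/host1/test.log")
        stop
    }

    # file= is a literal path (hence a directory literally named %HOSTNAME%);
    # dynaFile= takes the NAME of a template and expands it for each message.
    action(type="omfile" dynaFile="ServerFile")
}

# The module is imudp; "impudp" leaves port= and ruleset= unrecognised.
input(type="imudp" port="514"  ruleset="server514")
input(type="imtcp" port="5514" ruleset="server514")
```

Running rsyslogd -N1 checks the configuration without starting the daemon.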