Hi,

I've tested that part and it works perfectly on 8.38. But it was not
working until I changed the owner of the rsyslog directory to be
syslog:syslog.

template(name="dynaName" type="string"
string="/soft/rsyslog/%hostname%.log")

*.debug {
   action (
     type="omfile"
     name="debugActionName"
     template="dynaName"
     dynafile="dynaName"
   )
}

However, note that the template in action might not be desirable, otherwise
you'll get something like this:

sudo tail -f /home/rsyslog/myhost.log
/home/rsyslog/sc005827.myhost.log/home/rsyslog/myhost.log/home/rsyslog/myhost.log/home/rsyslog/myhost.log

On Tue, Oct 30, 2018 at 5:18 PM sophie.loewenthal--- via rsyslog <
[email protected]> wrote:

> Hi Flo,
> Yes it is:
>
> # rsyslog Templates
> template(name="ElasticSearchTemplate"
> type="list"
> option.json="on") {
> constant(value="{")
> constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> constant(value="\",\"message\":\"")     property(name="msg")
> constant(value="\",\"host\":\"")        property(name="hostname")
> constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> constant(value="\"}")
> }
>
>
>
> Best wishes,
> Sophie
> From: Flo Rance [mailto:[email protected]]
> Sent: Tuesday, October 30, 2018 5:16 PM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile
> and severity levels
>
> Hi,
>
> Is your template "ElasticSearchTemplate" defined somewhere?
>
> It's specified in action, but no definition is visible.
>
> Flo
>
> On Tue, Oct 30, 2018 at 4:22 PM sophie.loewenthal--- via rsyslog <
> [email protected]> wrote:
> Hi John,
>
> > You'll get the hang of it.  Enjoy.
> I don't think I'll get the hang of this.
>
> I tried with a copy and paste of your example & had nothing.   So I tried
> modifying this to be,
> # Default RuleSet
> *.info { action (type="omelasticsearch"
>          server="el7"
>          serverport="10514"
>          searchIndex="unix"
>          bulkmode="on"
>          template="ElasticSearchTemplate")
>         }
> *.info { action (type="omelasticsearch"
>          server="el8"
>          serverport="10514"
>          searchIndex="unix"
>          bulkmode="on"
>          template="ElasticSearchTemplate")
>         }
>
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
>
> *.debug {
>    action (
>      type="omfile"
>      name="debugActionName"
>      template="dynaName"
>      dynafile="dynaName"
>    )
> }
>
> *.warn {
>    action (
>      type="omfile"
>      name="infoActionName"
>      #template="templateName"
>      file="/soft/rsyslog/everything.warn.log"
>    )
> }
>
> And this wrote nothing to any file.
>
>
>
> > -----Original Message-----
> > From: rsyslog [mailto:[email protected]] On Behalf Of John Chivian
> > Sent: Tuesday, October 30, 2018 3:24 PM
> > To: sophie.loewenthal--- via rsyslog
> > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> > severity levels
> >
> > template(name="dynaName" type="string"
> > string="/soft/rsyslog/%hostname%.log")
> >
> > *.debug {
> >    action(
> >      type="omfile"
> >      name="debugActionName"
> >      template="templateName"
> >      dynafile="dynaName"
> >    )
> > }
> >
> > *.info {
> >    action(
> >      type="omfile"
> >      name="infoActionName"
> >      template="templateName"
> >      file="/soft/rsyslog/everything.warn.log"
> >    )
> > }
> >
> > You'll get the hang of it.  Enjoy.
> >
> >
> >
> > On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
> > > Hi,
> > >
> > > I'm trying to change the rsyslog server to the new format, and decided to use
> > > the config generator on the rsyslogd.com website.
> > >
> > > Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't see
> > > DynaFile available in the config generator.
> > > Also I had set up different severities to be sent to different files. Can this
> > > filtering be achieved with the new format?
> > > e.g.
> > > $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
> > > *.debug ?DynaFile
> > >
> > > Also I had set up this but cannot see how to do this with the new format. I tried
> > > with omfile, but this did not work.  What is the recommended way?
> > > *.info /soft/rsyslog/everything.warn.log
> > > *.debug /soft/rsyslog/everything.all.log
> > >
> > > Lastly, I don't think the bulk method for elasticsearch is correctly set:
> > >      bulkmode="1"
> > > Because of the message:   "error during parsing file /etc/rsyslog.conf, on or
> > > before line 41: parameter 'bulkmode' must be "on" or "off" but is neither.
> > > Results unpredictable."
> > > Setting this to bulkmode="on" silenced the error message, but I don't know if
> > > this is correct.
> > >
> > > My rsyslog version: # rsyslogd -v
> > > rsyslogd 8.24.0/ x86_64-redhat-linux-gnu
> > >
> > > Help, like usual, greatly appreciated.
> > >
> > > Best wishes,
> > > Sophie
> > >
> > >
> > > -------------------------------------------------------
> > > # This configuration has been generated by using the
> > > # rsyslog Configuration Builder which can be found at:
> > > # http://www.rsyslog.com/rsyslog-configuration-builder/
> > > #
> > > # Default Settings
> > >
> > > # Load Modules
> > > module(load="imtcp")
> > > module(load="imudp")
> > > module(load="omelasticsearch")
> > > module(load="imuxsock")
> > >
> > > # rsyslog Templates
> > > template(name="ElasticSearchTemplate"
> > > type="list"
> > > option.json="on") {
> > > constant(value="{")
> > >   constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> > >   constant(value="\",\"message\":\"")     property(name="msg")
> > >   constant(value="\",\"host\":\"")        property(name="hostname")
> > >   constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> > >   constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> > >   constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> > > constant(value="\"}")
> > > }
> > > template(name="ElasticSearchTemplate"
> > > type="list"
> > > option.json="on") {
> > > constant(value="{")
> > >   constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> > >   constant(value="\",\"message\":\"")     property(name="msg")
> > >   constant(value="\",\"host\":\"")        property(name="hostname")
> > >   constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> > >   constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> > >   constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> > > constant(value="\"}")
> > > }
> > >
> > > # rsyslog Input Modules
> > > input(type="imtcp"
> > >      port="")
> > > input(type="imudp"
> > >      port="")
> > >
> > > # rsyslog RuleSets
> > > # Default RuleSet
> > > action(type="omelasticsearch"
> > >      server="el8 "
> > >      serverport="10514"
> > >      searchIndex="unix"
> > >      bulkmode="1"
> > >      template="ElasticSearchTemplate")
> > > action(type="omelasticsearch"
> > >      server="el7 "
> > >      serverport="10514"
> > >      searchIndex="unix"
> > >      bulkmode="1"
> > >      template="ElasticSearchTemplate")
> > > action(type="omfile"
> > >      File="/soft/rsyslog/%HOSTNAME%.log"
> > >      template="RSYSLOG_ForwardFormat")
> > >
> > > # This configuration was generated on '2018-10-30 10:52:54'
> > >
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
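The per-host file and severity split discussed in this thread, written as one configuration. This is an added example, not taken from any of the messages: it keeps the file-name template (dynaFile=) separate from the line-format template (template=), which avoids the repeated-path output shown at the top, and neutralises slashes in the sender-supplied hostname before it becomes part of a path. The names perHostFile, perHostAction and warnAction, the syslog user and group, and the modes are assumptions.

```rsyslog
# Added example (not from the thread). Assumes rsyslogd runs as syslog:syslog
# and that /soft/rsyslog is the log directory used in the messages above.

# File-name template, used only for dynaFile=. secpath-replace turns any "/"
# in the hostname field into "_", so a name received over imtcp/imudp
# cannot add path components below /soft/rsyslog.
template(name="perHostFile" type="string"
         string="/soft/rsyslog/%hostname:::secpath-replace%.log")

# debug and above: one file per sending host.
# dynaFile= names the template that yields the file NAME;
# template= names the template that formats each LINE written to it.
*.debug {
    action(
        type="omfile"
        name="perHostAction"
        dynaFile="perHostFile"
        template="RSYSLOG_FileFormat"
        fileOwner="syslog"  fileGroup="syslog"
        dirOwner="syslog"   dirGroup="syslog"
        fileCreateMode="0640"
        dirCreateMode="0750"
        createDirs="on"
    )
}

# warning and above: one fixed file.
*.warning {
    action(
        type="omfile"
        name="warnAction"
        file="/soft/rsyslog/everything.warn.log"
        template="RSYSLOG_FileFormat"
        fileOwner="syslog"  fileGroup="syslog"
        fileCreateMode="0640"
    )
}
```

`rsyslogd -N1` checks the syntax before a restart. The existing /soft/rsyslog directory must already be writable by that user, which is the ownership change described at the top of the thread.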