Hi,

I fixed the /soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log by removing the 
template. I don’t think I need a template for admins to read the syslog 
messages.

The queue message is strange, because this parameter is specified on the 
rsyslog website:
https://www.rsyslog.com/tag/queues/

The action suspended messages tell me little other than something has blocked 
something, but I'm unsure what.

# /usr/sbin/rsyslogd -d -n -f rsyslog.conf
9284.058189344:main Q:Reg/w0  : executing action 0
9284.058193628:main Q:Reg/w0  : action 'action 0': called, logging to omelasticsearch (susp 0/0, direct q 1)
9284.058210131:main Q:Reg/w0  : action 'action 0': is transactional - executing in commit phase
9284.058215928:main Q:Reg/w0  : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 0
9284.058296151:main Q:Reg/w0  : wti 0x55a7b4c455c0: created action worker instance 1 for action 0
9284.058301257:main Q:Reg/w0  : Action 0 transitioned to state: itx
9284.058305212:main Q:Reg/w0  : action 'action 0': set suspended state to 0
9284.058308849:main Q:Reg/w0  :     PRIFILT '*.info'
9284.058315576:main Q:Reg/w0  :     pmask: 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 
9284.058365958:main Q:Reg/w0  : PRIFILT condition result is 1
9284.058369166:main Q:Reg/w0  :     ACTION 1 [omelasticsearch:action(type="omelasticsearch" ...)]
9284.058376191:main Q:Reg/w0  : executing action 1
9284.058380045:main Q:Reg/w0  : action 'action 1': called, logging to omelasticsearch (susp 0/0, direct q 1)
9284.058387080:main Q:Reg/w0  : action 'action 1': is transactional - executing in commit phase
9284.058390875:main Q:Reg/w0  : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 1
9284.058447349:main Q:Reg/w0  : wti 0x55a7b4c455c0: created action worker instance 1 for action 1
9284.058451628:main Q:Reg/w0  : Action 1 transitioned to state: itx
9284.058455063:main Q:Reg/w0  : action 'action 1': set suspended state to 0
9284.058458487:main Q:Reg/w0  :     ACTION 2 [builtin:omfile:action(type="builtin:omfile" ...)]
9284.058465640:main Q:Reg/w0  : executing action 2
9284.058469343:main Q:Reg/w0  : action 'debugActionName': called, logging to builtin:omfile (susp 0/0, direct q 1)
9284.058474010:main Q:Reg/w0  : action 'debugActionName': is transactional - executing in commit phase
9284.058477578:main Q:Reg/w0  : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 2
9284.058481584:main Q:Reg/w0  : wti 0x55a7b4c455c0: created action worker instance 1 for action 2
9284.058485138:main Q:Reg/w0  : Action 2 transitioned to state: itx
9284.058488730:main Q:Reg/w0  : action 'debugActionName': set suspended state to 0
9284.058492085:main Q:Reg/w0  :     PRIFILT '*.warn'
9284.058498603:main Q:Reg/w0  :     pmask: 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 
9284.058548638:main Q:Reg/w0  : PRIFILT condition result is 1
9284.058551882:main Q:Reg/w0  :     ACTION 3 [builtin:omfile:action(type="builtin:omfile" ...)]
9284.058558715:main Q:Reg/w0  : executing action 3
9284.058562538:main Q:Reg/w0  : action 'infoActionName': called, logging to builtin:omfile (susp 0/0, direct q 1)
9284.058566508:main Q:Reg/w0  : action 'infoActionName': is transactional - executing in commit phase
9284.058570136:main Q:Reg/w0  : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 3
9284.058573779:main Q:Reg/w0  : wti 0x55a7b4c455c0: created action worker instance 1 for action 3
9284.058577339:main Q:Reg/w0  : Action 3 transitioned to state: itx
9284.058580739:main Q:Reg/w0  : action 'infoActionName': set suspended state to 0
9284.058584539:main Q:Reg/w0  : END batch execution phase, entering to commit phase [processed 1 of 1 messages]
9284.058588492:main Q:Reg/w0  : actionCommitAllDirect: action 0, state 1, nbr to commit 1 isTransactional 1
9284.058592392:main Q:Reg/w0  : doTransaction: action 0, currIParam 1
9284.058596085:main Q:Reg/w0  : entering actionCalldoAction(), state: itx, actionNbr 0
9284.058601779:main Q:Reg/w0  : omelasticsearch: submitBatch, batch: '{"index":{"_index": "unix","_type":"events"}}
{"timestamp":"2018-10-31T10:48:04.055039+01:00","message":" error during config processing: parameter 'queue.debatchsize' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]","host":"be-s3006-msl","severity":"err","facility":"syslog","syslogtag":"rsyslogd:"}


My rsyslog.conf has : 

module(load="imtcp" MaxSessions="5000")
module(load="imudp")
module(load="omelasticsearch")
module(load="imuxsock")
 $CreateDirs on
 $fileOwner root
 $fileGroup uxadmin
 $omfileForceChown on 
main_queue(
        queue.size="1000000"
        queue.debatchsize="1000"
        queue.workerthreads="2")
module(
 load="impstats"
 interval="10"
 log.file="/soft/rsyslog/stats"
 log.syslog="off"
 )
input(type="imtcp" port="514")
input(type="imudp" port="514")
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
 constant(value="\"timestamp\":\"")      property(name="timereported" 
dateFormat="rfc3339")
 constant(value="\",\"message\":\"")     property(name="msg")
 constant(value="\",\"host\":\"")        property(name="hostname")
 constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
 constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
 constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
constant(value="\"}")
}
*.info { action (type="omelasticsearch" 
         server="el8"
         serverport="10514"
         searchIndex="unix"
         bulkmode="on"
         template="ElasticSearchTemplate")
        }
*.info { action (type="omelasticsearch" 
         server="el7"
         serverport="10514"
         searchIndex="unix"
         bulkmode="on"
         template="ElasticSearchTemplate")
        }
*.debug {
   action(
     type="omfile"
     name="debugActionName"
     dynafile="dynaName"
     file="/soft/rsyslog/%hostname%.log"
   )
}
*.warn {
   action(
     type="omfile"
     name="infoActionName"
     #template="templateName"
     file="/soft/rsyslog/everything.warn.log"
   )
}

Best wishes,
Sophie
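
Added example, not part of the thread and not rsyslog's own code: a small Python linter for the three configuration mistakes that come up in these messages (the rejected `queue.debatchsize` parameter, an omfile action whose `template=` reuses the `dynafile=` filename template, and `bulkmode="1"`). The parameter list is a subset of the documented queue.* names, the function and check names are invented here, and the sample configuration is constructed from the snippets in the messages.

```python
import difflib
import re

# Subset of queue.* parameters from the rsyslog queue documentation,
# lowercased (rsyslog matches parameter names case-insensitively).
KNOWN_QUEUE_PARAMS = sorted({
    "queue.type", "queue.size", "queue.filename", "queue.spooldirectory",
    "queue.dequeuebatchsize", "queue.workerthreads", "queue.maxdiskspace",
    "queue.maxfilesize", "queue.highwatermark", "queue.lowwatermark",
    "queue.discardmark", "queue.discardseverity", "queue.saveonshutdown",
    "queue.checkpointinterval", "queue.timeoutenqueue", "queue.timeoutshutdown",
})
BLOCK_RE = re.compile(r'\b(main_queue|action)\s*\((.*?)\)', re.S | re.I)
PARAM_RE = re.compile(r'([A-Za-z][\w.]*)\s*=\s*"([^"]*)"')

def lint(conf):
    """Return (check, subject, detail) tuples for the thread's three mistakes."""
    findings = []
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)   # drop whole-line comments
    for kind, body in BLOCK_RE.findall(conf):
        p = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        for name in p:
            if name.startswith("queue.") and name not in KNOWN_QUEUE_PARAMS:
                near = difflib.get_close_matches(name, KNOWN_QUEUE_PARAMS, n=1)
                findings.append(("unknown-queue-param", name, near[0] if near else None))
        if kind.lower() != "action":
            continue
        # Reusing the filename template as the message template writes the path into the file.
        if p.get("type") == "omfile" and "dynafile" in p and p.get("template") == p["dynafile"]:
            findings.append(("template-is-dynafile", p.get("name"), p["dynafile"]))
        if p.get("type") == "omelasticsearch" and p.get("bulkmode", "off") not in ("on", "off"):
            findings.append(("bulkmode-not-on-off", p.get("server"), p["bulkmode"]))
    return findings

# Constructed sample combining the three misconfigurations seen in the thread.
SAMPLE = '''
main_queue(
        queue.size="1000000"
        queue.debatchsize="1000"
        queue.workerthreads="2")
*.debug { action(type="omfile" name="debugActionName"
                 template="dynaName" dynafile="dynaName") }
*.info { action(type="omelasticsearch" server="el8" serverport="10514"
                searchIndex="unix" bulkmode="1" template="ElasticSearchTemplate") }
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

`rsyslogd -N1 -f rsyslog.conf` remains the authoritative configuration check; the linter only puts the closest documented name next to the one that was rejected.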




--------------------------------------------------------------
From: Flo Rance [mailto:[email protected]] 
Sent: Wednesday, October 31, 2018 9:52 AM
To: rsyslog-users
Cc: LOEWENTHAL Sophie
Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and 
severity levels

Hi,

I've tested that part and it works perfectly on 8.38. But it was not working 
until I changed the owner of the rsyslog directory to be syslog:syslog.

template(name="dynaName" type="string" string="/soft/rsyslog/%hostname%.log")

*.debug {
   action (
     type="omfile"
     name="debugActionName"
     template="dynaName"
     dynafile="dynaName"
   )
}

However, note that the template in action might not be desirable, otherwise 
you'll get something like this:

sudo tail -f /home/rsyslog/myhost.log
/home/rsyslog/sc005827.myhost.log/home/rsyslog/myhost.log/home/rsyslog/myhost.log/home/rsyslog/myhost.log

On Tue, Oct 30, 2018 at 5:18 PM sophie.loewenthal--- via rsyslog 
<[email protected]> wrote:
Hi Flo,
Yes it is:

# rsyslog Templates
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"")      property(name="timereported" 
dateFormat="rfc3339")
constant(value="\",\"message\":\"")     property(name="msg")
constant(value="\",\"host\":\"")        property(name="hostname")
constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
constant(value="\"}")
}



Best wishes,
Sophie

From: Flo Rance [mailto:[email protected]]
Sent: Tuesday, October 30, 2018 5:16 PM
To: rsyslog-users
Cc: LOEWENTHAL Sophie
Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and 
severity levels

Hi,

Is your template "ElasticSearchTemplate" defined somewhere ?

It's specified in action, but no definition is visible.

Flo

On Tue, Oct 30, 2018 at 4:22 PM sophie.loewenthal--- via rsyslog 
<[email protected]> wrote:
Hi John,

> You'll get the hang of it.  Enjoy.
I don't think I'll get the hang of this.

I tried with a copy and paste of your example & had nothing.   So I tried 
modifying this to be,
# Default RuleSet
*.info { action (type="omelasticsearch"
         server="el7"
         serverport="10514"
         searchIndex="unix"
         bulkmode="on"
         template="ElasticSearchTemplate")
        }
*.info { action (type="omelasticsearch"
         server="el8"
         serverport="10514"
         searchIndex="unix"
         bulkmode="on"
         template="ElasticSearchTemplate")
        }

template(name="dynaName" type="string" string="/soft/rsyslog/%hostname%.log")

*.debug {
   action (
     type="omfile"
     name="debugActionName"
     template="dynaName"
     dynafile="dynaName"
   )
}

*.warn {
   action (
     type="omfile"
     name="infoActionName"
     #template="templateName"
     file="/soft/rsyslog/everything.warn.log"
   )
}

And this wrote nothing to any file.



> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of John Chivian
> Sent: Tuesday, October 30, 2018 3:24 PM
> To: sophie.loewenthal--- via rsyslog
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> severity levels
>
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
>
> *.debug {
>    action(
>      type="omfile"
>      name="debugActionName"
>      template="templateName"
>      dynafile="dynaName"
>    )
> }
>
> *.info {
>    action(
>      type="omfile"
>      name="infoActionName"
>      template="templateName"
>      file="/soft/rsyslog/everything.warn.log"
>    )
> }
>
> You'll get the hang of it.  Enjoy.
>
>
>
> On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
> > Hi,
> >
> > I'm trying to change the rsyslog server to the new format, and decided to use the config generator on the rsyslogd.com website.
> >
> > Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't see DynaFile available in the config generator.
> > Also I had set up different severities to be sent to different files.  Can this filtering be achieved with the new format?
> > e.g.
> > $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
> > *.debug ?DynaFile
> >
> > Also I had set up this but cannot see how to do this with the new format. I tried with omfile, but this did not work.  What is the recommended way?
> > *.info /soft/rsyslog/everything.warn.log
> > *.debuf /soft/rsyslog/everything.all.log
> >
> > Lastly, I don't think the bulk method for elasticsearch is correctly set:
> >      bulkmode="1"
> > Because of the message:   "error during parsing file /etc/rsyslog.conf, on or before line 41: parameter 'bulkmode' must be "on" or "off" but is neither. Results unpredictable."
> > Setting this to bulkmode="on" silenced the error message, but I don't know if this is correct.
> >
> > My rsyslog version: # rsyslogd -v
> > rsyslogd 8.24.0/ x86_64-redhat-linux-gnu
> >
> > Help, like usual, greatly appreciated.
> >
> > Best wishes,
> > Sophie
> >
> >
> > -------------------------------------------------------
> > # This configuration has been generated by using the
> > # rsyslog Configuration Builder which can be found at:
> > # http://www.rsyslog.com/rsyslog-configuration-builder/
> > #
> > # Default Settings
> >
> > # Load Modules
> > module(load="imtcp")
> > module(load="imudp")
> > module(load="omelasticsearch")
> > module(load="imuxsock")
> >
> > # rsyslog Templates
> > template(name="ElasticSearchTemplate"
> > type="list"
> > option.json="on") {
> > constant(value="{")
> >   constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> >   constant(value="\",\"message\":\"")     property(name="msg")
> >   constant(value="\",\"host\":\"")        property(name="hostname")
> >   constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> >   constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> >   constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> > constant(value="\"}")
> > }
> > template(name="ElasticSearchTemplate"
> > type="list"
> > option.json="on") {
> > constant(value="{")
> >   constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> >   constant(value="\",\"message\":\"")     property(name="msg")
> >   constant(value="\",\"host\":\"")        property(name="hostname")
> >   constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> >   constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> >   constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> > constant(value="\"}")
> > }
> >
> > # rsyslog Input Modules
> > input(type="imtcp"
> >      port="")
> > input(type="imudp"
> >      port="")
> >
> > # rsyslog RuleSets
> > # Default RuleSet
> > action(type="omelasticsearch"
> >      server="el8 "
> >      serverport="10514"
> >      searchIndex="unix"
> >      bulkmode="1"
> >      template="ElasticSearchTemplate")
> > action(type="omelasticsearch"
> >      server="el7 "
> >      serverport="10514"
> >      searchIndex="unix"
> >      bulkmode="1"
> >      template="ElasticSearchTemplate")
> > action(type="omfile"
> >      File="/soft/rsyslog/%HOSTNAME%.log"
> >      template="RSYSLOG_ForwardFormat")
> >
> > # This configuration was generated on '2018-10-30 10:52:54'
> >
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.