I tried this instead, but ended up with no logs.
# rsyslog Input Modules
input(type="imtcp" port="514" ruleset="r_hostname")
input(type="imudp" port="514" ruleset="r_hostname")
# Property replacer syntax is %property:fromChar:toChar:options%, so the
# option belongs inside the single pair of percent signs. secpath-replace
# turns "/" in the sender-supplied hostname into "_", so a crafted hostname
# cannot steer the file path outside /soft/rsyslog.
template(name="t_hostname" type="string"
string="/soft/rsyslog/%HOSTNAME:::secpath-replace%.log"
)
ruleset(name="r_hostname"){
*.debug action(type="omfile" DynaFile="t_hostname")
}
And to think I could achieve this before with something like this:
$ModLoad imtcp
$ModLoad imudp
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
$template DynaFile,"/var/spool/rsyslog/%HOSTNAME%.log"
$RuleSet Remote
*.info ?DynaFile
*.warn /var/spool/rsyslog/everything.warn.log
& stop
$DefaultRuleset Remote
$InputTCPServerBindRuleset Remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset Remote
$UDPServerRun 514
Best wishes,
Sophie
Not working on Mondays
Team mailbox : [email protected]
or direct [email protected]
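The legacy "Remote" ruleset above, converted to the new syntax, together with the two checks a practitioner would run before deploying it. This is an added example written for this page; it is not code from the thread or from the rsyslog project. The ruleset name r_remote, the template name t_dynafile and the /var/spool/rsyslog paths are assumptions carried over from the legacy snippet, and the shell helpers only emulate what the secpath-replace property option does to a hostname so its effect can be seen without a running daemon. The point worth keeping in mind: HOSTNAME in a received message is whatever the remote sender put in the syslog header, so a dynafile built from it unchanged lets that sender pick the file rsyslog writes to.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): the legacy "Remote" ruleset
# rewritten in RainerScript, plus checks to run before deploying it.
# Ruleset/template names and the /var/spool/rsyslog paths are assumptions.

# Emit the converted configuration. HOSTNAME in a received message is whatever
# the sender put in the syslog header, so the dynafile template uses the
# secpath-replace property option, which turns "/" into "_" and keeps a
# crafted hostname such as "../../tmp/x" from steering the file path.
emit_config() {
cat <<'EOF'
module(load="imtcp")
module(load="imudp")

# was: $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
module(load="builtin:omfile" template="RSYSLOG_SyslogProtocol23Format")

# was: $template DynaFile,"/var/spool/rsyslog/%HOSTNAME%.log"
template(name="t_dynafile" type="string"
         string="/var/spool/rsyslog/%HOSTNAME:::secpath-replace%.log")

# was: $RuleSet Remote plus $InputTCPServerBindRuleset / $InputUDPServerBindRuleset
ruleset(name="r_remote") {
    # was: *.info ?DynaFile
    *.info action(type="omfile" dynaFile="t_dynafile")

    # was: *.warn /var/spool/rsyslog/everything.warn.log  followed by  & stop
    *.warn {
        action(type="omfile" file="/var/spool/rsyslog/everything.warn.log")
        stop
    }
}

# was: $InputTCPServerRun 514 / $UDPServerRun 514. Binding the ruleset on the
# inputs replaces $DefaultRuleset, which would also have caught local input.
input(type="imtcp" port="514" ruleset="r_remote")
input(type="imudp" port="514" ruleset="r_remote")
EOF
}

# Emulate secpath-replace on a sender-supplied hostname: every "/" becomes "_".
sanitize_hostname() {
    printf '%s' "$1" | sed 's#/#_#g'
}

# Resolve the dynafile path for a hostname the way the kernel would on open()
# (collapsing "." and "..") and report whether it stays inside the spool
# directory: exit status 0 = contained, 1 = escaped.
dynafile_contained() {
    base="/var/spool/rsyslog"
    resolved=$(printf '%s/%s.log\n' "$base" "$1" | awk -F/ '{
        n = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "..") { if (n > 0) n-- }
            else if ($i != "" && $i != ".") parts[++n] = $i
        }
        out = ""
        for (i = 1; i <= n; i++) out = out "/" parts[i]
        print out
    }')
    case "$resolved" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Syntax-check the generated file with rsyslogd's own validator (rsyslogd -N1).
# Returns rsyslogd's status, or 2 when rsyslogd is not installed here.
check_config() {
    cfg=$(mktemp) || return 2
    emit_config > "$cfg"
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$cfg"
        rc=$?
    else
        echo "rsyslogd not found; skipping -N1 check" >&2
        rc=2
    fi
    rm -f "$cfg"
    return "$rc"
}

# Show the effect on a benign hostname and on a crafted one (both constructed).
for h in web01 '../../tmp/x'; do
    if dynafile_contained "$h"; then state=contained; else state=ESCAPES; fi
    printf 'raw %-12s -> %s; after secpath-replace: %s\n' \
        "$h" "$state" "$(sanitize_hostname "$h")"
done
check_config || :
```

Run it once on the log host: the loop shows why the template carries the secpath-replace option, and check_config is the same `rsyslogd -N1` pass that would have caught the unknown queue parameter and the bulkmode value discussed further down the thread. The directory still has to be writable by the user rsyslogd drops privileges to, which is the ownership problem Flo mentions below.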
> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of
> sophie.loewenthal--- via rsyslog
> Sent: Wednesday, October 31, 2018 10:51 AM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> severity levels
>
> Hi,
>
> I fixed the /soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log by removing the
> template. I don’t think I need a template for admins to read the syslog
> messages.
>
> The queue message is strange, because this parameter is specified on the
> rsyslog
> website:
> https://www.rsyslog.com/tag/queues/
>
> The action suspended messages tell me little other than something has blocked
> something, but I'm unsure what.
>
> # /usr/sbin/rsyslogd -d -n -f rsyslog.conf
> 9284.058189344:main Q:Reg/w0 : executing action 0
> 9284.058193628:main Q:Reg/w0 : action 'action 0': called, logging to
> omelasticsearch (susp 0/0, direct q 1)
> 9284.058210131:main Q:Reg/w0 : action 'action 0': is transactional -
> executing
> in commit phase
> 9284.058215928:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a
> new action worker instance for action 0
> 9284.058296151:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker
> instance 1 for action 0
> 9284.058301257:main Q:Reg/w0 : Action 0 transitioned to state: itx
> 9284.058305212:main Q:Reg/w0 : action 'action 0': set suspended state to 0
> 9284.058308849:main Q:Reg/w0 : PRIFILT '*.info'
> 9284.058315576:main Q:Reg/w0 : pmask: 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
> 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
> 9284.058365958:main Q:Reg/w0 : PRIFILT condition result is 1
> 9284.058369166:main Q:Reg/w0 : ACTION 1
> [omelasticsearch:action(type="omelasticsearch" ...)]
> 9284.058376191:main Q:Reg/w0 : executing action 1
> 9284.058380045:main Q:Reg/w0 : action 'action 1': called, logging to
> omelasticsearch (susp 0/0, direct q 1)
> 9284.058387080:main Q:Reg/w0 : action 'action 1': is transactional -
> executing
> in commit phase
> 9284.058390875:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a
> new action worker instance for action 1
> 9284.058447349:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker
> instance 1 for action 1
> 9284.058451628:main Q:Reg/w0 : Action 1 transitioned to state: itx
> 9284.058455063:main Q:Reg/w0 : action 'action 1': set suspended state to 0
> 9284.058458487:main Q:Reg/w0 : ACTION 2
> [builtin:omfile:action(type="builtin:omfile" ...)]
> 9284.058465640:main Q:Reg/w0 : executing action 2
> 9284.058469343:main Q:Reg/w0 : action 'debugActionName': called, logging to
> builtin:omfile (susp 0/0, direct q 1)
> 9284.058474010:main Q:Reg/w0 : action 'debugActionName': is transactional -
> executing in commit phase
> 9284.058477578:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a
> new action worker instance for action 2
> 9284.058481584:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker
> instance 1 for action 2
> 9284.058485138:main Q:Reg/w0 : Action 2 transitioned to state: itx
> 9284.058488730:main Q:Reg/w0 : action 'debugActionName': set suspended
> state to 0
> 9284.058492085:main Q:Reg/w0 : PRIFILT '*.warn'
> 9284.058498603:main Q:Reg/w0 : pmask: 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F
> 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F
> 9284.058548638:main Q:Reg/w0 : PRIFILT condition result is 1
> 9284.058551882:main Q:Reg/w0 : ACTION 3
> [builtin:omfile:action(type="builtin:omfile" ...)]
> 9284.058558715:main Q:Reg/w0 : executing action 3
> 9284.058562538:main Q:Reg/w0 : action 'infoActionName': called, logging to
> builtin:omfile (susp 0/0, direct q 1)
> 9284.058566508:main Q:Reg/w0 : action 'infoActionName': is transactional -
> executing in commit phase
> 9284.058570136:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a
> new action worker instance for action 3
> 9284.058573779:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker
> instance 1 for action 3
> 9284.058577339:main Q:Reg/w0 : Action 3 transitioned to state: itx
> 9284.058580739:main Q:Reg/w0 : action 'infoActionName': set suspended
> state to 0
> 9284.058584539:main Q:Reg/w0 : END batch execution phase, entering to
> commit phase [processed 1 of 1 messages]
> 9284.058588492:main Q:Reg/w0 : actionCommitAllDirect: action 0, state 1, nbr
> to commit 1 isTransactional 1
> 9284.058592392:main Q:Reg/w0 : doTransaction: action 0, currIParam 1
> 9284.058596085:main Q:Reg/w0 : entering actionCalldoAction(), state: itx,
> actionNbr 0
> 9284.058601779:main Q:Reg/w0 : omelasticsearch: submitBatch, batch:
> '{"index":{"_index": "unix","_type":"events"}}
> {"timestamp":"2018-10-31T10:48:04.055039+01:00","message":" error during
> config processing: parameter 'queue.debatchsize' not known -- typo in config
> file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]","host":"be-s3006-
> msl","severity":"err","facility":"syslog","syslogtag":"rsyslogd:"}
>
>
> My rsyslog.conf has :
>
> module(load="imtcp" MaxSessions="5000")
> module(load="imudp")
> module(load="omelasticsearch")
> module(load="imuxsock")
> $CreateDirs on
> $fileOwner root
> $fileGroup uxadmin
> $omfileForceChown on
> main_queue(
> queue.size="1000000"
> # the parameter is queue.dequeueBatchSize; "queue.debatchsize" is what
> # rsyslog reports as unknown
> queue.dequeueBatchSize="1000"
> queue.workerthreads="2")
> module(
> load="impstats"
> interval="10"
> log.file="/soft/rsyslog/stats"
> log.syslog="off"
> )
> input(type="imtcp" port="514")
> input(type="imudp" port="514")
> template(name="ElasticSearchTemplate"
> type="list"
> option.json="on") {
> constant(value="{")
> constant(value="\"timestamp\":\"") property(name="timereported"
> dateFormat="rfc3339")
> constant(value="\",\"message\":\"") property(name="msg")
> constant(value="\",\"host\":\"") property(name="hostname")
> constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
> constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
> constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> constant(value="\"}")
> }
> *.info { action (type="omelasticsearch"
> server="el8"
> serverport="10514"
> searchIndex="unix"
> bulkmode="on"
> template="ElasticSearchTemplate")
> }
> *.info { action (type="omelasticsearch"
> server="el7"
> serverport="10514"
> searchIndex="unix"
> bulkmode="on"
> template="ElasticSearchTemplate")
> }
> # a dynafile action names a template; it must not also carry file=
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
> *.debug {
> action(
> type="omfile"
> name="debugActionName"
> dynafile="dynaName"
> )
> }
> *.warn {
> action(
> type="omfile"
> name="infoActionName"
> #template="templateName"
> file="/soft/rsyslog/everything.warn.log"
> )
> }
>
> Best wishes,
> Sophie
>
>
>
>
> --------------------------------------------------------------
> From: Flo Rance [mailto:[email protected]]
> Sent: Wednesday, October 31, 2018 9:52 AM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> severity levels
>
> Hi,
>
> I've tested that part and it works perfectly on 8.38. But it was not working
> until I changed the owner of the rsyslog directory to be syslog:syslog.
>
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
>
> *.debug {
> action (
> type="omfile"
> name="debugActionName"
> template="dynaName"
> dynafile="dynaName"
> )
> }
>
> However, note that the template in action might not be desirable, otherwise
> you'll get something like this:
>
> sudo tail -f /home/rsyslog/myhost.log
> /home/rsyslog/sc005827.myhost.log/home/rsyslog/myhost.log/home/rsyslog/
> myhost.log/home/rsyslog/myhost.log
>
> On Tue, Oct 30, 2018 at 5:18 PM sophie.loewenthal--- via rsyslog
> <[email protected]> wrote:
> Hi Flo,
> Yes it is:
>
> # rsyslog Templates
> template(name="ElasticSearchTemplate"
> type="list"
> option.json="on") {
> constant(value="{")
> constant(value="\"timestamp\":\"") property(name="timereported"
> dateFormat="rfc3339")
> constant(value="\",\"message\":\"") property(name="msg")
> constant(value="\",\"host\":\"") property(name="hostname")
> constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
> constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
> constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> constant(value="\"}")
> }
>
>
>
> Best wishes,
> Sophie
> From: Flo Rance [mailto:[email protected]]
> Sent: Tuesday, October 30, 2018 5:16 PM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> severity levels
>
> Hi,
>
> Is your template "ElasticSearchTemplate" defined somewhere ?
>
> It's specified in action, but no definition is visible.
>
> Flo
>
> On Tue, Oct 30, 2018 at 4:22 PM sophie.loewenthal--- via rsyslog
> <[email protected]> wrote:
> Hi John,
>
> > You'll get the hang of it. Enjoy.
> I don't think I'll get the hang of this.
>
> I tried with a copy and paste of your example & had nothing. So I tried
> modifying this to be,
> # Default RuleSet
> *.info { action (type="omelasticsearch"
> server="el7"
> serverport="10514"
> searchIndex="unix"
> bulkmode="on"
> template="ElasticSearchTemplate")
> }
> *.info { action (type="omelasticsearch"
> server="el8"
> serverport="10514"
> searchIndex="unix"
> bulkmode="on"
> template="ElasticSearchTemplate")
> }
>
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
>
> *.debug {
> action (
> type="omfile"
> name="debugActionName"
> template="dynaName"
> dynafile="dynaName"
> )
> }
>
> *.warn {
> action (
> type="omfile"
> name="infoActionName"
> #template="templateName"
> file="/soft/rsyslog/everything.warn.log"
> )
> }
>
> And this wrote nothing to any file.
>
>
>
> > -----Original Message-----
> > From: rsyslog [mailto:[email protected]] On Behalf Of John
> > Chivian
> > Sent: Tuesday, October 30, 2018 3:24 PM
> > To: sophie.loewenthal--- via rsyslog
> > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile
> > and
> > severity levels
> >
> > template(name="dynaName" type="string"
> > string="/soft/rsyslog/%hostname%.log")
> >
> > *.debug {
> > action(
> > type="omfile"
> > name="debugActionName"
> > template="templateName"
> > dynafile="dynaName"
> > )
> > }
> >
> > *.info {
> > action(
> > type="omfile"
> > name="infoActionName"
> > template="templateName"
> > file="/soft/rsyslog/everything.warn.log"
> > )
> > }
> >
> > You'll get the hang of it. Enjoy.
> >
> >
> >
> > On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
> > > Hi,
> > >
> > > I'm trying to change the rsyslog server to the new format, and decided to
> > > use the config generator on the rsyslogd.com website.
> > >
> > > Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't
> > > see DynaFile available in the config generator.
> > > Also I had set up different severities to be sent to different files.
> > > Can this filtering be achieved in the new format?
> > > .eg
> > > $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
> > > *.debug ?DynaFile
> > >
> > > Also I had set up this but cannot see how to do this with the new format.
> > > I tried with omfile, but this did not work. What is the recommended way?
> > > *.info /soft/rsyslog/everything.warn.log
> > > *.debug /soft/rsyslog/everything.all.log
> > >
> > > Lastly, I don't think the bulk method for elasticsearch is correctly set:
> > > bulkmode="1"
> > > Because of the message: "error during parsing file /etc/rsyslog.conf, on or
> > > before line 41: parameter 'bulkmode' must be "on" or "off" but is neither.
> > > Results unpredictable."
> > > Setting this to bulkmode="on" silenced the error message, but I don't
> > > know if this is correct.
> > >
> > > My rsyslog version: # rsyslogd -v
> > > rsyslogd 8.24.0/ x86_64-redhat-linux-gnu
> > >
> > > Help, like usual, greatly appreciated.
> > >
> > > Best wishes,
> > > Sophie
> > >
> > >
> > > -------------------------------------------------------
> > > # This configuration has been generated by using the
> > > # rsyslog Configuration Builder which can be found at:
> > > # http://www.rsyslog.com/rsyslog-configuration-builder/
> > > #
> > > # Default Settings
> > >
> > > # Load Modules
> > > module(load="imtcp")
> > > module(load="imudp")
> > > module(load="omelasticsearch")
> > > module(load="imuxsock")
> > >
> > > # rsyslog Templates
> > > template(name="ElasticSearchTemplate"
> > > type="list"
> > > option.json="on") {
> > > constant(value="{")
> > > constant(value="\"timestamp\":\"") property(name="timereported"
> > dateFormat="rfc3339")
> > > constant(value="\",\"message\":\"") property(name="msg")
> > > constant(value="\",\"host\":\"") property(name="hostname")
> > > constant(value="\",\"severity\":\"")
> > >property(name="syslogseverity-text")
> > > constant(value="\",\"facility\":\"")
> > >property(name="syslogfacility-text")
> > > constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> > > constant(value="\"}")
> > > }
> > > template(name="ElasticSearchTemplate"
> > > type="list"
> > > option.json="on") {
> > > constant(value="{")
> > > constant(value="\"timestamp\":\"") property(name="timereported"
> > dateFormat="rfc3339")
> > > constant(value="\",\"message\":\"") property(name="msg")
> > > constant(value="\",\"host\":\"") property(name="hostname")
> > > constant(value="\",\"severity\":\"")
> > >property(name="syslogseverity-text")
> > > constant(value="\",\"facility\":\"")
> > >property(name="syslogfacility-text")
> > > constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> > > constant(value="\"}")
> > > }
> > >
> > > # rsyslog Input Modules
> > > input(type="imtcp"
> > > port="")
> > > input(type="imudp"
> > > port="")
> > >
> > > # rsyslog RuleSets
> > > # Default RuleSet
> > > action(type="omelasticsearch"
> > > server="el8 "
> > > serverport="10514"
> > > searchIndex="unix"
> > > bulkmode="1"
> > > template="ElasticSearchTemplate")
> > > action(type="omelasticsearch"
> > > server="el7 "
> > > serverport="10514"
> > > searchIndex="unix"
> > > bulkmode="1"
> > > template="ElasticSearchTemplate")
> > > action(type="omfile"
> > > File="/soft/rsyslog/%HOSTNAME%.log"
> > > template="RSYSLOG_ForwardFormat")
> > >
> > > # This configuration was generated on '2018-10-30 10:52:54'
> > >
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T
> > LIKE THAT.
> This message and any attachments (the "message") is
> intended solely for the intended addressees and is confidential.
> If you receive this message in error,or are not the intended recipient(s),
> please delete it and any copies from your systems and immediately notify
> the sender. Any unauthorized view, use that does not comply with its purpose,
> dissemination or disclosure, either whole or partial, is prohibited. Since the
> internet
> cannot guarantee the integrity of this message which may not be reliable, BNP
> PARIBAS
> (and its subsidiaries) shall not be liable for the message if modified,
> changed or
> falsified.
> Do not print this message unless it is necessary, consider the environment.
>