Hi,

According to the documentation: "Note that “rulesetname” must be the name of a ruleset that is already defined at the time the bind directive is given."

https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html

Flo

On Wed, Oct 31, 2018 at 12:12 PM sophie.loewenthal--- via rsyslog <[email protected]> wrote:
> I tried this instead, but ended up with no logs.
>
> # rsyslog Input Modules
> input(type="imtcp" port="514" ruleset="r_hostname")
> input(type="imudp" port="514" ruleset="r_hostname")
>
> template(name="t_hostname" type="string"
>          string="/soft/rsyslog/%HOSTNAME%:::secpath-replace%.log"
> )
>
> ruleset(name="r_hostname"){
>     *.debug action(type="omfile" DynaFile="t_hostname")
> }
>
> And to think I could achieve this before with something like this:
> $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
> $template DynaFile,"/var/spool/rsyslog/%HOSTNAME%.log"
> $RuleSet Remote
> *.info ?DynaFile
> *.warn /var/spool/rsyslog/everything.warn.log
> & stop
> $DefaultRuleset Remote
> $InputTCPServerBindRuleset Remote
> $InputTCPServerRun 514
> $InputUDPServerBindRuleset Remote
> $UDPServerRun 514
>
> Best wishes,
> Sophie
>
> Not working on Mondays / Travailler sauf le lundi
> Team mailbox : [email protected]
> or direct [email protected]
>
> > -----Original Message-----
> > From: rsyslog [mailto:[email protected]] On Behalf Of sophie.loewenthal--- via rsyslog
> > Sent: Wednesday, October 31, 2018 10:51 AM
> > To: rsyslog-users
> > Cc: LOEWENTHAL Sophie
> > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and severity levels
> >
> > Hi,
> >
> > I fixed the /soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log by removing the template. I don't think I need a template for admins to read the syslog messages.
> >
> > The queue message is strange, because this parameter is specified on the rsyslog website:
> > https://www.rsyslog.com/tag/queues/
> >
> > The action suspended messages tell me little other than something has blocked something, but I'm unsure what.
> >
> > # /usr/sbin/rsyslogd -d -n -f rsyslog.conf
> > 9284.058189344:main Q:Reg/w0 : executing action 0
> > 9284.058193628:main Q:Reg/w0 : action 'action 0': called, logging to omelasticsearch (susp 0/0, direct q 1)
> > 9284.058210131:main Q:Reg/w0 : action 'action 0': is transactional - executing in commit phase
> > 9284.058215928:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 0
> > 9284.058296151:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker instance 1 for action 0
> > 9284.058301257:main Q:Reg/w0 : Action 0 transitioned to state: itx
> > 9284.058305212:main Q:Reg/w0 : action 'action 0': set suspended state to 0
> > 9284.058308849:main Q:Reg/w0 : PRIFILT '*.info'
> > 9284.058315576:main Q:Reg/w0 : pmask: 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
> > 9284.058365958:main Q:Reg/w0 : PRIFILT condition result is 1
> > 9284.058369166:main Q:Reg/w0 : ACTION 1 [omelasticsearch:action(type="omelasticsearch" ...)]
> > 9284.058376191:main Q:Reg/w0 : executing action 1
> > 9284.058380045:main Q:Reg/w0 : action 'action 1': called, logging to omelasticsearch (susp 0/0, direct q 1)
> > 9284.058387080:main Q:Reg/w0 : action 'action 1': is transactional - executing in commit phase
> > 9284.058390875:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 1
> > 9284.058447349:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker instance 1 for action 1
> > 9284.058451628:main Q:Reg/w0 : Action 1 transitioned to state: itx
> > 9284.058455063:main Q:Reg/w0 : action 'action 1': set suspended state to 0
> > 9284.058458487:main Q:Reg/w0 : ACTION 2 [builtin:omfile:action(type="builtin:omfile" ...)]
> > 9284.058465640:main Q:Reg/w0 : executing action 2
> > 9284.058469343:main Q:Reg/w0 : action 'debugActionName': called, logging to builtin:omfile (susp 0/0, direct q 1)
> > 9284.058474010:main Q:Reg/w0 : action 'debugActionName': is transactional - executing in commit phase
> > 9284.058477578:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 2
> > 9284.058481584:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker instance 1 for action 2
> > 9284.058485138:main Q:Reg/w0 : Action 2 transitioned to state: itx
> > 9284.058488730:main Q:Reg/w0 : action 'debugActionName': set suspended state to 0
> > 9284.058492085:main Q:Reg/w0 : PRIFILT '*.warn'
> > 9284.058498603:main Q:Reg/w0 : pmask: 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F
> > 9284.058548638:main Q:Reg/w0 : PRIFILT condition result is 1
> > 9284.058551882:main Q:Reg/w0 : ACTION 3 [builtin:omfile:action(type="builtin:omfile" ...)]
> > 9284.058558715:main Q:Reg/w0 : executing action 3
> > 9284.058562538:main Q:Reg/w0 : action 'infoActionName': called, logging to builtin:omfile (susp 0/0, direct q 1)
> > 9284.058566508:main Q:Reg/w0 : action 'infoActionName': is transactional - executing in commit phase
> > 9284.058570136:main Q:Reg/w0 : wti 0x55a7b4c455c0: we need to create a new action worker instance for action 3
> > 9284.058573779:main Q:Reg/w0 : wti 0x55a7b4c455c0: created action worker instance 1 for action 3
> > 9284.058577339:main Q:Reg/w0 : Action 3 transitioned to state: itx
> > 9284.058580739:main Q:Reg/w0 : action 'infoActionName': set suspended state to 0
> > 9284.058584539:main Q:Reg/w0 : END batch execution phase, entering to commit phase [processed 1 of 1 messages]
> > 9284.058588492:main Q:Reg/w0 : actionCommitAllDirect: action 0, state 1, nbr to commit 1 isTransactional 1
> > 9284.058592392:main Q:Reg/w0 : doTransaction: action 0, currIParam 1
> > 9284.058596085:main Q:Reg/w0 : entering actionCalldoAction(), state: itx, actionNbr 0
> > 9284.058601779:main Q:Reg/w0 : omelasticsearch: submitBatch, batch: '{"index":{"_index":"unix","_type":"events"}}
> > {"timestamp":"2018-10-31T10:48:04.055039+01:00","message":" error during config processing: parameter 'queue.debatchsize' not known -- typo in config file? [v8.24.0 try http://www.rsyslog.com/e/2207 ]","host":"be-s3006-msl","severity":"err","facility":"syslog","syslogtag":"rsyslogd:"}
> >
> > My rsyslog.conf has :
> >
> > module(load="imtcp" MaxSessions="5000")
> > module(load="imudp")
> > module(load="omelasticsearch")
> > module(load="imuxsock")
> > $CreateDirs on
> > $fileOwner root
> > $fileGroup uxadmin
> > $omfileForceChown on
> > main_queue(
> >     queue.size="1000000"
> >     queue.debatchsize="1000"
> >     queue.workerthreads="2")
> > module(
> >     load="impstats"
> >     interval="10"
> >     log.file="/soft/rsyslog/stats"
> >     log.syslog="off"
> > )
> > input(type="imtcp" port="514")
> > input(type="imudp" port="514")
> > template(name="ElasticSearchTemplate"
> >          type="list"
> >          option.json="on") {
> >     constant(value="{")
> >     constant(value="\"timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
> >     constant(value="\",\"message\":\"") property(name="msg")
> >     constant(value="\",\"host\":\"")    property(name="hostname")
> >     constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
> >     constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
> >     constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> >     constant(value="\"}")
> > }
> > *.info { action (type="omelasticsearch"
> >                  server="el8"
> >                  serverport="10514"
> >                  searchIndex="unix"
> >                  bulkmode="on"
> >                  template="ElasticSearchTemplate")
> > }
> > *.info { action (type="omelasticsearch"
> >                  server="el7"
> >                  serverport="10514"
> >                  searchIndex="unix"
> >                  bulkmode="on"
> >                  template="ElasticSearchTemplate")
> > }
> > *.debug {
> >     action(
> >         type="omfile"
> >         name="debugActionName"
> >         dynafile="dynaName"
> >         file="/soft/rsyslog/%hostname%.log"
> >     )
> > }
> > *.warn {
> >     action(
> >         type="omfile"
> >         name="infoActionName"
> >         #template="templateName"
> >         file="/soft/rsyslog/everything.warn.log"
> >     )
> > }
> >
> > Best wishes,
> > Sophie
> >
> > --------------------------------------------------------------
> > From: Flo Rance [mailto:[email protected]]
> > Sent: Wednesday, October 31, 2018 9:52 AM
> > To: rsyslog-users
> > Cc: LOEWENTHAL Sophie
> > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and severity levels
> >
> > Hi,
> >
> > I've tested that part and it works perfectly on 8.38. But it was not working until I changed the owner of the rsyslog directory to be syslog:syslog.
> >
> > template(name="dynaName" type="string"
> >          string="/soft/rsyslog/%hostname%.log")
> >
> > *.debug {
> >     action (
> >         type="omfile"
> >         name="debugActionName"
> >         template="dynaName"
> >         dynafile="dynaName"
> >     )
> > }
> >
> > However, note that the template in action might not be desirable, otherwise you'll get something like this:
> >
> > sudo tail -f /home/rsyslog/myhost.log
> > /home/rsyslog/sc005827.myhost.log/home/rsyslog/myhost.log/home/rsyslog/myhost.log/home/rsyslog/myhost.log
> >
> > On Tue, Oct 30, 2018 at 5:18 PM sophie.loewenthal--- via rsyslog <[email protected]> wrote:
> > Hi Flo,
> > Yes it is:
> >
> > # rsyslog Templates
> > template(name="ElasticSearchTemplate"
> >          type="list"
> >          option.json="on") {
> >     constant(value="{")
> >     constant(value="\"timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
> >     constant(value="\",\"message\":\"") property(name="msg")
> >     constant(value="\",\"host\":\"")    property(name="hostname")
> >     constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
> >     constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
> >     constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> >     constant(value="\"}")
> > }
> >
> > Best wishes,
> > Sophie
> >
> > From: Flo Rance [mailto:[email protected]]
> > Sent: Tuesday, October 30, 2018 5:16 PM
> > To: rsyslog-users
> > Cc: LOEWENTHAL Sophie
> > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and severity levels
> >
> > Hi,
> >
> > Is your template "ElasticSearchTemplate" defined somewhere?
> >
> > It's specified in action, but no definition is visible.
> >
> > Flo
> >
> > On Tue, Oct 30, 2018 at 4:22 PM sophie.loewenthal--- via rsyslog <[email protected]> wrote:
> > Hi John,
> >
> > > You'll get the hang of it. Enjoy.
> > I don't think I'll get the hang of this.
> >
> > I tried with a copy and paste of your example & had nothing. So I tried modifying this to be,
> > # Default RuleSet
> > *.info { action (type="omelasticsearch"
> >                  server="el7"
> >                  serverport="10514"
> >                  searchIndex="unix"
> >                  bulkmode="on"
> >                  template="ElasticSearchTemplate")
> > }
> > *.info { action (type="omelasticsearch"
> >                  server="el8"
> >                  serverport="10514"
> >                  searchIndex="unix"
> >                  bulkmode="on"
> >                  template="ElasticSearchTemplate")
> > }
> >
> > template(name="dynaName" type="string"
> >          string="/soft/rsyslog/%hostname%.log")
> >
> > *.debug {
> >     action (
> >         type="omfile"
> >         name="debugActionName"
> >         template="dynaName"
> >         dynafile="dynaName"
> >     )
> > }
> >
> > *.warn {
> >     action (
> >         type="omfile"
> >         name="infoActionName"
> >         #template="templateName"
> >         file="/soft/rsyslog/everything.warn.log"
> >     )
> > }
> >
> > And this wrote nothing to any file.
> > > > > > > > > -----Original Message----- > > > From: rsyslog [mailto:[email protected]<mailto: > rsyslog- > > [email protected]>] On Behalf Of John > > > Chivian > > > Sent: Tuesday, October 30, 2018 3:24 PM > > > To: sophie.loewenthal--- via rsyslog > > > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - > dynafile and > > > severity levels > > > > > > template(name="dynaName" type="string" > > > string="/soft/rsyslog/%hostname%.log") > > > > > > *.debug { > > > action( > > > type="omfile" > > > name="debugActionName" > > > template="templateName" > > > dynafile="dynaName" > > > ) > > > } > > > > > > *.info { > > > action( > > > type="omfile" > > > name="infoActionName" > > > template="templateName" > > > file="/soft/rsyslog/everything.warn.log" > > > ) > > > } > > > > > > You'll get the hang of it. Enjoy. > > > > > > > > > > > > On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote: > > > > Hi, > > > > > > > > I'm trying to change the rsyslog server to the new format, and > decided to use > > > the config generator on the rsyslogd.com<http://rsyslogd.com> website. > > > > > > > > Previously I used Dynafile to send logs into %HOSTNAME%.log, but I > don't > > see > > > DynaFile available in the config generator. > > > > Also I had set up different severities to be sent to different > files. Can this > > > filtering be achieved the the new format? > > > > .eg > > > > $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log" > > > > *.debug ?DynaFile > > > > > > > > Also I had set up this but cannot see yow to do this with the new > format. I > > tried > > > with omfile, but this did not work. What is the recommended way? 
> > > > *.info /soft/rsyslog/everything.warn.log > > > > *.debuf /soft/rsyslog/everything.all.log > > > > > > > > Lastly, I don't think the bulk method for elasticsearch is correctly > set: > > > > bulkmode="1" > > > > Because of the message: "error during parsing file > /etc/rsyslog.conf, on or > > > before line 41: parameter 'bulkmode' must be "on" or "off" but is > neither. > > > Results unpredictable." > > > > Setting this to bulkmode="on" silenced the error message, but I > don't know if > > > this is correct. > > > > > > > > My rsyslog version: # rsyslogd -v > > > > rsyslogd 8.24.0/ x86_64-redhat-linux-gnu > > > > > > > > Help, like usual, greatly appricated. > > > > > > > > Best wishes, > > > > Sophie > > > > > > > > > > > > ------------------------------------------------------- > > > > # This configuration has been generated by using the > > > > # rsyslog Configuration Builder which can be found at: > > > > # http://www.rsyslog.com/rsyslog-configuration-builder/ > > > > # > > > > # Default Settings > > > > > > > > # Load Modules > > > > module(load="imtcp") > > > > module(load="imudp") > > > > module(load="omelasticsearch") > > > > module(load="imuxsock") > > > > > > > > # rsyslog Templates > > > > template(name="ElasticSearchTemplate" > > > > type="list" > > > > option.json="on") { > > > > constant(value="{") > > > > constant(value="\"timestamp\":\"") > property(name="timereported" > > > dateFormat="rfc3339") > > > > constant(value="\",\"message\":\"") property(name="msg") > > > > constant(value="\",\"host\":\"") property(name="hostname") > > > > constant(value="\",\"severity\":\"") > property(name="syslogseverity-text") > > > > constant(value="\",\"facility\":\"") > property(name="syslogfacility-text") > > > > constant(value="\",\"syslogtag\":\"") property(name="syslogtag") > > > > constant(value="\"}") > > > > } > > > > template(name="ElasticSearchTemplate" > > > > type="list" > > > > option.json="on") { > > > > constant(value="{") > > > > 
constant(value="\"timestamp\":\"") > property(name="timereported" > > > dateFormat="rfc3339") > > > > constant(value="\",\"message\":\"") property(name="msg") > > > > constant(value="\",\"host\":\"") property(name="hostname") > > > > constant(value="\",\"severity\":\"") > property(name="syslogseverity-text") > > > > constant(value="\",\"facility\":\"") > property(name="syslogfacility-text") > > > > constant(value="\",\"syslogtag\":\"") property(name="syslogtag") > > > > constant(value="\"}") > > > > } > > > > > > > > # rsyslog Input Modules > > > > input(type="imtcp" > > > > port="") > > > > input(type="imudp" > > > > port="") > > > > > > > > # rsyslog RuleSets > > > > # Default RuleSet > > > > action(type="omelasticsearch" > > > > server="el8 " > > > > serverport="10514" > > > > searchIndex="unix" > > > > bulkmode="1" > > > > template="ElasticSearchTemplate") > > > > action(type="omelasticsearch" > > > > server="el7 " > > > > serverport="10514" > > > > searchIndex="unix" > > > > bulkmode="1" > > > > template="ElasticSearchTemplate") > > > > action(type="omfile" > > > > File="/soft/rsyslog/%HOSTNAME%.log" > > > > template="RSYSLOG_ForwardFormat") > > > > > > > > # This configuration was generated on '2018-10-30 10:52:54' > > > > > > > > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of > > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T > > > LIKE THAT. > > This message and any attachments (the "message") is > > intended solely for the intended addressees and is confidential. > > If you receive this message in error,or are not the intended > recipient(s), > > please delete it and any copies from your systems and immediately notify > > the sender. 
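As an added worked example (my own configuration, not code from the thread or from the rsyslog project), here is a complete rsyslog 8 configuration in the new syntax that puts the points raised in this thread together: templates and the ruleset are defined before the input() statements that bind to it, the file-name template is kept separate from the message template so the path is not written into the log as content, and priority filters send warnings and above to a shared file while everything from debug upward is kept per sending host. The server name el8, port 514, the paths under /soft/rsyslog and the group uxadmin are placeholders taken from the thread; /var/log/messages for local traffic is my assumption. Two details are worth checking against your own file: the queue parameter is spelled queue.dequeuebatchsize (the "parameter not known" error in the debug output above came from queue.debatchsize), and a property-replacer option belongs inside the percent signs, %HOSTNAME:::secpath-replace%, not after a closing one. That option matters on a collector, because HOSTNAME is supplied by the remote sender and is used to build a file path; secpath-replace turns any "/" in it into "_", so a forged hostname cannot steer the dynafile outside the log directory.

```conf
# Added example configuration for rsyslog 8 (RainerScript syntax).
# Not taken from the thread; names and paths are placeholders.

module(load="imuxsock")                    # local /dev/log
module(load="imtcp" MaxSessions="5000")
module(load="imudp")
module(load="omelasticsearch")

# queue.dequeuebatchsize is the real parameter name; queue.debatchsize
# is what produced the "parameter not known" error in the thread.
main_queue(
    queue.size="1000000"
    queue.dequeuebatchsize="1000"
    queue.workerthreads="2"
)

# 1. Templates first. t_perhost_file builds the FILE NAME only; the
#    message format comes from a different template. Passing the
#    file-name template as the action's template= is what makes the
#    path appear as the file's content (the tail -f output above).
#    secpath-replace: any "/" in the sender-supplied hostname becomes
#    "_", so "../../etc/cron.d/x" cannot escape /soft/rsyslog.
template(name="t_perhost_file" type="string"
         string="/soft/rsyslog/%HOSTNAME:::secpath-replace%.log")

template(name="t_es" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"") property(name="msg")
    constant(value="\",\"host\":\"")    property(name="hostname")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
    constant(value="\"}")
}

# 2. The ruleset must exist BEFORE an input binds to it (the point of
#    the reply at the top of this thread). Inside a ruleset, *.debug
#    means debug and above (everything); *.warn means warning and above.
ruleset(name="r_remote") {
    # one file per sending host, readable by the uxadmin group only
    *.debug action(type="omfile" name="a_perhost"
                   dynaFile="t_perhost_file"
                   template="RSYSLOG_FileFormat"     # built-in message template
                   createDirs="on" dirCreateMode="0750"
                   fileCreateMode="0640"
                   fileOwner="root" fileGroup="uxadmin")

    # warning and above additionally into one shared file
    *.warn  action(type="omfile" name="a_warn"
                   file="/soft/rsyslog/everything.warn.log"
                   template="RSYSLOG_FileFormat"
                   fileCreateMode="0640" fileOwner="root" fileGroup="uxadmin")

    # info and above to Elasticsearch in bulk mode (placeholder host el8)
    *.info  action(type="omelasticsearch" name="a_es"
                   server="el8" serverport="10514"
                   searchIndex="unix" bulkmode="on"
                   template="t_es")
}

# 3. Inputs bind to the ruleset defined above. Only these two inputs
#    run r_remote; imuxsock is not bound and uses the default ruleset.
input(type="imtcp" port="514" ruleset="r_remote")
input(type="imudp" port="514" ruleset="r_remote")

# Default ruleset: local messages from /dev/log (path is an assumption)
*.info action(type="omfile" file="/var/log/messages")
```

Run `rsyslogd -N1 -f /etc/rsyslog.conf` before restarting: the config check reports errors such as unknown parameter names without starting the daemon. The fileOwner/fileGroup chown only succeeds when rsyslogd itself runs with the privilege to change ownership, which is the directory-ownership problem Flo hit on 8.38; if the daemon runs as an unprivileged user, pre-create /soft/rsyslog owned by that user instead.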

