Hi John,
Thank-you so much. I changed the debug to info, and the info to warn.
The *.warn code worked, but the *.info code only logged from a few hosts but
not all.
The others were logged into their individual files via *.warn, but not into the
*.info files.
e.g this logs into the $hostname.log for *.info file but not into the
messages.all file for *.warn :
# logger -t user.kern UserIsDead-LongLiveTheProgramme
Something in the configuration must block some hosts from logged to both
queues. I've included the full config below. I did not see any errors.
module(load="imtcp" MaxSessions="5000")
module(load="imudp")
module(load="omelasticsearch")
module(load="imuxsock")
$umask 0000
$CreateDirs on
$fileOwner root
$fileGroup admin
$dirGroup admin
$FileCreateMode 0640
$DynaFileCacheSize 600
global(
workDirectory="/soft/rsyslog"
)
main_queue(
queue.size="1000000"
queue.dequeuebatchsize="1000"
queue.workerthreads="3")
module(
load="impstats"
interval="10"
log.file="/soft/rsyslog/stats"
log.syslog="off"
)
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported"
dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
*.info { action (type="omelasticsearch"
server="el8"
serverport="10514"
searchIndex="unix"
bulkmode="on"
template="ElasticSearchTemplate"
name="el8-514-out"
queue.size="1024000"
queue.filename="el8-10514.queue"
queue.maxdiskspace="512m"
queue.type="FixedArray"
queue.maxfilesize="10m"
queue.saveonshutdown="on"
queue.discardseverity="8"
Action.ResumeInterval="1"
Action.ResumeRetryCount="-1"
)
}
*.info { action (type="omelasticsearch"
server="el7"
serverport="10514"
searchIndex="unix"
bulkmode="on"
template="ElasticSearchTemplate"
name="el7-514-out"
queue.size="1024000"
queue.filename="el7-10514.queue"
queue.maxdiskspace="512m"
queue.type="FixedArray"
queue.maxfilesize="10m"
queue.saveonshutdown="on"
queue.discardseverity="8"
Action.ResumeInterval="1"
Action.ResumeRetryCount="-1"
)
}
#$template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
#$template DynaAll,"/soft/rsyslog/everything.warn.log"
template(name="dynaName" type="string"
string="/soft/rsyslog/%hostname%.log")
*.info {
action(
type="omfile"
name="infoActionName"
dynafile="dynaName"
)
}
*.warning {
action(
type="omfile"
name="warnActionName"
file="/soft/rsyslog/messages.all"
)
}
input(type="imtcp" port="514")
input(type="imudp" port="514")
> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of John
> Chivian
> Sent: Wednesday, October 31, 2018 7:22 PM
> To: [email protected]
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> severity levels
>
> The original examples were provided as pieces of a working configuration...
>
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
>
> *.debug {
> action(
> type="omfile"
> name="debugActionName"
> template="templateName"
> dynafile="dynaName"
> )
> }
>
> *.info {
> action(
> type="omfile"
> name="infoActionName"
> template="templateName"
> file="/soft/rsyslog/everything.info.log"
> )
> }
>
> It was corrupted somewhere to...
>
> *.info {
> action(
> type="omfile"
> name="debugActionName"
> template="dynaName"
> dynafile="dynaName"
> )
> }
>
> ...and as noted by others, using "dynaName" as the specification for
> both template and dynafile is causing the behavior you see.
>
> The original example does not provide the code for
> template="templateName". In fact, if you remove the template
> specifications entirely from the original examples perhaps it is easier
> to understand the difference. As such, perhaps this is a better example...
>
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.debug.log")
>
> *.debug {
> action(
> type="omfile"
> name="debugActionName"
> dynafile="dynaName"
> )
> }
>
> *.info {
> action(
> type="omfile"
> name="infoActionName"
> file="/soft/rsyslog/everything.info.log"
> )
> }
>
> Regards,
>
>
>
> On 10/31/18 11:22 AM, David Lang wrote:
> > On Wed, 31 Oct 2018, sophie.loewenthal--- via rsyslog wrote:
> >
> >> #2 ----------------------------
> >> *.info {
> >> action(
> >> type="omfile"
> >> name="debugActionName"
> >> template="dynaName"
> >> dynafile="dynaName"
> >> )
> >> }
> >> This above part does not work well ;) The log files per host are
> >> filled with this, where sysl2 is the name of %hostname% and the
> >> template is :
> >> template(name="dynaName" type="string"
> >> string="/soft/rsyslog/%hostname%.log")
> >>
> /soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog
> /sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/so
> ft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sy
> sl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/
> rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2
> .log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsy
> slog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.lo
> g/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.log/soft/rsyslog/sysl2.logbe-s
> >>
> >
> > template is what to write in the file
> > dynafile is the path to write to
> >
> > you are saing to write the path into the file (and with no newline,
> > you get just one long line with the path repeating)
> >
> > David Lang
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > if you DON'T LIKE THAT.
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
This message and any attachments (the "message") is
intended solely for the intended addressees and is confidential.
If you receive this message in error,or are not the intended recipient(s),
please delete it and any copies from your systems and immediately notify
the sender. Any unauthorized view, use that does not comply with its purpose,
dissemination or disclosure, either whole or partial, is prohibited. Since the
internet
cannot guarantee the integrity of this message which may not be reliable, BNP
PARIBAS
(and its subsidiaries) shall not be liable for the message if modified, changed
or falsified.
Do not print this message unless it is necessary, consider the environment.
----------------------------------------------------------------------------------------------------------------------------------
Ce message et toutes les pieces jointes (ci-apres le "message")
sont etablis a l'intention exclusive de ses destinataires et sont confidentiels.
Si vous recevez ce message par erreur ou s'il ne vous est pas destine,
merci de le detruire ainsi que toute copie de votre systeme et d'en avertir
immediatement l'expediteur. Toute lecture non autorisee, toute utilisation de
ce message qui n'est pas conforme a sa destination, toute diffusion ou toute
publication, totale ou partielle, est interdite. L'Internet ne permettant pas
d'assurer
l'integrite de ce message electronique susceptible d'alteration, BNP Paribas
(et ses filiales) decline(nt) toute responsabilite au titre de ce message dans
l'hypothese
ou il aurait ete modifie, deforme ou falsifie.
N'imprimez ce message que si necessaire, pensez a l'environnement.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
