You don't need to load the omfile module at all, unless you're changing
config parameters:
<snip>
Configuration Parameters
<https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html#configuration-parameters>
*Omfile is a built-in module that does not need to be loaded.* In order to
specify module parameters, use
module(load="builtin:omfile" ...parameters...)
</snip>
Don't even bother loading that, it should work without it.
This is how I use omfile:
<snip1>
template(name="json_syslog" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"type\":\"syslog_json")
    constant(value="\",\"tag\":\"")
    property(name="syslogtag" format="json")
    constant(value="\",\"relayhost\":\"")
    property(name="fromhost")
    constant(value="\",\"relayip\":\"")
    property(name="fromhost-ip")
    constant(value="\",\"logsource\":\"")
    property(name="source")
    constant(value="\",\"hostname\":\"")
    property(name="hostname" caseconversion="lower")
    constant(value="\",\"program\":\"")
    property(name="programname")
    constant(value="\",\"priority\":\"")
    property(name="pri")
    constant(value="\",\"severity\":\"")
    property(name="syslogseverity")
    constant(value="\",\"facility\":\"")
    property(name="syslogfacility")
    constant(value="\",\"severity_label\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"facility_label\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"message\":\"")
    property(name="rawmsg" format="json")
    constant(value="\",\"end_msg\":\"")
    constant(value="\"}\n")
}
action(type="omfile" file="/var/log/fail2ban.log"
       template="json_syslog")
action(type="omfile" file="/var/log/suricata.log"
       template="json_syslog")
</snip1>
The answer to your question #1 is in green. You do not need to load
the module at all for it to work, so your answer to #2 is "nothing".
HTH
Cheers,
JB
On Tue, Nov 20, 2018 at 11:56 AM Mike Schleif <[email protected]>
wrote:
> On Tue, Nov 20, 2018 at 10:30 AM Jacob Steinberger via rsyslog <
> [email protected]> wrote:
>
> > Technically the documentation says file should be "File", you could give
> > that a try.
> >
> > Are you running Rsyslog 8.39?
> >
>
> Yes, we are running the latest: v8.39.0
>
> The problems I have not overcome are twofold:
>
> 1) How to configure two (2) instances of omfile?
> parameters for built-in module builtin:omfile already set - ignored
> [v8.39.0 try http://www.rsyslog.com/e/2220 ]
>
> 2) How to configure the module line?
> parameter 'template' not known -- typo in config file?
> parameter 'File' not known -- typo in config file?
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
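Added example (not part of the original thread and not any poster's own configuration): one way to lay out the two omfile outputs discussed above, with the optional module() line stated once and each file given its own action(). The program-name filters and the permission values are assumptions, and the json_syslog template is the one defined in the message above.

```rsyslog
# Added example, not from the original thread.

# Optional: omfile-wide defaults. Keep at most one such line in the whole
# configuration, included files counted; a second one produces the
# "parameters for built-in module builtin:omfile already set - ignored"
# message quoted in the thread. Leave the line out entirely if the
# defaults are fine.
module(load="builtin:omfile"
       fileCreateMode="0640"
       dirCreateMode="0750")

# One action() per output file. "file" and "template" are set on the
# action, not on the module line.
# Assumption: the json_syslog template from the message above is defined
# earlier in the same configuration.
# Assumption: the program names below match the syslog tags on your hosts.
if $programname startswith 'fail2ban' then {
    action(type="omfile"
           file="/var/log/fail2ban.log"
           template="json_syslog")
}

if $programname == 'suricata' then {
    # fileCreateMode here overrides the module default for this file only.
    action(type="omfile"
           file="/var/log/suricata.log"
           template="json_syslog"
           fileCreateMode="0600")
}
```

Running rsyslogd -N1 against the configuration checks its syntax without starting the daemon.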