Hi,
Looks like the "/etc/rsyslog.d/custom-rsyslog.conf" in my previous email
response has the "else-if" clause missed (somehow). It checks for "imuxsock"
and then "imjournal" and logs accordingly as you suggested:

    if ( $inputname == "imuxsock") then {
        action(type="omfile" ...)
    } else if ( $inputname == "imjournal" ) then {
        action(type="omfile" file="/var/log/syslog/imjournal.log"
               template="RSYSLOG_DebugFormat")
    }

The problem I've been facing is that there are NO imjournal logs being filed.
I also tried having an rsyslog.conf that loads and uses imjournal/mmjsonparse only
(no *.conf include); NO logs have been filed with that either. I am trying to
figure out why there is no imjournal log; the next step is then to examine the
meta-data and build the filters.
I assume imjournal is working in rsyslog_v8.1903, and (even though it is not
project supported AFAIK) there is still development happening in the imjournal
plug-in
(https://github.com/rsyslog/rsyslog/commits/master/plugins/imjournal/imjournal.c).
Thanks,
Patrick
On Wednesday, February 19, 2020, 05:47:21 a.m. EST, David Lang <[email protected]>
wrote:
On Wed, 19 Feb 2020, Patrick Leung wrote:
> Hi,
> Sorry about the illegible config file content. Please allow me to try again.
> My system is using rsyslog_8.1903 from Yocto meta-openembedded/warrior that
> has systemd-journald_v241 forward to syslog. "/etc/rsyslog.conf" includes a
> custom rsyslog configuration "/etc/rsyslog.d/custom-rsyslog.conf". Please see
> below the configuration files.
>
> Given these configuration files, I obtain ONLY logging entries from imuxsock.
> The "RSYSLOG_DebugFormat" gives me the syslog message, e.g.
>
> Debug line with all properties:
> FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 30,
> syslogtag 'systemd[1]:', programname: 'systemd', APP-NAME: 'systemd', PROCID:
> '1', MSGID: '-',
> TIMESTAMP: 'Feb 18 16:17:16', STRUCTURED-DATA: '-',
> msg: ' Started machine-id persistence.'
> escaped msg: ' Started machine-id persistence.'
> inputname: imuxsock rawmsg: '<30>Feb 18 16:17:16 systemd[1]: Started
> machine-id persistence.'
> $!:{ "msg": "Started machine-id persistence." }
> $.:
> $/:
>
> I would like to craft a rsyslog configuration such that both imuxsock and
> imjournal are used, and I will have filtering based on the meta data in
> the structured journald log fetched from imjournal.
OK, now set up a similar thing for a log you get from imjournal and look at the
different properties that you get.
I would suggest that you look at what inputname is for each one; that will
probably work for your filtering.
David Lang
> I hope the given information clarifies my approach.
>
>
> Thanks,
> Patrick
> ==============================
> [/etc/rsyslog.conf]
> module(load="imuxsock"
> SysSock.Use="on"
> SysSock.Name="/run/systemd/journal/syslog")
>
> module(load="builtin:omfile"
> dirCreateMode="0755"
> fileCreateMode="0640")
>
> module(load="mmjsonparse")
> action(type="mmjsonparse")
>
> # Set the default permissions
> $FileOwner syslog
> $FileGroup syslog
> $FileCreateMode 0640
> $DirCreateMode 0755
> $Umask 0022
> $PrivDropToUser syslog
> $PrivDropToGroup syslog
>
> include(file="/etc/rsyslog.d/*.conf" mode="required")
>
> ==============================
>
> [/etc/rsyslog.d/custom-rsyslog.conf]
> module(load="imjournal" PersisStateInterval="100")
> action(type="mmjsonparse")
> if ( $inputname == "imuxsock" ) then {
> action(type="omfile" file="/var/log/syslog/imuxsock.log"
> template="RSYSLOG_DebugFormat")
> else if ( $inputname == "imjournal" ) then {
> action(type="omfile" file="/var/log/syslog/imjournal.log"
> template="RSYSLOG_DebugFormat")
> }
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
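
To check which inputs are actually delivering and which `$!` fields each one carries, the RSYSLOG_DebugFormat output can be summarized per inputname. This is an added example, not part of the original thread: `summarize` is a hypothetical helper, the first sample record is the one quoted above with the e-mail line wrapping undone, and the imjournal record is constructed.

```python
import json
import re
from collections import defaultdict

HEADER = "Debug line with all properties:"

# Constructed sample: record 1 is the thread's own; record 2 is made up.
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 30,
syslogtag 'systemd[1]:', programname: 'systemd', APP-NAME: 'systemd', PROCID: '1', MSGID: '-',
TIMESTAMP: 'Feb 18 16:17:16', STRUCTURED-DATA: '-',
msg: ' Started machine-id persistence.'
escaped msg: ' Started machine-id persistence.'
inputname: imuxsock rawmsg: '<30>Feb 18 16:17:16 systemd[1]: Started machine-id persistence.'
$!:{ "msg": "Started machine-id persistence." }
$.:
$/:

Debug line with all properties:
FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 38,
syslogtag 'sshd[812]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '812', MSGID: '-',
TIMESTAMP: 'Feb 18 16:17:20', STRUCTURED-DATA: '-',
msg: ' Server listening on 0.0.0.0 port 22.'
escaped msg: ' Server listening on 0.0.0.0 port 22.'
inputname: imjournal rawmsg: 'Server listening on 0.0.0.0 port 22.'
$!:{ "_SYSTEMD_UNIT": "sshd.service", "_PID": "812", "_COMM": "sshd" }
$.:
$/:
"""

def summarize(text):
    """Map inputname -> record count, program names and `$!` field names."""
    out = defaultdict(lambda: {"count": 0, "programs": set(), "fields": set()})
    for rec in text.split(HEADER)[1:]:
        m = re.search(r"^inputname: (\S+)", rec, re.M)
        if not m:
            continue  # truncated record without an inputname line
        entry = out[m.group(1)]
        entry["count"] += 1
        entry["programs"].update(re.findall(r"programname: '([^']*)'", rec))
        j = re.search(r"^\$!:\s*(\{.*\})\s*$", rec, re.M)
        try:
            entry["fields"].update(json.loads(j.group(1)) if j else {})
        except json.JSONDecodeError:
            pass  # JSON tree was cut off or spilled over several lines
    return dict(out)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An inputname that is absent from the result means no record from that input reached the action at all, which separates an input that never delivers from a filter that never matches.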