The problem might be related to the beauty of "unnecessary include
files" - the problem construct could be in the file that is included
before this one.

I suggest you take the content of asa.conf and copy & paste it verbatim
to the spot in rsyslog.conf itself where you want it. At a minimum,
this makes troubleshooting easier.

Rainer

On Wed, 13 May 2020 at 12:32, Soham Chakraborty via rsyslog
(<[email protected]>) wrote:
>
> Hi David,
>
> Thanks for your input.
>
> I am now trying to modify the config to use action() syntax and I
> think I am getting it wrong.
>
> # cat asa.conf
> input(type="imtcp" port="8514" ruleset="asa_logs")
>
> template(name="asa-logs"
> string="/opt/data/syslog/asa/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
> type="string")
>
> ruleset(name="asa_logs") {
>     action(
>       queue.type="fixedArray"
>       queue.size="250000"
>       queue.dequeueBatchSize="4096"
>       queue.workerThreads="4"
>       queue.workerThreadMinimumMessages="60000"
>       type="omfile"
>       DynaFile="asa-logs"
>       dirCreateMode="0755"
>       fileCreateMode="0640"
>       dirGroup="splunk"
>       dirOwner="splunk"
>       fileOwner="splunk"
>       fileGroup="splunk")
> }
>
> When I run "rsyslogd -N1" it throws me an error in parsing the config
> file. The errors are:
>
> Error during parsing file /etc/rsyslog.d/asa.conf, on or before line
> 5: invalid property ' ' [rsyslog version try
> http://rsyslog.com/e/2207]
> Error during parsing file /etc/rsyslog.d/asa.conf, on or before line
> 5: error parsing template object [rsyslog version try
> http://rsyslog.com/e/2207]
> rsyslogd: Could not find template 1 "asa-logs" - action disabled
> [rsyslog version try http://rsyslog.com/e/3003]
> Error during parsing file /etc/rsyslog.d/asa.conf, on or before line
> 20: errors occurred in file '/etc/rsyslog.d/asa.conf' around line 20
> [rsyslog version try http://rsyslog.com/e/2207]
>
> What am I getting wrong? Syntactically?
>
> Thanks,
>
> On Wed, May 13, 2020 at 8:00 AM David Lang <[email protected]> wrote:
> >
> > dynafile2 is just a string, so your example using cyberark instead is valid
> >
> > look at the action() syntax rather than having all the $foo lines, the new
> > syntax was created to make it far easier to understand.
> >
> > you may also want to try the -o filename option when you start rsyslog, this has
> > rsyslog write out its config as it understands it. I believe it writes it out
> > in the new syntax, so this may do some of the conversion work for you.
> >
> > David Lang
> >
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
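The following is an added example, not code from the thread or from the rsyslog project. It expands `$IncludeConfig` / `include(file=...)` lines in place and reports the last effective lines read before asa.conf, which is where an unterminated construct from an earlier include would sit. The sample tree, the file name `10-other.conf` and the sorted processing order of wildcard matches are assumptions.

```python
import glob, os, re, tempfile

# Both include forms are real rsyslog syntax: legacy directive and include() object.
INCLUDE = re.compile(r'^\s*(?:\$IncludeConfig\s+(\S+)|include\s*\(.*?\bfile\s*=\s*"([^"]+)")', re.I)

def flatten(path, ancestors=()):
    """Return [(file, line_no, text)] for path with every include expanded in place."""
    real = os.path.realpath(path)
    if real in ancestors:                      # include loop: stop descending
        return []
    out = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            m = INCLUDE.match(line)
            if not m:
                out.append((path, no, line.rstrip("\n")))
                continue
            pattern = m.group(1) or m.group(2)
            if os.path.isdir(pattern):
                pattern = os.path.join(pattern, "*")
            # Assumption: wildcard matches are read in sorted file-name order.
            for inc in sorted(glob.glob(pattern)):
                out.extend(flatten(inc, ancestors + (real,)))
    return out

def context_before(flat, target, count=3):
    """Last `count` effective lines read before the first line of `target`."""
    name = os.path.basename(target)
    for i, (src, _, _) in enumerate(flat):
        if os.path.basename(src) == name:
            prior = [e for e in flat[:i] if e[2].strip() and not e[2].lstrip().startswith("#")]
            return prior[-count:]
    return []

def build_sample(root):
    """Constructed sample tree: an earlier include leaves a template() unclosed."""
    d = os.path.join(root, "rsyslog.d")
    os.makedirs(d)
    files = {
        os.path.join(root, "rsyslog.conf"): 'module(load="imtcp")\n$IncludeConfig %s/*.conf\n' % d,
        os.path.join(d, "10-other.conf"): '# constructed\ntemplate(name="other" type="string"\n',
        os.path.join(d, "asa.conf"): 'input(type="imtcp" port="8514" ruleset="asa_logs")\n',
    }
    for p, body in files.items():
        with open(p, "w") as fh:
            fh.write(body)
    return os.path.join(root, "rsyslog.conf")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        flat = flatten(build_sample(tmp))
        for src, no, text in context_before(flat, "asa.conf"):
            print("%s:%d: %s" % (os.path.basename(src), no, text))
```

Pointing `flatten()` at a real /etc/rsyslog.conf gives the same file:line view of everything parsed ahead of /etc/rsyslog.d/asa.conf.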