I'm not certain whether it's better to post here or on GitHub, so to be
safe I am re-posting here.

 

I have found something that ties together the issue I posted about a few days
ago, concerning otherwise functional rules failing when placed in an imuxsock
ruleset, and a second issue I posted about, concerning imrelp binding on
restart but not on boot.

 

Certain rules in an imuxsock ruleset fail on boot but succeed after restart.

 

Several observations:

 

- Again, the rules are in an imuxsock ruleset.

- The rules are commented as "Version G" in the attached rsyslog.conf file.

- The now-successful rules are either a conditional expression or begin with
  a property-based filter.

- Both now-successful rules apply the omfile-specified template, but the
  property-based filter rule ignores all other omfile-specified parameters.

- Other rules in the same ruleset that are likewise either a conditional
  expression or begin with a property-based filter (Versions A and B) continue
  to fail. The only distinctions are (a) the failing rules test msg while the
  working rules test programname; and (b) the failing rules use the contains
  operator while the working rules use the == operator.

- Tinkering with the Restart= directive in rsyslog.service (as detailed in my
  RELP-related issue) has no effect.

 

I'm still not certain what to make of this or how to get things working but
any suggestions would be most gratefully welcome.

 

-ERB

 

 

Eric Blomquist  |  Blomquist & Company, LLC  |  San Francisco, California

 

Resolving the Complexity of Growth sm 

 

T:  +1 415 765 1720  |  M:  +1 415 786 3590  |  E:   <mailto:[email protected]>
[email protected]

 

# /etc/rsyslog.conf

###########
# MODULES #
###########

# Inputs loaded here: kernel log (imklog), mark messages (immark), the RELP and
# UDP network listeners (imrelp, imudp) and the local unix-socket input
# (imuxsock). The network listeners themselves are declared by the input()
# statements in the INPUTS section; both of them feed ruleset rst.remote.
module(load="imklog" permitnonkernelfacility="on")
module(load="immark" interval="300")
module(load="imrelp")
module(load="imudp")

# The syssock.* settings apply to imuxsock's system log socket.
# NOTE(review): syssock.use is not set here, so the module's own system socket
# is presumably still active and is not bound to rst.local; only the
# input(type="imuxsock" ...) listener names that ruleset. Confirm which of the
# two actually receives local messages at boot versus after a restart.
module(
    load="imuxsock"
    syssock.annotate="on"
    syssock.parseHostname="on"
    syssock.useSpecialParser="off"
)

# Defaults for omfile actions: new files 0640 syslog:adm, new directories
# 0755 syslog:adm, and tpl.msg-basic as the output line format.
# NOTE(review): the post reports that the legacy-syntax file rule picks up only
# the template from here. Check the owner and mode of the files those rules
# create; under umask 0022 a file created outside these defaults may end up
# readable by every local user.
module(
    load="builtin:omfile"
    DirCreateMode="0755"
    DirGroup="adm"
    DirOwner="syslog"
    FileCreateMode="0640"
    FileGroup="adm"
    FileOwner="syslog"
    Template="tpl.msg-basic"
)

#####################
# GLOBAL DIRECTIVES #
#####################

# Process-wide settings.
#   debug.logFile, internalmsg.severity="debug"
#       Troubleshooting aids for this report.
#       NOTE(review): debug output can include message content; check the
#       permissions on /var/log/rsyslog.debug and switch both settings off
#       once the problem is found.
#   operatingStateFile, workDirectory
#       State file and spool/work directory locations.
#   senders.*
#       Per-sender tracking with "new sender" and "gone away" reports and a
#       timeoutAfter value of 86400.
#   umask="0022"
#       Process umask: group/other write bits are masked off on anything
#       rsyslogd creates.
global(
        debug.logFile="/var/log/rsyslog.debug"
        internalmsg.severity="debug"
        operatingStateFile="/var/log/rsyslog.opg-state"
        senders.keepTrack="on"
        senders.reportGoneAway="on"
        senders.reportNew="on"
        senders.timeoutAfter="86400"
        umask="0022"
        workDirectory="/var/spool/rsyslog"
)

# Both PrivDrop directives below are commented out, so nothing in this file
# tells rsyslogd to give up the identity it is started with.
# NOTE(review): output file names in this config are built from message fields
# (the dynaFile templates) and two inputs accept network traffic. If the
# service starts as root, those file actions run as root too; re-enable the
# drop where the listener ports and /var/log ownership allow it.
#$DebugLevel 1
#$PrivDropToUser syslog
#$PrivDropToGroup adm

#############
# TEMPLATES #
#############

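# File-name templates for dynaFile actions. Each one expands message
# properties into a path under /var/log.
#
# %hostname% and %programname% are taken from the received message, so for the
# network inputs (tpl.df-remote is used by rst.remote) they are chosen by the
# sender. The secpath-replace option substitutes '_' for every '/' in the
# field, so the expanded value cannot introduce extra directory components
# into the output path. For ordinary host and program names the resulting
# file name is unchanged.
# NOTE(review): whether the active parsers already reject '/' in these fields
# is not visible from this file; the option is kept as defence in depth.
#
# tpl.df is defined but not referenced by any action in this file.
template(
        name="tpl.df-remote"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-remote.log"
)

template(
        name="tpl.df"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-%programname:::secpath-replace%.log"
)

# One template per test variant (Versions A-F in the post), so each variant
# writes to its own file.
template(
        name="tpl.df-local-A"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-local-A.log"
)

template(
        name="tpl.df-local-B"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-local-B.log"
)

template(
        name="tpl.df-local-C"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-local-C.log"
)

template(
        name="tpl.df-local-D"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-local-D.log"
)

template(
        name="tpl.df-local-E"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-local-E.log"
)

template(
        name="tpl.df-local-F"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-local-F.log"
)

template(
        name="tpl.UFW"
        type="string"
        string="/var/log/%hostname:::secpath-replace%-UFW.log"
)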

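# Output line format, set as the omfile default in the module() section:
# reported timestamp, facility.severity text, hostname, syslog tag and message,
# separated by " | " and terminated by a newline escape.
# The string literal was split across two physical lines in the posted copy
# (presumably by mail line-wrapping); it is rejoined here so the format ends
# in the "\n" escape alone rather than containing a raw line break.
template(
        name="tpl.msg-basic"
        type="string"
        string="%timereported% | %pri-text% | %hostname% | %syslogtag% | %msg% \n"
)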

############
# RULESETS #
############

# Ruleset for network traffic: both the imrelp and the imudp input are bound
# to it. A message is written only if its hostname field contains 'obi' or
# 'waypoint'; each match goes to a fixed file and to a per-host dynaFile.
# Nothing else in this ruleset handles messages that match neither filter.
#
# NOTE(review): $hostname comes from the message itself and 'contains' is a
# substring test, so these filters identify a device only as far as the
# network path is trusted. The same sender-supplied value is expanded into
# the dynaFile name by tpl.df-remote.
ruleset(name="rst.remote"){
        if $hostname contains 'obi' then {
                action(
                        name="act.obi-file"
                        type="omfile"
                        file="/var/log/obiB.log"
                )
                action(
                        name="act.obi-dyn"
                        type="omfile"
                        dynaFile="tpl.df-remote"
                )
        }
        if $hostname contains 'waypoint' then {
                action(
                        name="act.wypt-file"
                        type="omfile"
                        file="/var/log/wyptB.log"
                )
                action(
                        name="act.wypt-dyn"
                        type="omfile"
                        dynaFile="tpl.df-remote"
                )
        }
}
#       stop
#       stop

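# Ruleset for local messages; the input(type="imuxsock" ...) listener on
# /run/systemd/journal/syslog is bound to it. The VERSION labels mark the test
# variants discussed in the post: A and B test $msg with 'contains', G tests
# the program name for equality, C and D are kern.* selectors.
#
# The two VERSION G comment lines and the VERSION D action were each split
# across two physical lines in the posted copy; they are rejoined here so that
# no comment continuation is left without a leading '#'.
ruleset(name="rst.local"){
# VERSION A:
        :msg,contains,"iptb"            /var/log/iptables-local-A.log
        :msg,contains,"iptb"            ?tpl.df-local-A
# VERSION B:
        # Disk-queued file action: queue files named ipt-file.queue are
        # spooled to /var/log, a suspended action is retried without limit
        # (resumeRetryCount -1) and suspensions are reported.
        if $msg contains "iptb" then {
                action(
                        name="act.ipt-file"
                        type="omfile"
                        file="/var/log/iptables-local-B.log"
                        action.errorFile="ipt-file.error"
                        action.reportSuspension="on"
                        action.reportSuspensionContinuation="on"
                        action.resumeInterval="10"
                        action.resumeIntervalMax="180"
                        action.resumeRetryCount="-1"
                        queue.checkpointInterval="200"
                        queue.filename="ipt-file.queue"
                        queue.highWatermark="6000"
                        queue.lowWatermark="1"
                        queue.maxFileSize="1m"
                        queue.saveOnShutdown="on"
                        queue.size="10000"
                        queue.spoolDirectory="/var/log"
                        queue.syncQueueFiles="on"
                        queue.type="Disk"
                )
        }

        if $msg contains "iptb" then {
                action(
                        name="act.ipt-dyn"
                        type="omfile"
                        dynaFile="tpl.df-local-B"
                )
        }

        if $msg contains "[UFW" then {
                action(
                        name="act.UFW-file"
                        type="omfile"
                        file="/var/log/ufw.log"
                )
        }

        if $msg contains "[UFW" then {
                action(
                        name="act.UFW-dyn"
                        type="omfile"
                        dynaFile="tpl.UFW"
                )
        }

# VERSION G (conditional expression; see below for property-based filter counterpart):
        if $programname == "rsyslogd" then {
                action(
                        name="act.rsyslogd"
                        type="omfile"
                        file="/var/log/rsyslog.log"
                )
        }

        # Legacy selector rules. A leading '-' on a file name is the legacy
        # marker for not syncing the file after each write.
        auth,authpriv.*                 /var/log/auth.log
        *.*;auth,authpriv.none          -/var/log/syslog
        kern.*                          -/var/log/kern.log
# VERSION C:
        kern.*                          ?tpl.df-local-C
# VERSION D:
        kern.*                          action(name="act.df-local-dyn" type="omfile" dynafile="tpl.df-local-D")
        mail.*                          -/var/log/mail.log
        mail.err                        /var/log/mail.err
        news.crit                       /var/log/news/news.crit
        news.err                        /var/log/news/news.err
        news.notice                     -/var/log/news/news.notice
        # Emergency messages go to the terminals of all logged-in users.
        *.emerg                         :omusrmsg:*
#       :msg,contains,"rsyslog"         /var/log/rsyslog.log
# VERSION G (property-based filter; see above for conditional expression counterpart):
        :programname,isequal,"rsyslogd" /var/log/rsyslog-basic.log
}
#       stop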

##########
# INPUTS #
##########

# Listeners. The two network inputs feed rst.remote; the unix socket feeds
# rst.local.

# RELP on 192.168.1.2:20514. With tls="off" the sessions on this listener are
# not TLS-protected: no encryption and no certificate-based check of the peer.
# (An alternative port is kept here, disabled:)
#       port="601"
input(type="imrelp" address="192.168.1.2" port="20514"
      ruleset="rst.remote" keepalive="on" tls="off")

# UDP syslog on port 514. No address= is given, so the listener is not tied to
# one local address, and UDP syslog carries no sender authentication.
# NOTE(review): if only devices on the 192.168.1.x network should log here,
# set address= as on the RELP input or restrict the port with a host firewall.
input(type="imudp" port="514" ruleset="rst.remote")

# Local messages forwarded by the systemd journal socket.
input(type="imuxsock" ruleset="rst.local" socket="/run/systemd/journal/syslog")

#input(
#       type="imuxsock"
#       ruleset="rst.local"
#       socket="/dev/log"
#)

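# Test variants E and F: the same 'iptb' rules as Versions A and B, but placed
# outside any ruleset() block, i.e. in rsyslog's default ruleset.
# NOTE(review): every input() in this file names rst.remote or rst.local, so
# these rules presumably see only messages from sources that have no explicit
# ruleset binding; confirm which sources those are on this host.
# VERSION E:
:msg,contains,"iptb"            /var/log/iptables-local-E.log
:msg,contains,"iptb"            ?tpl.df-local-E
# VERSION F:
# Disk-queued file action; error file and queue file names carry an -F suffix
# so they do not collide with the Version B action in rst.local.
if $msg contains "iptb" then {
        action(
                name="act.ipt-file-F"
                type="omfile"
                file="/var/log/iptables-local-F.log"
                action.errorFile="ipt-file.error-F"
                action.reportSuspension="on"
                action.reportSuspensionContinuation="on"
                action.resumeInterval="10"
                action.resumeIntervalMax="180"
                action.resumeRetryCount="-1"
                queue.checkpointInterval="200"
                queue.filename="ipt-file.queue-F"
                queue.highWatermark="6000"
                queue.lowWatermark="1"
                queue.maxFileSize="1m"
                queue.saveOnShutdown="on"
                queue.size="10000"
                queue.spoolDirectory="/var/log"
                queue.syncQueueFiles="on"
                queue.type="Disk"
        )
}
# The action name gets the same -F suffix as the file action above. The posted
# copy reused "act.ipt-dyn", which is also the name of the Version B action in
# rst.local, so suspension and error reports could not tell the two apart.
if $msg contains "iptb" then {
        action(
                name="act.ipt-dyn-F"
                type="omfile"
                dynaFile="tpl.df-local-F"
        )
}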