On 09/07/2021 02:32, David Lang wrote:
> 8.32 is quite a bit older than 8.1911 (2-3 years)
> 
> Please log a message with the template RSYSLOG_DebugFormat on both so we
> can see what's different
> 

This came from CentOS 8.1 with RSYSLOG_DebugFormat:

Debug line with all properties:
FROMHOST: 'something', fromhost-ip: '127.0.0.1', HOSTNAME: 'something',
PRI: 30,
syslogtag 'lt-reConServer[12456]:', programname: 'lt-reConServer',
APP-NAME: 'lt-reConServer', PROCID: '12456', MSGID: '-',
TIMESTAMP: 'Jul  9 02:38:08', STRUCTURED-DATA: '-',
msg: '@cee:
{"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer","subsys":"RECON","proc!id":12456,"proc!tid":139979031448192,"file!name":"Conversation.cxx","file!line":45,"msg":"Conversation
created, handle=1"}'
escaped msg: '@cee:
{"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer","subsys":"RECON","proc!id":12456,"proc!tid":139979031448192,"file!name":"Conversation.cxx","file!line":45,"msg":"Conversation
created, handle=1"}'
inputname: imjournal rawmsg: '@cee:
{"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer","subsys":"RECON","proc!id":12456,"proc!tid":139979031448192,"file!name":"Conversation.cxx","file!line":45,"msg":"Conversation
created, handle=1"}'
$!:{ "_BOOT_ID": "94fbf657a095412d80b4c387cbd90230", "_MACHINE_ID":
"e339bc1ec88911eb92d2fb6499360034", "PRIORITY": "6", "SYSLOG_FACILITY":
"3", "_TRANSPORT": "syslog", "_CAP_EFFECTIVE": "0", "_HOSTNAME":
"something.example.org", "_AUDIT_LOGINUID": "1000",
"_SYSTEMD_OWNER_UID": "1000", "_SYSTEMD_SLICE": "user-1000.slice",
"_SYSTEMD_USER_SLICE": "-.slice", "_UID": "1000", "_GID": "1000",
"_SELINUX_CONTEXT":
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
"SYSLOG_IDENTIFIER": "lt-reConServer", "_COMM": "lt-reConServer",
"_EXE":
"\/home\/daniel\/ws\/resiprocate\/resip-github\/apps\/reConServer\/.libs\/lt-reConServer",
"_CMDLINE":
"\/home\/daniel\/ws\/resiprocate\/resip-github\/apps\/reConServer\/.libs\/lt-reConServer
apps\/reConServer\/reConServer.config.test-local", "_AUDIT_SESSION":
"3", "_SYSTEMD_CGROUP":
"\/user.slice\/user-1000.slice\/session-3.scope", "_SYSTEMD_SESSION":
"3", "_SYSTEMD_UNIT": "session-3.scope", "_SYSTEMD_INVOCATION_ID":
"f2e7e38ea3374a869ee7f51eaf745e1d", "SYSLOG_PID": "12456", "_PID":
"12456", "MESSAGE": "@cee:
{\"hostname\":\"something.example.org\",\"pri\":\"DEBUG\",\"syslog!pri\":6,\"time\":\"2021-07-09T00:38:08.262005743Z\",\"pname\":\"lt-reConServer\",\"subsys\":\"RECON\",\"proc!id\":12456,\"proc!tid\":139979031448192,\"file!name\":\"Conversation.cxx\",\"file!line\":45,\"msg\":\"Conversation
created, handle=1\"}", "_SOURCE_REALTIME_TIMESTAMP": "1625791088262026" }
$.:
$/:








> I also don't know what the default rsyslog.conf is on every system, so
> please include that as well.
> 
> on 8.1911 you can start rsyslog with the command line option -o
> /path/to/file and that file will then contain the combined config
> (including any included files)
> 
> At this point, I suspect that what is different is where the include is
> for the different distros, one including the file before it writes
> things to the default files and the other after, but that's a guess
> without seeing the full configs.
> 


Please find the output from -o underneath

It includes both omelasticsearch and omfwd

The omfwd is working for me if I send it over TCP to the newer rsyslog



## full conf created by rsyslog version 8.1911.0-7.el8_4.2 at 2021-07-09 02:41:25 ##

##### BEGIN CONFIG: /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"  
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"         
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/reConServer-test.conf

# sudo dnf install rsyslog-elasticsearch

module(load="mmjsonparse")

*.* :mmjsonparse:

template(name="isJSON" type="list") {
  property(name="$!all-json")
}

#module(load="omelasticsearch")
#*.* action(type="omelasticsearch"
#           template="isJSON"
#           server="my-host"
#           serverport="9200"
#           searchIndex="log"
# searchType="_doc"
#           uid="admin"
#           pwd="secret")


*.*             /tmp/debugfmt;RSYSLOG_DebugFormat



##### END   CONFIG: /etc/rsyslog.d/reConServer-test.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
*.* action(type="omfwd"



queue.filename="fwdRule1"
queue.maxdiskspace="1g"
queue.saveonshutdown="on"
queue.type="LinkedList"
action.resumeRetryCount="-1"



Target="my-host" Port="514" Protocol="tcp")

##### END   CONFIG: /etc/rsyslog.conf
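The include-order question raised in the quoted reply can be checked mechanically against a `-o` dump. The following is an added example, not part of the original post and not rsyslog's own code: it follows the BEGIN/END CONFIG markers to list legacy selector rules in file order and reports which targets come before the `:mmjsonparse:` action. The function names, the simplified selector regex (no `if ... then` blocks or rulesets) and the abbreviated sample dump are assumptions.

```python
import re

# Constructed sample, abbreviated from the shape of the -o dump in the post above.
DUMP = '''\
##### BEGIN CONFIG: /etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/reConServer-test.conf
module(load="mmjsonparse")
*.* :mmjsonparse:
*.*             /tmp/debugfmt;RSYSLOG_DebugFormat
##### END   CONFIG: /etc/rsyslog.d/reConServer-test.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.* action(type="omfwd"
queue.type="LinkedList"
Target="my-host" Port="514" Protocol="tcp")
##### END   CONFIG: /etc/rsyslog.conf
'''

MARKER = re.compile(r"^#####\s+(BEGIN|END)\s+CONFIG:\s+(\S+)")
# Simplified legacy selector: "facility.priority[;...]", whitespace, then a target.
SELECTOR = re.compile(r"^([\w*,]+\.[\w*=!]+(?:;[\w*,]+\.[\w*=!]+)*)\s+(\S.*)$")

def rule_order(dump):
    """Return (source_file, selector, target) tuples in the order they appear."""
    stack, rules = [], []
    for raw in dump.splitlines():
        marker = MARKER.match(raw)
        if marker:
            if marker.group(1) == "BEGIN":
                stack.append(marker.group(2))   # entering a (possibly included) file
            elif stack:
                stack.pop()                     # back to the including file
            continue
        line = raw.strip()
        if not stack or not line or line.startswith("#"):
            continue
        rule = SELECTOR.match(line)
        if rule:
            rules.append((stack[-1], rule.group(1), rule.group(2)))
    return rules

def outputs_before_parser(rules, parser=":mmjsonparse:"):
    """Targets listed before the parser action; all targets if it is absent."""
    targets = [target for _, _, target in rules]
    return targets[:targets.index(parser)] if parser in targets else targets

if __name__ == "__main__":
    for entry in rule_order(DUMP):
        print(entry)
    print("before parser:", outputs_before_parser(rule_order(DUMP)))
```

An empty "before parser" list means every output in the dump is listed after the JSON parsing step; a non-empty list names the outputs that precede it.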