Please post your full config; the example config does not have 101 lines, so it doesn't match the error you are posting.

Also be aware that 8.24 is now about 5 years old and unsupported by the community; you are running something unique to Red Hat.

That said, the imptcp module should be available, but they may have put it in a different package, but you should get similar results with the imtcp module.

David Lang

On Fri, 10 Sep 2021, lists--- via rsyslog wrote:

Date: Fri, 10 Sep 2021 02:41:02 +0100
From: lists--- via rsyslog <[email protected]>
To: Yuri Bushmelev <[email protected]>
Cc: [email protected], rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Struggling with the basics - trying to filter on text
    AND have logs go to /var/log/remote/yadayada

Quoting Yuri Bushmelev <[email protected]>:

Hello!

Please consider to stop using the $ThisConfigSyntaxStyle as "it will make
your life miserable" (c) Rainer Gerhards. There is nice new syntax made
more than 10 years ago.

I guess this is more or less what you're looking for:

```
# Load the plain TCP input module before defining an input of that type
module(load="imptcp")
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")

# dynaFile templates: one target file per sending host
template(name="TmplVPXMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
template(name="TmplAppfwMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="remote1") {
  if $msg contains 'VPX' then {
    # dynaFile must name a template defined above
    action(type="omfile" name="netscaler_vpx_file" dynaFile="TmplVPXMsg")
  } else if $msg contains 'br01' then {
    action(type="omfile" name="cisco_router_file" dynaFile="TmplCiscoRouterMsg")
  } else if $msg contains 'appfw' then {
    action(type="omfile" name="netscaler_appfw_file" dynaFile="TmplAppfwMsg")
  }
}
```

There is still some space for improvements though. I'd suggest creating
different inputs for different kinds of logs. This way you can speed up
processing a bit (because `if $msg contains ...` is slow). Do not overuse
local variables though ($.something).

```
# Load the plain TCP input module before defining inputs of that type
module(load="imptcp")

# Assuming VPX and appfw logs are coming from the same device
# Otherwise easier to create one more input and remove `if $msg contains`
# completely
input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")

input(type="imptcp" name="cisco_router" port="2515" ruleset="cisco_router")

# /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
template(name="TmplNetscalerMsg" type="list") {
  constant(value="/var/log/remote/netscaler/")
  property(name="hostname")
  constant(value="/")
  property(name="$.ns_type")
  constant(value="log")
}

template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="netscaler") {
  # The local variable $.ns_type selects the file name inside the template
  if $msg contains 'VPX' then {
    set $.ns_type = "vpx";
  } else if $msg contains 'appfw' then {
    set $.ns_type = "appfw";
  } else {
    set $.ns_type = "UNKNOWN";
  }
  action(type="omfile" name="netscaler_appfw_file" dynaFile="TmplNetscalerMsg")
}

ruleset(name="cisco_router") {
  action(type="omfile" name="cisco_router_file" dynaFile="TmplCiscoRouterMsg")
}
```

All this knowledge I got from reading the Rsyslog docs here:
https://www.rsyslog.com/doc/v8-stable/configuration/index.html
Yes, it's not that well structured but still worth reading if you're using
Rsyslog a lot.


On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
[email protected]> wrote:

I can successfully have logs going to the correct files under
/var/log/remote/%HOSTNAME%/whatever, with the following template:

  $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
  $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
  $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
  $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
  $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"

and following ruleset:

  $RuleSet justlogs
  *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
  $RuleSet RSYSLOG_DefaultRuleset
  $InputTCPServerBindRuleset justlogs
  $InputTCPServerRun 514


And direct some logs into specific folders, a la:

  ruleset(name="remote1"){
          if $msg contains 'VPX' then {
                  action(type="omfile" file="/var/log/remote/netscaler/netscalerlog")
          }
          if $msg contains 'br01' then {
                  action(type="omfile" file="/var/log/remote/cisco/router/routerlog")
          }
          if $msg contains 'appfw' then {
                  action(type="omfile" file="/var/log/remote/netscaler/appfwlog")
          }
  }
  $RuleSet RSYSLOG_DefaultRuleset   #End the rule set by switching back to the default rule set
  $InputTCPServerBindRuleset remote1  #Define a new input and bind it to the "remote1" rule set
  $InputTCPServerRun 514

But not both at the same time! I've tried smashing the rulesets
together, but no joy.

Reading the manual makes my brain hurt. And the online rsyslog.conf
builder isn't working for me.

Pointers appreciated!

TIA

Pete
--




_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.



--
Yury Bushmelev


Thanks Yuri

This is all good, but rsyslog doesn't like the config!

```
rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2209 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'ruleset' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'port' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'name' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
```

