Thanks David
Yes, my bad, i was still trying to load the "imtcp" module instead of
the "imptcp" module. The rsyslog syntax is now valid, which is a good
start.
And yes, I'm constrained by what I can pull from redhat. Not my choice!
So, my entire config now looks like the below:
$ModLoad imuxsock # provides support for local system logging (e.g.
via logger command)
$ModLoad imjournal # provides access to the systemd journal
$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
$template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
$template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
$template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
$template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
template (name="TmplCiscoFirewallFormat" type="string"
string="%TIMESTAMP% %HOSTNAME%
%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)
template (name="TmplCiscoFirewallFile" type="string"
string="/var/log/remote/cisco/firewalllog"
)
$ModLoad imudp
$RuleSet remoteudp1
:programname, isequal, "SFIMS"
?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
& ~
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remoteudp1
$UDPServerRun 514
$ModLoad imptcp
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
template(name="TmplVPXMsg" type="string"
string="/var/log/remote/netscaler/netscalerlog")
template(name="TmplAppfwMsg" type="string"
string="/var/log/remote/netscaler/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
string="/var/log/remote/cisco/router/routerlog")
ruleset(name="remote1") {
if $msg contains 'VPX' then {
action(type="omfile" name="netscaler_vpx_file"
dynaFile="TmplVPXMsg")
} else if $msg contains 'br01' then {
action(type="omfile" name="cisco_router_file"
dynaFile="TmplCiscoRouterMsg")
} else if $msg contains 'appfw' then {
action(type="omfile" name="netscaler_appfw_file"
dynaFile="TmplAppfwMsg")
}
}
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local7.notice /var/log/cmd.log
It's a mish-mash of old and new styles.
The logs for the templated "TmplVPXMsg" "TmplAppfwMsg"
"TmplCiscoRouterMsg" are working nicely.
My issue is still how to pick out the remaining logs coming in over
514/TCP (ruleset="remote1") and stash them into the templated
"TmplAuthpriv" "TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
I don't know the correct syntax for catching these within the
"remote1" ruleset!
Within previous iterations we had something like:
# Provides TCP syslog reception
$ModLoad imtcp
$RuleSet remote1
:msg, regex , "[Zz][SsUu][Vv][Pp][Xx]"
?TmplNetscalerFile;TmplNetcalerFormat
& ~
authpriv.* ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
cron.* ?TmplCron
mail.* ?TmplMail
local7.notice ?TmplCmd
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back
to the default rule set
$InputTCPServerBindRuleset remote1 #Define a new input and bind it to
the "remote1" rule set
$InputTCPServerRun 514
Pointers appreciated!
TIA
Pete
--
Quoting David Lang <[email protected]>:
> please post your full config, the example config does not have 101
> lines, so it doesn't match the error you are posting.
>
> Also be aware that 8.24 is no about 5 years old and unsupported by
> the community, you are running something unique to redhat.
>
> that said, the imptcp module should be available, but they may have
> put it in a different package, but you should get similar results
> with the imtcp module
>
> David Lang
>
> On Fri, 10 Sep 2021, lists--- via rsyslog wrote:
>
>> Date: Fri, 10 Sep 2021 02:41:02 +0100
>> From: lists--- via rsyslog <[email protected]>
>> To: Yuri Bushmelev <[email protected]>
>> Cc: [email protected], rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Struggling with the basics - trying to filter on
text
>> AND have logs go to /var/log/remote/yadayada
>>
>> Quoting Yuri Bushmelev <[email protected]>:
>>
>>> Hello!
>>>
>>> Please consider to stop useing the $ThisConfigSyntaxStyle as "it will
make
>>> your life miserable" (c) Reiner Gerhards .. There is nice new syntax
made
>>> more than 10 years ago.
>>>
>>> I guess this is more or less what you're looking for:
>>>
>>> ```
>>> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
>>>
>>> template(name="TmplVPXMsg" type="string"
>>> string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
>>> template(name="TmplAppfwMsg" type="string"
>>> string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
>>> template(name="TmplCiscoRouterMsg" type="string"
>>> string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")
>>>
>>> ruleset(name="remote1") {
>>> if $msg contains 'VPX' then {
>>> action(type="omfile" name="netscaler_vpx_file"
>>> dynaFile="TmplNetscalerMsg")
>>> } else if $msg contains 'br01' then {
>>> action(type="omfile" name="cisco_router_file"
>>> dynaFile="TmplCiscoRouterMsg")
>>> } else if $msg contains 'appfw' then {
>>> action(type="omfile" name="netscaler_appfw_file"
>>> dynaFile="TmplAppfwMsg")
>>> }
>>> }
>>> ```
>>>
>>> There is still some space for improvements though. I'd suggest creating
>>> different inputs for different kinds of logs. This way you can speedup
>>> processing a bit (because `if $msg contains ...` is slow). Do not
overuse
>>> local variables though ($.something).
>>>
>>> ```
>>> # Assuming VPX and appfw logs are coming from the same device
>>> # Otherwise easier to create one more input and remove `if $msg
contains`
>>> completely
>>> input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")
>>>
>>> input(type="imptcp" name="cisco_router" port="2515"
ruleset="cisco_router")
>>>
>>> # /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
>>> template(name="TmplNetscalerMsg" type="list" {
>>> constant(value="/var/log/remote/netscaler/")
>>> property(name="hostname")
>>> constant(value="/")
>>> property(name="$.ns_type")
>>> constant(value="log")
>>> }
>>>
>>> template(name="TmplCiscoRouterMsg" type="string"
>>> string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")
>>>
>>> ruleset(name="netscaler") {
>>> if $msg contains 'VPX' then {
>>> set $.ns_type = "vpx";
>>> } else if $msg contains 'appfw' then {
>>> set $.ns_type = "appfw";
>>> } else {
>>> set $.ns_type = "UNKNOWN";
>>> }
>>> action(type="omfile" name="netscaler_appfw_file"
>>> dynaFile="TmplNetscalerMsg")
>>> }
>>>
>>> ruleset(name="cisco_router") {
>>> action(type="omfile" name="cisco_router_file"
>>> dynaFile="TmplCiscoRouterMsg")
>>> }
>>> ```
>>>
>>> All this knowledge I got from reading the Rsyslog docs here:
>>> https://www.rsyslog.com/doc/v8-stable/configuration/index.html
>>> Yes, it's not that well structured but still worth reading if you're
using
>>> Rsyslog a lot.
>>>
>>>
>>> On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
>>> [email protected]> wrote:
>>>
>>>> I can successfully have logs going to the correct files under
>>>> /var/log/remote/%HOSTNAME%/whatever, with the following template:
>>>>
>>>> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
>>>> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
>>>> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
>>>> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
>>>> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
>>>>
>>>> and following ruleset:
>>>>
>>>> $RuleSet justlogs
>>>> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
>>>> $RuleSet RSYSLOG_DefaultRuleset
>>>> $InputTCPServerBindRuleset justlogs
>>>> $InputTCPServerRun 514
>>>>
>>>>
>>>> And direct some logs into specific folders, a la:
>>>>
>>>> ruleset(name="remote1"){
>>>> if $msg contains 'VPX' then {
>>>> action(type="omfile"
>>>> file="/var/log/remote/netscaler/netscalerlog")
>>>> }
>>>> if $msg contains 'br01' then {
>>>> action(type="omfile"
>>>> file="/var/log/remote/cisco/router/routerlog")
>>>> }
>>>> if $msg contains 'appfw' then {
>>>> action(type="omfile"
>>>> file="/var/log/remote/netscaler/appfwlog")
>>>> }
>>>> }
>>>> $RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching
>>>> back to the default rule set
>>>> $InputTCPServerBindRuleset remote1 #Define a new input and bind it
>>>> to the "remote1" rule set
>>>> $InputTCPServerRun 514
>>>>
>>>> But not both at the same time! I've tried smashing the rulesets
>>>> together, but no joy.
>>>>
>>>> Reading the manual makes my brain hurt. And the online rsyslog.conf
>>>> builder isn't working for me.
>>>>
>>>> Pointers appreciated!
>>>>
>>>> TIA
>>>>
>>>> Pete
>>>> --
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>>
>>>
>>>
>>> --
>>> Yury Bushmelev
>>>
>>
>> Thanks Yuri
>>
>> This is all good, but rsyslog doesn't like the config!
>>
>> rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level
>> 1), master config /etc/rsyslog.conf |
>> rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1
>> try http://www.rsyslog.com/e/2209 ] |
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> line 101: parameter 'ruleset' not known -- typo in config file?
>> [v8.24.0-57.el7_9.1 try http
>> ://www.rsyslog.com/e/2207 ]
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> line 101: parameter 'port' not known -- typo in config file?
>> [v8.24.0-57.el7_9.1 try http://
>> www.rsyslog.com/e/2207 ]
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> line 101: parameter 'name' not known -- typo in config file?
>> [v8.24.0-57.el7_9.1 try http://
>> www.rsyslog.com/e/2207 ]
>>
>>
>> _______________________________________________
>> rsyslog mailing list
>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>> POST if you DON'T LIKE THAT.
>
