Hi, Following advice from this list, I've added the adiscom repository to the rocky linux, installed rsyslog and rsyslog-pmciscoios and restarted rsyslog service.
*[root@svpasr1logp01 rsyslog.d]# rpm -qi rsyslogName : rsyslogVersion : 8.2310.0.masterRelease : 1694045281Architecture: x86_64Install Date: Thu 07 Sep 2023 12:34:27 PM WESTGroup : System Environment/DaemonsSize : 2664591License : (GPLv3+ and ASL 2.0)Signature : RSA/SHA256, Thu 07 Sep 2023 01:19:35 AM WEST, Key ID 6b11d5c78f67ef64Source RPM : rsyslog-8.2310.0.master-1694045281.src.rpmBuild Date : Thu 07 Sep 2023 01:19:32 AM WESTBuild Host : cb116f7368f7Relocations : (not relocatable)URL : http://www.rsyslog.com/ <http://www.rsyslog.com/>Summary : Enhanced system logging and kernel message trapping daemonDescription :Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,and fine grain output format control. It is compatible with stock sysklogdand can be used as a drop-in replacement. Rsyslog is simple to set up, withadvanced features suitable for enterprise-class, encryption-protected syslogrelay chains.[root@svpasr1logp01 rsyslog.d]# rpm -qi rsyslog-pmciscoiosName : rsyslog-pmciscoiosVersion : 8.2310.0.masterRelease : 1694045281Architecture: x86_64Install Date: Thu 07 Sep 2023 04:05:39 PM WESTGroup : System Environment/DaemonsSize : 17000License : (GPLv3+ and ASL 2.0)Signature : RSA/SHA256, Thu 07 Sep 2023 01:19:36 AM WEST, Key ID 6b11d5c78f67ef64Source RPM : rsyslog-8.2310.0.master-1694045281.src.rpmBuild Date : Thu 07 Sep 2023 01:19:32 AM WESTBuild Host : cb116f7368f7Relocations : (not relocatable)URL : http://www.rsyslog.com/ <http://www.rsyslog.com/>Summary : pmciscoios supportDescription :Parser module which supports various Cisco IOS formats.* Then I've populated a file named switches.conf in /etc/rsyslog.d/ with the following content: *$template TmplAuth, "/var/log/remote-syslog/testswitch1.log"#Modulesmodule(load="imtcp")module(load="pmciscoios")#Inputsinput(type="imtcp" port="20514" ruleset="rsyslogswitchs")#Parsersparser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")#Rulesruleset(name="rsyslogswitchs" parser=["custom.ciscoios.withOrigin", "rsyslog.ciscoios"]){ *.* action(type="omfile" DynaFile="TmplAuth"* Unfortunately it's not possible to load this file/input: *[root@svpasr1logp01 rsyslog.d]# rsyslogd -f /etc/rsyslog.conf -N3rsyslogd: version 8.2310.0.master, config validation run (level 3), master config /etc/rsyslog.confrsyslogd: module 'imtcp' already in this config, cannot be added [v8.2310.0.master try https://www.rsyslog.com/e/2221 <https://www.rsyslog.com/e/2221> ]rsyslogd: error during parsing file /etc/rsyslog.d/switches.conf, on or before line 19: invalid character '}' in object definition - is there an invalid escape sequence somewhere? [v8.2310.0.master try https://www.rsyslog.com/e/2207 <https://www.rsyslog.com/e/2207> ]rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 40: invalid character '$' in object definition - is there an invalid escape sequence somewhere? [v8.2310.0.master try https://www.rsyslog.com/e/2207 <https://www.rsyslog.com/e/2207> ]rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 40: syntax error on token 'on' [v8.2310.0.master try https://www.rsyslog.com/e/2207 <https://www.rsyslog.com/e/2207> ]rsyslogd: could not interpret master config file '/etc/rsyslog.conf'. [v8.2310.0.master try https://www.rsyslog.com/e/2207 <https://www.rsyslog.com/e/2207> ]rsyslogd: imtcp: ruleset 'rsyslogswitchs' for port 20514 not found - using default ruleset instead [v8.2310.0.master]* If the new file is removed, rsyslog is able to start without this warnings, so I presume the error may lie in the added configuration. Any help would be appreciated. Best, Pedro _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
