I think we should first see which errors you got when you used the original config. In general, of configs always with in newer rsyslog versions. But RH might have changed s/t in regard to the journal.
There is no hard need to convert existing configs, albeit it often improves readability. But I think it is best to did the root cause first, so that we know what was wrong. Also, when something did not work, eg need to know the actual error messages in order to help. I hope that helps a bit even though I did not yet dig through all details. Please let us know which errors are generated by your previous config. Rainer Sent from phone, thus brief. warron.french via rsyslog <[email protected]> schrieb am Mi., 17. Dez. 2025, 19:45: > I need to translate rsyslogd-8.24.0-57, used on RHEL7 servers to be > effectively adapted for RHEL8 servers running rsyslogd-8.2102.0-15. > > I have tried to do this on my own, with Python developers (who wrote > Ansible playbooks, etc..) that were in the same environment and for some > reason assumed that the RHEL7*/*rsyslogd-8.24.0-57 rsyslog.conf file could > be used on a RHEL8 server. > > I found issues, I addressed them in the rsyslog.conf in our Dev Lab and > got things working to my expectations. > > However, leaning into the Production environment, I made the assumptions > that I could take my own syntax adaptations and simply drop them into the > factory-fresh (newly installed) rsyslog.conf running on the RHEL8 server we > have in our Production environments. > *This did not work in our Prod environment as expected, like it did in our > Dev Lab.* > > I am hoping that someone can help me, as I attempt to help you help me by > posting details in "sections," such as listeners, modules, templates, and > conditionals (that help parse incoming data into separate log files). > > What I had for RHEL7 rsyslog.conf config changes were the following (which > I got help on this List before to fine tune them): > *Listeners* > I had the following for listeners before: > $ModLoad imudp > $UDPServerRun 514 > > $ModLoad imtcp > $TCPServerRun 514 > > I need to have a UDP and a TCP listener because not all of our devices > transmit over TCP, and we need the syslog-data records to be recorded. > So, what I tried as an adaptation was: > module(load=”imudp”) # needs to be done just once > input(type=”imudp” port=”514” address=”172.20.46.101”) > > module(load=”imtcp”) # needs to be done just once > input(type=”imtcp” port=”514” address=”172.20.46.101”) > > I get listeners up on both protocols (udp & tcp), so I believe that I am > fine here. If you have comments for improvements, please tell me. > > *Modules* > In the RHEL7 rsyslog-8.24.0-57 config file, rsyslog.conf, I used the > following syntax, to ensure that logfiles were created and set to specific > custom ownerships, modes, etc.. etc... > Module(load=”builtin:omfile”) > $CreateDirs on > $DirCreateMode 0700 > $FileCreateMode 0600 > $FileGroupNum 1037 <-- This is what I got > help with last time I reached out to the List; the use/being made aware of > this directive (FleGroupNum). > > So with respect to rsyslog-8.2102.0-15, I adapted the syntax to this > (again, please provide suggestions/corrections if necessary): > module(load="builtin:omfile" dirCreateMode="0700" fileCreateMode="0600" > fileGroupNum="1037") > action(type="omfile" createDirs="on") > > Does this make sense? > > *Templates* > I used templates that also employ Rsyslog properties, specifically I use > %HOSTNAME% so that I can get log files generated on the fly and not have to > hard-code the hostnames. > This is how I addressed the task/configuration in RHEL7 rsyslog-8.24.0-57 > config file, rsyslog.conf: > $template CATC,”/var/log/remote/%HOSTNAME%.log” > $template SECU,”/var/log/remote/%HOSTNAME%/secure” > $template MESG,”/var/log/remote/%HOSTNAME%/messages” > > This is how I *attempted to* address the configuration with the > rsyslog-8.2102.0-15 config file, rsyslog.conf: > template(name="CATC" type="string" string="/var/log/remote/%HOSTNAME%.log") > template(name="SECU" type="string" > string="/var/log/remote/%HOSTNAME%/secure") > template(name="MESG" type="string" > string="/var/log/remote/%HOSTNAME%/messages") > > I start getting lost right around this point, because I see references to > actions for rsyslog-8.2102.0-15 and am not sure what to do. > I honestly do not know, if: > 1. I need to use the template syntax still or not; or is it deprecated > by the action(syntax)? > 2. I also do not know if I can still use the %HOSTNAME% Rsyslog > property or not. > > I definitely need help, inputs, corrections, adjustments that help me > understand the details immediately above. > > *Conditionals* > Finally, I have this syntax for parsing incoming data from various sources, > then depositing it into a logfile using the aforementioned templates (using > %HOSTNAM%) with rsyslog-8.24.0-57: > if ($fromhost-ip startswith ‘172.20.245.5’ or $fromhost-ip contains > ‘172.20.245.101’) then { > authpriv.* > -?SECU > *.info;mail.none;authpriv.none;cron.none > -?MESG > & stop > } else if ( $fromhost contains ‘i42tskvm’ ) then { > *.* > -?MESG > stop > } else { > *.* > /var/log/messages > stop > } > > This syntax works perfectly for me on the older Rsyslog servers. I am > really confused on what to do on RHEL8 rsyslog-8.2102.0-15. > I am not sure what to do with the action(syntax) in combination with the > template(syntax) to make this all come together. > > Thank you for any guidance and suggestions. > > -------------------------- > Warron French > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
