[rsyslog] Rsyslog Arrays not Working as Expected

2016-09-16 Thread Shane Lawrence
When I use this syntax, arrays work just fine:
if ($fromhost-ip == ["127.0.0.1", "1.1.1.1"]) then {

but when I use this syntax, it only matches the first item in the array:
set $/ARCSIGHT_WHITELIST = ["127.0.0.1", "1.1.1.1"];
if ($fromhost-ip == $ARCSIGHT_WHITELIST) then {

There are no syntax errors when I check rsyslogd -N1. I am using v8.21.0 on
CentOS 7.

I believe both of these should have the same result. If arrays can't be
used in this way, they should generate an error.

Is there a workaround?
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Newbie: I'm not able to forward RELP to Redis. Any clue?

2016-09-16 Thread mosto...@gmail.com
After HOURS and at the edge of craziness I realized I missed 
/serverpassword/ property.


Damn code blindness.


On 16/09/16 at 12:08, mosto...@gmail.com wrote:

Hi


I'm trying to forward RELP messages to REDIS, but I haven't succeeded 
so far.


*That's my /etc/rsyslog.conf (default's ugly-legacy format):*

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

#$ModLoad immark  # provides --MARK-- message capability

$MaxMessageSize 2k

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirOwner syslog
$DirGroup adm
$DirCreateMode 0755
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf

*.emerg:omusrmsg:*


*And that's my pretty /etc/rsyslog.d/repl2redis.conf:*

global(workDirectory="/var/spool/rsyslog")

# http://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html
module(load="imrelp")
input(
port="20514"
type="imrelp"
name="imrelp"
ruleset="toredis"
)

# http://www.rsyslog.com/doc/master/configuration/modules/omhiredis.html
module(load="omhiredis")
ruleset(name="toredis"){
# http://www.rsyslog.com/doc/v8-stable/configuration/actions.html
action(
mode="queue"
name="omhiredis"
serverport="6379"
server="myserver"
type="omhiredis"
key="foo"
action.resumeRetryCount="-1"
action.reportSuspension="on"
queue.maxdiskspace="1G"
queue.type="LinkedList"
queue.filename="omhiredis"
queue.SaveOnShutdown="on"
)
}


I expected rsyslog to LPUSH every message to key "foo", but it's not 
working.


Is there anything wrong with this configuration? Am I missing something?
Thanks for your kind help.

Regards




Re: [rsyslog] Newbie: I'm not able to forward RELP to Redis. Any clue?

2016-09-16 Thread mosto...@gmail.com

Related to this:

http://www.rsyslog.com/doc/master/configuration/modules/omhiredis.html 
has a few errata in the examples, where it states /port/ instead of 
/serverport/.


Is it worth opening an issue? Where?

Regards


On 16/09/16 at 12:08, mosto...@gmail.com wrote:

Hi


I'm trying to forward RELP messages to REDIS, but I haven't succeeded 
so far.


*That's my /etc/rsyslog.conf (default's ugly-legacy format):*

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

#$ModLoad immark  # provides --MARK-- message capability

$MaxMessageSize 2k

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirOwner syslog
$DirGroup adm
$DirCreateMode 0755
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf

*.emerg:omusrmsg:*


*And that's my pretty /etc/rsyslog.d/repl2redis.conf:*

global(workDirectory="/var/spool/rsyslog")

# http://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html
module(load="imrelp")
input(
port="20514"
type="imrelp"
name="imrelp"
ruleset="toredis"
)

# http://www.rsyslog.com/doc/master/configuration/modules/omhiredis.html
module(load="omhiredis")
ruleset(name="toredis"){
# http://www.rsyslog.com/doc/v8-stable/configuration/actions.html
action(
mode="queue"
name="omhiredis"
serverport="6379"
server="myserver"
type="omhiredis"
key="foo"
action.resumeRetryCount="-1"
action.reportSuspension="on"
queue.maxdiskspace="1G"
queue.type="LinkedList"
queue.filename="omhiredis"
queue.SaveOnShutdown="on"
)
}


I expected rsyslog to LPUSH every message to key "foo", but it's not 
working.


Is there anything wrong with this configuration? Am I missing something?
Thanks for your kind help.

Regards
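
A configuration check for the two mistakes reported in this thread (a missing serverpassword, and port written where serverport is meant), as an added example that is not part of the original posts or of rsyslog. The function names and the sample are constructed here, and it assumes the Redis server requires a password, as the fix reported above implies.

```python
import re

# Constructed sample: the omhiredis action from the post, trimmed to the
# parameters that matter here (queue.* settings omitted).
SAMPLE_CONF = '''
module(load="omhiredis")
ruleset(name="toredis"){
# http://www.rsyslog.com/doc/v8-stable/configuration/actions.html
action(
mode="queue"
name="omhiredis"
serverport="6379"
server="myserver"
type="omhiredis"
key="foo"
)
}
'''

COMMENT_RE = re.compile(r'^((?:[^"#\n]|"[^"\n]*")*)#.*$', re.M)
ACTION_RE = re.compile(r'\baction\s*\(((?:[^()"]|"[^"]*")*)\)')
PARAM_RE = re.compile(r'([A-Za-z][\w.]*)\s*=\s*"([^"]*)"')


def omhiredis_actions(conf_text):
    """Yield one {param: value} dict per action(type="omhiredis" ...) block."""
    text = COMMENT_RE.sub(r'\1', conf_text)  # drop '#' comments outside quotes
    for block in ACTION_RE.finditer(text):
        # rsyslog parameter names are case-insensitive, so normalise them.
        params = {k.lower(): v for k, v in PARAM_RE.findall(block.group(1))}
        if params.get("type", "").lower() == "omhiredis":
            yield params


def lint_omhiredis(conf_text, redis_requires_auth=True):
    """Return human-readable findings for each omhiredis action."""
    findings = []
    for params in omhiredis_actions(conf_text):
        name = params.get("name", "<unnamed>")
        if "port" in params and "serverport" not in params:
            findings.append(f"{name}: uses port=, expected serverport=")
        if redis_requires_auth and "serverpassword" not in params:
            findings.append(f"{name}: serverpassword is not set")
    return findings


if __name__ == "__main__":
    for finding in lint_omhiredis(SAMPLE_CONF):
        print(finding)
```
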




[rsyslog] Newbie: I'm not able to forward RELP to Redis. Any clue?

2016-09-16 Thread mosto...@gmail.com

Hi


I'm trying to forward RELP messages to REDIS, but I haven't succeeded so 
far.


*That's my /etc/rsyslog.conf (default's ugly-legacy format):*

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

#$ModLoad immark  # provides --MARK-- message capability

$MaxMessageSize 2k

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirOwner syslog
$DirGroup adm
$DirCreateMode 0755
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf

*.emerg:omusrmsg:*


*And that's my pretty /etc/rsyslog.d/repl2redis.conf:*

global(workDirectory="/var/spool/rsyslog")

# http://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html
module(load="imrelp")
input(
port="20514"
type="imrelp"
name="imrelp"
ruleset="toredis"
)

# http://www.rsyslog.com/doc/master/configuration/modules/omhiredis.html
module(load="omhiredis")
ruleset(name="toredis"){
# http://www.rsyslog.com/doc/v8-stable/configuration/actions.html
action(
mode="queue"
name="omhiredis"
serverport="6379"
server="myserver"
type="omhiredis"
key="foo"
action.resumeRetryCount="-1"
action.reportSuspension="on"
queue.maxdiskspace="1G"
queue.type="LinkedList"
queue.filename="omhiredis"
queue.SaveOnShutdown="on"
)
}


I expected rsyslog to LPUSH every message to key "foo", but it's not 
working.


Is there anything wrong with this configuration? Am I missing something?
Thanks for your kind help.

Regards



Re: [rsyslog] Fwd: Re: rsyslog kills entire system => force reboot

2016-09-16 Thread singh.janmejay
How long does it take to go thru one cycle of verifying the problem exists?
I was wondering if bisecting would be viable?

May not be required though, stats, entire config and all thread backtrace
will likely give you/us enough clues.

On Sep 16, 2016 12:30 PM, "Raffael Sahli"  wrote:

> yep, I can confirm that the problem is gone.
> Downgrade back to 8.20 solved the problem.
>
> Anybody with the same problem?
>
>
>  Forwarded Message 
> Subject: Re: [rsyslog] rsyslog kills entire system => force reboot
> Date: Mon, 12 Sep 2016 11:03:58 +0200
> From: Raffael Sahli 
> To: rsyslog@lists.adiscon.com
>
> fyi since the downgrade to 8.20 (from 8.21), we didn't notice any problems.
>
>
>
> On 09.09.2016 15:48, Raffael Sahli wrote:
>
>> On 09.09.2016 15:09, David Lang wrote:
>>  > On Fri, 9 Sep 2016, Raffael Sahli wrote:
>>
>>  >>
>>  >> Actually I tried $ActionResumeRetryCount with a value 10, @see 2nd
>>  >> configuration. But faced the same problem.
>>  >>
>>  >>
>>  >> Strange thing is, I deployed new rsyslog configs without the remote
>>  >> forwarding, but this morning one server was unresponsive again, same
>>  >> problem.
>>  >>
>>  >> Does anybody know, can this also happen without remote forwarding?
>>  >
>>  > where are your local logs being written? is there any chance that it's
>>  > running out of space or otherwise falling behind (think of a slow NFS
>>  > server)
>>  >
>>  > remember that even with retries = 10 rsyslog won't stop completely, but
>>  > it will slow things down drastically so that it appears to be dead.
>>
>> No, just the local filesystem.
>> And the fs and disk i/o is fine.
>>
>>
>>  >
>>  >> Maybe this is more a general syslog problem, as far as I know the RFC,
>>  >> since syslog should never lose any messages by default.
>>  >> I just like to know what rsyslog config I should use with remote
>>  >> forwarding, but without any timeout for syslog services if syslog is
>>  >> somehow unresponsive.
>>  >
>>  > per the syslog spec it should block forever if it can't deliver the
>>  > message.
>>
>> Yeah that's the point, I don't get that
>>
>>  >
>>  > But to really see what's going on, configure impstats and have it write
>>  > to a local file, that will let you see what's going on when it appears
>>  > to stall.
>>
>> Mhm will try it out, or/and try downgrade to an earlier version since I
>> did not have such problems before.
>>
>>
>>
>>
>>
>
> --
> Raffael Sahli
>
>


[rsyslog] Fwd: Re: rsyslog kills entire system => force reboot

2016-09-16 Thread Raffael Sahli

yep, I can confirm that the problem is gone.
Downgrade back to 8.20 solved the problem.

Anybody with the same problem?


 Forwarded Message 
Subject: Re: [rsyslog] rsyslog kills entire system => force reboot
Date: Mon, 12 Sep 2016 11:03:58 +0200
From: Raffael Sahli 
To: rsyslog@lists.adiscon.com

fyi since the downgrade to 8.20 (from 8.21), we didn't notice any problems.



On 09.09.2016 15:48, Raffael Sahli wrote:

On 09.09.2016 15:09, David Lang wrote:
 > On Fri, 9 Sep 2016, Raffael Sahli wrote:

 >>
 >> Actually I tried $ActionResumeRetryCount with a value 10, @see 2nd
 >> configuration. But faced the same problem.
 >>
 >>
 >> Strange thing is, I deployed new rsyslog configs without the remote
 >> forwarding, but this morning one server was unresponsive again, same
 >> problem.
 >>
 >> Does anybody know, can this also happen without remote forwarding?
 >
 > where are your local logs being written? is there any chance that it's
 > running out of space or otherwise falling behind (think of a slow NFS
 > server)
 >
 > remember that even with retries = 10 rsyslog won't stop completely, but
 > it will slow things down drastically so that it appears to be dead.

No, just the local filesystem.
And the fs and disk i/o is fine.


 >
 >> Maybe this is more a general syslog problem, as far as I know the RFC,
 >> since syslog should never lose any messages by default.
 >> I just like to know what rsyslog config I should use with remote
 >> forwarding, but without any timeout for syslog services if syslog is
 >> somehow unresponsive.
 >
 > per the syslog spec it should block forever if it can't deliver the
 > message.

Yeah that's the point, I don't get that

 >
 > But to really see what's going on, configure impstats and have it write
 > to a local file, that will let you see what's going on when it appears
 > to stall.

Mhm will try it out, or/and try downgrade to an earlier version since I
did not have such problems before.







--
Raffael Sahli
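
One way to read the impstats output suggested in the thread when rsyslog appears to stall, as an added example that is not part of the original posts. The sample lines are constructed; it assumes impstats' legacy key=value line format and cumulative counters (resetCounters off).

```python
import re

# Constructed impstats lines in the legacy key=value format; hostnames,
# timestamps and counter values are invented for illustration.
SAMPLE_STATS = """\
Sep 16 12:00:00 host1 rsyslogd-pstats: main Q: origin=core.queue size=120 enqueued=5000 full=0 discarded.full=0 discarded.nf=0 maxqsize=300
Sep 16 12:00:00 host1 rsyslogd-pstats: action 2: origin=core.action processed=4880 failed=0 suspended=0 suspended.duration=0 resumed=0
Sep 16 12:01:00 host1 rsyslogd-pstats: main Q: origin=core.queue size=9800 enqueued=14700 full=3 discarded.full=0 discarded.nf=0 maxqsize=9800
Sep 16 12:01:00 host1 rsyslogd-pstats: action 2: origin=core.action processed=4900 failed=0 suspended=1 suspended.duration=30 resumed=0
"""

LINE_RE = re.compile(r"rsyslogd-pstats: (?P<name>.+?): origin=(?P<origin>\S+)(?P<kv>.*)$")


def parse_stats(text):
    """Return [(name, origin, {counter: int})] for each impstats line."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an impstats record
        counters = {}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            if value.isdigit():
                counters[key] = int(value)
        samples.append((m.group("name"), m.group("origin"), counters))
    return samples


def find_stalls(text):
    """Compare consecutive samples of each object and flag stall symptoms."""
    last, findings = {}, []
    for name, origin, cur in parse_stats(text):
        prev = last.get(name)
        last[name] = cur
        if prev is None:
            continue  # first sample of this object, nothing to compare
        if origin == "core.queue" and cur.get("full", 0) > prev.get("full", 0):
            findings.append(f"{name}: queue hit its limit, size {prev.get('size')} -> {cur.get('size')}")
        if origin == "core.action" and cur.get("suspended", 0) > prev.get("suspended", 0):
            done = cur.get("processed", 0) - prev.get("processed", 0)
            findings.append(f"{name}: action suspended, {done} messages processed in interval")
    return findings


if __name__ == "__main__":
    print("\n".join(find_stalls(SAMPLE_STATS)))
```
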

