[rsyslog] Facing issues with rsyslog configuration

2018-04-25 Thread eswar472 via rsyslog
 Hi,

I am trying to test remote logging between two Ubuntu machines. On the
Ubuntu machine that I wanted to make the server, I changed
/etc/rsyslog.conf as below. After that I restarted the service with "sudo
service rsyslog restart" and then checked netstat. I don't see port 514 open.
As per some suggestions on the internet I tried ports 10514 and 20514, but
no luck.

Commands I executed after changing configuration file

rreddy@rreddy-node2:~$ sudo service rsyslog restart
rsyslog stop/waiting
rsyslog start/running
rreddy@rreddy-node2:~$ netstat | grep 514
unix  3  [ ] STREAM CONNECTED 30472 @/tmp/.ICE-unix/25149
unix  3  [ ] STREAM CONNECTED 73514
unix  3  [ ] STREAM CONNECTED 23293 @/tmp/.ICE-unix/25149


Below is the content of my /etc/rsyslog file

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#   For more information see
#   /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

$AllowedSender TCP, 127.0.0.1, 10.22.42.115
$template Incoming-logs,"/var/log/test.log"

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


Can you help me in finding what is wrong with this configuration?

Thank you,
Eshwar
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Filter on priority from docker

2018-04-25 Thread Rainer Gerhards
Not sure - the config snippet looks different. Probably we need the full
config and a description of what is logging where if this is on a concentrator...

Rainer

Sent from phone, thus brief.

David Lang wrote on Wed, 25 Apr 2018, 19:28:

> On Wed, 25 Apr 2018, Rainer Gerhards wrote:
>
> > 2018-04-25 9:29 GMT+02:00 Flo Rance :
> >> Ok, but if ".err" means "err and above", why does it forward messages with
> >> the severity INFO as in the example ?
> >
> > pls post the raw message - how do you know it is INFO?
>
> in the docker world, the 'standard' is that messages get dumped to stdout, not
> in any standard format, so INFO: in the message body is the indication.
>
> It looks like these logs should be parsed with mmnormalize to extract the
> various fields (potentially as a parser on the input)


Re: [rsyslog] server received messages but rsyslog did not write them into a file

2018-04-25 Thread David Lang

On Wed, 25 Apr 2018, sophie.loewenthal--- via rsyslog wrote:


> From a rsyslog view what sort of acknowledgement should it receive to know the
> destination servers are filling up?  The destinations run Logstash.


when you are delivering messages via TCP (as you are in this case), your only 
indication is that the TCP buffers fill up, and the output then gets suspended. 
But if all your logs run through the same flow, the logs showing that the output 
is suspended are stuck behind the messages waiting to be delivered :-/



what I do is to define impstats to use a different ruleset (with its own queue,
so it doesn't get stuck in the main queue)


something like:


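# emit impstats counters every 60 seconds as JSON, bound to their own ruleset
module(load="impstats" interval="60" format="json" ruleset="high-p")
# separate ruleset with its own queue, so stats never wait behind the main queue
ruleset(name="high-p" queue.type="array" queue.size="1000" queue.filename="high-p"
        queue.saveonshutdown="on") {
    action(name="high-p-parse" type="mmnormalize"
           rule=["version=2","rule=stats:%.:json%","rule=stats:%-:whitespace%%.:json%"])
    # "destination" and "format" are placeholders for your remote host and template
    *.* @destination;format
    *.* /var/log/pstats
}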

This will process your stats data to a file and (if not too busy) a remote 
system so that you can then alert on queues filling up
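
An added example (not part of the original message) of the alerting step described above: a Python script that reads impstats JSON lines from the stats file and flags queues that are filling up and actions that have become suspended. The sample lines, the action name `fwd-logstash` and the limits in `CONFIGURED_LIMITS` are constructed assumptions; the limits must come from your own config because the impstats `maxqsize` field is only the observed high-water mark.

```python
import json

# Configured queue.size per queue name. Assumption: copied by hand from your
# own rsyslog.conf; the impstats field "maxqsize" is only the high-water mark.
CONFIGURED_LIMITS = {"main Q": 100000}
FILL_THRESHOLD = 0.8  # flag a queue once it is 80% full

# Constructed sample of the stats file: three 60-second intervals plus one
# unrelated line. Counters are cumulative (impstats default, no resetCounters).
SAMPLE_PSTATS = """\
Apr 25 10:00:00 relay rsyslogd-pstats: {"name":"main Q","origin":"core.queue","size":120,"enqueued":5000,"full":0,"discarded.full":0,"discarded.nf":0,"maxqsize":450}
Apr 25 10:00:00 relay rsyslogd-pstats: {"name":"fwd-logstash","origin":"core.action","processed":4880,"failed":0,"suspended":0,"suspended.duration":0,"resumed":0}
Apr 25 10:00:30 relay rsyslogd: unrelated text without a JSON body
Apr 25 10:01:00 relay rsyslogd-pstats: {"name":"main Q","origin":"core.queue","size":85000,"enqueued":95000,"full":0,"discarded.full":0,"discarded.nf":0,"maxqsize":85000}
Apr 25 10:01:00 relay rsyslogd-pstats: {"name":"fwd-logstash","origin":"core.action","processed":10000,"failed":0,"suspended":1,"suspended.duration":30,"resumed":0}
Apr 25 10:02:00 relay rsyslogd-pstats: {"name":"main Q","origin":"core.queue","size":100000,"enqueued":110000,"full":3,"discarded.full":0,"discarded.nf":0,"maxqsize":100000}
Apr 25 10:02:00 relay rsyslogd-pstats: {"name":"fwd-logstash","origin":"core.action","processed":10000,"failed":0,"suspended":1,"suspended.duration":90,"resumed":0}
"""


def parse_pstats_line(line):
    """Return the JSON object embedded in one stats line, or None."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        record = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def counter_delta(current, last, field):
    """Increase of a cumulative counter since the previous sample.

    Returns 0 for the first sample and after a counter reset (daemon restart).
    """
    if last is None:
        return 0
    return max(0, current.get(field, 0) - last.get(field, 0))


def evaluate(lines, limits=CONFIGURED_LIMITS, threshold=FILL_THRESHOLD):
    """Return (name, kind, detail) tuples for every condition worth alerting on."""
    alerts, previous = [], {}
    for line in lines:
        record = parse_pstats_line(line)
        if record is None:
            continue
        name, origin = record.get("name"), record.get("origin")
        last = previous.get((origin, name))
        if origin == "core.queue":
            limit = limits.get(name)
            size = record.get("size", 0)
            if limit and size >= threshold * limit:
                alerts.append((name, "queue-filling", f"{size}/{limit}"))
            hit_full = counter_delta(record, last, "full")
            if hit_full:
                alerts.append((name, "queue-full", f"{hit_full} times"))
            dropped = (counter_delta(record, last, "discarded.full")
                       + counter_delta(record, last, "discarded.nf"))
            if dropped:
                alerts.append((name, "messages-discarded", str(dropped)))
        elif origin == "core.action":
            newly_suspended = counter_delta(record, last, "suspended")
            if newly_suspended:
                alerts.append((name, "action-suspended", f"{newly_suspended} times"))
        previous[(origin, name)] = record
    return alerts


if __name__ == "__main__":
    for name, kind, detail in evaluate(SAMPLE_PSTATS.splitlines()):
        print(f"ALERT {kind}: {name} ({detail})")
```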



Re: [rsyslog] Urgent, need help with correct usage of local variables in an action

2018-04-25 Thread David Lang

On Wed, 25 Apr 2018, putcha narayana wrote:


> set $.configuredSeverity = "6";
> if ($syslogseverity <= $.configuredSeverity) -- this is allowed and we can add
> to the documentation.


Yes, this is allowed, any variable comparison is allowed

you can also do

if ($syslogseverity <= "6")

I'm not sure what would need to be added to the documentation, but if it's not 
clear that both of these would be allowed, please submit a PR (or even just an 
issue with suggested new wording) to help us make it clear


David Lang


[rsyslog] Resend: rsyslog v8.x server config with tls

2018-04-25 Thread Li, Mike via rsyslog



Hi all,
We are migrating from rsyslog v5 to v8
We have followed information for v5
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem
$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514

Now in rsyslog v8, we tried with the above v5 config and the steps in
https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_server.html and
https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html but got

rsyslogd: invalid or yet-unknown config file command 
'InputTCPServerStreamDriverAuthMode' - have you forgotten to load a module? 
[v8.34.0 try http://www.rsyslog.com/e/3003 ]
rsyslogd: invalid or yet-unknown config file command 
'InputTCPServerStreamDriverPermittedPeer' - have you forgotten to load a 
module? [v8.34.0 try http://www.rsyslog.com/e/3003 ]
rsyslogd: invalid or yet-unknown config file command 
'InputTCPServerStreamDriverMode' - have you forgotten to load a module? 
[v8.34.0 try http://www.rsyslog.com/e/3003 ]
rsyslogd: invalid or yet-unknown config file command 
'InputTCPServerStreamDriverAuthMode' - have you forgotten to load a module? 
[v8.34.0 try http://www.rsyslog.com/e/3003 ]
rsyslogd: invalid or yet-unknown config file command 'InputTCPServerRun' - have 
you forgotten to load a module? [v8.34.0 try http://www.rsyslog.com/e/3003 ]

We tried with  input(type="imtcp" port="10514") using example from 
https://www.rsyslog.com/using-tls-with-relp/
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: 
parameter 'tls.permittedpeer' not known -- typo in config file? [v8.34.0 try 
http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: 
parameter 'tls.authMode' not known -- typo in config file? [v8.34.0 try 
http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: 
parameter 'tls.myPrivKey' not known -- typo in config file? [v8.34.0 try 
http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: 
parameter 'tls.myCert' not known -- typo in config file? [v8.34.0 try 
http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: 
parameter 'tls.caCert' not known -- typo in config file? [v8.34.0 try 
http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: 
parameter 'tls' not known -- typo in config file? [v8.34.0 try 
http://www.rsyslog.com/e/2207 ]
Please advise how to get TLS configuration to work in rsyslog v8.34. How to combine
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html#gnutlsprioritystring ?

Thanks.
Best Regards,
Mike Li



Re: [rsyslog] Filter on priority from docker

2018-04-25 Thread David Lang

On Wed, 25 Apr 2018, Rainer Gerhards wrote:


> 2018-04-25 9:29 GMT+02:00 Flo Rance :
>> Ok, but if ".err" means "err and above", why does it forward messages with
>> the severity INFO as in the example ?
>
> pls post the raw message - how do you know it is INFO?


in the docker world, the 'standard' is that messages get dumped to stdout, not 
in any standard format, so INFO: in the message body is the indication.


It looks like these logs should be parsed with mmnormalize to extract the 
various fields (potentially as a parser on the input)
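
An added example (not part of the original message) of the extraction step suggested above, written in Python rather than as an mmnormalize rulebase: it decodes the syslog PRI, pulls the level keyword out of the message body, and applies an "err and above" test to each. The `<155>` PRI (local3.err) on the frames is a constructed value, `LEVEL_TO_SEVERITY` is an assumed mapping, and the second and third frames are constructed; the first message text is the one quoted in this thread.

```python
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL3 = 19  # syslog facility code for local3

# Assumed mapping from level keywords in the message body to syslog severities.
LEVEL_TO_SEVERITY = {"CRITICAL": 2, "ERROR": 3, "WARNING": 4, "INFO": 6, "DEBUG": 7}

# Traditional "<PRI>Mmm dd hh:mm:ss host tag[pid]: message" framing.
FRAME_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.S,
)
BODY_LEVEL_RE = re.compile(r"\b(" + "|".join(LEVEL_TO_SEVERITY) + r"):")

# Constructed frames: the PRI is assumed, the first body is the thread's message.
SAMPLE_FRAMES = [
    "<155>Apr 24 12:55:44 hostname docker_pgbarman[1039]: 2018-04-24 12:55:44,400 "
    "[33] barman.wal_archiver INFO: No xlog segments found from streaming for db_stream.",
    "<155>Apr 24 12:56:10 hostname docker_pgbarman[1039]: 2018-04-24 12:56:10,120 "
    "[33] barman.server ERROR: Check failed",
    "<155>Apr 24 12:57:01 hostname docker_pgbarman[1039]: Traceback (most recent call last):",
]


def decode_pri(pri):
    """Split a PRI value into (facility, severity); reject values above 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"invalid PRI {pri}: facility would be {pri // 8}")
    return divmod(pri, 8)


def classify(frame, facility=LOCAL3, max_severity=3):
    """Compare what a PRI-based selector sees with what the body claims."""
    match = FRAME_RE.match(frame)
    if match is None:
        raise ValueError("not a traditional syslog frame")
    fac, pri_sev = decode_pri(int(match["pri"]))
    level = BODY_LEVEL_RE.search(match["msg"])
    body_sev = LEVEL_TO_SEVERITY[level.group(1)] if level else None
    # Trust the body keyword when present, otherwise fall back to the PRI.
    effective = pri_sev if body_sev is None else body_sev
    return {
        "pri_severity": SEVERITY_NAMES[pri_sev],
        "body_severity": None if body_sev is None else SEVERITY_NAMES[body_sev],
        # What a facility.severity selector evaluates: the PRI only.
        "selector_match": fac == facility and pri_sev <= max_severity,
        # Decision after extracting the level from the body.
        "forward": fac == facility and effective <= max_severity,
    }


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(classify(frame), "<-", frame[:60])
```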



Re: [rsyslog] server received messages but rsyslog did not write them into a file

2018-04-25 Thread sophie.loewenthal--- via rsyslog
Hi,

From a rsyslog view what sort of acknowledgement should it receive to know the
destination servers are filling up?  The destinations run Logstash.


> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> sophie.loewenthal--- via rsyslog
> Sent: Wednesday, April 25, 2018 9:31 AM
> To: rsyslog-users
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] server received messages but rsyslog did not write them
> into a file
> 
> > ... the main queue will start to fill up.
> 
> Thanks, this would make sense.
> 
> Does anyone know of a compiled version of impstats in a package available for
> Solaris 11 space sun4v?
> 
> 
> > -Original Message-
> > From: David Lang [mailto:da...@lang.hm]
> > Sent: Wednesday, April 25, 2018 5:21 AM
> > To: sophie.loewenthal--- via rsyslog
> > Cc: LOEWENTHAL Sophie
> > Subject: Re: [rsyslog] server received messages but rsyslog did not write them
> > into a file
> >
> > On Tue, 24 Apr 2018, sophie.loewenthal--- via rsyslog wrote:
> >
> > > *.info @@(o)b111l:10514;json-template2
> > > *.info @@(o)b112l:10514;json-template2
> >
> > If the destination servers can't keep up, this server will stop logging and the
> > main queue will start to fill up.
> >
> > we can't tell for sure without the output from impstats.
> >
> > David Lang


Re: [rsyslog] Urgent, need help with correct usage of local variables in an action

2018-04-25 Thread putcha narayana via rsyslog
David, I understand your point and the complexity.


set $.configuredSeverity = "6";
if ($syslogseverity <= $.configuredSeverity) -- this is allowed and we can add 
to the documentation.


I will pull such from my experience and add to the doc and get it reviewed.


Appreciate the time and support.


Thanks and Regards

Lak.



From: David Lang 
Sent: Wednesday, April 25, 2018 5:20 AM
To: putcha narayana
Cc: Rainer Gerhards; rsyslog-users; David Lang
Subject: Re: [rsyslog] Urgent, need help with correct usage of local variables 
in an action

not every string in a rsyslog config can be replaced with a variable of any
kind.

you can compare two variables in an if..then statement, but you cannot use a
variable in a facility/severity filter (you can't say *.$!foo)

the rsyslog config gets compiled at startup, not interpreted with each log
that's processed. Rsyslog keeps connections to remote systems open (as well as
files)

with fixed IP/port pairs, rsyslog can open the connection and keep it open. With
these being variable, rsyslog will have to either close/open them each time
(which is _extremely_ expensive), or will have to implement a mechanism to track
a bunch of connections, deal with them timing out and closing on you, etc. That's
a lot of infrastructure to have to add and maintain over time. That's a lot of
overhead you are asking for, with a large ask you need to provide a lot of
justification, and so far that's been missing.

David Lang

  On Wed, 25 Apr 2018, putcha narayana wrote:

> Date: Wed, 25 Apr 2018 04:22:03 +
> From: putcha narayana 
> To: Rainer Gerhards 
> Cc: rsyslog-users , David Lang 
> Subject: Re: [rsyslog] Urgent,
> need help with correct usage of local variables in an action
>
> Hi,
>
>
> We are having parallel mail chains so I will paste David's input here and
> share my inputs.
>
>
> Rainer's mail added in ""
>
> 1) "Your contribution is happily accepted at 
> https://github.com/rsyslog/rsyslog-doc -"

>
> [[LAK]]: I will take time and share my inputs for this. You guys are doing so
> much, I really appreciate that.
>
>
> 2) "I would really like to understand why you think global constants (there 
> are NOT variable, right?) would make sense. Maybe we are overlooking 
> something... "
>
> [[LAK]]: I called them variables because that is what they were called in 
> David's document. 
> https://www.usenix.org/publications/login/october-2013-volume-38-number-5/log-filtering-rsyslog
>
> We can call them as constants as they are not run-time modifiable.
>
>
> 3) Regarding the backticks option.
>
> [[Lak]]: Does it support pipes and awk? Say I have rsyslogserver_config_file
> with content as
>
> IPADDRESS1=10.40.60.50
> IPADDRESS2=10.50.70.60
>
> `grep  IPADDRESS1 rsyslogserver_config_file| awk -F= '{print $2}'`   -- Does 
> this work?
>
>
> 4) "I would really like to understand why you think global constants (there 
> are NOT variable, right?) would make sense. Maybe we are overlooking 
> something..."
>
> [[LAK]]: I felt that global constants could be part of one of the config
> files loaded when rsyslogd starts or is restarted. That way they are still part
> of rsyslogd. Maybe an example of how and where global constants must be used
> can enlighten me and others like me.
>
>
> David's mail enclosed below and my responses are inline:
>
> 1) When you are already editing the config file and restarting syslog to 
> implement
> your change, why should we suffer the cost of making this a variable?
> [[Lak]]: We can merge bullet-3 and bullet-4 above.
>
> Backticks provide an alternate way. The current document opens up a lot of
> questions as to what all one can do with that. Is the current support
> extended to everything that can be done using backticks? Note, I could write
> a whole bunch of script and run it using backticks. It could have ';' and is
> that acceptable?
>
> It's not just the cost of a variable lookup, it's the cost of maintaining a
> table of connections, expiring them, figuring out how to re-use connections, etc.
> We do this with filenames using the dynafile mechanism, and it's a significant
> enough overhead that it has to be explicitly opted in to each time it's used
> (and misuse of this feature and its settings is a very common cause of
> horrifically bad performance)
>
> [[LAK]]: Recommended usage in the document and references to tickets which 
> caused bad performance due to bad usage can help users understand it better 
> and not repeat the mistakes.
>
> 

Re: [rsyslog] Filter on priority from docker

2018-04-25 Thread Flo Rance via rsyslog
The message above is what is sent from the docker daemon:

Apr 24 12:55:44 hostname docker_pgbarman[1039]: 2018-04-24 12:55:44,400
[33] barman.wal_archiver INFO: No xlog segments found from streaming for
db_stream.

So I was thinking that "INFO:" is the severity.

On Wed, Apr 25, 2018 at 9:33 AM, Rainer Gerhards 
wrote:

> 2018-04-25 9:29 GMT+02:00 Flo Rance :
> > Ok, but if ".err" means "err and above", why does it forward messages with
> > the severity INFO as in the example ?
>
> pls post the raw message - how do you know it is INFO?
>
> Rainer
>
> >
> > On Tue, Apr 24, 2018 at 5:18 PM, Rainer Gerhards <rgerha...@hq.adiscon.com>
> > wrote:
> >>
> >> Dot is "err and above". Just err is ".=" IIRC out of my head (the doc has
> >> it under sysklogd format).
> >>
> >> HTH Rainer
> >>
> >> Sent from phone, thus brief.
> >>
> >> Flo Rance via rsyslog wrote on Tue, 24 Apr 2018, 16:29:
> >>>
> >>> Hi,
> >>>
> >>> I'm using docker which is sending logs using syslog driver with the
> >>> parameter "syslog-facility: local3". Here's an example:
> >>>
> >>> Apr 24 12:55:44 hostname docker_pgbarman[1039]: 2018-04-24 12:55:44,400
> >>> [33] barman.wal_archiver INFO: No xlog segments found from streaming for
> >>> db_stream.
> >>>
> >>> I try to forward logs that have a priority 'err' and facility 'local3' to
> >>> graylog using the following expression:
> >>>
> >>> local3.err action(type="omfwd" target="company.graylog" port="12514"
> >>> protocol="tcp" template="RSYSLOG_SyslogProtocol23Format")
> >>>
> >>> However, everything is forwarded, independently of the priority.
> >>>
> >>> Can anyone give me some hints on how to forward those messages based on
> >>> priority ?
> >>>
> >>> Thanks,
> >>> Flo


Re: [rsyslog] Avoid invld PRI and force a valid PRI

2018-04-25 Thread Rainer Gerhards
Let's take a simple approach: try 8.34. If it has a problem, let us
know and I see that I can look at it.

IIRC I was referring to this issue and associated fix:
https://www.rsyslog.com/remote-syslog-pri-vulnerability/

given the age, it should probably be available since 8.4.2. But again,
I don't remember that old stuff. Doesn't make sense to look more at
it, it just blocks me from doing work to move forward. If you need the
old cruft, consider opening a bug report with Ubuntu or purchasing
professional support.

Again, if the issue exists in 8.34 let me know.

Rainer

2018-04-25 9:30 GMT+02:00 David Lang :
> 8.16 was 3 years ago, so it's not going to be a 'recent' version.
>
> I am not sure what feature Rainer is talking about either, but I would start
> looking at the current documentation, starting with the function list and
> the property replacer capabilities.
>
> Or you can detect the situation and have an if statement to use a different
> template that hard-codes the fix.
>
> look at exactly what is contained in every variable by logging a few
> messages with RSYSLOG_DebugFormat
>
> And if you aren't going to be willing to replace your LTS version with a
> current version, the template approach is all you are going to be able to
> do, and you will need to check the docs shipped with that version, as the
> current docs will include a lot of things that your version won't
>
> David Lang
>
>  On Wed, 25 Apr 2018, Simon Lundström wrote:
>
>> Date: Wed, 25 Apr 2018 09:19:19 +0200
>>
>> From: Simon Lundström 
>> Reply-To: rsyslog-users 
>> To: rsyslog-users 
>> Subject: Re: [rsyslog] Avoid invld PRI and force a valid PRI
>>
>> Ah, I'm sorry I wasn't clear. We're only running Ubuntu LTSes so  8.16.0
>> is the highest version which an LTS supports.
>>
>> I'm not yet sure what the feature is, I've seen no documentation of it and
>> I don't know what it's called even. I can't find anything when searching for
>> "rsyslog replace capability".
>>
>> What is this feature called so I can search for it? Or what is it called
>> in the code so I can see when it was implemented?
>>
>> BR,
>> - Simon
>>
>> On Wed, 2018-04-25 at 00:04:03 -0700, David Lang wrote:
>>>
>>> that list includes versions going back 6 years, which are not going to
>>> have the features.
>>>
>>> Test with the latest 8.34 version, and if you get everything working to
>>> your satisfaction, you can either see which of the other versions support the
>>> needed features, or upgrade your systems to the current version
>>>
>>> David Lang
>>>
>>> On Wed, 25 Apr 2018, Simon Lundström wrote:
>>>
>>>> Date: Wed, 25 Apr 2018 08:32:34 +0200
>>>> From: Simon Lundström
>>>> Reply-To: rsyslog-users
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] Avoid invld PRI and force a valid PRI
>>>>
>>>> Any idea how to use the replace capability, automatic or not, in the
>>>> versions specified at the ubuntu page below?
>>>>
>>>> BR,
>>>> - Simon
>>>>
>>>> On Mon, 2018-04-23 at 08:34:11 +0200, Simon Lundström wrote:
>>>>>
>>>>> On Fri, 2018-04-20 at 10:53:46 +0200, Rainer Gerhards wrote:
>>>>>>
>>>>>> which rsyslog version do you have? I think current ones have an
>>>>>> automatic replace capability, but I am not 100% sure.
>>>>>
>>>>>
>>>>> That wildly differs, but everything available in Ubuntu e.g, so that's
>>>>> everything listed here: 
>>>>>
>>>>> BR,
>>>>> - Simon
>>>>>
>>>>>> 2018-04-20 10:32 GMT+02:00 Simon Lundström :
>>>>>>>
>>>>>>> Hey all!
>>>>>>>
>>>>>>> We have some devices which can't be easily fixed which uses an
>>>>>>> invalid/incorrect syslog PRI. rsyslogd sets these as  e.g.:
>>>>>>> 2018-04-20T10:19:49.973793+02:00 central.syslog.server
>>>>>>> 2018-04-20T10:19:49+02:00 server.which.syslogged  <198>Apr 20
>>>>>>> 10:19:49 server.which.syslogged program: message
>>>>>>>
>>>>>>> Is it possible for rsyslog just to set a valid PRI instead of
>>>>>>> "reporting" it.
>>>>>>> Can "central.syslog.server" do it? Or must "server.which.syslogged"
>>>>>>> do it?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> BR,
>>>>>>> - Simon

Re: [rsyslog] Filter on priority from docker

2018-04-25 Thread Rainer Gerhards
2018-04-25 9:29 GMT+02:00 Flo Rance :
> Ok, but if ".err" means "err and above", why does it forward messages with
> the severity INFO as in the example ?

pls post the raw message - how do you know it is INFO?

Rainer

>
> On Tue, Apr 24, 2018 at 5:18 PM, Rainer Gerhards 
> wrote:
>>
>> Dot is "err and above". Just err is ".=" IIRC out of my head (the doc has
>> it under sysklogd format).
>>
>> HTH Rainer
>>
>> Sent from phone, thus brief.
>>
>> Flo Rance via rsyslog wrote on Tue, 24 Apr 2018, 16:29:
>>>
>>> Hi,
>>>
>>> I'm using docker which is sending logs using syslog driver with the
>>> parameter "syslog-facility: local3". Here's an example:
>>>
>>> Apr 24 12:55:44 hostname docker_pgbarman[1039]: 2018-04-24 12:55:44,400
>>> [33] barman.wal_archiver INFO: No xlog segments found from streaming for
>>> db_stream.
>>>
>>> I try to forward logs that have a priority 'err' and facility 'local3' to
>>> graylog using the following expression:
>>>
>>> local3.err action(type="omfwd" target="company.graylog" port="12514"
>>> protocol="tcp" template="RSYSLOG_SyslogProtocol23Format")
>>>
>>> However, everything is forwarded, independently of the priority.
>>>
>>> Can anyone give me some hints on how to forward those messages based on
>>> priority ?
>>>
>>> Thanks,
>>> Flo


Re: [rsyslog] server received messages but rsyslog did not write them into a file

2018-04-25 Thread sophie.loewenthal--- via rsyslog
> ... the main queue will start to fill up.

Thanks, this would make sense.

Does anyone know of a compiled version of impstats in a package available for 
Solaris 11 space sun4v?


> -Original Message-
> From: David Lang [mailto:da...@lang.hm]
> Sent: Wednesday, April 25, 2018 5:21 AM
> To: sophie.loewenthal--- via rsyslog
> Cc: LOEWENTHAL Sophie
> Subject: Re: [rsyslog] server received messages but rsyslog did not write them
> into a file
> 
> On Tue, 24 Apr 2018, sophie.loewenthal--- via rsyslog wrote:
> 
> > *.info @@(o)b111l:10514;json-template2
> > *.info @@(o)b112l:10514;json-template2
> 
> If the destination servers can't keep up, this server will stop logging and the
> main queue will start to fill up.
> 
> we can't tell for sure without the output from impstats.
> 
> David Lang


Re: [rsyslog] Avoid invld PRI and force a valid PRI

2018-04-25 Thread David Lang

8.16 was 3 years ago, so it's not going to be a 'recent' version.

I am not sure what feature Rainer is talking about either, but I would start 
looking at the current documentation, starting with the function list and the 
property replacer capabilities.


Or you can detect the situation and have an if statement to use a different 
template that hard-codes the fix.


look at exactly what is contained in every variable by logging a few messages 
with RSYSLOG_DebugFormat


And if you aren't going to be willing to replace your LTS version with a current 
version, the template approach is all you are going to be able to do, and you 
will need to check the docs shipped with that version, as the current docs will 
include a lot of things that your version won't


David Lang

 On Wed, 25 Apr 2018, Simon Lundström wrote:


Date: Wed, 25 Apr 2018 09:19:19 +0200
From: Simon Lundström 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] Avoid invld PRI and force a valid PRI

Ah, I'm sorry I wasn't clear. We're only running Ubuntu LTSes so  8.16.0 is 
the highest version which an LTS supports.


I'm not yet sure what the feature is, I've seen no documentation of it and I 
don't know what it's called even. I can't find anything when searching for 
"rsyslog replace capability".


What is this feature called so I can search for it? Or what is it called in 
the code so I can see when it was implemented?


BR,
- Simon

On Wed, 2018-04-25 at 00:04:03 -0700, David Lang wrote:
that list includes versions going back 6 years, which are not going to have 
the features.


Test with the latest 8.34 version, and if you get everything working to 
your satisfaction, you can either see which of the other versions support 
the needed features, or upgrade your systems to the current version


David Lang

On Wed, 25 Apr 2018, Simon Lundström wrote:


Date: Wed, 25 Apr 2018 08:32:34 +0200
From: Simon Lundström 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] Avoid invld PRI and force a valid PRI

Any idea how to use the replace capability, automatic or not, in the 
versions specified at the ubuntu page below?


BR,
- Simon

On Mon, 2018-04-23 at 08:34:11 +0200, Simon Lundström wrote:

On Fri, 2018-04-20 at 10:53:46 +0200, Rainer Gerhards wrote:

which rsyslog version do you have? I think current ones have an
automatic replace capability, but I am not 100% sure.


That wildly differs, but everything available in Ubuntu e.g, so that's 
everything listed here: 


BR,
- Simon


2018-04-20 10:32 GMT+02:00 Simon Lundström :

Hey all!

We have some devices which can't be easily fixed which uses an
invalid/incorrect syslog PRI. rsyslogd sets these as  e.g.:
2018-04-20T10:19:49.973793+02:00 central.syslog.server
2018-04-20T10:19:49+02:00 server.which.syslogged  <198>Apr 20
10:19:49 server.which.syslogged program: message

Is it possible for rsyslog just to set a valid PRI instead of "reporting" it.
Can "central.syslog.server" do it? Or must "server.which.syslogged" do it?

Thanks!

BR,
- Simon

Re: [rsyslog] Filter on priority from docker

2018-04-25 Thread Flo Rance via rsyslog
Ok, but if ".err" means "err and above", why does it forward messages with
the severity INFO as in the example ?

On Tue, Apr 24, 2018 at 5:18 PM, Rainer Gerhards 
wrote:

> Dot is "err and above". Just err is ".=" IIRC out of my head (the doc has
> it under sysklogd format).
>
> HTH Rainer
>
> Sent from phone, thus brief.
>
> Flo Rance via rsyslog  schrieb am Di., 24.
> Apr. 2018, 16:29:
>
>> Hi,
>>
>> I'm using docker which is sending logs using syslog driver with the
>> parameter "syslog-facility: local3". Here's an example:
>>
>> Apr 24 12:55:44 hostname docker_pgbarman[1039]: 2018-04-24 12:55:44,400
>> [33] barman.wal_archiver INFO: No xlog segments found from streaming for
>> db_stream.
>>
>> I try to forward logs that have a priority 'err' and facility 'local3' to
>> graylog using the following expression:
>>
>> local3.err action(type="omfwd" target="company.graylog" port="12514"
>> protocol="tcp" template="RSYSLOG_SyslogProtocol23Format")
>>
>> However, everything is forwarded, independently of the priority.
>>
>> Can anyone give me some hints on how to forward those messages based on
>> priority ?
>>
>> Thanks,
>> Flo
>>
>
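As an added example (not code from this thread or from rsyslog), the Python sketch below decodes the PRI field and evaluates the two selector forms discussed above, `.err` and `.=err`; it also shows why the `<198>` value quoted in the "invalid PRI" thread on this page is out of range. The frames and their PRI numbers are constructed, and skipping frames with an invalid PRI is a choice made in this example, not a statement of rsyslog's behaviour.

```python
import re

# Severity names in PRI order: 0 is the most severe, 7 the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0-23; 12-15 are left numeric because their names vary by platform.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split()
              + ["12", "13", "14", "15"] + [f"local{n}" for n in range(8)])
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(frame):
    """Return (facility, severity) names, or None when PRI is absent or out of range."""
    m = PRI_RE.match(frame)
    if m is None:
        return None
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7   # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):          # anything above 191 has no facility
        return None
    return FACILITIES[facility], SEVERITIES[severity]


def selector_matches(selector, facility, severity):
    """Evaluate one sysklogd-style 'facility.severity' or 'facility.=severity' selector."""
    sel_fac, sel_sev = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    wanted = SEVERITIES.index(sel_sev.lstrip("="))
    got = SEVERITIES.index(severity)
    if sel_sev.startswith("="):
        return got == wanted                 # ".=err": exactly err
    return got <= wanted                     # ".err": err and anything more severe


def forwarded(selector, frames):
    """Return the frames a selector passes (invalid-PRI frames are skipped in this example)."""
    out = []
    for frame in frames:
        decoded = decode_pri(frame)          # only the PRI is inspected, never the text
        if decoded and selector_matches(selector, *decoded):
            out.append(frame)
    return out


# Constructed frames: local3 is facility 19, so err = 155, info = 158, crit = 154.
FRAMES = [
    "<155>Apr 24 12:55:44 hostname docker_pgbarman[1039]: INFO: text says INFO, PRI says err",
    "<158>Apr 24 12:55:45 hostname docker_pgbarman[1039]: sent with PRI severity info",
    "<154>Apr 24 12:55:46 hostname docker_pgbarman[1039]: sent with PRI severity crit",
    "<198>Apr 20 10:19:49 server.which.syslogged program: message",  # 198 >> 3 = 24
]

if __name__ == "__main__":
    for sel in ("local3.err", "local3.=err"):
        print(sel, "->", [f.split(">")[0] + ">" for f in forwarded(sel, FRAMES)])
```

The first frame is matched by both selectors even though its text contains "INFO", because the selector is evaluated against the PRI severity and not against the message body.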


Re: [rsyslog] Avoid invld PRI and force a valid PRI

2018-04-25 Thread Simon Lundström
Ah, I'm sorry I wasn't clear. We're only running Ubuntu LTSes so  8.16.0 
is the highest version which an LTS supports.


I'm not yet sure what the feature is, I've seen no documentation of it 
and I don't know what it's called even. I can't find anything when 
searching for "rsyslog replace capability".


What is this feature called so I can search for it? Or what is it called 
in the code so I can see when it was implemented?


BR,
- Simon

On Wed, 2018-04-25 at 00:04:03 -0700, David Lang wrote:
that list includes versions going back 6 years, which are not going to 
have the features.


Test with the latest 8.34 version, and if you get everything working 
to your satisfaction, you can either see which of the other versions 
support the needed features, or upgrade your systems to the current 
version


David Lang

On Wed, 25 Apr 2018, Simon Lundström wrote:


Date: Wed, 25 Apr 2018 08:32:34 +0200
From: Simon Lundström 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] Avoid invld PRI and force a valid PRI

Any idea how to use the replace capability, automatic or not, in the 
versions specified at the ubuntu page below?


BR,
- Simon

On Mon, 2018-04-23 at 08:34:11 +0200, Simon Lundström wrote:

On Fri, 2018-04-20 at 10:53:46 +0200, Rainer Gerhards wrote:

which rsyslog version do you have? I think current ones have an
automatic replace capability, but I am not 100% sure.


That wildly differs, but everything available in Ubuntu e.g, so 
that's everything listed here: 



BR,
- Simon


2018-04-20 10:32 GMT+02:00 Simon Lundström :

Hey all!

We have some devices which can't be easily fixed which uses an
invalid/incorrect syslog PRI. rsyslogd sets these as  e.g.:
2018-04-20T10:19:49.973793+02:00 central.syslog.server
2018-04-20T10:19:49+02:00 server.which.syslogged  <198>Apr 20
10:19:49 server.which.syslogged program: message

Is it possible for rsyslog just to set a valid PRI instead of "reporting"
it.
Can "central.syslog.server" do it? Or must 
"server.which.syslogged" do it?


Thanks!

BR,
- Simon


Re: [rsyslog] Avoid invld PRI and force a valid PRI

2018-04-25 Thread David Lang
that list includes versions going back 6 years, which are not going to have the 
features.


Test with the latest 8.34 version, and if you get everything working to your 
satisfaction, you can either see which of the other versions support the needed 
features, or upgrade your systems to the current version


David Lang

 On Wed, 25 Apr 2018, Simon Lundström wrote:



Date: Wed, 25 Apr 2018 08:32:34 +0200
From: Simon Lundström 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] Avoid invld PRI and force a valid PRI

Any idea how to use the replace capability, automatic or not, in the versions 
specified at the ubuntu page below?


BR,
- Simon

On Mon, 2018-04-23 at 08:34:11 +0200, Simon Lundström wrote:

On Fri, 2018-04-20 at 10:53:46 +0200, Rainer Gerhards wrote:

which rsyslog version do you have? I think current ones have an
automatic replace capability, but I am not 100% sure.


That wildly differs, but everything available in Ubuntu e.g, so that's 
everything listed here: 


BR,
- Simon


2018-04-20 10:32 GMT+02:00 Simon Lundström :

Hey all!

We have some devices which can't be easily fixed which uses an
invalid/incorrect syslog PRI. rsyslogd sets these as  e.g.:
2018-04-20T10:19:49.973793+02:00 central.syslog.server
2018-04-20T10:19:49+02:00 server.which.syslogged  <198>Apr 20
10:19:49 server.which.syslogged program: message

Is it possible for rsyslog just to set a valid PRI instead of "reporting"
it.
Can "central.syslog.server" do it? Or must "server.which.syslogged" do 
it?


Thanks!

BR,
- Simon


Re: [rsyslog] Avoid invld PRI and force a valid PRI

2018-04-25 Thread Simon Lundström
Any idea how to use the replace capability, automatic or not, in the 
versions specified at the ubuntu page below?


BR,
- Simon

On Mon, 2018-04-23 at 08:34:11 +0200, Simon Lundström wrote:

On Fri, 2018-04-20 at 10:53:46 +0200, Rainer Gerhards wrote:

which rsyslog version do you have? I think current ones have an
automatic replace capability, but I am not 100% sure.


That wildly differs, but everything available in Ubuntu e.g, so that's 
everything listed here: 



BR,
- Simon


2018-04-20 10:32 GMT+02:00 Simon Lundström :

Hey all!

We have some devices which can't be easily fixed which uses an
invalid/incorrect syslog PRI. rsyslogd sets these as  e.g.:
2018-04-20T10:19:49.973793+02:00 central.syslog.server
2018-04-20T10:19:49+02:00 server.which.syslogged  <198>Apr 20
10:19:49 server.which.syslogged program: message

Is it possible for rsyslog just to set a valid PRI instead of "reporting"
it.
Can "central.syslog.server" do it? Or must "server.which.syslogged" do it?

Thanks!

BR,
- Simon