you can put a queue on a ruleset and then all your actions in that ruleset.
David Lang
On Thu, 18 Sep 2025, Raymond Chang via rsyslog wrote:
Date: Thu, 18 Sep 2025 12:14:43 -0700
From: Raymond Chang via rsyslog
To: rsyslog@lists.adiscon.com
Cc: Raymond Chang
Subject: [rsyslog] Shared action
been splitting pages
up, I'm not sure if he's done impstats yet))
David Lang
____
From: rsyslog on behalf of David Lang via rsyslog
Sent: Monday, September 15, 2025 12:27 PM
To: David Lang via rsyslog
Cc: David Lang
Subject: Re: [rsyslog] Code C
a couple more things
1. make sure you update the documentation along with your feature
2. work from the git repo rather than a stable release snapshot.
David Lang
On Sun, 14 Sep 2025, David Lang via rsyslog wrote:
Date: Sun, 14 Sep 2025 19:23:57 -0700 (PDT)
From: David Lang via rsyslog
To
to maintain backwards compatibility. Rsyslog goes to a lot of
trouble to make sure that people can upgrade without knowing about new features
and modules and not have their system break.
David Lang
___
rsyslog mailing list
https://lists.adisco
mission of the year!
mmnormalize is MUCH faster than regex matching
Anyway, I hope this describes what I'm up to, and I'm sure you can easily
point out if the mmnormalize strategy will work.
sorry for such a quick/short answer that doesn't go into details, hopefully this
helps and if
ts the message
fall through to the next parser (it saved me having to duplicate all the normal
parser functionality)
you currently are identifying the messages by their source ip, but can you
identify them by content?
David Lang
Michael Richards wrote:
Can a log message be re-parsed once it is in the pipeline?
you can use mmnormalize to parse a in the ruleset (you can parse any variable,
including rawmsg)
David Lang
are you parsing the rawmsg or the msg body?
if you think you are doing mmnormalize on the rawmsg but you are really doing
it on the msg body (which I think is the default, but my memory could be faulty)
David Lang
On Mon, 7 Jul 2025, Klaus Pichert via rsyslog wrote:
Date: Mon, 7 Jul 2025
On Wed, 25 Jun 2025, Mehmet Avcioglu via rsyslog wrote:
How does rsyslog decide whether to use gnutls or openssl?
in your config you specify the module to use.
David Lang
___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
le(load="imrelp")
input(type="imrelp" port="515" ruleset="fw_dist")
#
# https://www.rsyslog.com/how-to-use-impstats/
#
if $syslogtag contains 'rsyslogd-pstats' then {
action(name="FW_PSTATS" type="
ntly.
sorry I don't have time to go into more detail at the moment, but this should
help you find what to read up on.
David Lang
On Tue, 3 Jun 2025, Brendan Kearney via rsyslog wrote:
Date: Tue, 3 Jun 2025 14:18:09 -0400
From: Brendan Kearney via rsyslog
To: rsyslog@lists.adiscon.com
ffect)
I don't spot anything obviously wrong with your new version, but do rsyslog -N1
to get a syntax check.
I suspect that the new OS builds have different firewall rules in place that are
blocking 514 TCP
David Lang
P.S. with the new filter syntax, you can have multiple statements
l problem with technology
(something that's a very easy trap for people to fall into)
David Lang
From: David Lang
Ralph Moeritz wrote:
I have an Rsyslog server to which I am forwarding logs from several machines,
currently using UDP via omfwd. The problem with this is that it's insecur
allow IPs that you don't manage to send
messages to your syslog server?
Even if you do implement cert checking, exposing rsyslog like this gives your
attackers a way to DOS you by forcing you to spend a lot of CPU checking the
certs.
David Lang
nable impstats (with a short reporting time)
and see what it shows is happening during the shutdown/startup process.
David Lang
On Wed, 26 Mar 2025, Mehmet Avcioglu via rsyslog wrote:
Date: Wed, 26 Mar 2025 15:11:18 +0300
From: Mehmet Avcioglu via rsyslog
To: rsyslog@lists.adiscon.com
Cc: M
at if you just send the logs to a file rather than through
omprog you do not lose any messages?
David Lang
Sun, 23 Mar 2025 at 06:38, David Lang :
Alexey Rudenko-Desnyak wrote:
VERSION. I have the latest version of rsyslog installed on Ubuntu:
===
rsyslogd -v
rsyslogd 8.2112.0 (aka 20
to ask Ubuntu for assistance. Please upgrade to at least
8.2412 if not to a 8.25xx version
I would suggest that you setup impstats so that you can see how many events are
being processed vs how many are being queued.
David Lang
CONFIG. Config is minimal:
===
local5.info action(
type="o
look at the dynastats capability, it lets you add stats that will show up in
impstats and add to them as needed
https://www.rsyslog.com/doc/configuration/dyn_stats.html
David Lang
On Tue, 11 Mar 2025, John Chivian via rsyslog wrote:
Date: Tue, 11 Mar 2025 15:11:36 -0500
From: John Chivian
with when they are all in one file
David Lang
into and just put them in /var/log/messages
David Lang
____
From: David Lang
could you send me your full configs again?
start rsyslog with the option -o /path/to/file
and rsyslog will combine all the config files into that file (which is much
easier to look at an
correct that the (DA) files are representing the disk file.
I suspect that you don't have the config that you think you have (I mentioned
the need to replace all the $foo queue related things that you had in the config
you posted before with parameters inside the action() statement)
David
is we think its simply being overloaded when our
syslog server sends syslogs over to MariaDB.
that sounds very plausible. you can increase the size of the main queue or add a
queue to the database action so that rsyslog doesn't fill its main queue and
stop accepting new messages.
Da
ocessed, etc as running totals (there is a race
condition with zeroing the stats in a multi-threaded environment that can cause
them to be slightly off, but I tend to zero them as it's easier to understand.
David Lang
I'm doing further testing by disabling our outputs temporaril
one of the biggest reasons why this format is deprecated, it's hard even for
experts to keep track of what's happening, especially when the config is spread
across multiple files
David Lang
On Wed, 5 Feb 2025, Levi Wilbert wrote:
Date: Wed, 5 Feb 2025 20:52:18 +0000
From: Le
will pause. The logs
will get queued up (to the limits of your queues) and be delivered later. But if
your queues get overrun, you may lose logs.
I would suggest that you enable impstats, writing to a local file, and see what
it shows during the time that log processing isn't happening.
tly backup runs somewhere? other big batch job?
David Lang
On Wed, 5 Feb 2025, Levi Wilbert via rsyslog wrote:
Date: Wed, 5 Feb 2025 16:18:15 +
From: Levi Wilbert via rsyslog
To: "rsyslog@lists.adiscon.com"
Cc: Levi Wilbert
Subject: [rsyslog] Rsyslog Losing Messages
Greetings,
We are
s would be processed independently
of all other log messages.
you could then send them to an external program (like Simple Event Correlator)
that could reformat them into a single message and then log that message to
syslog or send it to zabbix (in either case, watch out for maximum message
length
s
($!time, $!host, etc) and then create a template that sends the message with $!
in the body.
David Lang
On Mon, 20 Jan 2025, Redbourne,Michael wrote:
Date: Mon, 20 Jan 2025 03:35:56 +
From: "Redbourne,Michael"
To: David Lang
Cc: "Redbourne,Michael via rsyslog"
S
what is it that you are sending the message to that needs all those newlines in
the json message?
David Lang
On Sun, 19 Jan 2025, David Lang wrote:
Date: Sun, 19 Jan 2025 17:44:56 -0800 (PST)
From: David Lang
To: "Redbourne,Michael"
Cc: David Lang ,
"Redbourne,Mich
valid json.
start with the format that includes the best json for your use, and then you can
parse the output and manipulate it with your own logic and output template
however, adding in all the newlines that you want may be harder than you think.
David Lang
On Mon, 20 Jan 2025, Redbourne,Mic
option replaces those dots by the bang
(“!”) character. So “discarded.full” becomes “discarded!full”. Options:
json/json-elasticsearch/cee/legacy
David Lang
On Mon, 20 Jan 2025, Redbourne,Michael via
rsyslog wrote:
Date: Mon, 20 Jan 2025 01:01:47 +
From: "Redbourne,Michael via rsyslog
tware with rsyslog there to fix the log format.
David Lang
On Wed, 8 Jan 2025, Alberto via rsyslog wrote:
Date: Wed, 8 Jan 2025 15:25:37 +0100
From: Alberto via rsyslog
To: 'rsyslog-users'
Cc: Alberto
Subject: [rsyslog] Remote log files without Line separator
Hi everybody:
I h
I would look at using mmnormalize to parse the message and then make an output
template that puts the message back together.
David Lang
On Wed, 27 Nov 2024, Möller, Roman (extern) via rsyslog wrote:
Date: Wed, 27 Nov 2024 17:43:29 +
From: "Möller, Roman (extern) via rsyslog
bably a config bug
David Lang
On Sun, 3 Nov 2024, Chris Jenkins via rsyslog wrote:
Date: Sun, 3 Nov 2024 11:17:20 +
From: Chris Jenkins via rsyslog
To: Rsyslog mailing list
Cc: Chris Jenkins
Subject: [rsyslog] Problem with filtering by IP address
I'm having some problems filter
are there any errors in the MariaDB logs?
David Lang
On Mon, 7 Oct 2024, João Carlos Garcia via rsyslog wrote:
Date: Mon, 7 Oct 2024 23:16:28 +
From: João Carlos Garcia via rsyslog
To: rsyslog-users
Cc: João Carlos Garcia
Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate
Brendan
will show the combination of all of the config as rsyslog sees it.
your problem may be the capitalization of options (tag vs Tag for example)
David Lang
On Wed, 2 Oct 2024, Amey via rsyslog wrote:
Date: Wed, 2 Oct 2024 17:23:44 +0200
From: Amey via rsyslog
To: rsyslog-users
Cc: Amey
Subject
nginx-proxy-*.log but that isn't writing log properly and
showing errors for a couple of modules.
tell us more, that seems like it should work. what is the error you are getting?
David Lang
your question is, but the statefile keeps track of what has
been retrieved from journald so that when you start, it can get all messages
since the last time rsyslog shutdown rather than just messages starting at that
point in time.
David Lang
template that you use
but per https://www.rsyslog.com/doc/configuration/modules/omjournal.html
it looks like omjournal doesn't use a very extensive template, I don't know if
you could change the timestamp via the template or not.
David Lang
I would look at playing around with setting up a separate queue for the network
connection (probably a good idea anyway) and configure it not to be saved on
shutdown
you may also need to play around with timeouts and retries to shorten the
shutdown time when the network is down.
David Lang
I would guess that it's trying to get info on the process connecting to it to
get full metadata. But I wouldn't expect that if you are using imjournal.
full rsyslog config please?
David Lang
On Tue, 20 Aug 2024, Andreas Hasenack via rsyslog wrote:
Date: Tue, 20 Aug 2024 11:58:24
On Tue, 13 Aug 2024, David Lang wrote:
by default, ethernet packets are limited to 1500 bytes, most OSs will
fragment UDP messages >1500 bytes across multiple packets. As I noted before,
this means that if one of the packets of a message gets lost, the entire
message is lost
Rsyslog suppo
lse in your environment is
not allowing it.
the fact that you are seeing the messages via tcpdump still confuses me. But I'm
glad you got things working
David Lang
On Tue, 13 Aug 2024, Drumm, Daniel wrote:
Date: Tue, 13 Aug 2024 23:19:42 +
From: "Drumm, Daniel"
To: David
I will also point out that templates in rsyslog are for output only, they have
no effect at all on parsing input.
David Lang
On Tue, 13 Aug 2024, David Lang wrote:
Date: Tue, 13 Aug 2024 13:42:38 -0700 (PDT)
From: David Lang
To: "Drumm, Daniel"
Cc: David Lang , rsyslog-users
S
e run this test and show the results.
David Lang
Daniel Drumm, CISSP
Information Security Officer
Texas Department of Banking
512-475-1328
daniel.dr...@dob.texas.gov
-Original Message-----
From: David Lang
Sent: Tuesday, August 13, 2024 2:20 PM
To: Drumm, Daniel
Cc: David Lang ; rsy
it to a
file? we may end up wanting to get a debug log if it still fails there.
David Lang
try sending it to a copy of rsyslog that is not sending it to a database, just
to a file, if your database is not accepting the message, that could be blocking
other processing of the message (I don't expect this to be the case, but trying
to work through the various possibilities)
David
=0#012PanOSDGl2=0 PanOSDGl3=0
PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T18:23:59.046-05:00'
$!:
$.:
$/:
TRAFFIC messages are not processed despite hitting the VNIC.
did you get this by logging *.* to a file? or by
try logging all traffic with the template RSYSLOG_DebugFormat for a short time
(long enough that it should have some of these TRAFFIC messages) and find the
messages in there. it could be that the message is not showing up as you would
expect
David Lang
On Mon, 12 Aug 2024, Drumm, Daniel
On Mon, 12 Aug 2024, Drumm, Daniel wrote:
Date: Mon, 12 Aug 2024 22:41:21 +
From: "Drumm, Daniel"
To: David Lang
Cc: "Drumm, Daniel via rsyslog"
Subject: RE: [rsyslog] Formatting CEF to log.
Here is that file with the -o flag:
root@syslog-server-vni
clause looking at the
fromhost-ip
David Lang
On Mon, 12 Aug 2024, Drumm, Daniel wrote:
Date: Mon, 12 Aug 2024 22:18:02 +
From: "Drumm, Daniel"
To: David Lang ,
"Drumm, Daniel via rsyslog"
Subject: RE: [rsyslog] Formatting CEF to log.
Thank you, I should have
are not
being logged anywhere and I do not know why not since the PAN-OS system logs
are being logged.
well, you have anything arriving from that IP address being written to
/var/log/rsyslog/DOB-FW-HA-1.OCI/%programname%.log and then you throw away the
log, so it would never get down to the
way UDP packets where you don't have a route to the source IP
David Lang
3. I'm not familiar with the question mark syntax, but you have
"firepower_systemevents" there. Even assuming it should be a name of the
template, you have your template defined as "systemev
ed to set this higher than the number of expected
connections. Also, you may need to add resources to the tcp stack at the OS
level for such a busy server. (tcp buffers, etc)
David Lang
to another person's thread rather than starting your
own?
David Lang
On Thu, 1 Aug 2024, Drumm, Daniel via rsyslog wrote:
Date: Thu, 1 Aug 2024 16:02:11 +
From: "Drumm, Daniel via rsyslog"
To: rsyslog-users
Cc: "Drumm, Daniel"
Subject: Re: [rsyslog] rsyslog -
You could use something like Simple Event Correlator to combine logs like this.
There is not a good way to do so inside rsyslog (and trying to do so would cause
all sorts of grief with locking and multi-threaded processing)
best to do the combining before the logs go to rsyslog.
David Lang
t of cpu.
Is there a firewall/router/switch that could be dropping packets in the path?
tcp timeouts/retries could account for delays
David Lang
On Tue, 16 Jul 2024, Jesper Skou Jensen via rsyslog wrote:
Date: Tue, 16 Jul 2024 08:20:51 +
From: Jesper Skou Jensen via rsyslog
To: "
be a problem.
journald deliberately refuses to pass data to rsyslog using the ForwardToSyslog
method that is available via the imjournal module, so I would suggest comparing
the two.
David Lang
-Sean
On Mon, Jul 1, 2024 at 5:47 AM Ricardo Esteves via rsyslog <
rsyslog@lists.adiscon.com>
specify more than one facility in a message
Also, this would break many 3rd party parsers who are setup for a particular
message for a given facility to be only their specific messages.
What is it that you are trying to accomplish?
David Lang
anything about restarts, unresponsive, suspended, etc?
David Lang
On Tue, 4 Jun 2024, Johan Ryberg wrote:
Date: Tue, 4 Jun 2024 20:18:41 +0200
From: Johan Ryberg
To: David Lang
Cc: Johan Ryberg via rsyslog
Subject: Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs
to see what's happening with the queues, enable impstats so you can see queue
and other performance stats.
David Lang
On Tue, 4 Jun 2024, Johan Ryberg via rsyslog wrote:
Date: Tue, 4 Jun 2024 16:16:27 +0200
From: Johan Ryberg via rsyslog
To: rsyslog-users
Cc: Johan Ryberg
Subjec
mething to the action statement?
That is the default, you don't need to use it (you still can use that format
ahead of an action statement if you want, but *.* or a bare action of any format
will do the same thing)
David Lang
when the queue hits full, you aren't yet losing a message, it's the next
message that arrives while the queue is full that is lost.
David Lang
resending the configs
On Tue, 28 May 2024, David Lang wrote:
let's simplify this to the minimum needed
*Server**
# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag, "<%PRI>%TIMESTAMP [nameofsystem] %syslog%
remove the PermittedPeer line.
that only applies to the encryption settings on the server receiving TLS
connections.
and I don't think you need to set the NetStreamDriver, so I would remove those
lines from both configs.
David Lang
On Thu, 30 May 2024, Kathy Lyons wrote:
Date: Th
On Thu, 30 May 2024, Kathy Lyons wrote:
Here is my server conf file:
global(defaultNetStreamDriver="ptcp")
there needs to be more than that.
have you tried the configs that I posted?
David Lang
On Wed, May 29, 2024 at 12:12 PM David Lang wrote:
you still have some encryptio
it can be matched, it's just not what you thought it was.
log with the RSYSLOG_DebugFormat template and you will see what $syslogtag
contains.
David Lang
On Wed, 29 May 2024, sacawulu via rsyslog wrote:
ok...
but then... what's the use of being able to assign a tag with "
eed to see the complete log file (which includes all included
files), if you start rsyslog with -o /path/to/file it will write the combined
config file as it sees it into that file which makes it much easier to see how
all the config snippets combine.
David Lang
On Wed, 29 May 2024, cyus
you still have some encryption settings left in the file, please post your full
config again so we can see what you have left.
I already posted the minimal config that removed all the encryption settings.
David Lang
On Wed, 29 May 2024, Kathy Lyons wrote:
Date: Wed, 29 May 2024 06:35:44
On Wed, 29 May 2024, Kathy Lyons wrote:
which part sets encryption? I thought these options set encryption to 0,
or disabled.
leave out all the encryption settings to have them be disabled, setting the mode
to anon turns on encryption, but accepting any cert.
David Lang
On Tue, May 28
iscouraged, it's better to use the newer action() syntax that
sets all those things explicitly in the one place.
David Lang
On 5/28/2024 5:42 PM, David Lang wrote:
your message is badly linewrapped, can you please try again?
also note that while you can ping between the systems, that
v.*;cron.*;daemon.*;kern.*;local0.*;local4.*
@@10.10.10.10.1:12345;LDSTmpl
if you do a tcpdump on port 12345 what do you see happening on each side?
David Lang
On 5/28/2024 5:42 PM, David Lang wrote:
your message is badly linewrapped, can you please try again?
also note that while you can
your message is badly linewrapped, can you please try again?
also note that while you can ping between the systems, that doesn't mean that
port 514 (TCP or UDP) can get through, either due to firewalls at the network
layer or iptables on the systems
David Lang
On Tue, 28 May 2024,
uld be far better for you to update to a current version.
David Lang
On Tue, 28 May 2024, Chun-An Lee via rsyslog wrote:
Date: Tue, 28 May 2024 10:31:54 +0800
From: Chun-An Lee via rsyslog
To: rsyslog@lists.adiscon.com
Cc: Chun-An Lee
Subject: [rsyslog] need help with rsyslog
Dear All,
I ins
If you specify omprog in your config and then try to start rsyslog, do you get
any error messages? if the omprog module is not installed, you should get an
error trying to load it.
David Lang
On Fri, 24 May 2024, Mårten Persson via rsyslog wrote:
Date: Fri, 24 May 2024 21:03:56 +0200
From
for some things.
David Lang
On Fri, 24 May 2024, Thomas Raef wrote:
Date: Fri, 24 May 2024 12:37:15 -0400
From: Thomas Raef
To: David Lang
Cc: Rainer Gerhards via rsyslog ,
Rainer Gerhards
Subject: Re: [rsyslog] Stop actions
I created a lower numbered rules file with just this in it
or you have other actions in the config that happen before your stop takes
place.
David Lang
On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:
Date: Fri, 24 May 2024 13:57:07 +0200
From: Rainer Gerhards via rsyslog
To: Thomas Raef
Cc: Rainer Gerhards ,
rsyslog-users
Subject: Re
e can help.
I'm not part of adiscon (the company formed by Rainer, the initial author to
maintain rsyslog), you would have to ask him.
David Lang
On 5/22/24 09:49, David Lang wrote:
8.24 was released back in 2017. RedHat has backported some fixes and
features from newer versions of rsys
or
offered to sponsor development of it. (adiscon is a very small company, a half
dozen or fewer people AFAIK)
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 09:31:49 +0200
From: Adam Cecile via rsyslog
To: rsyslog-users
Cc: Adam Cecile
Subject: Re: [rsys
make it
nested, fix capitalization, deal with duplicates, etc)
David Lang
Thanks a lot for your help !
Btw, do you have any suggestion about how to re-compose date-time object
from the individual fields, I'd like to hear from you
On 5/22/24 00:38, David Lang wrote:
if you do rsyslogd
if you do rsyslogd -N1 does it complain about anything?
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 00:32:25 +0200
From: Adam Cecile via rsyslog
To: Adam Cecile via rsyslog
Cc: Adam Cecile
Subject: Re: [rsyslog] Unable to re-use variable generated
if you post that exact text into your liblognorm test, what do you get?
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 00:24:08 +0200
From: Adam Cecile via rsyslog
To: Adam Cecile via rsyslog
Cc: Adam Cecile
Subject: Re: [rsyslog] Unable to re-use
if you look at the msg field in the RSYSLOG_DebugFormat output, you will see
that it does have a leading space. your pattern doesn't
David Lang
On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:
Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog
To: Adam Cecile via rs
log the message with RSYSLOG_DebugFormat so that you can see the variables that
exist.
my guess is that your rule needs a leading space, because the msg field you are
parsing starts with a space (a very common problem when you are starting to use
mmnormalize)
David Lang
On Tue, 21 May 2024
On Sun, 5 May 2024, Alberto via rsyslog wrote:
On 5/5/24 at 22:02, David Lang wrote:
...
I only need filter by source, but all fields (FROMHOST, HOSTNAME,
FROMHOST-IP...) that can give me any information are useless because
appears Docker host IP, not real source host IP, and I cannot
annot populate
fromhost (I've probed, anyway).
which end is on docker? the sender or the receiver?
if fromhost-ip isn't useful, then fromhost won't be either as it's a lookup from
fromhost-ip
what is the sending system?
David Lang
PROGRAMNAME, SYSLOGTAG, APP-NAME... gi
/var/log/backup.log
*.info;cron.none;user.none;local6.none /var/log/messages
$PreserveFQDN on
*.* @192.168.1.2
$PreserveFQDN is not valid for syslogd that I know of, what happens if you
remove it?
are there any man pages for syslog.conf on that system?
David Lang
Any
I'm pretty sure this is one of the areas affected by the improvements since 2020
in imfile.
David Lang
On Tue, 23 Apr 2024, Ian Diddams via rsyslog wrote:
Date: Tue, 23 Apr 2024 14:10:32 +
From: Ian Diddams via rsyslog
To: John Chivian ,
rsyslog-users
Cc: Ian Diddams
Subjec
central server??
David Lang
On Mon, 22 Apr 2024, Ian Diddams via rsyslog wrote:
Date: Mon, 22 Apr 2024 08:42:00 +
From: Ian Diddams via rsyslog
To: rsyslog-users
Cc: Ian Diddams
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20
specifically
han a
dynamic filename)
David Lang
individual messages (at least
in some cases), I know rate limiting is based on batches rather than individual
messages, but didn't think queue size checking worked that way.
David Lang
On Fri, 19 Apr 2024, Tan Mientras via rsyslog wrote:
Date: Fri, 19 Apr 2024 14:12:36 +0200
From: T
like you have a longstanding problem of not being able to
deliver your messages (causing the queues to build).
David Lang
On Fri, 19 Apr 2024, Tan Mientras via rsyslog wrote:
Hi.
Long time no see!
A few months ago we deployed an opensearch cluster fed by rsyslog and
let it running withou
that puts them in different directories based on the hostname.
David Lang
On Fri, 19 Apr 2024, David Lang via rsyslog wrote:
Date: Fri, 19 Apr 2024 03:59:53 -0700 (PDT)
From: David Lang via rsyslog
To: Ian Diddams via rsyslog
Cc: David Lang
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rs
Is there any chance that they are getting logged under a different hostname?
David Lang
On Fri, 19 Apr 2024, Ian Diddams via rsyslog wrote:
Date: Fri, 19 Apr 2024 09:24:03 +
From: Ian Diddams via rsyslog
To: "rsyslog@lists.adiscon.com"
Cc: Ian Diddams
Subject: Re: [rsyslog]
e limited in what we can do with such an old version.
based on your test, it sounds as if imfile is reading things, but not matching
something else on your central system. can you provide more info about the
config there?
David Lang
On Wed, 17 Apr 2024, Attila Lakatos via rsyslog wrote:
On Tue, Apr 16, 2024 at 1:17 PM Derek Atkins via rsyslog <
rsyslog@lists.adiscon.com> wrote:
Hi David,
On Tue, April 16, 2024 6:32 am, David Lang via rsyslog wrote:
> Is there any way to duplicate the existing functionality wit
think that we
will need to make the new option work with both.
David Lang
On Tue, 16 Apr 2024, Attila Lakatos via rsyslog wrote:
One approach that comes to my mind is to create a brand new provider using
e.g. openssl. Provide
a new configure option to build that. If the new crypto provider is turn
d create a new template that is identical to
MsgForwardFormat that uses $.pri instead of $pri (the outbound message is just
text, so you can make it say anything)
David Lang
On Mon, Apr 8, 2024 at 6:37 PM David Lang wrote:
not easily within rsyslog, with an event correlation engine, you have a
that
gets really ugly really quickly
you would combine it essentially with a if/else type arrangement to only be done
if the prior action didn't take place. I don't know if the onceeveryinterval
will work with that.
David Lang
On Mon, 8 Apr 2024, Prasad Koya wrote:
hreads) is the right thing to do.
David Lang
On Sun, 7 Apr 2024, Prasad Koya via rsyslog wrote:
Thanks for the replies.
My requirement is that I have a daemon that may generate a burst of
syslogs, say, every minute (when a certain subsystem is overloaded).
We do not want to write all these syslogs