Re: [rsyslog] Lookup Table FH leak?

2016-10-27 Thread singh.janmejay
Sorry, I meant the change log may have a ref (just have a look at the master change
log).

On Oct 28, 2016 10:17 AM, "singh.janmejay"  wrote:

> FD leak on reload is fixed upstream already. Can't recall which release.
> Release notes may have a ref.
>
> On Oct 28, 2016 6:15 AM, "David Lang"  wrote:
>
>> I'm catching up on old mail, I think I saw fixes for the lookup table
>> functionality go through recently, can you check with the latest version?
>>
>> David Lang
>>
>> On Mon, 8 Aug 2016, Christian Ramseyer wrote:
>>
>
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Lookup Table FH leak?

2016-10-27 Thread singh.janmejay
FD leak on reload is fixed upstream already. Can't recall which release.
Release notes may have a ref.

On Oct 28, 2016 6:15 AM, "David Lang"  wrote:

> I'm catching up on old mail, I think I saw fixes for the lookup table
> functionality go through recently, can you check with the latest version?
>
> David Lang
>
> On Mon, 8 Aug 2016, Christian Ramseyer wrote:
>


Re: [rsyslog] Lookup Table FH leak?

2016-10-27 Thread David Lang
I'm catching up on old mail, I think I saw fixes for the lookup table 
functionality go through recently, can you check with the latest version?


David Lang

On Mon, 8 Aug 2016, Christian Ramseyer wrote:


Date: Mon, 8 Aug 2016 14:31:06 +0200
From: Christian Ramseyer 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: [rsyslog] Lookup Table FH leak?

Hi

I've been testing the lookup table feature in 8.18.0 for a while now and
it works great, good stuff!

However there seems to be an issue that reloading the table leaks a
filehandle:

# config:

lookup_table(name="mylookup" file="/etc/lookup.json" reloadOnHUP="on")

# freshly started rsyslog, 1 FH as expected

#  lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
rsyslogd 14135 root 3r REG  254,1 8467305  537540076 /etc/lookup.json

# HUP a few times

#  kill -1  $(pgrep -f rsyslog/sbin/rsyslogd)
#  kill -1  $(pgrep -f rsyslog/sbin/rsyslogd)
#  kill -1  $(pgrep -f rsyslog/sbin/rsyslogd)

# results in 1 FH per HUP

#  lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
rsyslogd 14135 root  3r REG  254,1 8467305  537540076 /etc/lookup.json
rsyslogd 14135 root 11r REG  254,1 8467305  537540076 /etc/lookup.json
rsyslogd 14135 root 12r REG  254,1 8467305  537540076 /etc/lookup.json
rsyslogd 14135 root 13r REG  254,1 8467305  537540076 /etc/lookup.json


Is this a known issue? I've looked at the open issues and commits in
8.19.0/8.20.0 and couldn't find any mention of it so I didn't try a
newer release for now. But I'm of course willing to upgrade if you guys
think this is addressed already.

Build Info:

rsyslogd 8.18.0, compiled with:
PLATFORM:   x86_64-pc-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support:  No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported:  Yes
64bit Atomic operations supported:  Yes
memory allocator:   system default
Runtime Instrumentation (slow code):No
uuid support:   Yes
Number of Bits in RainerScript integers: 64

Thanks
Christian
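The procedure in Christian's report (count the handles on the table file, HUP, count again) can be turned into a repeatable check. What follows is an added example, not code from the thread or from rsyslog: it reads `/proc/<pid>/fd` on Linux to count descriptors that resolve to a file, runs a reload callback a few times and reports whether each reload leaves an extra descriptor behind. The `simulate_reloads` helper stands in for the daemon with a constructed temporary table file, so the check runs without rsyslogd; `open_fd_count`, `fd_counts_across_reloads`, `leaks_per_reload` and `simulate_reloads` are names chosen here.

```python
"""Added example (not rsyslog's code): does a process accumulate descriptors
on a file across reloads? This is the figure the lsof-after-each-HUP check in
the report measures. Linux only: it reads /proc/<pid>/fd."""
import os
import tempfile
from typing import Callable, List, Optional


def open_fd_count(path: str, pid: Optional[int] = None) -> int:
    """Number of descriptors held by `pid` (default: this process) that
    resolve to `path`; the same count as `lsof -p PID | fgrep <path>`."""
    if pid is None:
        pid = os.getpid()
    target = os.path.realpath(path)
    fd_dir = f"/proc/{pid}/fd"
    count = 0
    for name in os.listdir(fd_dir):
        try:
            link = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
        if link == target:
            count += 1
    return count


def fd_counts_across_reloads(path: str, reload: Callable[[], None],
                             reloads: int = 3,
                             pid: Optional[int] = None) -> List[int]:
    """[count before, count after 1st reload, ..., count after Nth reload]."""
    counts = [open_fd_count(path, pid)]
    for _ in range(reloads):
        reload()
        counts.append(open_fd_count(path, pid))
    return counts


def leaks_per_reload(counts: List[int]) -> bool:
    """True when every reload left at least one more descriptor behind,
    the '1 FH per HUP' pattern in the report."""
    return len(counts) > 1 and all(b > a for a, b in zip(counts, counts[1:]))


def simulate_reloads(leaky: bool, reloads: int = 3) -> List[int]:
    """Constructed stand-in for a daemon reloading a lookup table: one handle
    is open from the start ('1 FH as expected'); each reload either forgets to
    close the old handle (leaky=True, as reported) or closes it first."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        tmp.write('{"key": "value"}')  # constructed table content
    path = tmp.name
    handles = [open(path)]

    def reload() -> None:
        if not leaky:
            handles.pop().close()  # the fix: release the old handle first
        handles.append(open(path))

    try:
        return fd_counts_across_reloads(path, reload, reloads)
    finally:
        for h in handles:
            h.close()
        os.unlink(path)


if __name__ == "__main__":
    for mode in (True, False):
        counts = simulate_reloads(leaky=mode)
        verdict = "leak" if leaks_per_reload(counts) else "ok"
        print("leaky" if mode else "fixed", counts, verdict)
```

Against a real rsyslogd, pass its pid and the table path to `open_fd_count` and make the callback send SIGHUP and wait a moment; a count that grows by one per reload is the symptom Christian saw, and the practical consequence is that the process eventually exhausts its descriptor limit.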


Re: [rsyslog] Difference b/w old method and new action method

2016-10-27 Thread David Lang

On Sat, 20 Aug 2016, Muhammad Asif wrote:


If I use the following old method, logs are sent successfully to the receiver.
*.*@@172.20.16.18:5170;msgonly
But if I use the method below, it does not send.
action(type="omfwd" target="172.20.16.18" port="5170" protocol="tcp"
template="msgonly" )

I monitored the syslog file and found no difference in the log, but there are two
extra lines.

Aug 20 14:20:59 scene rsyslogd-2359: action 'action 11' resumed (module
'builtin:   omfwd')
[v8.20.0 try http://www.rsyslog.com/e/2359 ]
Aug 20 14:20:59 scene rsyslogd-2359: action 'action 11' resumed (module
'builtin:   omfwd')
[v8.20.0 try http://www.rsyslog.com/e/2359 ]

What is meant by these two logs?


the two log messages say that rsyslog had trouble forwarding the message and 
then later resumed delivery.


the two lines you show look like they should produce identical results to me, 
can you start rsyslog with debug mode enabled to see if there is something 
different that shows up when the two different config lines are processed?


actually, you may try changing the first one to just:

@@172.20.16.18:5170;msgonly

as that removes the redundant filter (which should end up getting optimized out)

David Lang


Re: [rsyslog] Problems connection journal and rsyslog 7.4.7 on CentOS 7

2016-10-27 Thread David Lang

On Wed, 24 Aug 2016, adr...@pa0rda.nl wrote:



Hi,
On CentOS 7 I cannot get the connection right between systemd-journal and
rsyslog.
I want to get my mail logs in a separate file but it will not work.
I can read the journal perfectly alright with journalctl and the kernel
messages come through OK as well, but the rest seems to disappear
somewhere.
My rsyslog.conf loads the following modules:
 MODULES 

# The imjournal module below is now used as a message source instead of 
imuxsock.
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imuxsock # provides support for local system logging (e.g. via logger 
command)
$OmitLocalLogging off
$ModLoad imklog # reads kernel messages (the same are read from journald)


What do I do wrong???


we would need to see the rest of your config to see what you do with the 
messages after they arrive.


David Lang


Re: [rsyslog] Rsyslog Arrays not Working as Expected

2016-10-27 Thread David Lang

On Fri, 16 Sep 2016, Shane Lawrence wrote:


When I use this syntax, arrays work just fine:
   if ($fromhost-ip == ["127.0.0.1", "1.1.1.1"]) then {

but when I use this syntax, it only matches the first item in the array:
   set $/ARCSIGHT_WHITELIST = ["127.0.0.1", "1.1.1.1"];
   if ($fromhost-ip == $ARCSIGHT_WHITELIST) then {

There are no syntax errors when I check rsyslogd -N1. I am using v8.21.0 on
CentOS 7.

I believe both of these should have the same result. If arrays can't be
used in this way, they should generate an error.


The second example isn't an array, it's the string '["127.0.0.1", "1.1.1.1"]'

There is not currently a nice way to create an array in rsyslog


Is there a workaround?


yes, you can create a string and then use mmnormalize to parse it into an array 
(look at the repeat option or make a json string and parse that)


David Lang


Re: [rsyslog] liblognorm, imfile and Java stacktrace logs

2016-10-27 Thread David Lang

On Tue, 13 Sep 2016, Radu Gheorghe wrote:


But I haven't used mmnormalize/liblognorm on multiline logs. Not sure
if it works as expected even. So I'm looking forward to your findings
:)


mmnormalize won't handle multiline logs, but it will handle lines with escaped 
newlines in it (either escaped as they were created, or escaped via the property 
replacer and an exec_template() call)


David Lang


Re: [rsyslog] TCP listener and custom format

2016-10-27 Thread David Lang

On Fri, 23 Sep 2016, Waqar Khan wrote:


Hello,

I have an application which will send TCP messages as log lines to my imtcp 
listener. I have been able to get the standard RFC formatted messages working 
and can log to a local file using omfile.
However the messages are not standard format. They will look something like 
(this will be the full content of the TCP message, i.e. the data section will 
contain):

FQDN CustomString Date [LogLevelString]:[LogType] Message \n

For example:

Win1.domain.com BLABLAbla 2016-09-23 11:04:54Z [DEBUG]:[SQL] SELECT * FROM 
table limit 1 \n

What I would like to do this this message is to read the above into variables 
to evaluate in a filter and output to file name depending on the FQDN per 
message. So the above message would go into a file called 
/var/log/win1.domain.com-BLABLAbla.log

Additionally I would like to evaluate [LogLevelString]. E.g.

If $LogLevelString == '[ERROR]' then ...ommail

How would I go about creating the $LogLevelString variable per message received?


This is not a good fit for rsyslog as it assumes that incoming messages are in a 
known format.


you may be able to work around this by using mmnormalize with a ruleset to parse 
the raw message.


But the 'right' thing to do is to write (or pay professional services at adiscon 
to write) a parser module that understands this format and parses it correctly.


This is assuming that you can't fix the thing that's generating the log messages 
to format them as a proper syslog message.


David Lang
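To make concrete what a parser for this wire format has to deliver, here is an added Python model of the field extraction and of the per-sender file name the poster asked for. It is not rsyslog code, not a parser module and not from the thread; the format and the sample line are the ones quoted above, while `AppLine`, `parse_line`, `output_path`, `wants_mail` and the `/var/log` base directory are assumptions. Because the FQDN and the custom string arrive over the network and end up in a file path, the example refuses any component that is not a plain name instead of splicing it into the path.

```python
"""Added example: a model of the parsing a custom-format listener needs,
plus the dynafile name derived from it. Not rsyslog's code."""
import re
from dataclasses import dataclass
from typing import Optional

# FQDN CustomString Date [LogLevelString]:[LogType] Message
LINE_RE = re.compile(
    r"^(?P<fqdn>\S+)\s+(?P<tag>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)\s+"
    r"\[(?P<level>[A-Z]+)\]:\[(?P<logtype>[^\]]+)\]\s*(?P<msg>.*?)\s*$"
)
# A file-name component may only be a plain name: no '/', no '..', no spaces.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# The example line quoted in the thread (trailing " \n" included).
SAMPLE = ("Win1.domain.com BLABLAbla 2016-09-23 11:04:54Z [DEBUG]:[SQL] "
          "SELECT * FROM table limit 1 \n")


@dataclass
class AppLine:
    fqdn: str
    tag: str
    date: str
    level: str
    logtype: str
    msg: str


def parse_line(raw: str) -> Optional[AppLine]:
    """Split one received line into fields; None if it is not in the format."""
    m = LINE_RE.match(raw.rstrip("\r\n"))
    return AppLine(**m.groupdict()) if m else None


def output_path(rec: AppLine, base: str = "/var/log") -> Optional[str]:
    """Per-sender file name as the poster wants it. Both parts come straight
    from the sender, so anything that is not a plain name is refused rather
    than being spliced into a path under `base`."""
    for part in (rec.fqdn, rec.tag):
        if not SAFE_NAME_RE.match(part) or ".." in part:
            return None
    return f"{base}/{rec.fqdn.lower()}-{rec.tag}.log"


def wants_mail(rec: AppLine) -> bool:
    """The "[ERROR] then ommail" condition; the parser strips the brackets."""
    return rec.level == "ERROR"


if __name__ == "__main__":
    rec = parse_line(SAMPLE)
    print(rec)
    print(output_path(rec), "mail:", wants_mail(rec))
```

A liblognorm rule or a parser module would do the same split; the useful part to carry over is that fields taken from the message are validated before they select an output file.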


Re: [rsyslog] Delete log files after sending logs to Elasticsearch

2016-10-27 Thread David Lang

On Mon, 19 Sep 2016, Alec Swan wrote:


I am using rsyslog to read log files and send logs to Elasticsearch. I am
looking for ideas on how to delete log files after their content is
successfully sent to Elasticsearch.


rsyslog doesn't have any options to remove a file when it's done processing it 
(rsyslog assumes that it's reading a file that something else is writing to).


What I would suggest is to use something like logger to read the file and 
deliver the lines to rsyslog, then remove the file after it's all been delivered 
to rsyslog.


David Lang




Re: [rsyslog] feature request

2016-10-27 Thread David Lang

On Tue, 30 Dec 2014, Kendall Green wrote:


Hello and thank you for the example configuration for reparse(), which
would help normalization efforts for parsing windows event messages for
different event ids.

How would the refactoring of reparse affect the new RainerScript functions
warp() and replace(), and also mmnormalize can also work with variable, and
are there any example configuration for these functions.


At my last job I used mmnormalize on variables extensively, I took the message 
that arrived in JSON and created a 'standard' traditional syslog formatted line 
(no matter what format it arrived in) and then did the mmnormalize on that line. 
This included logs from windows systems


However, keep in mind that mmnormalize scales very well with the rule size, so 
you can have as many different rules in one file as you want.


Doing windows logs again, I would create a variable that had the event id as one 
of the early fields in the line (right after the prefix of timestamp, hostname, 
sourcename) which will let mmnormalize immediately identify the correct parser 
rule(s) to use and then parse the message appropriately with no chance of 
confusing it with a different message type.



The re_extract()
function warning message that it is being deprecated, so I resorted to
using legacy template syntax from the regex generator tool, and assigning
to variable with the exec_template() function. This allows regex to be
used, without putting into the mmnormalize rulebase, but different regex
would be necessary to reparse the subsection of the messages, for
conditions on contents or different events. The spacing depending on the
contents of the message, or event states that affect the formatting
changes, as another challenge, these messages currently have syslog agents
that lose the structure, but can be restored with possibly wrap() and
replace(), to reformat the message parts and mmjsonparse or reparse the key
values into different format, key=value or json, cee, cef, csv. Using
rulebase that is able to define most sections of the message, but the
"iptables" type key=value pairs is limited.


the repeat functionality can help you here, but I agree we need a more general 
key-value and csv type capability (look at what nxlog does for csv for a pretty 
flexible example)



This awesome feature would
provide so much ability if could specify separators, or way to define the
key:value wrappers. Can anyone speak to the ability in example use cases
for new features of mmnormalize? Would output name to separate json paths
logically circumvent caveats regarding unknown results from executing
multiple instances of different rulebases against a message, and how
might reparse() might be able to take into account?


I'm not sure I understand your question here, can you try to restate it (also, 
when you have a long e-mail like this with many questions, separating them out 
can help avoid confusion)



Another odd thing with working with dynafiles and variables, is
that $!vars appears to only work with lowercase letters, so the rulebase
variables that are uppercase and used as output in the omfile name need to
be set to another variable that is lowercase or it doesn't populate the
outfile name.  When dealing with tens of thousands of clients, it doesn't
lend much to changing anything about what comes into the central logging
service. The raw data output by windows is with nested structures
defined by tabs, character return, new lines, that are replaced with 4, 3,
or 2, spaces:


what version are you using? we had some problems with capitalization not too 
long ago.



"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity
ID:\t\tS-1-5-21-1343760832-931058557-1943201436-1000\r\n\tAccount
Name:\t\tkgreen\r\n\tAccount Domain:\t\tdell\r\n\tLogon
ID:\t\t0x86c35c\r\n\r\nLogon Type:\t\t\t7\r\n\r\nThis event is generated
when a logon session is destroyed. It may be positively correlated with a
logon event using the Logon ID value. Logon IDs are only unique between
reboots on the same computer."

Windows Syslog Agent sends as:
"An account was logged off.Subject:   Security ID:
S-1-5-21-1343760832-931058557-1943201436-1000   Account Name:  kgreen
Account Domain:  dell   Logon ID:  0x86c35cLogon Type:   7This
event is generated when a logon session is destroyed. It may be positively
correlated with a logon event using the Logon ID value. Logon IDs are only
unique between reboots on the same computer."


what windows syslog agent are you using? I was using nxlog, which let me forward 
the eventlog data as a JSON message, which gave me both the message as you are 
describing and a lot of the fields (especially standard ones like eventid) 
broken out as separate json objects.



The disadvantages in mmnormalize, is for the msg object is included as part
of the json structure after the contents have been parsed to fields,
essentially duplicating into structured data containing an unstructured
mess of a log.
This 
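The tab- and CRLF-structured event body quoted above is easy to parse while that structure survives; the agent's whitespace substitution is what destroys it. The following added example (not from the thread, and not rsyslog or nxlog code) parses the raw Windows text into `section.key` fields and shows that the same parser finds nothing once the separators have become spaces. `RAW_EVENT` is constructed from the event text quoted in the thread; `parse_event`, `flatten` and `FIELD_RE` are names chosen here, and `flatten` is an assumed approximation of the agent's substitution, not its actual algorithm.

```python
"""Added example: recover key/value structure from a Windows event body
while its CRLF/tab layout is intact, and show what flattening costs."""
import re
from typing import Dict, Optional

# Constructed from the event text quoted in the thread.
RAW_EVENT = (
    "An account was logged off.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1343760832-931058557-1943201436-1000\r\n"
    "\tAccount Name:\t\tkgreen\r\n"
    "\tAccount Domain:\t\tdell\r\n"
    "\tLogon ID:\t\t0x86c35c\r\n\r\n"
    "Logon Type:\t\t\t7\r\n\r\n"
    "This event is generated when a logon session is destroyed."
)

# <tabs>Key:              -> opens a section (no value)
# <tabs>Key:<tabs>value   -> a field
FIELD_RE = re.compile(r"^(?P<indent>\t*)(?P<key>[^\t:]+):(?:\t+(?P<value>.*))?$")


def _name(key: str) -> str:
    return key.strip().lower().replace(" ", "_")


def parse_event(text: str) -> Dict[str, str]:
    """Walk the CRLF/tab layout: a 'Section:' line with no value opens a
    section; indented 'Key:<tabs>value' lines under it are stored as
    section.key, unindented ones as a plain key. Free text is skipped."""
    fields: Dict[str, str] = {}
    section: Optional[str] = None
    for line in text.split("\r\n"):
        m = FIELD_RE.match(line)
        if m is None:
            continue  # e.g. the leading summary or trailing explanation
        if m.group("value") is None:
            section = _name(m.group("key"))
            continue
        name = _name(m.group("key"))
        if m.group("indent") and section:
            name = f"{section}.{name}"
        fields[name] = m.group("value").strip()
    return fields


def flatten(text: str) -> str:
    """Assumed approximation of what the syslog agent does: every run of
    CR, LF or tab becomes a run of spaces, so line and column boundaries
    vanish and the key/value pairs can no longer be told apart."""
    return re.sub(r"[\r\n\t]+", "   ", text)


if __name__ == "__main__":
    for name, value in parse_event(RAW_EVENT).items():
        print(f"{name}={value}")
    print("after flattening:", parse_event(flatten(RAW_EVENT)))
```

This is the reason behind the advice to ship the event as JSON from the agent: once the fields are broken out at the source, nothing downstream has to guess which run of spaces used to be a line break.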

Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread David Lang

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:


Thanks for the hints, I have already done most of them and at the present time 
I am able to keep up with the traffic easily.  I like the solution of 
separating out the major senders by port so there's no possible cross 
contamination if tags are reused across different applications.  All my if 
statements have stop after them so they don't do any further processing, and 
they are ordered with the rules that get hit the most at the very top.

What would simplify my config the most would be a way to do a case on 
the syslogtag instead of multiple if statements.  But I haven't found any way 
to do that.


we don't have case, but the array on if statements and/or table lookup handle 
most cases.


if $programname == ['foo','bar'] then
{
} else if $programname == ['baz'] then
{
} else if $programname ==

is functionally equivalent to a case statement. doing a table lookup can 
simplify a complex lookup into a simple one


you could have a table that had keys of 'hostname + " " + programname' and map 
that to a simple string/number to then use in the if statements or dynafile 
strings for example.


David Lang




Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread Scot Kreienkamp
Almost forgot, I also implemented async and IO buffering on dynafile, which 
lowered my CPU usage and disk churn greatly.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up.  It
> normally runs 20-30 meg (combined in and out) during the day, bursting as high
> as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some
> checking sending hostname, times, etc.  To eliminate some processing time I
> changed the higher traffic apps to come in on their own dedicated ports so I
> could bind a much smaller ruleset to the inputs, and everything else comes in
> on the default port.  So now the largest number of if statements in a ruleset
> is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that
doesn't seem like an excessive amount of traffic, we should be able to handle it
on a single port. I've run servers handling many GB of logs per day with rather
complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b'
etc.

Can you use dynafiles (especially in combination with the above capabilities) to
set variables that are then used in filenames to output the files in fewer
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
   if ... then {}
   if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions,
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules,
so if you have some very common logs, process them first and then have a stop
action once you know that they aren't going to match anything else in the
config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back  :-)
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can 
> split
> the logs on that at the central system rather easily, why split it on the
> sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender 
> is
> just going to mean you have a lot of queues filling up, the order that they 
> then
> drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work?  I wasn't sure a config file variable could 
>> be used in the action context.
>>
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>queue.type="LinkedList"
>>queue.size="5"
>>queue.maxDiskSpace="1g"
>>queue.discardmark="45000"
>>queue.dequeueBatchSize="1024"
>>queue.filename="fwd-monvsyslog-514"
>>queue.spoolDirectory="/var/spool/rsyslog"
>>queue.saveOnShutdown="on"
>>){
>>action(
>>name="fwd-syslog-collector"
>>type="omfwd"
>>Target="monvsyslog"
>>Port="$!remoteport"
>>Protocol="tcp"
>>)
>> }
>>
>>
>>
>> if $syslogtag == 'Ecomm:' then {
>>set $!remoteport = "1531";
>>call fwd-centralsyslog-customport
>>stop
>> }
>>
>>
>>
>>
>> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
>> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
>> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>> -Original Message-
>> From: 

Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-27 Thread Scot Kreienkamp
That's why I included the line I was using to test, so that anyone reading my 
message had the means to produce whatever output they needed if they chose to 
look into it further.  I don't have a RH6 machine to try this with anymore.  My 
solution was to upgrade to RH7 where it was no longer an issue.

logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test  $(date)"

That logger line, executed on RH7 and delivered to a RH6 host, was not 
processed properly.  I was filtering it based on syslogtag.

Rsyslog rules I was using:

template (name="NetworkPerIP" type="string" 
string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
template (name="FirewallChangeLog" type="string" 
string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514"){
action(name="Net-1514-omfile" type="omfile" dynafilecachesize="50" 
DynaFile="NetworkPerIP" template="RSYSLOG_TraditionalFileFormat" 
ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on" dirCreateMode="0750"  
FileCreateMode="0640" dirGroup="networksecured" fileGroup="networksecured")
if $syslogtag contains "ASA-5-111010" then {
action(name="Net-1514-FWCH" type="omfile" 
dynafilecachesize="50" DynaFile="FirewallChangeLog" 
template="RSYSLOG_TraditionalFileFormat" ioBufferSize="128k" flushOnTXEnd="off" 
asyncWriting="on" dirCreateMode="0750" FileCreateMode="0640" 
dirGroup="networksecured" fileGroup="networksecured")
}
stop
}


input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")






Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:24 PM
To: rsyslog-users
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I was able to reproduce the problem using the logger command from a RH7 
> workstation to an rsyslog server running under RH6 so I am fairly certain the 
> problem wasn't on the Cisco side.

samples of the raw logs that are being mis-processed would be a huge help.

David Lang

>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
>> repo running in production here.  It's a very busy server, but from
>> what I can tell I am not dropping any messages.  The queues are
>> usually less than 100 and return to 0 within 60 seconds.  I have had
>> the config in place on my server for 1 month now and it had been
>> working flawlessly until the end of last month.  I have included the
>> relevant part of my config inline below, any comments on tuning or
>> help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP.  About 20
>> other hosts are also sending logs hitting this rule.  Up through 23:59
>> 9-30-2016 all messages that had a tag that contained "ASA-5-111010"
>> were also written to another dynafile, FirewallChangeLog.  That's what
>> I wanted to happen, and as I said, it was working flawlessly until the
>> end of last month.  Since the calendar flipped over to Oct 1 the logs
>> have not been written to the FirewallChangeLog.  In testing, I
>> simulated a log message from my workstation to this rule like so:
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
>> log; it's only written to the NetworkPerIP log if I don't tag it with
>> the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
>> the code somewhere.  If I copy this config to a test box running RHEL7
>> with the same version of rsyslog and same config it seems to work OK.
>> I haven't tried on another RHEL6.  I am not hitting the limit of
>> number of open files, it's set to 15,000 and I'm only at 5,000 last I
>> checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I went
>> ahead and did the upgrade to RHEL7 since it was on my list to upgrade
>> anyway and the problem has disappeared.
>>
>
> When I see this sort of thing, I suspect that 

Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread Scot Kreienkamp
Thanks for the hints, I have already done most of them and at the present time 
I am able to keep up with the traffic easily.  I like the solution of 
separating out the major senders by port so there's no possible cross 
contamination if tags are reused across different applications.  All my if 
statements have stop after them so they don't do any further processing, and 
they are ordered with the rules that get hit the most at the very top.

What would simplify my config the most was if there was a way to do a case on 
the syslogtag instead of multiple if statements.  But I haven't found any way 
to do that.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up.  It
> normally runs 20-30 meg (combined in and out) during the day, bursting as high
> as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some
> checking sending hostname, times, etc.  To eliminate some processing time I
> changed the higher traffic apps to come in on their own dedicated ports so I
> could bind a much smaller ruleset to the inputs, and everything else comes in
> on the default port.  So now the largest number of if statements in a ruleset
> is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that
doesn't seem like an excessive amount of traffic, we should be able to handle it
on a single port. I've run servers handling many GB of logs per day with rather
complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b'
etc.

Can you use dynafiles (especially in combination with the above capabilities) to
set variables that are then used in filenames to output the files in fewer
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
   if ... then {}
   if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions,
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules,
so if you have some very common logs, process them first and then have a stop
action once you know that they aren't going to match anything else in the
config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back  :-)
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can 
> split
> the logs on that at the central system rather easily, why split it on the
> sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender 
> is
> just going to mean you have a lot of queues filling up, the order that they 
> then
> drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work?  I wasn't sure a config file variable could 
>> be used in the action context.
>>
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>queue.type="LinkedList"
>>queue.size="5"
>>queue.maxDiskSpace="1g"
>>queue.discardmark="45000"
>>queue.dequeueBatchSize="1024"
>>queue.filename="fwd-monvsyslog-514"
>>queue.spoolDirectory="/var/spool/rsyslog"
>>queue.saveOnShutdown="on"
>>){
>>action(
>>name="fwd-syslog-collector"
>>type="omfwd"
>>Target="monvsyslog"
>>

Re: [rsyslog] Action Queue misunderstanding

2016-10-27 Thread phrogz
Oh ok, thanks a lot!

Ludovic

-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 21:26
To: rsyslog-users 
Subject: Re: [rsyslog] Action Queue misunderstanding

Yes, the file does not get re-written as logs are delivered, it's just pointers 
into the file that change (the overhead and race conditions related to 
re-writing a potentially large file when one message is delivered and 
additional messages are arriving are ugly)

David Lang

On Thu, 27 Oct 2016, phrogz wrote:

> Thanks for the feedback, you're right pstats show 0 for the DA queue, but is it 
> normal that the file (inside) is not empty? Because there are still some 
> messages in the queue, and if I take one random msg in this file I can see 
> that the msg has been transmitted to the backend database.
>
> Thanks,
>
> Ludovic
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 20:42
> To: rsyslog-users 
> Subject: Re: [rsyslog] Action Queue misunderstanding
>
> disk assisted queues will leave one file in place when they are fully caught 
> up (in case there are more files that need to be queued), when you shutdown 
> rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.
>
> but the pstats data should show the enqueued size as 0 for the DA version of 
> the queue.
>
> when you have a DA queue, it's actually two queues, a memory queue and a disk 
> assist queue, they show up separately in the pstats data, and the memory 
> queue will fill up before the disk queue starts being used.
>
> David Lang
>
>
> On Thu, 20 Oct 2016, phrogz wrote:
>
>> Date: 20 Oct 2016 17:42:22 +0200
>> From: phrogz 
>> Reply-To: rsyslog-users 
>> To: rsyslog@lists.adiscon.com
>> Subject: Re: [rsyslog] Action Queue misunderstanding
>>
>> yes, but normally the queues are cleaned? isn't it?
>>
>> 2016-10-20 17:34 GMT+02:00 phrogz :
>>> Anyway,  the logs in the queue files are delivered.
>>
>> So you are happy?
>>>
>>> Thanks,
>>>
>>> Ludovic
>>>
>>> ___
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
>>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
>>> LIKE THAT.


Re: [rsyslog] Action Queue misunderstanding

2016-10-27 Thread David Lang
Yes, the file does not get re-written as logs are delivered, it's just pointers 
into the file that change (the overhead and race conditions related to 
re-writing a potentially large file when one message is delivered and additional 
messages are arriving are ugly)


David Lang

On Thu, 27 Oct 2016, phrogz wrote:

> Thanks for the feedback, you're right pstats show 0 for the DA queue, but is it 
> normal that the file (inside) is not empty? Because there are still some 
> messages in the queue, and if I take one random msg in this file I can see that 
> the msg has been transmitted to the backend database.
>
> Thanks,
>
> Ludovic
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 20:42
> To: rsyslog-users 
> Subject: Re: [rsyslog] Action Queue misunderstanding
>
> disk assisted queues will leave one file in place when they are fully caught up 
> (in case there are more files that need to be queued), when you shutdown 
> rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.
>
> but the pstats data should show the enqueued size as 0 for the DA version of 
> the queue.
>
> when you have a DA queue, it's actually two queues, a memory queue and a disk 
> assist queue, they show up separately in the pstats data, and the memory queue 
> will fill up before the disk queue starts being used.
>
> David Lang
>
> On Thu, 20 Oct 2016, phrogz wrote:
>
>> Date: 20 Oct 2016 17:42:22 +0200
>> From: phrogz 
>> Reply-To: rsyslog-users 
>> To: rsyslog@lists.adiscon.com
>> Subject: Re: [rsyslog] Action Queue misunderstanding
>>
>> yes, but normally the queues are cleaned? isn't it?
>>
>> 2016-10-20 17:34 GMT+02:00 phrogz :
>>> Anyway,  the logs in the queue files are delivered.
>>
>> So you are happy?
>>>
>>> Thanks,
>>>
>>> Ludovic

Re: [rsyslog] Action Queue misunderstanding

2016-10-27 Thread phrogz
Thanks for the feedback, you're right pstats show 0 for the DA queue, but is it 
normal that the file (inside) is not empty? Because there are still some 
messages in the queue, and if I take one random msg in this file I can see that 
the msg has been transmitted to the backend database.

Thanks,

Ludovic
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 20:42
To: rsyslog-users 
Subject: Re: [rsyslog] Action Queue misunderstanding

disk assisted queues will leave one file in place when they are fully caught up 
(in case there are more files that need to be queued), when you shutdown 
rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.

but the pstats data should show the enqueued size as 0 for the DA version of 
the queue.

when you have a DA queue, it's actually two queues, a memory queue and a disk 
assist queue, they show up separately in the pstats data, and the memory queue 
will fill up before the disk queue starts being used.

David Lang


On Thu, 20 Oct 2016, phrogz wrote:

> Date: 20 Oct 2016 17:42:22 +0200
> From: phrogz 
> Reply-To: rsyslog-users 
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Action Queue misunderstanding
> 
> yes, but normally the queues are cleaned? isn't it?
>
> 2016-10-20 17:34 GMT+02:00 phrogz :
>> Anyway,  the logs in the queue files are delivered.
>
> So you are happy?
>>
>> Thanks,
>>
>> Ludovic
>>

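The two-queue behaviour David describes (a memory queue that fills first, and a disk part that only shows activity once the memory part is full) is easiest to watch with impstats enabled. The configuration below is an added example for this thread, not configuration from any of the posters or from the rsyslog project; the collector hostname, the spool and stats file names and the sizes are assumptions.

```rsyslog
# Added example, not configuration from this thread: a forwarding action with a
# disk-assisted (DA) queue plus impstats, so the memory part and the disk part
# of the queue can be watched separately. Host, paths and sizes are assumed.

# Counters every 60 s into a file, kept out of the syslog stream itself.
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")

# queue.filename is what turns the in-memory LinkedList queue into a DA queue.
# Messages stay in memory until the high watermark is crossed; only then are
# they written to disk, and rsyslog returns to memory-only once the queue
# drains below the low watermark. queue.size caps the memory part (messages),
# queue.maxDiskSpace caps the disk part.
action(name="fwd-collector" type="omfwd"
       target="collector.example.net" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd-collector"
       queue.spoolDirectory="/var/spool/rsyslog"
       queue.size="50000"
       queue.highWatermark="40000"
       queue.lowWatermark="10000"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

In the stats file the memory queue and its disk part are separate records (in the legacy impstats format the disk part carries a [DA] suffix on the queue name). As David says, the size counter on the disk record going back to 0 is the signal that the backlog has drained; the mere presence of a spool file is not. queue.saveOnShutdown keeps whatever is still in memory from being lost when rsyslog is stopped rather than HUPed, and action.resumeRetryCount="-1" makes the action retry indefinitely instead of discarding messages when the collector is unreachable.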

Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-27 Thread David Lang

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I was able to reproduce the problem using the logger command from a RH7 
> workstation to an rsyslog server running under RH6 so I am fairly certain the 
> problem wasn't on the Cisco side.

samples of the raw logs that are being mis-processed would be a huge help.

David Lang

>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
>> repo running in production here.  It's a very busy server, but from
>> what I can tell I am not dropping any messages.  The queues are
>> usually less than 100 and return to 0 within 60 seconds.  I have had
>> the config in place on my server for 1 month now and it had been
>> working flawlessly until the end of last month.  I have included the
>> relevant part of my config inline below, any comments on tuning or
>> help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP.  About 20
>> other hosts are also sending logs hitting this rule.  Up through 23:59
>> 9-30-2016 all messages that had a tag that contained "ASA-5-111010"
>> were also written to another dynafile, FirewallChangeLog.  That's what
>> I wanted to happen, and as I said, it was working flawlessly until the
>> end of last month.  Since the calendar flipped over to Oct 1 the logs
>> have not been written to the FirewallChangeLog.  In testing, I
>> simulated a log message from my workstation to this rule like so:
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
>> log; it's only written to the NetworkPerIP log if I don't tag it with
>> the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
>> the code somewhere.  If I copy this config to a test box running RHEL7
>> with the same version of rsyslog and same config it seems to work OK.
>> I haven't tried on another RHEL6.  I am not hitting the limit of
>> number of open files, it's set to 15,000 and I'm only at 5,000 last I
>> checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I went
>> ahead and did the upgrade to RHEL7 since it was on my list to upgrade
>> anyway and the problem has disappeared.
>>
>
> When I see this sort of thing, I suspect that there is a problem with
> the date format being sent by the ASA, can you send samples of a raw
> message (either output with $rawmsg or use the RSYSLOG_DebugFormat)
>
> I would guess that instead of Oct  1 it's doing Oct 1 or something odd
> like that. You may want to play around with the pmcisco* modules to try
> and fix up the cisco specific oddities that we know about.
>
> David Lang
>
> This message is intended only for the individual or entity to which it is 
> addressed.  It may contain privileged, confidential information which is exempt 
> from disclosure under applicable laws.  If you are not the intended recipient, 
> you are strictly prohibited from disseminating or distributing this information 
> (other than to the intended recipient) or copying this information.  If you 
> have received this communication in error, please notify us immediately by 
> e-mail or by telephone at the above number. Thank you.

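David asks for raw samples of the mis-processed messages, via $rawmsg or RSYSLOG_DebugFormat, to check his suspicion that the sender's timestamp (for instance "Oct 1" where RFC 3164 uses "Oct  1") is not being parsed. The snippet below is an added example of how to collect exactly that evidence; it is not configuration from this thread or from the rsyslog project. The ruleset name, the debug file paths and the port are assumptions; the tag match is the one from the thread.

```rsyslog
# Added example, not configuration from this thread: capture the raw bytes of
# every message that hits the suspect rule next to the timestamp rsyslog
# parsed from it. Ruleset and file names are assumed.

# One line per message: parsed timestamp, tag, then the message exactly as
# received. A parsed value that disagrees with the raw text is the tell.
template(name="TsCheck" type="string"
         string="parsed=%timereported:::date-rfc3339% tag=%syslogtag% raw=%rawmsg%\n")

ruleset(name="Net-1514-debug") {
    if $syslogtag contains "ASA-5-111010" then {
        action(type="omfile" file="/var/log/debug/asa-tscheck.log"
               template="TsCheck"
               dirCreateMode="0750" fileCreateMode="0640")
        # every property rsyslog derived from the message, one record each,
        # which is what David means by RSYSLOG_DebugFormat
        action(type="omfile" file="/var/log/debug/asa-debug.log"
               template="RSYSLOG_DebugFormat"
               dirCreateMode="0750" fileCreateMode="0640")
    }
}

input(type="imudp" port="1514" ruleset="Net-1514-debug")
```

timereported is the timestamp parsed out of the message; when that parse fails rsyslog falls back to the time the message was received, which is why the side-by-side line makes a malformed sender timestamp visible without guessing. Both debug files hold full message contents, so they get the same restrictive directory and file modes as the production outputs, and the ruleset is meant to be bound only for the duration of the investigation.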

Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread David Lang

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up.  It 
> normally runs 20-30 meg (combined in and out) during the day, bursting as high 
> as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some 
> checking sending hostname, times, etc.  To eliminate some processing time I 
> changed the higher traffic apps to come in on their own dedicated ports so I 
> could bind a much smaller ruleset to the inputs, and everything else comes in 
> on the default port.  So now the largest number of if statements in a ruleset 
> is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that 
doesn't seem like an excessive amount of traffic, we should be able to handle it 
on a single port. I've run servers handling many GB of logs per day with rather 
complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the 
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b' 
etc.

Can you use dynafiles (especially in combination with the above capabilities) to 
set variables that are then used in filenames to output the files in fewer 
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
   if ... then {}
   if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions, 
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules, 
so if you have some very common logs, process them first and then have a stop 
action once you know that they aren't going to match anything else in the 
config.

David Lang

> My original intent behind the question was not because I was using a large 
> amount of ports, but so I could group everything outbound from the clients 
> into one outbound queue and have something reusable by selecting a new port 
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back  :-)
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can split
> the logs on that at the central system rather easily, why split it on the
> sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender is
> just going to mean you have a lot of queues filling up, the order that they then
> drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work?  I wasn't sure a config file variable could be 
>> used in the action context.
>>
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>    queue.type="LinkedList"
>>    queue.size="5"
>>    queue.maxDiskSpace="1g"
>>    queue.discardmark="45000"
>>    queue.dequeueBatchSize="1024"
>>    queue.filename="fwd-monvsyslog-514"
>>    queue.spoolDirectory="/var/spool/rsyslog"
>>    queue.saveOnShutdown="on"
>>    ){
>>    action(
>>    name="fwd-syslog-collector"
>>    type="omfwd"
>>    Target="monvsyslog"
>>    Port="$!remoteport"
>>    Protocol="tcp"
>>    )
>> }
>>
>>
>>
>> if $syslogtag == 'Ecomm:' then {
>>    set $!remoteport = "1531";
>>    call fwd-centralsyslog-customport
>>    stop
>> }
>>
>>
>>
>>
>> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
>> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
>> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>> -Original Message-
>> From: rsyslog-boun...@lists.adiscon.com 
>> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
>> Sent: Thursday, October 13, 2016 8:52 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Problem with queues configuration
>>
>> sorry, hit wrong key. Here comes the complete message ;)
>>
>> 2016-10-13 14:49 GMT+02:00 Rainer Gerhards :
>>> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo :
>>>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>>> Can you check if the problem persists with the currently supported 8.22.0
>>>>>> version? V7 is very, very old.
>>>>>
>>>>> I have to make deeper tests, but it seems to work with 8.22.
>>>>
>>>> I can confirm that is working fine with 8.22.0.


Re: [rsyslog] help with high CPU usage

2016-10-27 Thread Scot Kreienkamp
After much experimentation I found out that having multiple threads on the 
network input modules was causing my problems, probably as you said by causing 
locking issues with the queues.  After changing to this:

module(load="imudp" threads="1" timeRequery="8" batchSize="128")
module(load="imptcp" threads="1")


My load is back down to somewhere between .1 and .2.



Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:06 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] help with high CPU usage

 On Mon, 10 Oct 2016 15:23:22 +, Scot Kreienkamp wrote:
> Hi everyone,
>
> I am troubleshooting a few problems on my rsyslog server, the first
> of which is high CPU usage.  Top -H is showing 100% CPU usage for the
> imptcp module, and I can't figure out why.  It doesn't start out that
> way when rsyslog is restarted, but after a few minutes it goes right
> to the top of the list.  Can you help direct me as to why the CPU usage
> is so high for IMPTCP?
>
> Top output showing threads:
>   PID USER  PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
> 32670 root  20   0 6161012 204032   2908 R 99.9  1.7  31:57.75 in:imptcp
> 32673 root  20   0 6161012 204032   2908 R 79.4  1.7  21:43.37 in:imptcp
>
>
> My config is not that complicated, mostly just filtering things to
> specific logs by tag.  I've included the main queue incoming config
> below, I can post the rest if needed but it's fairly long so I'll
> defer that unless necessary.  I don't seem to have any problems
> receiving messages, none are being discarded that I'm aware of.  Just
> seems to be high CPU usage.
>
> $umask 
> $FileCreateMode 0644
> $DirCreateMode 0755
> $RepeatedMsgReduction off
> $EscapeControlCharactersOnReceive off
> $MaxMessageSize 64k
> $RepeatedMsgReduction off
> $WorkDirectory /var/spool/rsyslog
>
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

> $ActionQueueType LinkedList
> $ActionQueueWorkerThreads 2

 try removing these two lines, it's counter-intuitive, but having too
 many threads decreases performance because the extra threads end up
 fighting for locks on the queue.

 Also, these queue parameters only apply to the next action, so they are
 almost certainly not what you want.

>
> global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
> maxMessageSize="64k")
>
>
> # Provides UDP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imudp.html
> module(load="imudp" threads="1" timeRequery="8" batchSize="128") # needs to be done just once
> #input(type="imudp" port="514")
>
> # Provides TCP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imtcp.html
> module(load="imptcp" threads="1") # needs to be done just once
> #input(type="imptcp" port="514")
>
> module(load="impstats"
> interval="60"
> log.syslog="on"
> resetCounters="on"
> /* need to turn log stream logging off! */
> /* log.file="/var/log/rsyslogd.stats" */
> )
>
>
>
> main_queue(
>   queue.workerThreadMinimumMessages="5000"
>   queue.discardmark="45000"

>   queue.workerThreads="2"

 this will actually function, but after you remove the lines above, try
 removing this line

>   queue.dequeueBatchSize="2048"
>   queue.spoolDirectory="/var/spool/rsyslog"  # where to write on disk
>   queue.fileName="rsyslogmainqueue"
>   queue.maxDiskSpace="5g"    # it will stop at this much disk space
>   queue.size="5"             # or this many messages
>   queue.saveOnShutdown="on"  # save memory queue contents to disk when rsyslog is exiting
> }

 David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-27 Thread Scot Kreienkamp
I was able to reproduce the problem using the logger command from a RH7 
workstation to an rsyslog server running under RH6 so I am fairly certain the 
problem wasn't on the Cisco side.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:12 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

 On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
> Hi Everyone,
>
> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
> repo running in production here.  It's a very busy server, but from
> what I can tell I am not dropping any messages.  The queues are
> usually less than 100 and return to 0 within 60 seconds.  I have had
> the config in place on my server for 1 month now and it had been
> working flawlessly until the end of last month.  I have included the
> relevant part of my config inline below, any comments on tuning or
> help with my problem would be appreciated.
>
> Here's my problem:
>
> Basically, this section of my config is receiving syslogs from an ASA
> firewall and writing them all to dynafile NetworkPerIP.  About 20
> other hosts are also sending logs hitting this rule.  Up through 23:59
> 9-30-2016 all messages that had a tag that contained "ASA-5-111010"
> were also written to another dynafile, FirewallChangeLog.  That's what
> I wanted to happen, and as I said, it was working flawlessly until the
> end of last month.  Since the calendar flipped over to Oct 1 the logs
> have not been written to the FirewallChangeLog.  In testing, I
> simulated a log message from my workstation to this rule like so:
> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
> log; it's only written to the NetworkPerIP log if I don't tag it with
> the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
> the code somewhere.  If I copy this config to a test box running RHEL7
> with the same version of rsyslog and same config it seems to work OK.
> I haven't tried on another RHEL6.  I am not hitting the limit of
> number of open files, it's set to 15,000 and I'm only at 5,000 last I
> checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I went
> ahead and did the upgrade to RHEL7 since it was on my list to upgrade
> anyway and the problem has disappeared.
>

 When I see this sort of thing, I suspect that there is a problem with
 the date format being sent by the ASA, can you send samples of a raw
 message (either output with $rawmsg or use the RSYSLOG_DebugFormat)

 I would guess that instead of Oct  1 it's doing Oct 1 or something odd
 like that. You may want to play around with the pmcisco* modules to try
 and fix up the cisco specific oddities that we know about.

 David Lang


Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-27 Thread David Lang

On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:

Hi Everyone,

I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
repo running in production here.  It's a very busy server, but from
what I can tell I am not dropping any messages.  The queues are
usually less than 100 and return to 0 within 60 seconds.  I have had
the config in place on my server for 1 month now and it had been
working flawlessly until the end of last month.  I have included the
relevant part of my config inline below, any comments on tuning or
help with my problem would be appreciated.

Here's my problem:

Basically, this section of my config is receiving syslogs from an ASA
firewall and writing them all to dynafile NetworkPerIP.  About 20
other hosts are also sending logs hitting this rule.  Up through 23:59
9-30-2016 all messages that had a tag that contained "ASA-5-111010"
were also written to another dynafile, FirewallChangeLog.  That's what
I wanted to happen, and as I said, it was working flawlessly until the
end of last month.  Since the calendar flipped over to Oct 1 the logs
have not been written to the FirewallChangeLog.  In testing, I
simulated a log message from my workstation to this rule like so:
logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
It was written to the FirewallChangeLog but NOT to the NetworkPerIP
log; it's only written to the NetworkPerIP log if I don't tag it with
the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
the code somewhere.  If I copy this config to a test box running RHEL7
with the same version of rsyslog and same config it seems to work OK.
I haven't tried on another RHEL6.  I am not hitting the limit of
number of open files, it's set to 15,000 and I'm only at 5,000 last I
checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I went
ahead and did the upgrade to RHEL7 since it was on my list to upgrade
anyway and the problem has disappeared.



When I see this sort of thing, I suspect that there is a problem with 
the date format being sent by the ASA, can you send samples of a raw 
message (either output with $rawmsg or use the RSYSLOG_DebugFormat)


I would guess that instead of Oct  1 it's doing Oct 1 or something odd 
like that. You may want to play around with the pmcisco* modules to try 
and fix up the cisco specific oddities that we know about.


David Lang
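One way to test David's hypothesis against a capture of $rawmsg output is to classify each RFC 3164 header by whether a single-digit day is space-padded ("Oct  1") or not ("Oct 1"); the script below is an added example, not code from the thread or from rsyslog, and its sample messages, the hostname fw01 and the tag filter are constructed stand-ins rather than rsyslog's own parser behaviour.

```python
"""Classify raw syslog headers by single-digit-day padding.

Added example (not from the mailing-list thread or from rsyslog). RFC 3164
section 4.1.2 defines TIMESTAMP as "Mmm dd hh:mm:ss" with a one-digit day
left-padded by a space ("Oct  1"). A sender that emits "Oct 1" instead will
trip a strict parser; running classify_day_padding() over $rawmsg output
shows whether the format changed at the month boundary.
"""
import re
from typing import Dict, List, Optional

_MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
_HEAD = r"^<(?P<pri>\d{1,3})>(?P<mon>" + _MONTHS + r")"
_REST = (r" (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
         r"(?P<tag>[^:\s]+):\s?(?P<msg>.*)$")

# Strict RFC form: exactly one space, then a two-character day (" 1" .. "31").
_STRICT = re.compile(_HEAD + r" (?P<day>[ 123]\d)" + _REST)
# Tolerant form: one or more spaces, then a one- or two-digit day.
_TOLERANT = re.compile(_HEAD + r" +(?P<day>\d{1,2})" + _REST)


def parse_strict(raw: str) -> Optional[Dict[str, str]]:
    """Parse a header that follows RFC 3164 exactly; None otherwise."""
    m = _STRICT.match(raw)
    return m.groupdict() if m else None


def parse_tolerant(raw: str) -> Optional[Dict[str, str]]:
    """Accept padded or unpadded days; normalise 'day' to the two-char RFC form."""
    m = _TOLERANT.match(raw)
    if m is None:
        return None
    fields = m.groupdict()
    fields["day"] = fields["day"].rjust(2)
    return fields


def classify_day_padding(raw: str) -> str:
    """Return 'padded', 'unpadded' or 'unparsed' for one raw message."""
    if parse_strict(raw) is not None:
        return "padded"
    if parse_tolerant(raw) is not None:
        return "unpadded"
    return "unparsed"


def summarize(raws: List[str]) -> Dict[str, int]:
    """Count how many messages of a $rawmsg capture fall into each class."""
    counts = {"padded": 0, "unpadded": 0, "unparsed": 0}
    for raw in raws:
        counts[classify_day_padding(raw)] += 1
    return counts


def tag_contains(raw: str, needle: str) -> bool:
    """A tag filter like the thread's rule, applied to the tolerant parse."""
    fields = parse_tolerant(raw)
    return fields is not None and needle in fields["tag"]


# Constructed sample capture (not real ASA output): the same change-log event
# on Sep 30 (two-digit day), then on Oct 1 padded per RFC and unpadded.
SAMPLES = [
    "<165>Sep 30 23:59:58 fw01 %ASA-5-111010: User 'admin' executed cmd 'write memory'",
    "<165>Oct  1 00:00:03 fw01 %ASA-5-111010: User 'admin' executed cmd 'write memory'",
    "<165>Oct 1 00:00:03 fw01 %ASA-5-111010: User 'admin' executed cmd 'write memory'",
    "<165>Oct 1 00:00:07 fw01 %ASA-6-302013: Built outbound TCP connection",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{classify_day_padding(raw):9s} {raw}")
    print(summarize(SAMPLES))
```

A capture that is all "padded" before the month flip and all "unpadded" after it points at the sender's timestamp format; a mix of "unparsed" results points at something else in the header.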


Re: [rsyslog] help with high CPU usage

2016-10-27 Thread David Lang

On Mon, 10 Oct 2016 15:23:22 +, Scot Kreienkamp wrote:

Hi everyone,

I am troubleshooting a few problems on my rsyslog server, the first
of which is high CPU usage.  Top -H is showing 100% CPU usage for the
imptcp module, and I can't figure out why.  It doesn't start out that
way when rsyslog is restarted, but after a few minutes it goes right
to the top of the list.  Can you help direct me as to why the CPU usage
is so high for IMPTCP?

Top output showing threads:
  PID USER  PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
32670 root  20   0 6161012 204032   2908 R 99.9  1.7  31:57.75 in:imptcp
32673 root  20   0 6161012 204032   2908 R 79.4  1.7  21:43.37 in:imptcp



My config is not that complicated, mostly just filtering things to
specific logs by tag.  I've included the main queue incoming config
below, I can post the rest if needed but it's fairly long so I'll
defer that unless necessary.  I don't seem to have any problems
receiving messages, none are being discarded that I'm aware of.  Just
seems to be high CPU usage.

$umask 
$FileCreateMode 0644
$DirCreateMode 0755
$RepeatedMsgReduction off
$EscapeControlCharactersOnReceive off
$MaxMessageSize 64k
$RepeatedMsgReduction off
$WorkDirectory /var/spool/rsyslog


$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



$ActionQueueType LinkedList
$ActionQueueWorkerThreads 2


try removing these two lines, it's counter-intuitive, but having too 
many threads decreases performance because the extra threads end up 
fighting for locks on the queue.


Also, these queue parameters only apply to the next action, so they are 
almost certainly not what you want.




global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
maxMessageSize="64k")


# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp" threads="1" timeRequery="8" batchSize="128") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imptcp" threads="1") # needs to be done just once
#input(type="imptcp" port="514")

module(load="impstats"
interval="60"
log.syslog="on"
resetCounters="on"
/* need to turn log stream logging off! */
/* log.file="/var/log/rsyslogd.stats" */
)



main_queue(
  queue.workerThreadMinimumMessages="5000"
  queue.discardmark="45000"



  queue.workerThreads="2"


this will actually function, but after you remove the lines above, try 
removing this line



  queue.dequeueBatchSize="2048"
  queue.spoolDirectory="/var/spool/rsyslog"  # where to write on disk
  queue.fileName="rsyslogmainqueue"
  queue.maxDiskSpace="5g"    # it will stop at this much disk space
  queue.size="5"             # or this many messages
  queue.saveOnShutdown="on"  # save memory queue contents to disk when rsyslog is exiting
}


David Lang


Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread Scot Kreienkamp
I have one centralized collector, and it was having trouble keeping up.  It 
normally runs 20-30 meg (combined in and out) during the day, bursting as high 
as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some 
checking sending hostname, times, etc.  To eliminate some processing time I 
changed the higher traffic apps to come in on their own dedicated ports so I 
could bind a much smaller ruleset to the inputs, and everything else comes in 
on the default port.  So now the largest number of if statements in a ruleset 
is 49 with many being 15 or less.

My original intent behind the question was not because I was using a large 
amount of ports, but so I could group everything outbound from the clients into 
one outbound queue and have something reusable by selecting a new port instead 
of writing a new ruleset, actions, and queues for every outbound port.

Welcome back  :-)


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 2:49 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

no, you cannot use a variable for a port.

catching up on this, I'm trying to understand why you are using so many
different ports. Each message has the original hostname in it, and you can split
the logs on that at the central system rather easily, why split it on the
sending side to different ports?

If the receiver can't keep up, having lots of different queues on the sender is
just going to mean you have a lot of queues filling up, the order that they then
drain is rather unpredictable.

David Lang

On Fri, 21 Oct 2016, Scot Kreienkamp wrote:

> Would something like this work?  I wasn't sure a config file variable could 
> be used in the action context.
>
>
> ruleset(name="fwd-centralsyslog-customport"
>queue.type="LinkedList"
>queue.size="5"
>queue.maxDiskSpace="1g"
>queue.discardmark="45000"
>queue.dequeueBatchSize="1024"
>queue.filename="fwd-monvsyslog-514"
>queue.spoolDirectory="/var/spool/rsyslog"
>queue.saveOnShutdown="on"
>){
>action(
>name="fwd-syslog-collector"
>type="omfwd"
>Target="monvsyslog "
>Port="$!remoteport"
>Protocol="tcp"
>)
> }
>
>
>
> if $syslogtag == 'Ecomm:' then {
>set $!remoteport = "1531";
>call fwd-centralsyslog-customport
>stop
> }
>
>
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 13, 2016 8:52 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> sorry, hit wrong key. Here comes the complete message ;)
>
> 2016-10-13 14:49 GMT+02:00 Rainer Gerhards :
>> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo :
>>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>> Can you check if the problem persists with the currently supported 8.22.0
>>>>> version? V7 is very, very old.
>>>>>
>>>> I have to make deeper tests, but it seems to work with 8.22.
>>>>
>>> I can confirm that is working fine with 8.22.0.
>>>
>>> One more question... I have a lot of this rule sending to a remote
>>> syslog depending on different conditions. Is there any way to share the
>>> queue between all these rules?
>>
>> The way to do this is to use a ruleset. Instead of doing
>>
>> action(name="action1" type="omfwd" queue. ...)
>> action(name="action2" type="omfwd" queue. ...)
>> action(name="action3" type="omfwd" queue. ...)
>>
>> do
>>
>> ruleset(name="fwdtodest" queue. ...) {
>>   action(name="action" type="omfwd" ...) # NO queue params
>> }
>>
>> and replace the action calls with
>>
>> call fwdtodest
>>
>> This will make all actions use the single ruleset queue. Note that you
>> now have a single connection to the destination and thus possibly
>> different timing. But that's probably what you also wanted.
>>
>> HTH
>> Rainer
>>>
>>>
>>> --
>>> Angel L. Mateo Martínez
>>> Sección de Telemática
>>> Área de Tecnologías de la Información
>>> y las Comunicaciones Aplicadas (ATICA)
>>> http://www.um.es/atica
>>> Tfo: 868889150
>>> Fax: 86337

Re: [rsyslog] Assign variable from expression replacement

2016-10-27 Thread David Lang

On Fri, 14 Oct 2016, Rainer Gerhards wrote:


2016-10-14 15:12 GMT+02:00 Angel L. Mateo :

Hello,

I'm trying to assign a variable with a substring of the message.
This is my config:

set $!myvar = "%msg:R,ERE,1,DFLT:^ *([a-zA-Z]+)(--end%";


This is not a valid expression, but rather a string template.

You can use e.g. the re_extract() function. Or, much less performant,
use a template and execute it.


what's the performance of calling a small mmnormalize ruleset compared to 
executing a template?


David Lang


Re: [rsyslog] liblognorm vs grok

2016-10-27 Thread David Lang

On Sat, 8 Oct 2016, Radu Gheorghe wrote:


That's right, it's not so much about problems as
conveniency/flexibility. For example, with grok.regex you can specify
optional fields right in the middle of the pattern. With
liblognorm/mmnormalize I have to repeat that rule with and without
that field. If you have 5 of those... you get quite a combinatorial
explosion.

Maybe this particular one is already possible with liblognorm v2? But
anyway, this is just an example. Though I'm looking forward to work
[more] with v2 because it seems much more flexible than v1 indeed.


Yep, one of the things you can specify in the v2 language is alternatives, and 
you can do this either inside a single rule or as a type that you then use in a 
rule.


v2 is a massive improvement in terms of flexibility compared to v1

David Lang


--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/


On Fri, Oct 7, 2016 at 9:56 AM, Rainer Gerhards
 wrote:

Not speaking for Radu, but I think he does not have problems, but Grok
rules seem more convenient, and often that's really what they are. That's
where custom types come in: if you have a good base set, then it really is
not much difference in convenience. Unfortunately we don't have this yet.

Rainer

Sent from phone, thus brief.

Am 07.10.2016 18:53 schrieb "Joe Blow" :


Hey Radu,

Long time listener, first time caller :).  What did you have problems with
mmnormalize?

Cheers,

JB

On Fri, Oct 7, 2016 at 12:43 PM, Rainer Gerhards 

wrote:

Hi Radu


After reading
http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html
and considering several years have passed, I would like to get some
feedback of your experience, to help me choose between raw forwarding
messages+logstash or split before forwarding with mmnormalize.

If this decision should've been made today, what would you have chosen?

Of course, everybody is welcome to join the thread.


Re: [rsyslog] Confirmation on disk assisted queue functionality

2016-10-27 Thread David Lang

I believe I read this somewhere previously, but cannot currently find it.
For a Disk Assisted In-Memory queue configuration, messages are pulled off
the top of the disk queue, correct? So for a sufficiently busy action queue,
messages will be dequeued out of order and delivered to their destination
out of order?


When a disk assisted queue is being drained, current messages are delivered 
first, and then when the queue size drops 'low enough', rsyslog will pull 
messages from disk and send them.


So yes, the messages will be delivered out of order. This is only one of the 
many ways that messages can end up being processed out of order. Rsyslog is 
multi-threaded, so if you get busy enough to have two threads sending messages, 
they will each be processing messages independently of each other and this will 
result in re-ordering of messages. But even with traditional syslog, UDP packets 
have been known to get re-ordered over the network, causing logs to arrive out 
of order. The advanced features of Rsyslog can trigger this in more common 
cases, but it's a matter of how common this is, not if it happens or not.


David Lang


Re: [rsyslog] I'm back

2016-10-27 Thread singh.janmejay
I was wondering about your silence on the mailing list.

Welcome back.

On Oct 28, 2016 12:03 AM, "David Lang"  wrote:

> I'm back on my feet, but don't have a new job yet, so I'm getting there.
>
> David Lang
>
> On Thu, 27 Oct 2016, Rainer Gerhards wrote:
>
> Hi David,
>>
>> welcome back, you have been missed :-)
>>
>> I hope you are doing well again and everything has worked out to your
>> favor!
>>
>> Rainer
>>
>> 2016-10-27 11:10 GMT+02:00 David Lang :
>>
>>> I left my job and broke my ankle the next day and just dropped out of
>>> everything for a while.
>>>
>>> The volume of traffic related to rsyslog has been quite significant,
>>> which is a good thing, but kept being an "am I really ready to dive back
>>> into that" barrier :-)
>>>
>>> It's great to see so many people talking on the list and new active
>>> contributors.
>>>
>>> so I'm catching up on things from the last couple of months.
>>>
>>> David Lang


Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread David Lang

no, you cannot use a variable for a port.

catching up on this, I'm trying to understand why you are using so many 
different ports. Each message has the original hostname in it, and you can split 
the logs on that at the central system rather easily, why split it on the 
sending side to different ports?


If the receiver can't keep up, having lots of different queues on the sender is 
just going to mean you have a lot of queues filling up, the order that they then 
drain is rather unpredictable.


David Lang

On Fri, 21 Oct 2016, Scot Kreienkamp wrote:


Would something like this work?  I wasn't sure a config file variable could be 
used in the action context.


ruleset(name="fwd-centralsyslog-customport"
   queue.type="LinkedList"
   queue.size="5"
   queue.maxDiskSpace="1g"
   queue.discardmark="45000"
   queue.dequeueBatchSize="1024"
   queue.filename="fwd-monvsyslog-514"
   queue.spoolDirectory="/var/spool/rsyslog"
   queue.saveOnShutdown="on"
   ){
   action(
   name="fwd-syslog-collector"
   type="omfwd"
   Target="monvsyslog "
   Port="$!remoteport"
   Protocol="tcp"
   )
}



if $syslogtag == 'Ecomm:' then {
   set $!remoteport = "1531";
   call fwd-centralsyslog-customport
   stop
}




Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, October 13, 2016 8:52 AM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

sorry, hit wrong key. Here comes the complete message ;)

2016-10-13 14:49 GMT+02:00 Rainer Gerhards :

2016-10-13 13:45 GMT+02:00 Angel L. Mateo :

On 11/10/16 at 15:17, Angel L. Mateo wrote:


On 11/10/16 at 15:01, Rainer Gerhards wrote:


Can you check if the problem persists with the currently supported 8.22.0
version? V7 is very, very old.


I have to make deeper tests, but it seems to work with 8.22.


I can confirm that is working fine with 8.22.0.

One more question... I have a lot of this rule sending to a remote
syslog depending on different conditions. Is there any way to share the
queue between all these rules?



The way to do this is to use a ruleset. Instead of doing

action(name="action1" type="omfwd" queue. ...)
action(name="action2" type="omfwd" queue. ...)
action(name="action3" type="omfwd" queue. ...)

do

ruleset(name="fwdtodest" queue. ...) {
  action(name="action" type="omfwd" ...) # NO queue params
}

and replace the action calls with

call fwdtodest

This will make all actions use the single ruleset queue. Note that you
now have a single connection to the destination and thus possibly
different timing. But that's probably what you also wanted.

HTH
Rainer



--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337

Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements

2016-10-27 Thread Saint Germain
Hmm, when I enter exactly that, I get this again:
rsyslogd-2207: error during config processing: STOP is followed by
unreachable statements!  [v8.16.0 try http://www.rsyslog.com/e/2207 ]

On Thu, 27 Oct 2016 11:35:27 -0700 (PDT), David Lang 
wrote :

> looking at your original, another way of viewing it is:
> 
> :msg, startswith, "Starting Cleanup" stop
> :msg, startswith, "Started Cleanup" stop
> :msg, startswith, "Failed to reset devices.list" {
>stop
>stop
> }
> 
> it was the last stop that it was complaining about.
> 
> David Lang
> 
> On Thu, 27 Oct 2016, Saint Germain wrote:
> 
> > I have removed all the stop except the one on the last line and it
> > seems to work.
> >
> > Thanks a lot !
> >
> > On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards
> >  wrote :
> >
> >> You have stop twice.
> >>
> >> Sent from phone, thus brief.
> >>
> >> On 27.10.2016 1:24 PM, "Saint Germain" wrote:
> >>
> >>> Hello,
> >>>
> >>> Perhaps my previous message went into the spam folders?
> >>> Can someone give me some hints on how to solve the problem
> >>> described below?
> >>>
> >>> Thanks in advance !
> >>>
> >>> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain
> >>>  wrote :
> >>>
> >>>> Hello,
> >>>>
> >>>> I am using rsyslog 8.16 on Debian Jessie (package is coming from
> >>>> backports) and I have trouble filtering my logs.
> >>>>
> >>>> I wanted to filter out the following logs in /var/log/syslog:
> >>>> systemd[1]: Starting Cleanup of Temporary Directories...
> >>>> systemd[1]: Failed to reset devices.list
> >>>> on /system.slice/systemd-tmpfiles-clean.service: No such file or
> >>>> directory
> >>>> systemd[1]: Started Cleanup of Temporary Directories.
> >>>>
> >>>> I have created a file with the following content
> >>>> in /etc/rsyslog.d:
> >>>> :msg, startswith, "Starting Cleanup" stop
> >>>> :msg, startswith, "Started Cleanup" stop
> >>>> :msg, startswith, "Failed to reset devices.list" stop
> >>>> & stop
> >>>>
> >>>> But each time I start rsyslog I get the following message:
> >>>> rsyslogd-2207: error during config processing: STOP is followed
> >>>> by unreachable statements!  [v8.16.0 try
> >>>> http://www.rsyslog.com/e/2207 ]
> >>>>
> >>>> I don't understand what I am doing wrong.
> >>>>
> >>>> Perhaps someone can point me to the mistake?
> >>>>
> >>>> Thanks


Re: [rsyslog] Action Queue misunderstanding

2016-10-27 Thread David Lang
Disk-assisted queues will leave one file in place when they are fully caught up 
(in case there are more files that need to be queued). When you shut down rsyslog 
(not a HUP, but a full shutdown), this 'last' queue file will go away.


But the pstats data should show the enqueued size as 0 for the DA version of the 
queue.


When you have a DA queue, it's actually two queues, a memory queue and a disk 
assist queue. They show up separately in the pstats data, and the memory queue 
will fill up before the disk queue starts being used.


David Lang


On Thu, 20 Oct 2016, phrogz wrote:


Date: 20 Oct 2016 17:42:22 +0200
From: phrogz 
Reply-To: rsyslog-users 
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Action Queue misunderstanding

yes, but normally the queues are cleaned, aren't they?

2016-10-20 17:34 GMT+02:00 phrogz :

Anyway,  the logs in the queue files are delivered.


So you are happy?


Thanks,

Ludovic



Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements

2016-10-27 Thread David Lang

looking at your original, another way of viewing it is:

:msg, startswith, "Starting Cleanup" stop
:msg, startswith, "Started Cleanup" stop
:msg, startswith, "Failed to reset devices.list" {
  stop
  stop
}

it was the last stop that it was complaining about.

David Lang

On Thu, 27 Oct 2016, Saint Germain wrote:


I have removed all the stop except the one on the last line and it
seems to work.

Thanks a lot !

On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards
 wrote :


You have stop twice.

Sent from phone, thus brief.

On 27.10.2016 1:24 PM, "Saint Germain" wrote:


Hello,

Perhaps my previous message went into the spam folders?
Can someone give me some hints on how to solve the problem described
below?

Thanks in advance !

On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain
 wrote :


Hello,

I am using rsyslog 8.16 on Debian Jessie (package is coming from
backports) and I have trouble filtering my logs.

I wanted to filter out the following logs in /var/log/syslog:
systemd[1]: Starting Cleanup of Temporary Directories...
systemd[1]: Failed to reset devices.list
on /system.slice/systemd-tmpfiles-clean.service: No such file or
directory
systemd[1]: Started Cleanup of Temporary Directories.

I have created a file with the following content in /etc/rsyslog.d:
:msg, startswith, "Starting Cleanup" stop
:msg, startswith, "Started Cleanup" stop
:msg, startswith, "Failed to reset devices.list" stop
& stop

But each time I start rsyslog I get the following message:
rsyslogd-2207: error during config processing: STOP is followed by
unreachable statements!  [v8.16.0 try
http://www.rsyslog.com/e/2207 ]

I don't understand what I am doing wrong.

Perhaps someone can point me to the mistake ?

Thanks
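The corrected drop-in file for the problem David's re-indentation points at, written out as an added example (not configuration from the thread); the file name is assumed.

```rsyslog
# /etc/rsyslog.d/10-drop-tmpfiles-noise.conf   (added example; file name assumed)
#
# Legacy filter syntax: "&" at the start of a line means "reuse the selector
# of the previous line". So
#     :msg, startswith, "Failed to reset devices.list" stop
#     & stop
# attaches a SECOND stop to the same rule, and rsyslog refuses the config
# with error 2207 because nothing after the first stop can ever execute.
#
# Correct form: exactly one stop per rule, no "&" continuation line.
:msg, startswith, "Starting Cleanup" stop
:msg, startswith, "Started Cleanup" stop
:msg, startswith, "Failed to reset devices.list" stop

# Equivalent RainerScript (use instead of the three legacy lines, not as
# well). Scoping by $programname keeps the prefix match from discarding
# messages that other programs might emit with the same leading words.
#
# if $programname == "systemd" and (
#        $msg startswith "Starting Cleanup"
#     or $msg startswith "Started Cleanup"
#     or $msg startswith "Failed to reset devices.list" ) then stop

# Two things to check if the config loads but the lines still reach syslog:
#  1. This file must be processed before the rule that writes /var/log/syslog;
#     Debian's rsyslog.conf includes /etc/rsyslog.d/*.conf above its RULES.
#  2. $msg often starts with a space (the text after "tag:"), so "startswith"
#     can miss; ":msg, contains, ..." or a leading " " in the pattern fixes it.
```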



Re: [rsyslog] I'm back

2016-10-27 Thread David Lang

I'm back on my feet, but don't have a new job yet, so I'm getting there.

David Lang

On Thu, 27 Oct 2016, Rainer Gerhards wrote:


Hi David,

welcome back, you have been missed :-)

I hope you are doing well again and everything has worked out in your favor!

Rainer

2016-10-27 11:10 GMT+02:00 David Lang :

I left my job and broke my ankle the next day and just dropped out of
everything for a while.

The volume of traffic related to rsyslog has been quite significant, which
is a good thing, but kept being an "am I really ready to dive back into
that" barrier :-)

It's great to see so many people talking on the list and new active
contributors.

so I'm catching up on things from the last couple of months.

David Lang


Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements

2016-10-27 Thread Saint Germain
I have removed all the stop except the one on the last line and it
seems to work.

Thanks a lot !

On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards
 wrote :

> You have stop twice.
> 
> Sent from phone, thus brief.
> 
> On 27.10.2016 1:24 PM, "Saint Germain" wrote:
> 
> > Hello,
> >
> > Perhaps my previous message went into the spam folders?
> > Can someone give me some hints on how to solve the problem described
> > below?
> >
> > Thanks in advance !
> >
> > On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain
> >  wrote :
> >
> > > Hello,
> > >
> > > I am using rsyslog 8.16 on Debian Jessie (package is coming from
> > > backports) and I have trouble filtering my logs.
> > >
> > > I wanted to filter out the following logs in /var/log/syslog:
> > > systemd[1]: Starting Cleanup of Temporary Directories...
> > > systemd[1]: Failed to reset devices.list
> > > on /system.slice/systemd-tmpfiles-clean.service: No such file or
> > > directory
> > > systemd[1]: Started Cleanup of Temporary Directories.
> > >
> > > I have created a file with the following content in /etc/rsyslog.d:
> > > :msg, startswith, "Starting Cleanup" stop
> > > :msg, startswith, "Started Cleanup" stop
> > > :msg, startswith, "Failed to reset devices.list" stop
> > > & stop
> > >
> > > But each time I start rsyslog I get the following message:
> > > rsyslogd-2207: error during config processing: STOP is followed by
> > > unreachable statements!  [v8.16.0 try
> > > http://www.rsyslog.com/e/2207 ]
> > >
> > > I don't understand what I am doing wrong.
> > >
> > > Perhaps someone can point me to the mistake ?
> > >
> > > Thanks


Re: [rsyslog] I'm back

2016-10-27 Thread Singh, Radesh
Welcome back David!

R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745

RC Offering: SC07507098


H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35

"Give instruction to a wise man, and he will be yet wiser : teach a just man, 
and he will increase in learning." - Proverbs 9:9


-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 5:11 AM
To: rsyslog-users
Subject: [rsyslog] I'm back

I left my job and broke my ankle the next day and just dropped out of 
everything for a while.

The volume of traffic related to rsyslog has been quite significant, which is a 
good thing, but kept being an "am I really ready to dive back into that" barrier
:-)

It's great to see so many people talking on the list and new active 
contributors.

so I'm catching up on things from the last couple of months.

David Lang


Re: [rsyslog] I'm back

2016-10-27 Thread Joe Blow
Welcome back!  Where are you working now?

Cheers,

JB


  Original Message  
From: rgerha...@hq.adiscon.com
Sent: October 27, 2016 6:51 AM
To: rsyslog@lists.adiscon.com
Reply-to: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] I'm back

Hi David,

welcome back, you have been missed :-)

I hope you are doing well again and everything has worked out in your favor!

Rainer

2016-10-27 11:10 GMT+02:00 David Lang :
> I left my job and broke my ankle the next day and just dropped out of
> everything for a while.
>
> The volume of traffic related to rsyslog has been quite significant, which
> is a good thing, but kept being an "am I really ready to dive back into
> that" barrier :-)
>
> It's great to see so many people talking on the list and new active
> contributors.
>
> so I'm catching up on things from the last couple of months.
>
> David Lang

Re: [rsyslog] I'm back

2016-10-27 Thread Rainer Gerhards
Hi David,

welcome back, you have been missed :-)

I hope you are doing well again and everything has worked out in your favor!

Rainer

2016-10-27 11:10 GMT+02:00 David Lang :
> I left my job and broke my ankle the next day and just dropped out of
> everything for a while.
>
> The volume of traffic related to rsyslog has been quite significant, which
> is a good thing, but kept being an "am I really ready to dive back into
> that" barrier :-)
>
> It's great to see so many people talking on the list and new active
> contributors.
>
> so I'm catching up on things from the last couple of months.
>
> David Lang


Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements

2016-10-27 Thread Rainer Gerhards
You have stop twice.

Sent from phone, thus brief.

On 27.10.2016 1:24 PM, "Saint Germain" wrote:

> Hello,
>
> Perhaps my previous message went into the spam folders?
> Can someone give me some hints on how to solve the problem described
> below?
>
> Thanks in advance !
>
> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain 
> wrote :
>
> > Hello,
> >
> > I am using rsyslog 8.16 on Debian Jessie (package is coming from
> > backports) and I have trouble filtering my logs.
> >
> > I wanted to filter out the following logs in /var/log/syslog:
> > systemd[1]: Starting Cleanup of Temporary Directories...
> > systemd[1]: Failed to reset devices.list
> > on /system.slice/systemd-tmpfiles-clean.service: No such file or
> > directory
> > systemd[1]: Started Cleanup of Temporary Directories.
> >
> > I have created a file with the following content in /etc/rsyslog.d:
> > :msg, startswith, "Starting Cleanup" stop
> > :msg, startswith, "Started Cleanup" stop
> > :msg, startswith, "Failed to reset devices.list" stop
> > & stop
> >
> > But each time I start rsyslog I get the following message:
> > rsyslogd-2207: error during config processing: STOP is followed by
> > unreachable statements!  [v8.16.0 try http://www.rsyslog.com/e/2207 ]
> >
> > I don't understand what I am doing wrong.
> >
> > Perhaps someone can point me to the mistake ?
> >
> > Thanks


Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements

2016-10-27 Thread Saint Germain
Hello,

Perhaps my previous message went into the spam folders?
Can someone give me some hints on how to solve the problem described
below?

Thanks in advance !

On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain 
wrote :

> Hello,
> 
> I am using rsyslog 8.16 on Debian Jessie (package is coming from
> backports) and I have trouble filtering my logs.
> 
> I wanted to filter out the following logs in /var/log/syslog:
> systemd[1]: Starting Cleanup of Temporary Directories...
> systemd[1]: Failed to reset devices.list
> on /system.slice/systemd-tmpfiles-clean.service: No such file or
> directory
> systemd[1]: Started Cleanup of Temporary Directories.
> 
> I have created a file with the following content in /etc/rsyslog.d:
> :msg, startswith, "Starting Cleanup" stop
> :msg, startswith, "Started Cleanup" stop
> :msg, startswith, "Failed to reset devices.list" stop
> & stop
> 
> But each time I start rsyslog I get the following message:
> rsyslogd-2207: error during config processing: STOP is followed by
> unreachable statements!  [v8.16.0 try http://www.rsyslog.com/e/2207 ]
> 
> I don't understand what I am doing wrong.
> 
> Perhaps someone can point me to the mistake ?
> 
> Thanks


Re: [rsyslog] I'm back

2016-10-27 Thread chika tambun
Welcome back, David
I'm relieved to hear that... :p

*Best regards,*
*chika.tambun*

*"Winning loves preparation"*

On Thu, Oct 27, 2016 at 4:10 PM, David Lang  wrote:

> I left my job and broke my ankle the next day and just dropped out of
> everything for a while.
>
> The volume of traffic related to rsyslog has been quite significant, which
> is a good thing, but kept being an "am I really ready to dive back into
> that" barrier :-)
>
> It's great to see so many people talking on the list and new active
> contributors.
>
> so I'm catching up on things from the last couple of months.
>
> David Lang


[rsyslog] I'm back

2016-10-27 Thread David Lang
I left my job and broke my ankle the next day and just dropped out of everything 
for a while.


The volume of traffic related to rsyslog has been quite significant, which is a 
good thing, but kept being an "am I really ready to dive back into that" barrier 
:-)


It's great to see so many people talking on the list and new active 
contributors.


so I'm catching up on things from the last couple of months.

David Lang