[rsyslog] What is the best way to blend local messages with messages received from remote nodes?

2017-08-14 Thread deoren
Scenario: I'm working with a central rsyslog server (latest 8.x version) with a common ruleset (e.g, "remote") bound to the imrelp, imudp and imptcp inputs. That ruleset calls another ruleset (e.g., "notify-rules") to perform omemail actions as appropriate. This central receiver also

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-12 Thread deoren
On 8/8/2017 1:10 PM, rsyslog-users-lists.adiscon@whyaskwhy.org wrote: On 8/8/17 2:30 AM, Rainer Gerhards wrote: >> Check what APP-NAME, PROCID and MSGID contain, which are derived from the tag. RFC5424 tells you where these parts are to be placed in the header. It appears that this

Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

2017-07-11 Thread deoren
On 7/11/17 1:33 AM, mostolog--- via rsyslog wrote: It's implicit, AFAIK On 11/07/17 07:48, deoren wrote: Here is some pseudocode based off of another recent thread: ruleset(name="remote-rules"){ action( ... )

Re: [rsyslog] Is there a way to bind a ruleset to the default system log socket?

2017-07-11 Thread deoren
On 7/11/17 2:59 AM, David Lang wrote: unfortunately, this is a gap in rsyslog's capabilities. What you can do is assign a ruleset to all remote inputs, and then what's left is the /dev/log (and rsyslog internal) logs you can also test the input of a log message and call a ruleset Thanks. I

Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

2017-07-11 Thread deoren
On 7/11/17 2:47 AM, Rainer Gerhards wrote: yup ... for this case. Processing stops when there is .. no more processing to do. Usually, this means end of ruleset. But if the ruleset is called from another ruleset, processing will go back to the caller if there is no stop statement. In the given

Re: [rsyslog] Is there a way to bind a ruleset to the default system log socket?

2017-07-11 Thread deoren
On 7/11/17 3:36 AM, Jiří Vymazal via rsyslog wrote: Well, you have to specify on which socket imuxsock will listen, otherwise it cannot know where to listen. You are not creating any socket by this, unless you explicitly configure otherwise. I guess I incorrectly assumed that these two

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 5:28 PM, David Lang wrote: On Mon, 10 Jul 2017, deoren wrote: Hi David, My comment wasn't as clear as it should have been. The /usr/lib/tmpfiles.d/var.conf file targets specific directories and one of those is /var/log. By default /var/log is set to 0755, so if rsyslog

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 5:13 PM, David Lang wrote: On Mon, 10 Jul 2017, deoren wrote: I checked Debian 9 and that release appears to be handling the rsyslog configuration the same way as CentOS 7: run as root, do not attempt to drop privileges. Ubuntu's rsyslog package on the other hand does make

Re: [rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-10 Thread deoren
On 7/8/17 10:19 PM, deoren wrote: Running the same command on the SSD copy of that VM I see about 220ms startup time. I'm also new to systemd, so I might be misinterpreting the values, but it appears that the slower load time for rsyslog is giving the system sufficient time to load all

[rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
While researching permission issues on /var/log, I realized that the rsyslog package from the Ubuntu PPA doesn't provide an override for /usr/lib/tmpfiles.d/var.conf (which has a rule that sets /var/log to 0755). I submitted #1655 via GitHub for that, thinking that the problem was likely

[rsyslog] Any estimate re availability of the 8.28.0 version via the Ubuntu PPA?

2017-07-10 Thread deoren
Is the policy to wait a bit between releasing a new stable release and then building it for the PPA to make sure there are no issues with the new release? https://launchpad.net/~adiscon/+archive/ubuntu/v8-stable Thanks. ___ rsyslog mailing list

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 6:58 PM, David Lang wrote: On Mon, 10 Jul 2017, deoren wrote: Without an override in place, the permissions are being reset on boot for the /var/log directory to 0755, ownership of root:syslog. The /usr/lib/tmpfiles.d/00rsyslog.conf file overrides the systemd default configuration

Re: [rsyslog] Any estimate re availability of the 8.28.0 version via the Ubuntu PPA?

2017-07-10 Thread deoren
On 7/10/17 3:00 PM, David Lang wrote: no, there are sometimes delays between the release and the PPA, but they are not the result of a deliberate policy I'm a new user of the PPA, so I wasn't sure what to expect re release timeline. Thanks for confirming that it's variable.

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 3:07 PM, David Lang wrote: > I've been using rsyslog since 2006 and never seen /usr/lib/tempfiles.d From what I've learned it's systemd specific and really came into play with Ubuntu 15.04, but I only learned about it with recent system upgrades from 14.04 to 16.04 LTS. > I don't

[rsyslog] Is there a way to bind a ruleset to the default system log socket?

2017-07-11 Thread deoren
Hi, If I want to use a ruleset named "local" for an input that handles the default local unix socket, how would I define the module and input entries to reflect that? I thought this would do it: module(load="imuxsock") input(type="imuxsock" ruleset="local") but rsyslog complains like so:

Re: [rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-08 Thread deoren
On 7/7/17 2:28 AM, deoren wrote: First of all, thank you for reading this and thanks to the devs for rsyslog. Admittedly, my configuration is likely at fault as I'm still learning how to configure a rsyslog client installation for reliable remote logging. Environment (client & se

Re: [rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-08 Thread deoren
On 7/8/17 9:23 PM, David Lang wrote: On Sat, 8 Jul 2017, deoren wrote: Looking around I learned of these two directives: $DebugLevel 2 $DebugFile /var/log/rsyslog-debug.log I added those, rebooted the VM and quickly had lots of debug info to work with. In the file I found these entries

[rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-19 Thread deoren
I've setup a ruleset that is applied to messages arriving from remote systems via imrelp. One action within that ruleset matches on auth facility messages and places them into a "combined" auth log file. Additionally an alert is generated via ommail for matching patterns (SSH logins). In

Re: [rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-20 Thread deoren
On 7/20/17 7:38 PM, David Lang wrote: On Thu, 20 Jul 2017, deoren wrote: Thanks David. So if I attach the rulesets directly to the inputs, is there any other way to combine auth facility messages into a single file? Should I instead not attach rulesets to the inputs and instead call

Re: [rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-20 Thread deoren
>> On Jul 19, 2017, at 8:37 AM, deoren wrote: >> >> I've setup a ruleset that is applied to messages arriving from remote systems via imrelp. One action within that ruleset matches on auth facility messages and places them into a "combined" auth log file. Additional

Re: [rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-20 Thread deoren
On 7/20/17 6:54 PM, David Lang wrote: On Thu, 20 Jul 2017, deoren wrote: # /etc/rsyslog.conf input(type="imuxsock" socket="/dev/log" ruleset="local") input(type="imrelp" port="2514" KeepAlive="on" ruleset="remote") The ru

Re: [rsyslog] rsyslog 8.28.0 (v8-stable) released

2017-07-07 Thread deoren
On 6/27/17 9:54 AM, Florian Riedl wrote: Hi all, We have released rsyslog 8.28.0. Any estimate re availability of the 8.28.0 version via the Ubuntu PPA? https://launchpad.net/~adiscon/+archive/ubuntu/v8-stable Thanks.

Re: [rsyslog] What is the best way to bring down an active rsyslog instance?

2017-08-04 Thread deoren
On 8/4/17 12:10 PM, David Lang wrote: when you stop rsyslog, it attempts to save the data in the queues to disk and write the .qi file so that it will be able to read the disk queue files on next startup. But many distros have a short timeout that if the program doesn't finish shutting down

Re: [rsyslog] What is the best way to bring down an active rsyslog instance?

2017-08-04 Thread deoren
On 8/4/17 3:32 PM, David Lang wrote: what init system do you have systemd from Ubuntu 16.04. you would need to change systemd settings, and I don't know if this is in a file shipped with the distro or something provided by the adiscon PPA. Me either, but I'll look into it. Thank you for

[rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-05 Thread deoren
I've recently converted all of our nodes from forwarding messages from the default forwarding format to using the 'RSYSLOG_SyslogProtocol23Format' format. I only did light research beforehand (so I can only blame myself), but when our relay nodes log in either 'RSYSLOG_TraditionalFileFormat'

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-05 Thread deoren
On 8/5/17 10:59 PM, deoren wrote: I've recently converted all of our nodes from forwarding messages from the default forwarding format to using the 'RSYSLOG_SyslogProtocol23Format' format. I only did light research beforehand (so I can only blame myself), but when our relay nodes log

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-05 Thread deoren
On 8/5/17 11:28 PM, David Lang wrote: on the receiver, write a log with the format rawmsg or use the RSYSLOG_DebugFormat and look at the rawmsg line there. Let's see exactly what is being sent to see if the data is being lost at transmit or on reception. Personally, I have my senders

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-07 Thread deoren
On 8/5/17 11:42 PM, deoren wrote: On 8/5/17 10:59 PM, deoren wrote: I've recently converted all of our nodes from forwarding messages from the default forwarding format to using the 'RSYSLOG_SyslogProtocol23Format' format. I only did light research beforehand (so I can only blame myself

[rsyslog] What is the best way to bring down an active rsyslog instance?

2017-08-04 Thread deoren
I've setup a central rsyslog instance (sawmill1) that receives messages from all nodes. I consider this node a primary or production node. That same node passes a copy of all messages to a second instance (sawmill2) where I test configuration changes and then pipe into a prototype Graylog

[rsyslog] How can I view the definition of built-in templates?

2017-08-18 Thread deoren
For example, I am trying to troubleshoot why messages arriving in one format are not saved as expected, even though the debug formatted output shows properties populated as expected. Thanks.

[rsyslog] Any good guides for generating JSON formatted log messages on rsyslog client nodes for processing on rsyslog receiver node?

2017-09-18 Thread deoren
Most of what I'm coming across is geared towards sending into another product like mongodb or elasticsearch. I'm really new to this aspect, so the more newbie friendly the better. In particular, I'd like to find a barebones template for replicating forwarding of content using

Re: [rsyslog] Changing IP of central log server, clients are configured to use FQDN instead of IP. Anything special needed to have clients send queued messages to the new IP instead of the old?

2017-09-22 Thread deoren
On 9/13/2017 6:12 PM, deoren wrote: Currently I have all of the clients setup to use DNS A record to connect to the central system. That A record has a TTL of 300 seconds. I plan to down the central server and then move it to a new hosting environment with a totally different IP. That move

[rsyslog] Changing IP of central log server, clients are configured to use FQDN instead of IP. Anything special needed to have clients send queued messages to the new IP instead of the old?

2017-09-13 Thread deoren
Currently I have all of the clients setup to use DNS A record to connect to the central system. That A record has a TTL of 300 seconds. I plan to down the central server and then move it to a new hosting environment with a totally different IP. That move will take more than the 300 seconds

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-06 Thread deoren
2017-10-06 8:27 GMT+02:00 deoren <rsyslog-users-lists.adiscon@whyaskwhy.org>: On October 6, 2017 1:03:32 AM CDT, Thomas Deutschmann via rsyslog <rsyslog@lists.adiscon.com> wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-10-06 07:45, deoren wrote: Is this

Re: [rsyslog] error on journal/rsyslog configs

2017-10-02 Thread deoren
On 10/2/2017 8:58 AM, senaps via rsyslog wrote: [Journal] Storage=volatile Compress=no RateLimitInterval= 0 RateLimitBurst= 10 MaxRetentionSec=5s #Storage=auto #Compress=yes #Seal=yes Are you attempting to have rsyslog process this? That looks to be the format that systemd uses for its

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-06 Thread deoren
On October 6, 2017 1:03:32 AM CDT, Thomas Deutschmann via rsyslog <rsyslog@lists.adiscon.com> wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA512 > >On 2017-10-06 07:45, deoren wrote: >> Is this expected? I recall reading that rsyslog should be properly >>

[rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-05 Thread deoren
Is this expected? I recall reading that rsyslog should be properly firewalled to protect it from malicious traffic, but I couldn't recall what would happen if it were exposed to scans: fall over vs trash data logged.

[rsyslog] Is there a difference in scope for local variables vs message json properties?

2017-09-26 Thread deoren
In my limited experience I've managed to use both in similar ways, though by passing '$!' to a remote node I understand[1] that I'm not including the local variables. Those values are stored within '$.' instead. For setting values within a configuration for reference within templates,

Re: [rsyslog] Add the file name to syslog data

2017-09-28 Thread deoren
On 9/28/2017 6:37 AM, Joan via rsyslog wrote: I am using rsyslog to read (imfile) some logfiles and forward them to graylog in syslog format RFC5424. I would like to add an attribute with the filename, I explored doing it by modifying the template (such as this

Re: [rsyslog] How can I view the definition of built-in templates?

2017-08-21 Thread deoren
>2017-08-19 0:20 GMT+02:00 deoren ><rsyslog-users-lists.adiscon@whyaskwhy.org>: >> For example, I am trying to troubleshoot why messages arriving in one >format are not saved as expected, even though the debug formatted >output shows properties populated as expected.

[rsyslog] Is there an option to "echo" a message when processing a statement?

2017-08-25 Thread deoren
For example, here is a small block that I'm using to route rsyslog related messages to the local /var/log/rsyslog.log file: if ($programname == 'rsyslogd' or $syslogfacility-text == 'syslog') then { action( name="rsyslog-messages" type="omfile"

Re: [rsyslog] Is there an option to "echo" a message when processing a statement?

2017-08-25 Thread deoren
On 8/25/2017 4:26 PM, David Lang wrote: you can put in an action that writes a different template, and that template can be fixed text. Thank you! That makes sense. I appreciate the quick response also.

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-06 Thread deoren
On 10/6/2017 4:42 PM, David Lang wrote: On Fri, 6 Oct 2017, deoren wrote: I'm going to retest soon, one port at a time to see if the segfault is specific to one of the inputs. Once I determine that I'll likely setup a vanilla installation of rsyslog with imudp, imptcp and imrelp enabled

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-07 Thread deoren
On 10/7/2017 5:25 AM, Rainer Gerhards wrote: 2017-10-07 7:57 GMT+02:00 deoren <rsyslog-users-lists.adiscon@whyaskwhy.org>: As I dig more into this, I'm beginning to think the only thing the Qualys scan did was aggravate an existing problem and cause rsyslog to tip over more quickly.

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 3:15 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: On 10/18/2017 1:36 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: Since the sender and receiver in this are both the latest versions of rsyslog (with the plan for the setup to remain that way), can I scale

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 5:02 PM, deoren wrote: On 10/18/2017 3:22 PM, Rainer Gerhards wrote: The queue errors are bad. Anything else in regard to that queue? After discussing it on this thread, I stopped rsyslog yesterday and moved all content from /var/spool/rsyslog to a different directory, hoping

[rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-17 Thread deoren
Refs: https://github.com/rsyslog/rsyslog/issues/1782 Scenario: * rsyslog v8.30.0 (Ubuntu PPA) * Ubuntu 16.04 * rsyslog sender setup to forward via omrelp (with a DA queue) to a remote receiver * nearly 1 GB of held message content in /var/spool/rsyslog There are 1272152 messages

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-17 Thread deoren
On 10/17/2017 3:36 PM, David Lang wrote: you can copy the queue files somewhere else (best done with rsyslog stopped), and then configure a copy of rsyslog.conf to not have any inputs, but have the queue files and the rules for what to do with them. You can then run a second copy of rsyslog

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-17 Thread deoren
On 10/17/2017 3:45 PM, Rainer Gerhards wrote: Errno 11 seems to be EAGAIN, more a status than a warning. The full Debug log may reveal details. Is the debug on demand log file sufficient or should enabling debug mode at startup the better route? On a different note, will rsyslog accept a

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 12:02 PM, deoren wrote: On 10/18/2017 11:51 AM, deoren wrote: On 10/17/2017 6:57 PM, David Lang wrote: Yes, rsyslog will accept messages it can't deliver, the accepting of messages is decoupled from the delivery. if a message is too long, it will get truncated, even if it's

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 11:51 AM, deoren wrote: On 10/17/2017 6:57 PM, David Lang wrote: Yes, rsyslog will accept messages it can't deliver, the accepting of messages is decoupled from the delivery. if a message is too long, it will get truncated, even if it's json (at that point it's a string

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/17/2017 6:57 PM, David Lang wrote: Yes, rsyslog will accept messages it can't deliver, the accepting of messages is decoupled from the delivery. if a message is too long, it will get truncated, even if it's json (at that point it's a string of bytes, rsyslog has no way of knowing that

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 1:36 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: I checked and sawmill1 is having trouble sending the messages on to the "downstream" receivers (sawmill2, sawmill3). Based on the "... at least 232 byte larger than max msg size ..." lo

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/7/2017 10:44 AM, deoren wrote: On 10/7/2017 5:25 AM, Rainer Gerhards wrote: 2017-10-07 7:57 GMT+02:00 deoren <rsyslog-users-lists.adiscon@whyaskwhy.org>: As I dig more into this, I'm beginning to think the only thing the Qualys scan did was aggravate an existing problem and

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes), the problem isn't specific to the Qualys scan. I later learned that messages coming from our ESXi hosts

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/23/2017 7:38 PM, deoren wrote: On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes), the problem isn't specific to the Qualys scan. I later learned

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/23/2017 7:51 PM, deoren wrote: On 10/23/2017 7:38 PM, deoren wrote: On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes), the problem isn't specific

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 12:34 PM, Rainer Gerhards wrote: 2017-10-18 1:14 GMT+02:00 deoren <rsyslog-users-lists.adiscon@whyaskwhy.org>: On 10/17/2017 3:45 PM, Rainer Gerhards wrote: Errno 11 seems to be EAGAIN, more a status than a warning. The full Debug log may reveal details. Is the

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 3:22 PM, Rainer Gerhards wrote: The queue errors are bad. Anything else in regard to that queue? After discussing it on this thread, I stopped rsyslog yesterday and moved all content from /var/spool/rsyslog to a different directory, hoping to have rsyslog come back online with

[rsyslog] What is the expected behavior when checking non-existent variable in the $! object?

2017-10-22 Thread deoren
This is a tangent of another issue I was dealing with a few weeks back, but it appears that problem was related to checking whether a non-existent $!variable was empty. Is the expected behavior for that check to fail? This is with v8.29.0 and I have not tested with 8.30.0 yet, but I am more

Re: [rsyslog] rsyslog status ABRT or SEGV

2017-11-14 Thread deoren
On November 14, 2017 10:49:06 PM CST, "Войнович Андрей Александрович via rsyslog" wrote: >Thank you, David > >We have upgraded our linux box to the latest available (Debian 9) and >now rsyslog version is 8.24 (the newest from deb repo), but we still >experience the

Re: [rsyslog] imuxsock module documentation: What exactly does the 'SysDock.Name' parameter do?

2017-11-30 Thread deoren
On 11/30/2017 5:28 PM, deoren wrote: Is that parameter used to specify the replacement for /dev/log or is that parameter used to specify another socket that is in addition to /dev/log as an input source? I assume that SysSock.Use defaults to /dev/log, but if SysSock.Name is specified, does

[rsyslog] imuxsock module documentation: What exactly does the 'SysDock.Name' parameter do?

2017-11-30 Thread deoren
Is that parameter used to specify the replacement for /dev/log or is that parameter used to specify another socket that is in addition to /dev/log as an input source? I assume that SysSock.Use defaults to /dev/log, but if SysSock.Name is specified, does SysSock.Use now refer to using that

Re: [rsyslog] klogLocalIPIF

2017-12-20 Thread deoren
On 12/14/2017 8:19 PM, Rory Toma wrote: I have put in $ModLoad imklog $klogLocalIPIF eth0 in my rsyslog.conf file (8.30.0) However, rsyslogd: invalid or yet-unknown config file command 'klogLocalIPIF' - have you forgotten to load a module? [v8.30.0 try http://www.rsyslog.com/e/3003 ]

[rsyslog] Are configuration parameters case sensitive?

2017-11-17 Thread deoren
I noticed this commit focused on fixing the case in the source code for comparison purposes: https://github.com/rgerhards/rsyslog/commit/b9cda4602b26a4778fdfec4990a62b6faf2bc86b which leads me to ask: Are configuration parameters case sensitive? For example, are these all equivalent? global

Re: [rsyslog] Are configuration parameters case sensitive?

2017-11-17 Thread deoren
On 11/17/2017 11:05 AM, Rainer Gerhards wrote: 2017-11-17 18:04 GMT+01:00 deoren <rsyslog-users-lists.adiscon@whyaskwhy.org>: I noticed this commit focused on fixing the case in the source code for comparison purposes: https://github.com/rgerhards/rsyslog/

Re: [rsyslog] Ubuntu 16 rsyslogd not creating log files

2017-11-10 Thread deoren
On 11/10/2017 9:33 AM, dchappelle via rsyslog wrote: Thanks for all of the info deoren. I do have the file you speak of installed on my system: dchappelle@L164:~$ cat /usr/lib/tmpfiles.d/00rsyslog.conf # Override systemd's default tmpfiles.d/var.conf to make /var/log writable

Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread deoren
which actually have set it to a couple of MB (and occasionally use it). Rainer 2017-11-09 17:25 GMT+01:00 deoren <rsyslog-users-lists.adiscon@whyaskwhy.org>: On 11/9/2017 10:24 AM, Scot Kreienkamp wrote: I have it set at 128k now... I thought I read in the list archives that was

Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread deoren
On 11/9/2017 10:24 AM, Scot Kreienkamp wrote: I have it set at 128k now... I thought I read in the list archives that was the maximum value? https://github.com/rsyslog/rsyslog/issues/1741 Looks like it (for now).

Re: [rsyslog] Ubuntu 16 rsyslogd not creating log files

2017-11-09 Thread deoren
On November 9, 2017 10:21:04 PM CST, dchappelle via rsyslog wrote: >Apologies for not including the config. Here is >/etc/rsyslog.d/10-example.conf: > >dchappelle@L164:/etc/rsyslog.d$ cat 10-example.conf >local0.* /var/log/test.log

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-09 Thread deoren
On 11/9/2017 4:08 AM, Thomas Deutschmann via rsyslog wrote: Hi, no distribution will probably _require_ network for rsyslog per default because in the default configuration distributions are shipping, no network is required. Due to the fact that most init systems nowadays support parallel

Re: [rsyslog] Ubuntu 16 rsyslogd not creating log files

2017-11-09 Thread deoren
On November 9, 2017 6:47:11 PM CST, dchappelle via rsyslog wrote: >I am running a vanilla install of Ubuntu 16 and my rsyslogd is not >creating >new log files for me. I added a new filter rule and restarted rsyslogd. >After doing so and generating log messages for

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-07 Thread deoren
https://github.com/rsyslog/rsyslog/issues/1656 See if that matches what you are fighting with. On November 7, 2017 9:51:51 AM CST, "matthew.gaetano" wrote: >Queues aside, regardless of the order rsyslog loads (before or after >network) its retry function should not

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-07 Thread deoren
On 11/7/2017 10:31 AM, matthew.gaetano wrote: With the exception of the relation to storage, yes, for the most part. We encountered the issue on a physical server using SCSI/SATA drives. Our secondary tester were in vmware. I initially emphasized the boot speed from running the Ubuntu 16.04 VM

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-07 Thread deoren
On 11/7/2017 12:25 PM, deoren wrote: On 11/7/2017 10:31 AM, matthew.gaetano wrote: With the exception of the relation to storage, yes, for the most part. We encountered the issue on a physical server using SCSI/SATA drives. Our secondary tester were in vmware. I initially emphasized the boot

[rsyslog] Who manages the Rsyslog documentation on Read the Docs?

2017-12-06 Thread deoren
Is this something that the Rsyslog team manages or is it someone at the Read the Docs team that manages the content? I ask because it appears that the version of the docs (stable, latest) available there are outdated and I wanted to make sure to report the issue to the correct place.

Re: [rsyslog] Sourcing Environment Variables for Use in Templates?

2017-10-25 Thread deoren
On 10/25/2017 4:18 PM, Naftuli Kay via rsyslog wrote: So would I do "set $deploy_env = getenv('DEPLOY_ENV')"? How would I then reference this variable? I'm still trying to learn more about rsyslog variables and how to use them in templates. I'm still learning myself, so I completely

Re: [rsyslog] Sourcing Environment Variables for Use in Templates?

2017-10-25 Thread deoren
On 10/25/2017 3:48 PM, Naftuli Kay via rsyslog wrote: I have a few environment variables that I'd like to include in my log messages that I'm formatting in JSON format. I have a service that runs on boot which generates /etc/sysconfig/ec2 which contains variables like EC2_INSTANCE_ID,

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-24 Thread deoren
On 10/19/2017 6:58 PM, deoren wrote: On 10/19/2017 3:12 PM, Rainer Gerhards wrote: On 19.10.2017 21:55, "David Lang" <da...@lang.hm> wrote: RELP has its place, but most of the time I'm willing to lose some logs under rare failure conditions and so haven't bothered to

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-10-31 Thread deoren
On 10/31/2017 12:42 PM, matthew.gaetano wrote: Hello, I'm not sure this is an issue considering Legacy format shouldn't really be used in version 8, however it seems that when using legacy forwarding (as described in the default rsyslog.conf file) rsyslog suspends the actions and never retries.

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-10-31 Thread deoren
On 10/31/2017 4:05 PM, matthew.gaetano wrote: Seems like you're on the right track. We changed the dns names in the conf to the destination IPs and this somewhat resolved the issue. Rsyslog would still suspend the two destination actions however once the system settled the actions were resumed.

[rsyslog] How is the imrelp MaxDataSize parameter related to the global() maxMessageSize parameter?

2017-10-29 Thread deoren
I originally sent this as part of another thread, but I think this got buried and lost among the noise the rest of my notes generated. Posting a cleaner version here in case others know the answer. I'm trying to avoid using legacy configuration options where I can, but just in case the order

Re: [rsyslog] How is the imrelp MaxDataSize parameter related to the global() maxMessageSize parameter?

2017-10-29 Thread deoren
parameter messages that were previously "stuck", flow once more. On 10/29/2017 1:22 PM, Rainer Gerhards wrote: quick answer: I guess you ran into this https://github.com/rsyslog/rsyslog/issues/1741 Let me know if more info is needed. Rainer 2017-10-29 19:15 GMT+01:00 deoren <

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-19 Thread deoren
On 10/19/2017 3:12 PM, Rainer Gerhards wrote: On 19.10.2017 21:55, "David Lang" wrote: RELP has its place, but most of the time I'm willing to lose some logs under rare failure conditions and so haven't bothered to use it. large maxmessagesize leads to wasted memory in

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-19 Thread deoren
On 10/18/2017 8:10 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: On 10/18/2017 3:15 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: On 10/18/2017 1:36 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: Since the sender and receiver in this are both the latest

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-27 Thread deoren
On 10/23/2017 7:55 PM, deoren wrote: On 10/23/2017 7:51 PM, deoren wrote: On 10/23/2017 7:38 PM, deoren wrote: On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes

Re: [rsyslog] Sourcing Environment Variables for Use in Templates?

2017-10-27 Thread deoren
On 10/27/2017 5:19 PM, Naftuli Kay via rsyslog wrote: Can anyone shed any light on how to set global variables? Environment variables won't change over the lifetime of the process so it would make sense to not have to allocate for every log message. Thanks, - Naftuli Kay I've not used them

Re: [rsyslog] klogLocalIPIF

2017-12-21 Thread deoren
On 12/20/2017 4:24 AM, deoren wrote: > On 12/14/2017 8:19 PM, Rory Toma wrote: >> I have put in >> $ModLoad imklog >> $klogLocalIPIF eth0 >> >> in my rsyslog.conf file (8.30.0) However, >> rsyslogd: invalid or yet-unknown config file command 'klogLoca

Re: [rsyslog] Error with omkafka

2017-12-23 Thread deoren
On 12/21/2017 1:10 PM, Andrew Akins via rsyslog wrote: > I was wondering if anyone had seen this. I’m running rsyslog on Alpine Linux, > deployed as a container. Rsyslog was built from source, and is version 8.31.0 > > Basically, initialization of a omkafka message is failing: > >

Re: [rsyslog] Imkafka/omkafka tuning

2017-12-23 Thread deoren
On 12/22/2017 9:52 AM, Luigi Tagliamonte via rsyslog wrote: > Hi there! > What are the tunable parameters for this module, like: > - an option to increase the number of threads for kafka processing > - number of messages to process per req. > - etc.. > Regards > L. Module docs: *

[rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-07 Thread deoren
Hi all, I'd like to get your feedback on some proposed formatting changes to the imuxsock module doc. I mention my preference below, but the end goal is to standardize the formatting and make the docs easier to work with, so my personal preferences can take a backseat in the scheme of things. ;)

Re: [rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-08 Thread deoren
s in place. Everything from typos, to clarifications of content to adding missing coverage. I'm still learning the ins/outs of everything (including Git), but I'd be happy to answer any questions that I'm able to. Just mention me (e.g., "@deoren") on whatever GitHub issue/PR you work o

Re: [rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-08 Thread deoren
On 1/8/2018 3:30 AM, Simon Lundström wrote: On Sun, 2018-01-07 at 23:56:27 -0600, deoren wrote: Hi all, I'd like to get your feedback on some proposed formatting changes to the imuxsock module doc. I mention my preference below, but the end goal is to standardize the formatting and make

Re: [rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-08 Thread deoren
On 1/8/2018 9:22 AM, deoren wrote: On 1/8/2018 9:11 AM, Andrew Griffin via rsyslog wrote: This looks great, I love it! Can someone refresh my memory on the process for contributing to the documentation?  I’d like to chip in Andrew Griffin Thanks for the feedback. Do I understand your

Re: [rsyslog] Can a single logfile be part of multiple imfile configs?

2018-01-26 Thread deoren
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of deoren Sent: Friday, January 26, 2018 4:36 PM To: rsyslog@lists.adiscon.com Subject: Re: [rsyslog] Can a single logfile be part of multiple imfile configs? On 1/26/2018 3:29 PM, Scot Kreienkamp wrote: Hi everyone, My basic question: Can the same logfile

Re: [rsyslog] Can a single logfile be part of multiple imfile configs?

2018-01-26 Thread deoren
On 1/26/2018 3:29 PM, Scot Kreienkamp wrote: Hi everyone, My basic question: Can the same logfile be used in two imfile inputs? There may be other ways of doing this, but this comes to mind: 1. A single input object which specifies the file you want to monitor. 2. Attach a single ruleset to

[rsyslog] Is there an advanced/current/RainerScript version of the obsolete legacy ActionFileDefaultTemplate directive?

2018-01-12 Thread deoren
I'm looking through the docs and I haven't spotted it. Thanks.

Re: [rsyslog] POLL (informal): What are your thoughts regarding current and potential rsyslog support channels?

2018-02-02 Thread deoren
On 2/2/2018 5:41 AM, Simon Lundström wrote: Thank you for your feedback! > I like mailinglists and IRC but the most important for me is that the > questions are answered, be it by employees or the community I completely agree with this. Seeing how spread out the current community is between

Re: [rsyslog] Help select a new logo

2018-02-02 Thread deoren
@Rainer +1 for logo 1 out of the provided options (also voted using the provided poll) On 2/2/2018 1:27 AM, Ciprian Hacman wrote: > Nice. Logo 1 from me also (voted). Seems the cleanest one. > > Ciprian > > -- > Performance Monitoring * Log Analytics * Search Analytics > Solr & Elasticsearch

Re: [rsyslog] rsyslog+elasticsearch (and some Kafka and a few others) eBook

2018-02-01 Thread deoren
On 2/1/2018 6:27 AM, Radu Gheorghe wrote: Hi, Today we just published what I hope to be a quite complete eBook about centralizing logs with rsyslog. The destination I had in mind was Elasticsearch, but I think it should apply to many other use-cases. Here's the blog post with more details on
