[rsyslog] How to completely move beyond Legacy Format?

2017-07-19 Thread Mike Schleif
CentOS Linux release 7.3.1611 (Core) rsyslog.x86_64 8.28.0-1.el7 @rsyslog_v8 rsyslog-mysql.x86_64 8.28.0-1.el7 @rsyslog_v8 In February 2016, we needed to move up from whatever Centos 7 had for rsyslog. At that time, this list encouraged me to convert our

Re: [rsyslog] Changes to CONF result in ZERO SSH logging?

2017-07-20 Thread Mike Schleif
> > HTH > > 2017-07-20 16:59 GMT+02:00 Mike Schleif <mike+rsys...@mdsresource.net>: > > Making changes to rsyslog.conf on Production server. Restart rsyslogd > > _after_ successfully verifying conf lines with: > > > > /sbin/rsyslogd -f /etc/rsyslog.con

[rsyslog] Changes to CONF result in ZERO SSH logging?

2017-07-20 Thread Mike Schleif
Making changes to rsyslog.conf on Production server. Restart rsyslogd _after_ successfully verifying conf lines with: /sbin/rsyslogd -f /etc/rsyslog.conf -N 1 No errors in conf. No errors on restart. HOWEVER, zero SSH (authpriv) logging to /var/log/secure, although all other logging appears to

Re: [rsyslog] ommysql: How to eliminate egregious DB write delays?

2017-07-21 Thread Mike Schleif
After lunch, the delay between host events and DB write is > 15 minutes. There are zero queue files under /var/lib/rsyslog. Where are my missing events? I'm studying impstats log and I find the following. ### grep ^2017-07-21T /var/log/rsyslog-stats | grep enqueued | grep -v enqueued=0

[rsyslog] imjournal: How can we avoid this module?

2017-07-21 Thread Mike Schleif
CentOS Linux release 7.3.1611 (Core) rsyslog.x86_64 8.28.0-1.el7 @rsyslog_v8 rsyslog-mysql.x86_64 8.28.0-1.el7 @rsyslog_v8 This week, after upgrading from 8.24 to 8.28, we noticed errors related to: $OmitLocalLogging on and: $SystemLogSocketName

Re: [rsyslog] Changes to CONF result in ZERO SSH logging?

2017-07-21 Thread Mike Schleif
On Thu, Jul 20, 2017 at 7:06 PM, David Lang <da...@lang.hm> wrote: > On Thu, 20 Jul 2017, Mike Schleif wrote: > > action(type="omprog" template="RSYSLOG_TraditionalFileFormat") >> > > If I am reading you correctly, you are telling rsyslog to o

Re: [rsyslog] ommysql: How to eliminate egregious DB write delays?

2017-07-24 Thread Mike Schleif
What information can I provide that will result in help from this community? I'm now logging to $Debuglevel 2, and the file is swelling quickly. Right now delays are '0' and none of the queue files exist. Please, advise. Thank you. ~ Mike On Fri, Jul 21, 2017 at 9:10 AM, Mike Schleif <m

[rsyslog] ommysql: How to completely move beyond Legacy Format?

2017-07-19 Thread Mike Schleif
CentOS Linux release 7.3.1611 (Core) rsyslog.x86_64 8.28.0-1.el7 @rsyslog_v8 rsyslog-mysql.x86_64 8.28.0-1.el7 @rsyslog_v8 In February 2016, we needed to move up from whatever Centos 7 had for rsyslog. At that time, this list encouraged me to convert our

Re: [rsyslog] ommysql: How to eliminate egregious DB write delays?

2017-07-21 Thread Mike Schleif
So I noticed this entry pop up in the journalctl stream: Jul 21 10:45:38 hermes.provell.com rsyslogd[11456]: queue 'strm 0x7f610c688810', file '/var/lib/rsyslog/dbSftpQueue.0001' opened for non-append write, but already contains 25231 bytes [v8.28.0.master try http://www.rsyslog.com/e/0 ] I

[rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-18 Thread Mike Schleif
# cat /etc/centos-release CentOS Linux release 7.4.1708 (Core) After yum updates yesterday (see below,) several logs no longer logged, including /var/log/secure In the last hour, we rolled back that entire yum update, and logging appears to be as expected Please, advise. Thank you. ~ Mike #

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-19 Thread Mike Schleif
rha...@hq.adiscon.com> wrote: > Well it would have helped to have this information before wading through > the log ;-). Now it needs to wait till tomorrow or Monday. > > Did something (systemd) steal the log socket? > > Räuber > > Sent from phone, thus brief. > > Am 19.10.2017 19:

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-19 Thread Mike Schleif
plus. > > Rainer > > Sent from phone, thus brief. > > Am 19.10.2017 20:24 schrieb "Mike Schleif" <mike+rsys...@mdsresource.net>: > > > Rainer, > > > > Apparently, I wasn't explicit enough when submitting the debug log. > > > > You

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-19 Thread Mike Schleif
- NOT one other log was written to in more than ten (10) minutes ... Please, advise. Thank you. ~ Mike On Thu, Oct 19, 2017 at 12:32 PM, Rainer Gerhards <rgerha...@hq.adiscon.com> wrote: > 2017-10-19 16:14 GMT+02:00 Mike Schleif <mike+rsys...@mdsresource.net>: > > Raine

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-11-24 Thread Mike Schleif
Rainer, It looks like this testing package is working properly. Thank you. We have updated rsyslog from the testing repository via yum: Updated: rsyslog.x86_64 0:8.30.0.2-1.el7 Dependency Updated: rsyslog-mysql.x86_64 0:8.30.0.2-1.el7 This host has rebooted twice (2x) and we do have

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-11-29 Thread Mike Schleif
On Fri, Nov 24, 2017 at 11:55 AM, Rainer Gerhards <rgerha...@hq.adiscon.com> wrote: > 2017-11-24 16:49 GMT+01:00 Mike Schleif <mike+rsys...@mdsresource.net>: > > How will we return to the $basearch repository? > > It'll be part of next Tuesday's 8.31.0 release.

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-11-13 Thread Mike Schleif
Rainer, Please, advise status. Thank you. On Mon, Nov 6, 2017 at 8:57 AM, Rainer Gerhards <rgerha...@hq.adiscon.com> wrote: > thanks for following up! > > 2017-11-06 15:54 GMT+01:00 Mike Schleif <mike+rsys...@mdsresource.net>: > > Rainer, > > > >

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-11-21 Thread Mike Schleif
> > > > 2017-11-13 16:12 GMT+01:00 Rainer Gerhards <rgerha...@hq.adiscon.com>: > >> will come this week > >> > >> 2017-11-13 15:56 GMT+01:00 Mike Schleif <mike+rsys...@mdsresource.net>: > >>> Rainer, > >>> > >>> Please, advise

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-11-06 Thread Mike Schleif
Rainer, I see that you closed #1895 yesterday. Does this mean that there is something for us to test now? Where is it? Please, advise. Thank you. ~ Mike On Fri, Oct 27, 2017 at 10:48 AM, Rainer Gerhards <rgerha...@hq.adiscon.com> wrote: > 2017-10-27 17:32 GMT+02:00 Mike Schleif &

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-20 Thread Mike Schleif
on.com>: > > It would be great to have it as similar as possible. > > > > Sent from phone, thus brief. > > > > Am 19.10.2017 20:57 schrieb "Mike Schleif" <mike+rsys...@mdsresource.net > >: > >> > >> Rainer, > >

[rsyslog] Fwd: Your message to rsyslog awaits moderator approval

2017-10-20 Thread Mike Schleif
Rainer, Please, moderate my debug containing message below: -- Forwarded message -- From: Date: Fri, Oct 20, 2017 at 8:20 AM Subject: Your message to rsyslog awaits moderator approval To: mike+rsys...@mdsresource.net Your mail to 'rsyslog'

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-27 Thread Mike Schleif
Rainer, Please, advise status. Thank you. ~ Mike On Tue, Oct 24, 2017 at 9:10 AM, Rainer Gerhards wrote: > ok, thanks, we are getting closer: > > https://github.com/rsyslog/rsyslog/issues/1895 > > While the question is why it gets an error in the first place, >

Re: [rsyslog] Updates 8.29 -> 8.30 broke several logs

2017-10-27 Thread Mike Schleif
Gerhards <rgerha...@hq.adiscon.com> wrote: > I think we have a fix now. It's already mentioned in the GitHub issue > tracker. Can you build from source and try it? > > Rainer > > Sent from phone, thus brief. > > Am 27.10.2017 16:46 schrieb "Mike Schleif" <

[rsyslog] Missing messages in our databases

2018-11-15 Thread Mike Schleif
What does the following mean? How can we correct this? We just discovered missing rsyslog messages in our databases, going back to February 2018. /var/log/messages shows errors like these: Feb 3 02:16:33 hermes rsyslogd[30458]: The error statement was: insert into SystemEvents (Message,

Re: [rsyslog] Missing messages in our databases

2018-11-21 Thread Mike Schleif
On Wed, Nov 21, 2018 at 1:55 PM Rainer Gerhards wrote: > Am Mi., 21. Nov. 2018, 20:44 hat Mike Schleif < > mike+rsys...@mdsresource.net> > geschrieben: > > > On Wed, Nov 21, 2018 at 12:01 PM Rainer Gerhards < > rgerha...@hq.adiscon.com > > > > > wrote

Re: [rsyslog] Missing messages in our databases

2018-11-21 Thread Mike Schleif
On Wed, Nov 21, 2018 at 12:01 PM Rainer Gerhards wrote: > El mié., 21 nov. 2018 a las 16:23, Mike Schleif > () escribió: > > Now, how can I send all log entries containing a fixed string to a new > > logfile? > > https://www.rsyslog.com/doc/v8-stable/configuration/filters

Re: [rsyslog] Missing messages in our databases

2018-11-21 Thread Mike Schleif
On Tue, Nov 20, 2018 at 9:53 AM Jacob Steinberger via rsyslog < rsyslog@lists.adiscon.com> wrote: > Try this in your config: > > $template tpltext, "insert into SystemEvents (Message, Facility, FromHost, > Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values > ('%msg%',

Re: [rsyslog] Missing messages in our databases

2018-11-21 Thread Mike Schleif
On Tue, Nov 20, 2018 at 3:41 PM Joe Blow via rsyslog < rsyslog@lists.adiscon.com> wrote: > You don't need to load the omfile module at all, unless you're changing > config parameters: > > Don't even bother loading that, it should work without it. > > This is how I use omfile: > >

Re: [rsyslog] Missing messages in our databases

2018-11-20 Thread Mike Schleif
That is in the original post. There I showed two configurations to the same database and host - one that has never failed, and the errant one. On Tue, Nov 20, 2018 at 9:32 AM Jacob Steinberger via rsyslog < rsyslog@lists.adiscon.com> wrote: > That template is used for just writing to a file, not

Re: [rsyslog] Missing messages in our databases

2018-11-20 Thread Mike Schleif
David, On Mon, Nov 19, 2018 at 2:52 PM David Lang wrote: > On Mon, 19 Nov 2018, Mike Schleif wrote: > > > How can I do that? > > in your config for writing to mysql you specify a template to use, use > that same > template to write to a file > > old syntax >

Re: [rsyslog] Missing messages in our databases

2018-11-20 Thread Mike Schleif
What am I missing? On Tue, Nov 20, 2018 at 9:15 AM Rich Megginson via rsyslog < rsyslog@lists.adiscon.com> wrote: > You could try this: > > # debug output > > module(load="builtin:omfile" file="/var/log/rsyslog-debug.log" > template="RSYSLOG_TraditionalFileFormat") > > If

Re: [rsyslog] Missing messages in our databases

2018-11-20 Thread Mike Schleif
On Tue, Nov 20, 2018 at 10:30 AM Jacob Steinberger via rsyslog < rsyslog@lists.adiscon.com> wrote: > Technically the documentation says file should be "File", you could give > that a try. > > Are you running Rsyslog 8.39? > Yes, we are running the latest: v8.39.0 The problems I have not

Re: [rsyslog] Missing messages in our databases

2018-11-20 Thread Mike Schleif
On Tue, Nov 20, 2018 at 9:53 AM Jacob Steinberger via rsyslog < rsyslog@lists.adiscon.com> wrote: > Try this in your config: > > $template tpltext, "insert into SystemEvents (Message, Facility, FromHost, > Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values > ('%msg%',

[rsyslog] Missing messages in our databases

2018-11-19 Thread Mike Schleif
What does the following mean? How can we correct this? We just discovered missing rsyslog messages in our databases, going back to February 2018. /var/log/messages shows errors like these: Feb 3 02:16:33 hermes rsyslogd[30458]: The error statement was: insert into SystemEvents (Message,

Re: [rsyslog] Missing messages in our databases

2018-11-19 Thread Mike Schleif
Sorry, I didn't notice this earlier :( On Mon, Nov 19, 2018 at 11:44 AM Rainer Gerhards wrote: > Do you have any rsyslog error messages "in front of" the quoted ones? > They look like they are second in an error report - but may > unfortunately be the only ones. > > Nothing looks obviously

Re: [rsyslog] Missing messages in our databases

2018-11-19 Thread Mike Schleif
On Mon, Nov 19, 2018 at 2:25 PM David Lang wrote: > Try writing the log message to a file using the same template that you are > using > to send it to the database, you may find that there's an embedded newline > or > other punctuation in the failing message. > > David Lang > How can I do that?

Re: [rsyslog] Missing messages in our databases

2018-11-19 Thread Mike Schleif
On Mon, Nov 19, 2018 at 2:52 PM David Lang wrote: > On Mon, 19 Nov 2018, Mike Schleif wrote: > > > How can I do that? > > in your config for writing to mysql you specify a template to use, use > that same > template to write to a file > > old syntax > > /v