Re: [rsyslog] rsyslog 8.28.0 (v8-stable) released

2017-07-06 Thread deoren
On 6/27/17 9:54 AM, Florian Riedl wrote: Hi all, We have released rsyslog 8.28.0. Any estimate re availability of the 8.28.0 version via the Ubuntu PPA? https://launchpad.net/~adiscon/+archive/ubuntu/v8-stable Thanks.

[rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-07 Thread deoren
First of all, thank you for reading this and thanks to the devs for rsyslog. Admittedly, my configuration is likely at fault as I'm still learning how to configure a rsyslog client installation for reliable remote logging. Environment (client & server): * Ubuntu 16.04 (client, server) * rsysl

Re: [rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-08 Thread deoren
On 7/7/17 2:28 AM, deoren wrote: First of all, thank you for reading this and thanks to the devs for rsyslog. Admittedly, my configuration is likely at fault as I'm still learning how to configure a rsyslog client installation for reliable remote logging. Environment (client &

Re: [rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-08 Thread deoren
On 7/8/17 9:23 PM, David Lang wrote: On Sat, 8 Jul 2017, deoren wrote: Looking around I learned of these two directives: $DebugLevel 2 $DebugFile /var/log/rsyslog-debug.log I added those, rebooted the VM and quickly had lots of debug info to work with. In the file I found these entries

[rsyslog] Any estimate re availability of the 8.28.0 version via the Ubuntu PPA?

2017-07-10 Thread deoren
Is the policy to wait a bit between releasing a new stable release and then building it for the PPA to make sure there are no issues with the new release? https://launchpad.net/~adiscon/+archive/ubuntu/v8-stable Thanks.

[rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
While researching permission issues on /var/log, I realized that the rsyslog package from the Ubuntu PPA doesn't provide an override for /usr/lib/tmpfiles.d/var.conf (which has a rule that sets /var/log to 0755). I submitted #1655 via GitHub for that, thinking that the problem was likely limite

Re: [rsyslog] Log messages held when using FQDN as omrelp target and (/etc/hosts entry not present or 'After=network.target' not present in Unit file)

2017-07-10 Thread deoren
On 7/8/17 10:19 PM, deoren wrote: Running the same command on the SSD copy of that VM I see about 220ms startup time. I'm also new to systemd, so I might be misinterpreting the values, but it appears that the slower load time for rsyslog is giving the system sufficient time to loa

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 3:07 PM, David Lang wrote: > I've been using rsyslog since 2006 and never seen /usr/lib/tempfiles.d From what I've learned it's systemd specific and really came into play with Ubuntu 15.04, but I only learned about it with recent system upgrades from 14.04 to 16.04 LTS. > I don't thi

Re: [rsyslog] Any estimate re availability of the 8.28.0 version via the Ubuntu PPA?

2017-07-10 Thread deoren
On 7/10/17 3:00 PM, David Lang wrote: no, there are sometimes delays between the release and the PPA, but they are not the result of a deliberate policy I'm a new user of the PPA, so I wasn't sure what to expect re release timeline. Thanks for confirming that it's variable.

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 5:13 PM, David Lang wrote: On Mon, 10 Jul 2017, deoren wrote: I checked Debian 9 and that release appears to be handling the rsyslog configuration the same way as CentOS 7: run as root, do not attempt to drop privileges. Ubuntu's rsyslog package on the other hand does make

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 5:28 PM, David Lang wrote: On Mon, 10 Jul 2017, deoren wrote: Hi David, My comment wasn't as clear as it should have been. The /usr/lib/tmpfiles.d/var.conf file targets specific directories and one of those is /var/log. By default /var/log is set to 0755, so if rsyslog

Re: [rsyslog] Ubuntu >= 16.04: Upgrading stock rsyslog package via PPA results in /usr/lib/tmpfiles.d/00rsyslog.conf file being removed

2017-07-10 Thread deoren
On 7/10/17 6:58 PM, David Lang wrote: On Mon, 10 Jul 2017, deoren wrote: Without an override in place, the permissions are being reset on boot for the /var/log directory to 0755, ownership of root:syslog. The /usr/lib/tmpfiles.d/00rsyslog.conf file overrides the systemd default configuration

[rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

2017-07-10 Thread deoren
Here is some pseudocode based off of another recent thread: ruleset(name="remote-rules"){ action( ... ) action( ... ) stop } input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules") input(type="imptcp" port=

[rsyslog] Is there a way to bind a ruleset to the default system log socket?

2017-07-11 Thread deoren
Hi, If I want to use a ruleset named "local" for an input that handles the default local unix socket, how would I define the module and input entries to reflect that? I thought this would do it: module(load="imuxsock") input(type="imuxsock" ruleset="local") but rsyslog complains like so: >

Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

2017-07-11 Thread deoren
On 7/11/17 2:47 AM, Rainer Gerhards wrote: yup ... for this case. Processing stops when there is .. no more processing to do. Usually, this means end of ruleset. But if the ruleset is called from another ruleset, processing will go back to the caller if there is no stop statement. In the given co

Re: [rsyslog] Is there a way to bind a ruleset to the default system log socket?

2017-07-11 Thread deoren
On 7/11/17 2:59 AM, David Lang wrote: unfortunately, this is a gap in rsyslog's capabilities. What you can do is assign a ruleset to all remote inputs, and then what's left is the /dev/log (and rsyslog internal) logs you can also test the input of a log message and call a ruleset Thanks. I c

Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

2017-07-11 Thread deoren
On 7/11/17 1:33 AM, mostolog--- via rsyslog wrote: It's implicit, AFAIK On 11/07/17 07:48, deoren wrote: Here is some pseudocode based off of another recent thread: ruleset(name="remote-rules"){ action( ... )

Re: [rsyslog] Is there a way to bind a ruleset to the default system log socket?

2017-07-11 Thread deoren
On 7/11/17 3:36 AM, Jiří Vymazal via rsyslog wrote: Well, you have to specify on which socket imuxsock will listen, otherwise it cannot know where to listen. You are not creating any socket by this, unless you explicitly configure otherwise. I guess I incorrectly assumed that these two entries

[rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-19 Thread deoren
I've setup a ruleset that is applied to messages arriving from remote systems via imrelp. One action within that ruleset matches on auth facility messages and places them into a "combined" auth log file. Additionally an alert is generated via ommail for matching patterns (SSH logins). In addi

Re: [rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-20 Thread deoren
>> On Jul 19, 2017, at 8:37 AM, deoren wrote: >> >> I've setup a ruleset that is applied to messages arriving from remote systems via imrelp. One action within that ruleset matches on auth facility messages and places them into a "combined" auth log file. Addit

Re: [rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-20 Thread deoren
On 7/20/17 6:54 PM, David Lang wrote: On Thu, 20 Jul 2017, deoren wrote: # /etc/rsyslog.conf input(type="imuxsock" socket="/dev/log" ruleset="local") input(type="imrelp" port="2514" KeepAlive="on" ruleset="remote") The ru

Re: [rsyslog] Is there an easy way to combine log messages generated locally AND remotely?

2017-07-20 Thread deoren
On 7/20/17 7:38 PM, David Lang wrote: On Thu, 20 Jul 2017, deoren wrote: Thanks David. So if I attach the rulesets directly to the inputs, is there any other way to combine auth facility messages into a single file? Should I instead not attach rulesets to the inputs and instead call the

[rsyslog] What is the best way to bring down an active rsyslog instance?

2017-08-04 Thread deoren
I've setup a central rsyslog instance (sawmill1) that receives messages from all nodes. I consider this node a primary or production node. That same node passes a copy of all messages to a second instance (sawmill2) where I test configuration changes and then pipe into a prototype Graylog insta

Re: [rsyslog] What is the best way to bring down an active rsyslog instance?

2017-08-04 Thread deoren
On 8/4/17 12:10 PM, David Lang wrote: when you stop rsyslog, it attempts to save the data in the queues to disk and write the .qi file so that it will be able to read the disk queue files on next startup. But many distros have a short timeout that if the program doesn't finish shutting down qui

Re: [rsyslog] What is the best way to bring down an active rsyslog instance?

2017-08-04 Thread deoren
On 8/4/17 3:32 PM, David Lang wrote: what init system do you have systemd from Ubuntu 16.04. you would need to change systemd settings, and I don't know if this is in a file shipped with the distro or something provided by the adiscon PPA. Me either, but I'll look into it. Thank you for y

[rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-05 Thread deoren
I've recently converted all of our nodes from forwarding messages from the default forwarding format to using the 'RSYSLOG_SyslogProtocol23Format' format. I only did light research beforehand (so I can only blame myself), but when our relay nodes log in either 'RSYSLOG_TraditionalFileFormat' o

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-05 Thread deoren
On 8/5/17 10:59 PM, deoren wrote: I've recently converted all of our nodes from forwarding messages from the default forwarding format to using the 'RSYSLOG_SyslogProtocol23Format' format. I only did light research beforehand (so I can only blame myself), but when our rel

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-05 Thread deoren
On 8/5/17 11:28 PM, David Lang wrote: on the receiver, write a log with the format rawmsg or use the RSYSLOG_DebugFormat and look at the rawmsg line there. Let's see exactly what is being sent to see if the data is being lost at transmit or on reception. Personally, I have my senders reformat

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-07 Thread deoren
On 8/5/17 11:42 PM, deoren wrote: On 8/5/17 10:59 PM, deoren wrote: I've recently converted all of our nodes from forwarding messages from the default forwarding format to using the 'RSYSLOG_SyslogProtocol23Format' format. I only did light research beforehand (so I can on

Re: [rsyslog] How can I use high precision forwarding format, but still preserve the Postfix process name in forwarded messages?

2017-08-12 Thread deoren
On 8/8/2017 1:10 PM, rsyslog-users-lists.adiscon@whyaskwhy.org wrote: On 8/8/17 2:30 AM, Rainer Gerhards wrote: >> Check what APP-NAME, PROCID and MSGID contain, which are derived from the tag. RFC5424 tells you where these parts are to be placed in the header. It appears that this lac

[rsyslog] What is the best way to blend local messages with messages received from remote nodes?

2017-08-14 Thread deoren
Scenario: I'm working with a central rsyslog server (latest 8.x version) with a common ruleset (e.g, "remote") bound to the imrelp, imudp and imptcp inputs. That ruleset calls another ruleset (e.g., "notify-rules") to perform omemail actions as appropriate. This central receiver also forward

[rsyslog] How can I view the definition of built-in templates?

2017-08-18 Thread deoren
For example, I am trying to troubleshoot why messages arriving in one format are not saved as expected, even though the debug formatted output shows properties populated as expected. Thanks.

Re: [rsyslog] How can I view the definition of built-in templates?

2017-08-21 Thread deoren
>2017-08-19 0:20 GMT+02:00 deoren >: >> For example, I am trying to troubleshoot why messages arriving in one >format are not saved as expected, even though the debug formatted >output shows properties populated as expected. >> >> Thanks. On August 19, 2017 4

[rsyslog] Is there an option to "echo" a message when processing a statement?

2017-08-25 Thread deoren
For example, here is a small block that I'm using to route rsyslog related messages to the local /var/log/rsyslog.log file: if ($programname == 'rsyslogd' or $syslogfacility-text == 'syslog') then { action( name="rsyslog-messages" type="omfile" file="/var/log/rsyslog.

Re: [rsyslog] Is there an option to "echo" a message when processing a statement?

2017-08-25 Thread deoren
On 8/25/2017 4:26 PM, David Lang wrote: you can put in an action that writes a different template, and that template can be fixed text. Thank you! That makes sense. I appreciate the quick response also.

[rsyslog] Changing IP of central log server, clients are configured to use FQDN instead of IP. Anything special needed to have clients send queued messages to the new IP instead of the old?

2017-09-13 Thread deoren
Currently I have all of the clients setup to use DNS A record to connect to the central system. That A record has a TTL of 300 seconds. I plan to down the central server and then move it to a new hosting environment with a totally different IP. That move will take more than the 300 seconds TTL

[rsyslog] Any good guides for generating JSON formatted log messages on rsyslog client nodes for processing on rsyslog receiver node?

2017-09-18 Thread deoren
Most of what I'm coming across is geared towards sending into another product like mongodb or elasticsearch. I'm really new to this aspect, so the more newbie friendly the better. In particular, I'd like to find a barebones template for replicating forwarding of content using RSYSLOG_ForwardFo

Re: [rsyslog] Changing IP of central log server, clients are configured to use FQDN instead of IP. Anything special needed to have clients send queued messages to the new IP instead of the old?

2017-09-22 Thread deoren
On 9/13/2017 6:12 PM, deoren wrote: Currently I have all of the clients setup to use DNS A record to connect to the central system. That A record has a TTL of 300 seconds. I plan to down the central server and then move it to a new hosting environment with a totally different IP. That move

[rsyslog] Is there a difference in scope for local variables vs message json properties?

2017-09-26 Thread deoren
In my limited experience I've managed to use both in similar ways, though by passing '$!' to a remote node I understand[1] that I'm not including the local variables. Those values are stored within '$.' instead. For setting values within a configuration for reference within templates, function

Re: [rsyslog] Add the file name to syslog data

2017-09-28 Thread deoren
On 9/28/2017 6:37 AM, Joan via rsyslog wrote: I am using rsyslog to read (imfile) some logfiles and forward them to graylog in syslog format RFC5424. I would like to add an attribute with the filename, I explored doing it by modifying the template (such as this

Re: [rsyslog] error on journal/rsyslog configs

2017-10-02 Thread deoren
On 10/2/2017 8:58 AM, senaps via rsyslog wrote: [Journal] Storage=volatile Compress=no RateLimitInterval= 0 RateLimitBurst= 10 MaxRetentionSec=5s #Storage=auto #Compress=yes #Seal=yes Are you attempting to have rsyslog process this? That looks to be the format that systemd uses for its con

[rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-05 Thread deoren
Is this expected? I recall reading that rsyslog should be properly firewalled to protect it from malicious traffic, but I couldn't recall what would happen if it were exposed to scans: fall over vs trash data logged.

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-05 Thread deoren
On October 6, 2017 1:03:32 AM CDT, Thomas Deutschmann via rsyslog wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA512 > >On 2017-10-06 07:45, deoren wrote: >> Is this expected? I recall reading that rsyslog should be properly >> firewalled to protect it from

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-06 Thread deoren
2017-10-06 8:27 GMT+02:00 deoren : On October 6, 2017 1:03:32 AM CDT, Thomas Deutschmann via rsyslog wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-10-06 07:45, deoren wrote: Is this expected? I recall reading that rsyslog should be properly firewalled to protect it from

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-06 Thread deoren
On 10/6/2017 4:42 PM, David Lang wrote: On Fri, 6 Oct 2017, deoren wrote: I'm going to retest soon, one port at a time to see if the segfault is specific to one of the inputs. Once I determine that I'll likely setup a vanilla installation of rsyslog with imudp, imptcp and imrelp e

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-07 Thread deoren
On 10/7/2017 5:25 AM, Rainer Gerhards wrote: 2017-10-07 7:57 GMT+02:00 deoren : As I dig more into this, I'm beginning to think the only thing the Qualys scan did was aggravate an existing problem and cause rsyslog to tip over more quickly. While I didn't observe the problem at t

[rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-17 Thread deoren
Refs: https://github.com/rsyslog/rsyslog/issues/1782 Scenario: * rsyslog v8.30.0 (Ubuntu PPA) * Ubuntu 16.04 * rsyslog sender setup to forward via omrelp (with a DA queue) to a remote receiver * nearly 1 GB of held message content in /var/spool/rsyslog There are 1272152 messages currently

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-17 Thread deoren
On 10/17/2017 3:36 PM, David Lang wrote: you can copy the queue files somewhere else (best done with rsyslog stopped), and then configure a copy of rsyslog.conf to not have any inputs, but have the queue files and the rules for what to do with them. You can then run a second copy of rsyslog (di

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-17 Thread deoren
On 10/17/2017 3:45 PM, Rainer Gerhards wrote: Errno 11 seems to be EAGAIN, more a status than a warning. The full Debug log may reveal details. Is the debug on demand log file sufficient or should enabling debug mode at startup the better route? On a different note, will rsyslog accept a mes

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/17/2017 6:57 PM, David Lang wrote: Yes, rsyslog will accept messages it can't deliver, the accepting of messages is decoupled from the delivery. if a message is too long, it will get truncated, even if it's json (at that point it's a string of bytes, rsyslog has no way of knowing that

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 11:51 AM, deoren wrote: On 10/17/2017 6:57 PM, David Lang wrote: Yes, rsyslog will accept messages it can't deliver, the accepting of messages is decoupled from the delivery. if a message is too long, it will get truncated, even if it's json (at that point it

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 12:02 PM, deoren wrote: On 10/18/2017 11:51 AM, deoren wrote: On 10/17/2017 6:57 PM, David Lang wrote: Yes, rsyslog will accept messages it can't deliver, the accepting of messages is decoupled from the delivery. if a message is too long, it will get truncated, even if

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 1:36 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: I checked and sawmill1 is having trouble sending the messages on to the "downstream" receivers (sawmill2, sawmill3). Based on the "... at least 232 byte larger than max msg size ..." log entr

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 3:22 PM, Rainer Gerhards wrote: The queue errors are bad. Anything else in regard to that queue? After discussing it on this thread, I stopped rsyslog yesterday and moved all content from /var/spool/rsyslog to a different directory, hoping to have rsyslog come back online with a

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 12:34 PM, Rainer Gerhards wrote: 2017-10-18 1:14 GMT+02:00 deoren : On 10/17/2017 3:45 PM, Rainer Gerhards wrote: Errno 11 seems to be EAGAIN, more a status than a warning. The full Debug log may reveal details. Is the debug on demand log file sufficient or should enabling

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 5:02 PM, deoren wrote: On 10/18/2017 3:22 PM, Rainer Gerhards wrote: The queue errors are bad. Anything else in regard to that queue? After discussing it on this thread, I stopped rsyslog yesterday and moved all content from /var/spool/rsyslog to a different directory, hoping

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-18 Thread deoren
On 10/18/2017 3:15 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: On 10/18/2017 1:36 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: Since the sender and receiver in this are both the latest versions of rsyslog (with the plan for the setup to remain that way), can I scale

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-19 Thread deoren
On 10/18/2017 8:10 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: On 10/18/2017 3:15 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: On 10/18/2017 1:36 PM, David Lang wrote: On Wed, 18 Oct 2017, deoren wrote: Since the sender and receiver in this are both the latest

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-19 Thread deoren
On 10/19/2017 3:12 PM, Rainer Gerhards wrote: On 19.10.2017 at 21:55, "David Lang" wrote: RELP has its place, but most of the time I'm willing to lose some logs under rare failure conditions and so haven't bothered to use it. large maxmessagesize leads to wasted memory in rsyslog, but nothing

[rsyslog] What is the expected behavior when checking non-existent variable in the $! object?

2017-10-22 Thread deoren
This is a tangent of another issue I was dealing with a few weeks back, but it appears that problem was related to checking whether a non-existent $!variable was empty. Is the expected behavior for that check to fail? This is with v8.29.0 and I have not tested with 8.30.0 yet, but I am more i

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/7/2017 10:44 AM, deoren wrote: On 10/7/2017 5:25 AM, Rainer Gerhards wrote: 2017-10-07 7:57 GMT+02:00 deoren : As I dig more into this, I'm beginning to think the only thing the Qualys scan did was aggravate an existing problem and cause rsyslog to tip over more quickly. Wh

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes), the problem isn't specific to the Qualys scan. I later learned that messages coming from our ESXi hosts trigge

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/23/2017 7:38 PM, deoren wrote: On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes), the problem isn't specific to the Qualys scan. I later learned

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-23 Thread deoren
On 10/23/2017 7:51 PM, deoren wrote: On 10/23/2017 7:38 PM, deoren wrote: On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes), the problem isn't specific t

Re: [rsyslog] If messages are stuck in a queue, do you have any option other than nuking the queue file(s)?

2017-10-24 Thread deoren
On 10/19/2017 6:58 PM, deoren wrote: On 10/19/2017 3:12 PM, Rainer Gerhards wrote: On 19.10.2017 at 21:55, "David Lang" wrote: RELP has its place, but most of the time I'm willing to lose some logs under rare failure conditions and so haven't bothered to use it. larg

Re: [rsyslog] Sourcing Environment Variables for Use in Templates?

2017-10-25 Thread deoren
On 10/25/2017 3:48 PM, Naftuli Kay via rsyslog wrote: I have a few environment variables that I'd like to include in my log messages that I'm formatting in JSON format. I have a service that runs on boot which generates /etc/sysconfig/ec2 which contains variables like EC2_INSTANCE_ID, EC2_AMI_ID,

Re: [rsyslog] Sourcing Environment Variables for Use in Templates?

2017-10-25 Thread deoren
On 10/25/2017 4:18 PM, Naftuli Kay via rsyslog wrote: So would I do "set $deploy_env = getenv('DEPLOY_ENV')"? How would I then reference this variable? I'm still trying to learn more about rsyslog variables and how to use them in templates. I'm still learning myself, so I completely understand.

Re: [rsyslog] Sourcing Environment Variables for Use in Templates?

2017-10-27 Thread deoren
On 10/27/2017 5:19 PM, Naftuli Kay via rsyslog wrote: Can anyone shed any light on how to set global variables? Environment variables won't change over the lifetime of the process so it would make sense to not have to allocate for every log message. Thanks, - Naftuli Kay I've not used them y

Re: [rsyslog] Qualys scan against rsyslog causes it to segfault

2017-10-27 Thread deoren
On 10/23/2017 7:55 PM, deoren wrote: On 10/23/2017 7:51 PM, deoren wrote: On 10/23/2017 7:38 PM, deoren wrote: On 10/23/2017 7:11 PM, David Lang wrote: do you have a tcpdump or info from Qualys saying what it sends as part of the scan? David Lang Thankfully (for troubleshooting purposes

[rsyslog] How is the imrelp MaxDataSize parameter related to the global() maxMessageSize parameter?

2017-10-29 Thread deoren
I originally sent this as part of another thread, but I think this got buried and lost among the noise the rest of my notes generated. Posting a cleaner version here in case others know the answer. I'm trying to avoid using legacy configuration options where I can, but just in case the order

Re: [rsyslog] How is the imrelp MaxDataSize parameter related to the global() maxMessageSize parameter?

2017-10-29 Thread deoren
parameter messages that were previously "stuck", flow once more. On 10/29/2017 1:22 PM, Rainer Gerhards wrote: quick answer: I guess you ran into this https://github.com/rsyslog/rsyslog/issues/1741 Let me know if more info is needed. Rainer 2017-10-29 19:15 GMT+01:00 deoren : I origi

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-10-31 Thread deoren
On 10/31/2017 12:42 PM, matthew.gaetano wrote: Hello, I'm not sure this is an issue considering Legacy format shouldn't really be used in version 8, however it seems that when using legacy forwarding (as described in the default rsyslog.conf file) rsyslog suspends the actions and never retries.

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-10-31 Thread deoren
On 10/31/2017 4:05 PM, matthew.gaetano wrote: Seems like you're on the right track. We changed the dns names in the conf to the destination IPs and this somewhat resolved the issue. Rsyslog would still suspend the two destination actions however once the system settled the actions were resumed. Si

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-07 Thread deoren
https://github.com/rsyslog/rsyslog/issues/1656 See if that matches what you are fighting with. On November 7, 2017 9:51:51 AM CST, "matthew.gaetano" wrote: >Queues aside, regardless of the order rsyslog loads (before or after >network) its retry function should not stall. As it currently stand

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-07 Thread deoren
On 11/7/2017 10:31 AM, matthew.gaetano wrote: With the exception of the relation to storage, yes, for the most part. We encountered the issue on a physical server using SCSI/SATA drives. Our secondary tester were in vmware. I initially emphasized the boot speed from running the Ubuntu 16.04 VM

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-07 Thread deoren
On 11/7/2017 12:25 PM, deoren wrote: On 11/7/2017 10:31 AM, matthew.gaetano wrote: With the exception of the relation to storage, yes, for the most part. We encountered the issue on a physical server using SCSI/SATA drives. Our secondary tester were in vmware. I initially emphasized the boot

Re: [rsyslog] Legacy FWD Failes on startup (v8)

2017-11-09 Thread deoren
On 11/9/2017 4:08 AM, Thomas Deutschmann via rsyslog wrote: Hi, no distribution will probably _require_ network for rsyslog per default because in the default configuration distributions are shipping, no network is required. Due to the fact that most init systems nowadays support parallel invoca

Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread deoren
On 11/9/2017 9:00 AM, Rainer Gerhards wrote: 2017-11-09 14:46 GMT+01:00 Scot Kreienkamp : Hi David, Any ideas on any way to get around this if there's no way to preserve the metadata on an oversized message? You need to increase the message size. It's a simple config parameter [global(maxmess

Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread deoren
On 11/9/2017 10:24 AM, Scot Kreienkamp wrote: I have it set at 128k now... I thought I read in the list archives that was the maximum value? https://github.com/rsyslog/rsyslog/issues/1741 Looks like it (for now).

Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread deoren
hich actually have set it to a couple of MB (and occasionally use it). Rainer 2017-11-09 17:25 GMT+01:00 deoren : On 11/9/2017 10:24 AM, Scot Kreienkamp wrote: I have it set at 128k now... I thought I read in the list archives that was the maximum value? https://github.c

Re: [rsyslog] Ubuntu 16 rsyslogd not creating log files

2017-11-09 Thread deoren
On November 9, 2017 6:47:11 PM CST, dchappelle via rsyslog wrote: >I am running a vanilla install of Ubuntu 16 and my rsyslogd is not >creating >new log files for me. I added a new filter rule and restarted rsyslogd. >After doing so and generating log messages for that rule, the target >log >fi

Re: [rsyslog] Ubuntu 16 rsyslogd not creating log files

2017-11-09 Thread deoren
On November 9, 2017 10:21:04 PM CST, dchappelle via rsyslog wrote: >Apologies for not including the config. Here is >/etc/rsyslog.d/10-example.conf: > >dchappelle@L164:/etc/rsyslog.d$ cat 10-example.conf >local0.* /var/log/test.log >& stop > >The actual is

Re: [rsyslog] Ubuntu 16 rsyslogd not creating log files

2017-11-10 Thread deoren
On 11/10/2017 9:33 AM, dchappelle via rsyslog wrote: Thanks for all of the info deoren. I do have the file you speak of installed on my system: dchappelle@L164:~$ cat /usr/lib/tmpfiles.d/00rsyslog.conf # Override systemd's default tmpfiles.d/var.conf to make /var/log writab

Re: [rsyslog] rsyslog status ABRT or SEGV

2017-11-14 Thread deoren
On November 14, 2017 10:49:06 PM CST, "Войнович Андрей Александрович via rsyslog" wrote: >Thank you, David > >We have upgraded our linux box to the latest available (Debian 9) and >now rsyslog version is 8.24 (the newest from deb repo), but we still >experience the same problems. Seems we are doi

[rsyslog] Are configuration parameters case sensitive?

2017-11-17 Thread deoren
I noticed this commit focused on fixing the case in the source code for comparison purposes: https://github.com/rgerhards/rsyslog/commit/b9cda4602b26a4778fdfec4990a62b6faf2bc86b which leads me to ask: Are configuration parameters case sensitive? For example, are these all equivalent? global

Re: [rsyslog] Are configuration parameters case sensitive?

2017-11-17 Thread deoren
On 11/17/2017 11:05 AM, Rainer Gerhards wrote: 2017-11-17 18:04 GMT+01:00 deoren : I noticed this commit focused on fixing the case in the source code for comparison purposes: https://github.com/rgerhards/rsyslog/commit/b9cda4602b26a4778fdfec4990a62b6faf2bc86b which leads me to ask: Are

[rsyslog] imuxsock module documentation: What exactly does the 'SysDock.Name' parameter do?

2017-11-30 Thread deoren
Is that parameter used to specify the replacement for /dev/log or is that parameter used to specify another socket that is in addition to /dev/log as an input source? I assume that SysSock.Use defaults to /dev/log, but if SysSock.Name is specified, does SysSock.Use now refer to using that loca

Re: [rsyslog] imuxsock module documentation: What exactly does the 'SysDock.Name' parameter do?

2017-11-30 Thread deoren
On 11/30/2017 5:28 PM, deoren wrote: Is that parameter used to specify the replacement for /dev/log or is that parameter used to specify another socket that is in addition to /dev/log as an input source? I assume that SysSock.Use defaults to /dev/log, but if SysSock.Name is specified, does

[rsyslog] Who manages the Rsyslog documentation on Read the Docs?

2017-12-06 Thread deoren
Is this something that the Rsyslog team manages or is it someone at the Read the Docs team that manages the content? I ask because it appears that the version of the docs (stable, latest) available there are outdated and I wanted to make sure to report the issue to the correct place. Thanks.

Re: [rsyslog] Who manages the Rsyslog documentation on Read the Docs?

2017-12-13 Thread deoren
On 12/13/2017 8:55 AM, Lars Kellogg-Stedman via rsyslog wrote: On Wed, Dec 6, 2017 at 7:22 PM, David Lang wrote: On Wed, 6 Dec 2017, deoren wrote: Is this something that the Rsyslog team manages or is it someone at the Read the Docs team that manages the content? It's someone on

Re: [rsyslog] klogLocalIPIF

2017-12-20 Thread deoren
On 12/14/2017 8:19 PM, Rory Toma wrote: I have put in $ModLoad imklog $klogLocalIPIF eth0 in my rsyslog.conf file (8.30.0) However, rsyslogd: invalid or yet-unknown config file command 'klogLocalIPIF' - have you forgotten to load a module? [v8.30.0 try http://www.rsyslog.com/e/3003 ] appears

Re: [rsyslog] klogLocalIPIF

2017-12-21 Thread deoren
On 12/20/2017 4:24 AM, deoren wrote: > On 12/14/2017 8:19 PM, Rory Toma wrote: >> I have put in >> $ModLoad imklog >> $klogLocalIPIF eth0 >> >> in my rsyslog.conf file (8.30.0) However, >> rsyslogd: invalid or yet-unknown config file command 'klogL

Re: [rsyslog] Imkafka/omkafka tuning

2017-12-23 Thread deoren
On 12/22/2017 9:52 AM, Luigi Tagliamonte via rsyslog wrote: > Hi there! > What are the tunable parameters for this module, like: > - an option to increase the number of threads for kafka processing > - number of messages to process per req. > - etc.. > Regards > L. Module docs: * http://www.rs

Re: [rsyslog] Error with omkafka

2017-12-23 Thread deoren
On 12/21/2017 1:10 PM, Andrew Akins via rsyslog wrote: > I was wondering if anyone had seen this. I’m running rsyslog on Alpine Linux, > deployed as a container. Rsyslog was built from source, and is version 8.31.0 > > Basically, initialization of a omkafka message is failing: > > 2648.0276888

[rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-07 Thread deoren
Hi all, I'd like to get your feedback on some proposed formatting changes to the imuxsock module doc. I mention my preference below, but the end goal is to standardize the formatting and make the docs easier to work with, so my personal preferences can take a backseat in the scheme of things. ;)

Re: [rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-08 Thread deoren
contributions without a set of standards in place. Everything from typos, to clarifications of content to adding missing coverage. I'm still learning the ins/outs of everything (including Git), but I'd be happy to answer any questions that I'm able to. Just mention me (e.g., "

Re: [rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-08 Thread deoren
On 1/8/2018 3:30 AM, Simon Lundström wrote: On Sun, 2018-01-07 at 23:56:27 -0600, deoren wrote: Hi all, I'd like to get your feedback on some proposed formatting changes to the imuxsock module doc. I mention my preference below, but the end goal is to standardize the formatting and mak

Re: [rsyslog] Request: Feedback on parameter formats for rsyslog module docs

2018-01-08 Thread deoren
On 1/8/2018 9:22 AM, deoren wrote: On 1/8/2018 9:11 AM, Andrew Griffin via rsyslog wrote: This looks great, I love it! Can someone refresh my memory on the process for contributing to the documentation?  I’d like to chip in Andrew Griffin Thanks for the feedback. Do I understand your

[rsyslog] Is there an advanced/current/RainerScript version of the obsolete legacy ActionFileDefaultTemplate directive?

2018-01-12 Thread deoren
I'm looking through the docs and I haven't spotted it. Thanks.

Re: [rsyslog] Is there an advanced/current/RainerScript version of the obsolete legacy ActionFileDefaultTemplate directive?

2018-01-16 Thread deoren
On 1/12/2018 2:43 PM, deoren wrote: I'm looking through the docs and I haven't spotted it. I think I answered my own question: module(load="builtin:omfile" template="RSYSLOG_FileFormat") or just: module(load="builtin:omfile") if I am fine with t
