Re: [rsyslog] RHEL-7.9 rsyslog with FileOwner

2024-06-01 Thread Rainer Gerhards via rsyslog
I have looked into the log. The group name is actually not resolvable.
The debug log has no more information, but from the config given it
shows that you provide what looks like the group ID (2000) and not the
name ("examplegroup"). Thus resolution seems to fail.

Use

$FileGroupNum 2000

instead. Or, better, use the new-style format. Please also note the doc for omfile:

https://www.rsyslog.com/doc/configuration/modules/omfile.html

HTH
Rainer

PS: thread history deleted, there seems to have been a large file
inside it, that prevented me from posting on the ML.
___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
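
Added example, not part of the list post: a small check that resolves the legacy `$FileGroup` / `$FileGroupNum` directives the way rsyslog does (name through the system group database, number without any lookup), so the "group name not resolvable" outcome above is reproducible. The linter, the sample config and the fake group table are constructed for this example; the directive names and the omfile `fileGroup` / `fileGroupNum` parameters are rsyslog's.

```python
"""Added example (not from the rsyslog list post): resolve $FileGroup vs
$FileGroupNum the way rsyslog's legacy directives do.

$FileGroup / $FileOwner take a *name* and resolve it through the system
group/user database; $FileGroupNum / $FileOwnerNum take a numeric id and do
no lookup. A digit string handed to the name variant is looked up literally
as a name, which is why "$FileGroup 2000" is reported as not resolvable.
"""
import grp
from typing import Any, Callable, Dict, List, Optional

GroupLookup = Callable[[str], Optional[int]]


def system_group_lookup(name: str) -> Optional[int]:
    """Resolve a group name via the host's group database (getgrnam)."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def resolve_group_directive(directive: str, value: str,
                            lookup: GroupLookup = system_group_lookup) -> Dict[str, Any]:
    """Return {"ok", "gid", "message"} for one legacy file-group directive."""
    if directive == "$FileGroupNum":
        if not value.isdigit():
            return {"ok": False, "gid": None,
                    "message": f"{directive} needs a numeric id, got {value!r}"}
        return {"ok": True, "gid": int(value), "message": "numeric gid, no lookup"}
    if directive == "$FileGroup":
        gid = lookup(value)
        if gid is not None:
            return {"ok": True, "gid": gid, "message": f"group {value!r} -> gid {gid}"}
        hint = (f"; value looks like a gid, use '$FileGroupNum {value}' "
                f"(new style: fileGroupNum=\"{value}\" on the omfile action)"
                if value.isdigit() else "")
        return {"ok": False, "gid": None,
                "message": f"group name {value!r} is not resolvable{hint}"}
    return {"ok": False, "gid": None, "message": f"unknown directive {directive}"}


def lint_file_group_lines(config: str,
                          lookup: GroupLookup = system_group_lookup) -> List[str]:
    """Scan a legacy-format config and report every $FileGroup/$FileGroupNum problem."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        parts = raw.split(None, 1)
        if len(parts) == 2 and parts[0] in ("$FileGroup", "$FileGroupNum"):
            res = resolve_group_directive(parts[0], parts[1].strip(), lookup)
            if not res["ok"]:
                findings.append(f"line {lineno}: {res['message']}")
    return findings


# Constructed sample: the directive as posted, the fix, and a real group name.
SAMPLE_CONFIG = """\
$FileGroup 2000
$FileGroupNum 2000
$FileGroup examplegroup
"""

# Constructed group database so the example runs the same on any host.
FAKE_GROUPS = {"examplegroup": 2000, "adm": 4}


def fake_lookup(name: str) -> Optional[int]:
    return FAKE_GROUPS.get(name)


if __name__ == "__main__":
    for finding in lint_file_group_lines(SAMPLE_CONFIG, fake_lookup):
        print(finding)
```

Run against the live system by leaving the `lookup` argument at its default; the same mistake in new-style syntax (`fileGroup="2000"` instead of `fileGroupNum="2000"`) fails for the same reason.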


Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs rsyslog_queue_discarded_full_counter?

2024-05-31 Thread Rainer Gerhards via rsyslog
Plus we wait a bit (pushback to sender) when the next messages come in. But
all depends on queue config.

Rainer

Sent from phone, thus brief.

David Lang via rsyslog wrote on Fri., 31 May 2024, 19:44:

> when the queue hits full, you aren't yet losing a message, it's the next
> message that arrives while the queue is full that is lost.
>
> David Lang
>


Re: [rsyslog] why is my config ignored

2024-05-30 Thread Rainer Gerhards via rsyslog
I'd say the logger doc is incomplete. Obviously, the value given via
-t is just *the beginning of the tag* and logger itself adds PID after
it to the tag. Problems like these were on our mind when we defined
RFC 5424 with its PROGNAME field.

HTH
Rainer

On Wed, 29 May 2024 at 23:28, sacawulu via rsyslog
() wrote:

>
> ok...
>
> but then... what's the use of being able to assign a tag with "logger -t
> TAG" when that tag cannot be used later on to do something with it?
>
> syslogtag, isequal... is not meant as a logical duo with "logger -t"?
>
> More tomorrow.
>
> Goodnight!
>
> On 29-05-2024 at 23:07, Mariusz Kruk via rsyslog wrote:
> > See your logged event. You're matching against a string
> > "intruder_lockout:" but your event is logged with a PID added to the
> > progname so you have "intruder_lockout[]:" so your condition doesn't
> > match.
> >
> >
> > On May 29, 2024 12:51:41 PM UTC, cyusedfzfb via rsyslog
> >  wrote:
> >
> >  I have found that when using programname to match, it DOES work.
> >
> >  Why would this line:
> >
> >  logger -t intruder_lockout -p local4.info "this account is now
> >  locked out"
> >
> >  not match when filtering to match syslogtag isequal
> > "intruder_lockout"?
> >
> >  Anyway...I am (finally) able to proceed.
> >
> >  Still hope someone can explain the observed behaviour.
> >
> >  MJ
> >
> >  On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:
> >
> >  It's impossible to answer that without knowing your full config.
> >  My guess would be that your syslog.d contents are included at
> >  the end of the main config file and your event matches a
> >  different disposition first so it's matched to another action
> >  and the processing is stopped there not reaching your rule.
> >
> >  On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:
> >
> >  Hi all!
> >
> >  I am generating log messages from a script with a syslogtag,
> >  like this:
> >
> >  ]# logger -t intruder_lockout -p local4.info "this account
> >  is now locked out"
> >
> >  Next I'm trying to filter these logs, based on syslogtag to
> >  a separate file. (on RHEL9, with rsyslogd 8.2102.0-117.el9
> >  (aka 2021.02))
> >
> >  To do that, I created the configfile
> >  /etc/rsyslog.d/0_intruder_lockout_log.conf with this contents:
> >
> >  :syslogtag, isequal, "intruder_lockout:"
> >  /var/log/intruder_lockout.log
> >  & stop
> >
> >  But the logger messages continue to end-up in the regular
> >  /var/log/messages.
> >
> >  My config file *is* processed:
> >
> >  ]# rsyslogd -N1 -d | grep intruder
> >
> >  9648.534580052:main thread: rainerscript.c: PROPFILT
> >  9648.534581695:main thread: rainerscript.c:
> >  Property.: 'syslogtag'
> >  9648.534584550:main thread: rainerscript.c:
> >  Operation: 'isequal'
> >  9648.534587716:main thread: rainerscript.c:
> >  Value: 'intruder_lockout:'
> >  9648.534589259:main thread: rainerscript.c: THEN
> >  9648.534590852:main thread: rainerscript.c:   ACTION 2
> >  [builtin:omfile:/data/log/intruder_lockout.log]
> >  9648.534593647:main thread: rainerscript.c:   STOP
> >  9648.534596272:main thread: rainerscript.c: END PROPFILT
> >
> >  I have also disabled selinux for testing, just to make sure
> >  that is not getting in my way.
> >
> >  Anyone here with some input to help me on my way..? Why is
> >  this not working?!
> >
> >  Thanks!
> >

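Added example, not part of the list thread: a parser for a BSD-format syslog line that derives `syslogtag` and `programname` the way rsyslog names them, then applies both filter styles from the thread. It shows why `:syslogtag, isequal, "intruder_lockout:"` misses a tag that arrives as `intruder_lockout[PID]:` (the full TAG, colon included, is compared) while a `programname` comparison hits it. The parser and the sample lines are constructed for this example; the property names are rsyslog's.

```python
"""Added example (not from the list thread): syslogtag vs programname.

rsyslog's `syslogtag` is the whole TAG as received, trailing colon included,
e.g. "intruder_lockout[4242]:"; `programname` is the static part of the TAG
as BSD syslogd defines it, e.g. "intruder_lockout". The regex below is a
simplified BSD-line parser written for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines: the poster's tag as it arrived (with a PID), the
# same tag without a PID, and an unrelated sshd line.
SAMPLE_LINES = [
    "<166>May 29 12:51:41 host1 intruder_lockout[4242]: this account is now locked out",
    "<166>May 29 12:51:42 host1 intruder_lockout: this account is now locked out",
    "<38>May 29 12:51:43 host1 sshd[911]: Accepted publickey for alice from 203.0.113.7",
]

# <PRI>TIMESTAMP HOST TAG MSG; TAG is read up to and including the first ':'
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^ :]+:?) ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    hostname: str
    syslogtag: str    # full TAG, colon included, e.g. "sshd[911]:"
    programname: str  # static part of the TAG, e.g. "sshd"
    msg: str


def programname_of(tag: str) -> str:
    """Static part of the TAG: drop the trailing colon and any "[pid]" suffix."""
    return tag.rstrip(":").split("[", 1)[0]


def parse_bsd_line(line: str) -> Optional[SyslogEvent]:
    m = BSD_LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return SyslogEvent(
        facility=pri >> 3,      # 166 >> 3 == 20 == local4
        severity=pri & 7,       # 166 & 7 == 6 == info
        hostname=m.group("host"),
        syslogtag=m.group("tag"),
        programname=programname_of(m.group("tag")),
        msg=m.group("msg"),
    )


def route(lines: List[str], tag_value: str, prog_value: str) -> Dict[str, List[str]]:
    """Apply both filter styles from the thread; report which lines each selects."""
    by_tag, by_prog = [], []
    for line in lines:
        ev = parse_bsd_line(line)
        if ev is None:
            continue
        if ev.syslogtag == tag_value:      # :syslogtag, isequal, "intruder_lockout:"
            by_tag.append(ev.msg)
        if ev.programname == prog_value:   # :programname, isequal, "intruder_lockout"
            by_prog.append(ev.msg)
    return {"syslogtag_isequal": by_tag, "programname_isequal": by_prog}


if __name__ == "__main__":
    for ev in map(parse_bsd_line, SAMPLE_LINES):
        print(f"tag={ev.syslogtag!r:28} programname={ev.programname!r}")
    print(route(SAMPLE_LINES, "intruder_lockout:", "intruder_lockout"))
```

Only the PID-less line satisfies the exact `syslogtag` comparison, while both `intruder_lockout` lines satisfy the `programname` one; a `syslogtag startswith "intruder_lockout"` filter would also match both, at the cost of also matching any tag that merely begins with that string.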
Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-29 Thread Rainer Gerhards via rsyslog
remove all TLS settings, as you do not use TLS from rsyslog PoV. Quick
review brings up:

$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 0

Rainer

On Wed, 29 May 2024 at 12:35, Kathy Lyons () wrote:
>
> Thanks.  I have removed that line from my files.  When I restart rsyslog, I 
> get this error:
>
>  authentication not supported by ptcp netstream driver.
>
> Are there other lines I should remove?  Is the ptcp netstream driver the 
> default?
>
> David, when I run tcpdump for the port 12345 on both client and server I see 
> data on both devices.  Do I not need a TCP connection data for both the 
> client and server?
>
> On Wed, May 29, 2024 at 5:45 AM Rainer Gerhards  
> wrote:
>>
>> Mode 0 indeed does turn any encryption off. It's primarily there for
>> technical reasons, and it is the default.
>>
>> I strongly advise against defining encryption settings and then
>> disabling them this way.
>>
>> Rainer
>>
>> On Wed, 29 May 2024 at 11:26, David Lang via rsyslog
>> () wrote:
>> >
>> > On Wed, 29 May 2024, Kathy Lyons wrote:
>> >
>> > > which part sets encryption?  I thought these options set encryption to 0,
>> > > or disabled.
>> >
>> > leave out all the encryption settings to have them be disabled, setting 
>> > the mode
>> > to anon turns on encryption, but accepting any cert.
>> >
>> > David Lang
>> >
>> > > On Tue, May 28, 2024 at 6:09 PM David Lang  wrote:
>> > >
>> > >> On Tue, 28 May 2024, Kathy Lyons wrote:
>> > >>
>> > >>
>> > >> let's simplify this to the minimum needed
>> > >>
>> > >>> *Server**
>> > >>>
>> > >>> # I've tried both with and without the line below
>> > >>> $ModLoad imtcp
>> > >>> $InputTCPServerRun 12345
>> > >>> $template LDSTag, "<%PRI>%TIMESTAMP [nameofsystem] %syslog% %msg%"
>> > >>> # 10.50.x.x is where the server sends its local data and that of the
>> > >> clients via udp port 514
>> > >>> if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
>> > >>> 
>> > >>> auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.*
>> > >> @10.50.x.x;LDSTag
>> > >>>
>> > >>>
>> > >>> **Client**
>> > >>>
>> > >>> *#*I've tried both with and without the line below
>> > >>> $ModLoad imtcp
>> > >>> $template LDSTag,"<%PRI>%TIMESTAMP [PUBLIC_IP] %syslog% %msg%"
>> > >>> #Send Settings
>> > >>> auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.*
>> > >>> @@10.10.10.10.1:12345;LDSTmpl
>> > >>
>> > >> also note that the format of setting a bunch of $foo lines that then
>> > >> affect
>> > >> future lines is discouraged, it's better to use the newer action() 
>> > >> syntax
>> > >> that
>> > >> sets all those things explicitly in the one place.
>> > >>
>> > >> David Lang
>> > >>
>> > >>>
>> > >>> On 5/28/2024 5:42 PM, David Lang wrote:
>> >  your message is badly linewrapped, can you please try again?
>> > 
>> >  also note that while you can ping between the systems, that doesn't
>> > >> mean
>> >  that port 514 (TCP or UDP) can get through, either due to firewalls at
>> > >> the
>> >  network layer or iptables on the systems
>> > 
>> >  David Lang
>> > 
>> > >>>
>> > >>
>> > >

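Added example, not part of the list thread: a consistency check over the legacy imtcp/netstream directives discussed above. It reproduces both outcomes from the thread: an `AuthMode` set while the driver is still the default `ptcp` (rsyslog then refuses to start with "authentication not supported by ptcp netstream driver"), and TLS material declared together with `StreamDriverMode 0`, which sends plaintext. The directive names are rsyslog's; the checker and the three sample configs are constructed for this example.

```python
"""Added example (not from the list thread): lint legacy imtcp transport
settings for the two mistakes discussed in the thread.

Facts relied on: ptcp is rsyslog's default netstream driver, and
$InputTCPServerStreamDriverMode defaults to 0 (no encryption). Everything
else here is constructed for the example.
"""
from typing import Dict, List, Tuple

TLS_MATERIAL = {
    "$DefaultNetstreamDriverCAFile",
    "$DefaultNetstreamDriverCertFile",
    "$DefaultNetstreamDriverKeyFile",
}


def parse_legacy_directives(config: str) -> Dict[str, str]:
    """Collect '$Directive value' lines; the last occurrence wins, as rsyslog applies them in order."""
    seen: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("$"):
            parts = line.split(None, 1)
            seen[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return seen


def check_imtcp_transport(config: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; an empty list means the settings are consistent."""
    d = parse_legacy_directives(config)
    driver = d.get("$DefaultNetstreamDriver", "ptcp")       # ptcp is the default driver
    mode = d.get("$InputTCPServerStreamDriverMode", "0")    # 0 (plain) is the default mode
    auth = d.get("$InputTCPServerStreamDriverAuthMode")
    material = TLS_MATERIAL.intersection(d)
    findings: List[Tuple[str, str]] = []
    if auth is not None and driver == "ptcp":
        findings.append(("error",
                         "authentication not supported by ptcp netstream driver: AuthMode needs a "
                         "TLS driver ($DefaultNetstreamDriver gtls) or must be removed"))
    if mode == "0" and (driver != "ptcp" or material or auth is not None):
        findings.append(("warning",
                         "TLS settings present but StreamDriverMode 0 sends plaintext: remove the TLS "
                         "lines if the tunnel (e.g. WireGuard) provides confidentiality, or set "
                         "$InputTCPServerStreamDriverMode 1"))
    return findings


# Constructed configs mirroring the thread.
CONFIG_AS_POSTED = """\
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 0
$InputTCPServerRun 12345
"""

CONFIG_TLS_DECLARED_BUT_OFF = """\
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$InputTCPServerStreamDriverMode 0
$InputTCPServerRun 12345
"""

CONFIG_PLAIN_OVER_TUNNEL = """\
$ModLoad imtcp
$InputTCPServerRun 12345
"""

if __name__ == "__main__":
    for name, cfg in [("as posted", CONFIG_AS_POSTED),
                      ("tls declared, mode 0", CONFIG_TLS_DECLARED_BUT_OFF),
                      ("plain over tunnel", CONFIG_PLAIN_OVER_TUNNEL)]:
        print(name, "->", check_imtcp_transport(cfg) or "consistent")
```

The third config is what Rainer's advice amounts to when the WireGuard tunnel carries the confidentiality: no TLS directives at all, so nothing can be silently switched off by a stray mode setting.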
Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-29 Thread Rainer Gerhards via rsyslog
Mode 0 indeed does turn any encryption off. It's primarily there for
technical reasons, and it is the default.

I strongly advise against defining encryption settings and then
disabling them this way.

Rainer

On Wed, 29 May 2024 at 11:26, David Lang via rsyslog
() wrote:
>
> On Wed, 29 May 2024, Kathy Lyons wrote:
>
> > which part sets encryption?  I thought these options set encryption to 0,
> > or disabled.
>
> leave out all the encryption settings to have them be disabled, setting the 
> mode
> to anon turns on encryption, but accepting any cert.
>
> David Lang
>
> > On Tue, May 28, 2024 at 6:09 PM David Lang  wrote:
> >
> >> On Tue, 28 May 2024, Kathy Lyons wrote:
> >>
> >>
> >> let's simplify this to the minimum needed
> >>
> >>> *Server**
> >>>
> >>> # I've tried both with and without the line below
> >>> $ModLoad imtcp
> >>> $InputTCPServerRun 12345
> >>> $template LDSTag, "<%PRI>%TIMESTAMP [nameofsystem] %syslog% %msg%"
> >>> # 10.50.x.x is where the server sends its local data and that of the
> >> clients via udp port 514
> >>> if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
> >>> 
> >>> auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.*
> >> @10.50.x.x;LDSTag
> >>>
> >>>
> >>> **Client**
> >>>
> >>> *#*I've tried both with and without the line below
> >>> $ModLoad imtcp
> >>> $template LDSTag,"<%PRI>%TIMESTAMP [PUBLIC_IP] %syslog% %msg%"
> >>> #Send Settings
> >>> auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.*
> >>> @@10.10.10.10.1:12345;LDSTmpl
> >>
> >> also note that the format of setting a bunch of $foo lines that then
> >> affect
> >> future lines is discouraged, it's better to use the newer action() syntax
> >> that
> >> sets all those things explicitly in the one place.
> >>
> >> David Lang
> >>
> >>>
> >>> On 5/28/2024 5:42 PM, David Lang wrote:
>  your message is badly linewrapped, can you please try again?
> 
>  also note that while you can ping between the systems, that doesn't
> >> mean
>  that port 514 (TCP or UDP) can get through, either due to firewalls at
> >> the
>  network layer or iptables on the systems
> 
>  David Lang
> 
> >>>
> >>
> >

Re: [rsyslog] Problem with omprog

2024-05-25 Thread Rainer Gerhards via rsyslog
Mmmhhh.. usually when things are written to stdout, it's a container system.

Which rsyslog version is it?

$ rsyslogd -v

Rainer

Sent from phone, thus brief.

Mårten wrote on Sat., 25 May 2024, 21:14:

> No, it's not a container
> It is a full configuration for the gate opener in rsyslog.d
> Operating system is raspbian on  raspberry 2b.
> Gatekeeper is a fanvill door phone.
>
>
>
> Mårten Persson
> Räften 272
> 24791 södra sandby
>
>
>
>  Original message 
> From: Rainer Gerhards 
> Date: 2024-05-25 20:41 (GMT+01:00)
> To: rsyslog-users 
> Cc: Mårten Persson 
> Subject: Re: [rsyslog] Problem with omprog
>
> Is this a Container?
>
> Sent from phone, thus brief.
>
> Mårten Persson via rsyslog wrote on Sat.,
> 25 May 2024, 07:35:
>
>> No errors in any log file when I restart rsyslog with the following:
>>
>> $template gateopener, "/var/log/fanvil.log"
>> if $fromhost-ip startswith "192.168.1.10" then -?gateopener
>>
>> module(load="omprog")
>> template(name="logmsg" type="string" string="%msg%")
>> if $msg contains "door1" then {
>> action( type="omprog"
>> binary="/usr/local/bin/test.sh"
>> output="/var/log/testlog"
>> template="logmsg")
>> }
>>
>> The first part is old and working properly, the second part is new and
>> not doing what it is intended to do... Yes it will filter out the
>> message on "door1" but here is the funny part... Binary is not
>> executed, but the msg is printed out on console.
>> So I suspected that omprog didn't exist.
>>
>> Regards Mårten
>>
>>
>>
>> On Fri, 2024-05-24 at 13:08 -0700, David Lang wrote:
>> > If you specify omprog in your config and then try to start rsyslog,
>> > do you get
>> > any error messages? if the omprog module is not installed, you should
>> > get an
>> > error trying to load it.
>> >
>> > David Lang
>> >
>> >   On Fri, 24 May 2024, Mårten Persson via rsyslog wrote:
>> >
>> > > Date: Fri, 24 May 2024 21:03:56 +0200
>> > > From: Mårten Persson via rsyslog 
>> > > To: rsyslog-users 
>> > > Cc: Mårten Persson 
>> > > Subject: [rsyslog] Problem with omprog
>> > >
>> > > Hi,
>> > > Running raspbian and can't get the omprog to work..
>> > > I suspect that omprog itself may not be my problem but it might be
>> > > missing instead.
>> > > Looked through the source and saw config options...
>> > > So my quick question at this point would be:
>> > > Is there a way to find out if my rsyslog supports omprog and if
>> > > the
>> > > module exists?
>> > >
>> > > Regards, Mårten
>> > >
>> > > --
>> > > Mårten Persson
>> > > Räften 272
>> > > 24791 Södra Sandby
>> > > +46707311298

Re: [rsyslog] Problem with omprog

2024-05-25 Thread Rainer Gerhards via rsyslog
Is this a Container?

Sent from phone, thus brief.

Mårten Persson via rsyslog wrote on Sat., 25
May 2024, 07:35:

> No errors in any log file when I restart rsyslog with the following:
>
> $template gateopener, "/var/log/fanvil.log"
> if $fromhost-ip startswith "192.168.1.10" then -?gateopener
>
> module(load="omprog")
> template(name="logmsg" type="string" string="%msg%")
> if $msg contains "door1" then {
> action( type="omprog"
> binary="/usr/local/bin/test.sh"
> output="/var/log/testlog"
> template="logmsg")
> }
>
> The first part is old and working properly, the second part is new and
> not doing what it is intended to do... Yes it will filter out the
> message on "door1" but here is the funny part... Binary is not
> executed, but the msg is printed out on console.
> So I suspected that omprog didn't exist.
>
> Regards Mårten
>
>
>
> On Fri, 2024-05-24 at 13:08 -0700, David Lang wrote:
> > If you specify omprog in your config and then try to start rsyslog,
> > do you get
> > any error messages? if the omprog module is not installed, you should
> > get an
> > error trying to load it.
> >
> > David Lang
> >
> >   On Fri, 24 May 2024, Mårten Persson via rsyslog wrote:
> >
> > > Date: Fri, 24 May 2024 21:03:56 +0200
> > > From: Mårten Persson via rsyslog 
> > > To: rsyslog-users 
> > > Cc: Mårten Persson 
> > > Subject: [rsyslog] Problem with omprog
> > >
> > > Hi,
> > > Running raspbian and can't get the omprog to work..
> > > I suspect that omprog itself may not be my problem but it might be
> > > missing instead.
> > > Looked through the source and saw config options...
> > > So my quick question at this point would be:
> > > Is there a way to find out if my rsyslog supports omprog and if
> > > the
> > > module exists?
> > >
> > > Regards, Mårten
> > >
> > > --
> > > Mårten Persson
> > > Räften 272
> > > 24791 Södra Sandby
> > > +46707311298

Re: [rsyslog] Stop actions

2024-05-24 Thread Rainer Gerhards via rsyslog
pls show your complete config. I guess the ruleset is not bound to
anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
never activated for these messages.

Rainer

On Fri, 24 May 2024 at 13:43, Thomas Raef
() wrote:
>
> I changed it to:
>
> ruleset(name="drop") {
> if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or 
> ($rawmsg contains "/bb-plugin/cache") then {
> stop
> }
> }
>
> But the messages still show up.
>
> If the message is malformed, what can I do?
>
> This is one such message I'm still getting:
>
> "message": type=PATH msg=audit(1715691166.683:1235018): item=1 
> name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
>  inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 
> OUID=\"[redacted\" OGID=\"redacted\"
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn
> Facebook
>
>
>
> On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards  
> wrote:
>>
>> I guess the message is malformed and the string you look for is inside
>> another field.
>>
>> I would suggest that you use "$rawmsg" instead of "$msg". If that
>> works, a) we are on the right track and b) you actually solved the
>> issue, albeit probably not in the best possible way.
>>
>> HTH
>> Rainer
>>
>> On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog
>> () wrote:
>> >
>> > I have rules setup but I want to ignore all entries like this:
>> >
>> >  "message": type=PATH msg=audit(1715687344.694:1226486): item=3
>> > name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
>> > inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
>> > nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>> > OUID=\"[redacted]\" OGID=\"[redacted]\"
>> >
>> > I want to ignore all entries that have temp-write-test- in the message.
>> >
>> > I've tried:
>> >
>> > :msg, contains, "temp-write-test-" stop
>> >
>> >
>> >
>> > But I continually get messages with that string in them. I've tried it with
>> > that as the first rule.
>> >
>> >
>> > And I've tried this as well:
>> >
>> >
>> > ruleset(name="drop") {
>> > if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg
>> > contains "/bb-plugin/cache") then {
>> > stop
>> > }
>> > }
>> >
>> > input(type="imfile"
>> > File="/var/log/audit/audit.log"
>> > Tag="audit_logs"
>> > ruleset="drop"
>> > reopenOnTruncate="on"
>> > )
>> >
>> >
>> > Nothing works.
>> >
>> >
>> > Can anyone shed some light? Please?
>> >
>> >
>> > Thomas J. Raef
>> > Founder, WeWatchYourWebsite.com
>> > http://wewatchyourwebsite.com
>> > tr...@wewatchyourwebsite.com
>> > LinkedIn 
>> > Facebook 

Re: [rsyslog] Stop actions

2024-05-24 Thread Rainer Gerhards via rsyslog
I guess the message is malformed and the string you look for is inside
another field.

I would suggest that you use "$rawmsg" instead of "$msg". If that
works, a) we are on the right track and b) you actually solved the
issue, albeit probably not in the best possible way.

HTH
Rainer

On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog
() wrote:
>
> I have rules setup but I want to ignore all entries like this:
>
>  "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> OUID=\"[redacted]\" OGID=\"[redacted]\"
>
> I want to ignore all entries that have temp-write-test- in the message.
>
> I've tried:
>
> :msg, contains, "temp-write-test-" stop
>
>
>
> But I continually get messages with that string in them. I've tried it with
> that as the first rule.
>
>
> And I've tried this as well:
>
>
> ruleset(name="drop") {
> if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg
> contains "/bb-plugin/cache") then {
> stop
> }
> }
>
> input(type="imfile"
> File="/var/log/audit/audit.log"
> Tag="audit_logs"
> ruleset="drop"
> reopenOnTruncate="on"
> )
>
>
> Nothing works.
>
>
> Can anyone shed some light? Please?
>
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn 
> Facebook 

Re: [rsyslog] RHEL-7.9 rsyslog with FileOwner

2024-04-15 Thread Rainer Gerhards via rsyslog
Which error messages do you see?

Rainer

Sent from phone, thus brief.

warron.french via rsyslog wrote on Mon., 15
Apr. 2024, 15:52:

> At Mariusz, my apologies for not replying earlier, somehow Google Mail
> crunched your reply in the thread so that I did not see it (*laziness on my
> part I guess, I have been extremely busy at work*).
>
> I just executed *ps -ef | egrep rsyslog* and see that rsyslog is running as
> root.  Can I assume that I should be able to use the $FileOwner and
> $FileGroup directives without issue?
>
> Also sir, for clarification, when I attempt to leave those directives (in
> the picture provided earlier in the thread) intact and then restart
> rsyslogd, it simply will not successfully restart.  It's bombing because of
> those directives.
>
> Is there any chance I am using them in an incorrect syntax context?  Where
> can I find the documentation that is specific to my rsyslog version on the
> internet since the documentation is not in the RPM installed?
>
>
>
> --
> Warron French
>
>
>
> On Sat, Apr 6, 2024 at 2:39 AM Mariusz Kruk via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
> > Also remember that in Linux system (quoting the man 2 chown):
> >
> > Only a privileged process (Linux: one with the CAP_CHOWN
> > capability) may change the owner of a file.  The owner of a file may
> > change  the group of the file to any group of which that owner
> > is a member.  A privileged process (Linux: with CAP_CHOWN) may
> > change the group arbitrarily.
> >
> > So if your rsyslogd is an unprivileged process (it does not have
> > CAP_CHOWN granted explicitly and it does not run as root user), you won'
> > be able to create files as a different user.
> >
> > MK
> >
> > On 6.04.2024 07:20, David Lang via rsyslog wrote:
> > > if you are using the action() syntax, you set the ownership as part of
> > > the action.
> > >
> > > if you post your full config (including included files) we can better
> > > guess what's wrong with it.
> > >
> > > David Lang
> > >
> > > On Sat, 6 Apr 2024, warron.french via rsyslog wrote:
> > >
> > >> I am running multiple servers on RHEL-7.9 at work and with no option
> to
> > >> upgrade to a newer major version.
> > >>
> > >> I have a server collecting (consolidating) logs from other (remote)
> > >> servers
> > >> and need to store the various independently generated logfiles but
> > >> also set
> > >> the Group-owner to something other than root.
> > >>
> > >> I thought the proper syntax to do this was to set:
> > >> $FileOwner   somegroup
> > >>
> > >> But rsyslogd upon restart fails to accept this directive.
> > >>
> > >> Can someone tell me what directive I should be using because
> > >> attempting to
> > >> find the Rsyslog documentation specific to my RHEL-7.9 in combination
> to
> > >> answering this query at *rsyslog.com  *
> > >> is not proving to be useful.
> > >>
> > >> Thank you in advance for your assistance,
> > >>
> > >> --
> > >> Warron French

Re: [rsyslog] Possibility to introduce a new log crypto provider

2024-04-15 Thread Rainer Gerhards via rsyslog
Sounds good to me, as long as everything is backwards-compatible ;-)

Else we need to discuss pros and cons (I guess there are a lot of pros!)

Rainer

On Mon, 15 Apr 2024 at 11:55, Attila Lakatos via rsyslog
() wrote:

>
> Hello,
>
> Currently, log messages written to files can undergo encryption using the
> libgcrypt cryptographic library [1]. This works fine, logs can be encoded
> and successfully decoded but I think the library has some drawbacks:
>
>- algorithms are hardcoded, if someone would want to use something else,
>then they would need to request it first
>- the same applies to the algorithm mode
>- If I am not mistaken, the libgcrypt library is part of rsyslog only
>for this purpose -> adds extra dependency that maintainers need to cover
>
> I would like to ask if there is any chance that a new crypto provider will
> be part of the project in the future? For example openssl (or gnutls) could
> provide the same functionality and it could reduce the amount of
> dependencies the project currently has. I would gladly craft a patch or two.
> What do you think?
>
> [1] https://www.rsyslog.com/doc/configuration/cryprov_gcry.html
>
> Attila
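
For readers who want to see what the libgcrypt-based setup under discussion looks like in practice, here is an added example (mine, not from the thread or the rsyslog project) of an omfile action that encrypts at write time through the cryprov_gcry provider. The parameter names follow the omfile and cryprov_gcry documentation as I read it; the key path, log file name and the AES256/CBC choice are assumptions for illustration.

```conf
# Added example, not from the thread. Encrypt one log file at write
# time with the libgcrypt crypto provider (cryprov_gcry). Paths and
# the algorithm/mode choice are assumptions.
module(load="omfile")

# cry.keyfile : raw key bytes, no header or metadata. Whoever can read
#               this file can decrypt the log, so keep it 0600 and owned
#               by the user rsyslog runs as. (cry.key, which puts the key
#               into rsyslog.conf itself, is a testing aid only.)
# cry.algo    : algorithm names as libgcrypt spells them (AES128 is the
#               default, AES256 used here). Only what the provider
#               exposes is accepted, which is the limitation raised in
#               this thread.
# cry.mode    : block mode; CBC is the default.
# rsyslog writes the ciphertext to "file" and a companion ".encinfo"
# side file with the IVs that the rscryutil tool needs for decryption.
action(type="omfile"
       file="/var/log/auth-encrypted.log"
       cry.provider="gcry"
       cry.keyfile="/etc/rsyslog.d/keys/auth.key"
       cry.algo="AES256"
       cry.mode="CBC")
```

Two practical checks: verify with `ls -l` that the key file is not group- or world-readable, and decrypt a sample with rscryutil before relying on the setup, since a wrong algo/mode pair only shows up at decryption time.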

Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread Rainer Gerhards via rsyslog
This sounds like you are looking for

action.execOnlyOnceEveryInterval="3600"

for the action in question.

Doc:
https://www.rsyslog.com/doc/configuration/actions.html

Sample use in the ommail doc:
https://www.rsyslog.com/doc/configuration/modules/ommail.html

HTH
Rainer

On Mon, 8 Apr 2024 at 8:36, Prasad Koya via rsyslog wrote:
>
> Thanks for the replies.
>
> My requirement is that I have a daemon that may generate a burst of
> syslogs, say, every minute (when a certain subsystem is overloaded).
> We do not want to write all these syslogs to /var/log/messages. We
> also do not want to forward so many of those syslogs to a remote
> syslog server. We wanted to rate limit them, maybe 1 per hour or so.
> For now, I have tried 'omprog' module and sending such syslogs to an
> external program.
>
>
> module( load="omprog" )
>
> if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then {
>   action(type="omprog"
>  binary="/usr/bin/rate_limit_daemon_syslogs.sh"
>  template="RSYSLOG_FileFormat")
>   stop
> }
>
> /usr/bin/rate_limit_daemon_syslogs.sh maintains state on when was the
> last syslog forwarded or written locally. If this script decides its
> ok to syslog, then it will call 'logger' with differently worded
> message and different facility.
>
> In our case we'd like to limit these logs at the source and not at an
> intermediate syslog collector. I took a quick look at the sampling
> docs and that may not apply to our scenario.
>
> Thanks.
>
> On Wed, Apr 3, 2024 at 12:07 AM Mariusz Kruk via rsyslog
>  wrote:
> >
> > A piece of feedback against
> > https://www.rsyslog.com/doc/tutorials/random_sampling.html
> >
> > I know it's obvious for some people but for some it might not be - it
> > will collect _about_ 20% of logs provided the overall number of events
> > is big enough. Since it's a random-based mechanism, it's... random.
> >
> > Additionally, I had a similar thing implemented for load-balancing to
> > different "backends" and for some reason it didn't work uniformly (I
> > think I already wrote about this) - one of four backends was never
> > chosen. The thing is I was choosing not based directly on random(4) but
> > on (random(some_bigger_integer) % 4) which I thought would yield more
> > uniform randomness. It appears I was wrong.
> >
> > MK
> >
> >
> > On 3.04.2024 08:51, Rainer Gerhards via rsyslog wrote:
> > > This sounds a bit like you are looking for this:
> > >
> > > https://www.rsyslog.com/doc/tutorials/log_sampling.html
> > >
> > > HTH
> > > Rainer
> > >
> > > On Wed, 3 Apr 2024 at 3:25, Prasad Koya via rsyslog wrote:
> > >> Hi
> > >>
> > >>
> > >> module( load="imuxsock" )
> > >> module( load="imklog" )
> > >>
> > >> if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") 
> > >> then {
> > >>action(type="omfile" queue.size="1000" queue.type="LinkedList"
> > >> queue.dequeueSlowDown="36" file="/var/log/oom")
> > >> }
> > >>
> > >>
> > >> If we have a flurry of, for example, "Out of memory" messages from the
> > >> facility 'kern', we'd like to keep only, say, one per hour in a
> > >> separate file.
> > >>
> > >> https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
> > >> says do not set low value for queue.size.
> > >>
> > >> Above page also says queue.dequeueslowdown can be used as
> > >> rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
> > >> above rsyslog.conf working. high and low watermarks are not applicable
> > >> here as it's not a disk based queue. Appreciate any pointers.
> > >>
> > >> Thank you.
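
Applying Rainer's suggestion to the configuration posted in this thread, here is an added example (mine, not from the thread) of throttling the kernel OOM burst to one message per hour, both locally and on the forward. The collector host/port and the placement before the catch-all rule are assumptions.

```conf
# Added example, not from the thread. Keep at most one kernel "Out of
# memory" message per hour and discard the rest of the burst.
module(load="imuxsock")
module(load="imklog")

# action.execOnlyOnceEveryInterval is evaluated per action: the first
# matching message in an interval runs the action, every further one
# inside the same interval is skipped (not batched, not counted). This
# is suppression, not sampling and not delay.
if ($syslogfacility-text == "kern" and $msg contains "Out of memory") then {
    action(type="omfile" file="/var/log/oom"
           action.execOnlyOnceEveryInterval="3600")

    # Same throttle on the forward; each action keeps its own interval clock,
    # so the remote side also sees at most one per hour. Target is a placeholder.
    action(type="omfwd" target="collector.example.internal" port="514"
           protocol="tcp"
           action.execOnlyOnceEveryInterval="3600")

    # Keep the burst out of /var/log/messages. This only works if this
    # block is placed before the catch-all (e.g. "*.info") rule.
    stop
}
```

Note the difference from the original attempt: queue.dequeueSlowDown only inserts a pause (in microseconds) between dequeues, so it slows throughput without ever dropping anything, while execOnlyOnceEveryInterval actually discards the excess.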

Re: [rsyslog] rsyslog 8.2404.0 released

2024-04-03 Thread Rainer Gerhards via rsyslog
Hi Michael,

thanks for the info, but I am unfortunately unable to reproduce this.
As the tests have complex timing interdependencies, may it be the case
that we had just a very busy flaky day? Would it be possible to re-run
them?

Side-note: I also looked at the changes and I cannot see anything that
actually should affect all those tests. But of course, it still could
be.

Rainer

On Tue, 2 Apr 2024 at 22:36, Michael Biebl via rsyslog wrote:
>
> Hi,
>
> the latest upload triggered this:
> https://buildd.debian.org/status/package.php?p=rsyslog
>
> any ideas?
>
> On Tue, 2 Apr 2024 at 17:55, Florian Riedl via rsyslog wrote:
> >
> > Hi all.
> >
> > We are happy to announce the release of rsyslog version 8.2404.0!
> >
> > This release focuses on improvements to the popular omhttp plugin and
> > includes several bug fixes to ensure smooth operation.
> >
> > The omhttp plugin, which allows you to send logs to HTTP endpoints,
> > receives a significant boost in functionality. New configuration
> > parameters provide greater control over retries, handling of specific
> > HTTP status codes, and proxy settings. You can now define timeouts for
> > REST paths, configure a list of retryable and ignorable status codes,
> > and even set up a proxy for outgoing connections. Additionally, omhttp
> > now captures more detailed statistics, including the number of
> > requests, their status codes, transferred bytes, and processing time.
> >
> > In terms of bug fixes, this release addresses a regression that
> > prevented TLS drivers from loading correctly under certain
> > circumstances. The mmdblookup module, used for geolocation lookups, is
> > now more resilient and will continue working even if it encounters an
> > incompatible IP lookup situation. Finally, the distributed tarball has
> > been corrected to include a missing file that was causing test
> > failures.
> >
> > For a complete list of changes, please refer to the official
> > changelog. We encourage you to upgrade to rsyslog v8.2404.0 to benefit
> > from the improved omhttp plugin and the resolved issues.
> >
> > ChangeLog:
> >
> > https://github.com/rsyslog/rsyslog/blob/v8-stable/ChangeLog
> >
> > Download:
> >
> > https://www.rsyslog.com/downloads/download-v8-stable/
> >
> > As always, feedback is appreciated.
> >
> > Florian

Re: [rsyslog] rate limiting logs written to a file

2024-04-03 Thread Rainer Gerhards via rsyslog
This sounds a bit like you are looking for this:

https://www.rsyslog.com/doc/tutorials/log_sampling.html

HTH
Rainer

On Wed, 3 Apr 2024 at 3:25, Prasad Koya via rsyslog wrote:
>
> Hi
>
>
> module( load="imuxsock" )
> module( load="imklog" )
>
> if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
>   action(type="omfile" queue.size="1000" queue.type="LinkedList"
> queue.dequeueSlowDown="36" file="/var/log/oom")
> }
>
>
> If we have a flurry of, for example, "Out of memory" messages from the
> facility 'kern', we'd like to keep only, say, one per hour in a
> separate file.
>
> https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
> says do not set low value for queue.size.
>
> Above page also says queue.dequeueslowdown can be used as
> rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
> above rsyslog.conf working. high and low watermarks are not applicable
> here as it's not a disk based queue. Appreciate any pointers.
>
> Thank you.

Re: [rsyslog] Dealing with CEF messages

2024-03-24 Thread Rainer Gerhards via rsyslog
You need to craft a template with a fixed facility you want. That's
the <PRI> part inside the template. See RFC5424 for how to calculate it
(yes, it should be easier, but it's a pretty uncommon request and this
is right now the only way to do it).

HTH
Rainer

On Sun, 24 Mar 2024 at 13:21, Steven Briggs via rsyslog wrote:
>
> > I have a rsyslog forwarder RHEL 7.9 That is forwarding syslog and CEF
> > messages to Azure Sentinel now using AMA. What happens is when cef messages
> > are forwarded they appear in the sentinel twice once in syslog table and
> > then in the common security. Which creates duplicates. It’s not possible to
> > change client config, too many devices and appliances
>
>
> My question is can I change the facility of incoming syslogs on the
> > forwarding server ?
> >
> > Other question is whether I can change syslog messages to CEF format on
> > the forwarder ?
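
To make the "fixed facility in the template" answer concrete, here is an added example (mine, not from the thread) of a forwarder rule that re-stamps the PRI of CEF messages. Per RFC 5424 the PRI is facility * 8 + severity; the example pins the facility to local4 (20) and keeps the original severity. Matching on the literal "CEF:" header, the local4 choice and the target host/port are assumptions.

```conf
# Added example, not from the thread. Forward CEF messages with a fixed
# facility (local4 = 20) while preserving their severity.
# RFC 5424: PRI = facility * 8 + severity, e.g. local4/info = 20*8 + 6 = <166>.
template(name="cef_fixed_fac" type="string"
         string="<%$.pri%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")

# Constructed matching rule: CEF payloads carry the literal "CEF:" header.
# cnum() makes sure the severity property is treated as a number.
if ($msg contains "CEF:") then {
    set $.pri = 20 * 8 + cnum($syslogseverity);
    action(type="omfwd" target="ama-forwarder.example.internal" port="514"
           protocol="tcp" template="cef_fixed_fac")
    stop
}
```

This only changes the PRI the forwarder emits; whether that is enough to stop the duplicate rows on the receiving side has to be verified there. For a fully fixed PRI (facility and severity), replace the `set` line and use a literal such as `<166>` in the template string.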

Re: [rsyslog] Logs received via tls are binary

2024-03-19 Thread Rainer Gerhards via rsyslog
Usually this happens when TLS cannot successfully be enabled at the
server side. This can happen even though the config looks valid, e.g.
permission issues reading cert files.

Rainer

On Tue, 19 Mar 2024 at 15:55, David Lang via rsyslog wrote:
>
> we would need to see your full configs on both the sender and receiving sides to
> make a guess as to what is being done wrong.
>
> David Lang
>
> On Tue, 19 Mar 2024, Brian via rsyslog wrote:
>
> > I will have to take a closer look at logs but yes, the logs in the
> > receiving syslog server are showing up as binary files.
> >
> > Brian
> >
> > On 3/19/2024 7:24 AM, Rainer Gerhards wrote:
> >> Please contain a plain text part in your mail. The mailing list
> >> processor removes HTML for security reasons.
> >>
> >> Judging from the subject, I guess either the receiver OR the sender
> >> has not successfully enabled TLS. Check for error messages from
> >> rsyslog.
> >>
> >> HTH
> >> Rainer
> >>
> >> On Tue, 19 Mar 2024 at 15:06, Brian W. via rsyslog wrote:

Re: [rsyslog] Logs received via tls are binary

2024-03-19 Thread Rainer Gerhards via rsyslog
Please include a plain text part in your mail. The mailing list
processor removes HTML for security reasons.

Judging from the subject, I guess either the receiver OR the sender
has not successfully enabled TLS. Check for error messages from
rsyslog.

HTH
Rainer

On Tue, 19 Mar 2024 at 15:06, Brian W. via rsyslog wrote:

Re: [rsyslog] rsyslog on AIX

2024-02-23 Thread Rainer Gerhards via rsyslog
In theory, you can build rsyslog from the sources yourself - except
when something was broken in the meantime.

Side-note: we offered IBM to keep rsyslog AIX-compatible if they
provided a buildbot worker for CI checking and some advice on problems,
but they seemed not very interested in that option.

HTH
Rainer

On Fri, 23 Feb 2024 at 0:01, Nelson, Ward via rsyslog wrote:
>
> We are looking for an AIX-available version of Rsyslog higher than 8.19.50.2.
> IBM offers that one in an installable package (install), but we need the
> version that allows for wildcards in the directory location instead of only
> at the file level.
> I see versions mentioned all the way up to 8.40 (I believe the wildcarding we
> desire was added @ 8.23), but I have not been able to find a new version either
> as source or installable package.  Is anyone out there using rsyslog for AIX?
>
> WardNelson   • Sr. Systems Engineer
> UNIX
> 3840 109th Street   ,   Urbandale   ,   IA  50322
> Phone: +1-515-564-2533
> Email:  wnel...@wrberkley.com
> Website: https://berkleytechnologyservices.com/
>
> Right Team. Right Technology. Simple and Secure.

Re: [rsyslog] rSyslog Windows Agent - FIPS compliance and TLS v1.3 support

2024-02-22 Thread Rainer Gerhards via rsyslog
As I said, TLS 1.3 is supported, but not all properties are yet
available directly via the GUI. However, they can be set via "SSL
configuration commands". I have requested that the next major version
also provides proper GUI parameters.

In the meantime I suggest to contact Adiscon support at
supp...@adiscon.com when you intend to configure TLS 1.3.

Unfortunately, openssl 3.0 is not yet integrated, this is planned for
the upcoming major release somewhat later this year.

HTH,
Rainer

On Wed, 21 Feb 2024 at 16:15, Rainer Gerhards wrote:
>
> I need to ask the folks closer to the agent, but to the best of my
> knowledge TLS 1.3 is supported (very sure), and I guess openssl 3.x is
> used (not so sure on that).
>
> HTH
> Rainer
>
> On Wed, 21 Feb 2024 at 13:34, Ivanov Timea via rsyslog wrote:
> >
> > Hello!
> >
> > I need to send specific Windows event logs and database and application
> > server logs to a Syslog server. I think rSyslog Windows Agent would be a
> > good choice. But before I start with it, I have to know if it's FIPS
> > compliant (works with OpenSSL3) and if it can work over TLS v1.3. Could
> > you please help me regarding these two topics?

Re: [rsyslog] rSyslog Windows Agent - FIPS compliance and TLS v1.3 support

2024-02-21 Thread Rainer Gerhards via rsyslog
I need to ask the folks closer to the agent, but to the best of my
knowledge TLS 1.3 is supported (very sure), and I guess openssl 3.x is
used (not so sure on that).

HTH
Rainer

On Wed, 21 Feb 2024 at 13:34, Ivanov Timea via rsyslog wrote:
>
> Hello!
>
> I need to send specific Windows event logs and database and application
> server logs to a Syslog server. I think rSyslog Windows Agent would be a
> good choice. But before I start with it, I have to know if it's FIPS
> compliant (works with OpenSSL3) and if it can work over TLS v1.3. Could
> you please help me regarding these two topics?

Re: [rsyslog] bind one queue to a ruleset for all syslogs going to one server.

2024-02-14 Thread Rainer Gerhards via rsyslog
> You could try pushing all events to a single ruleset with a queue with
> just one worker thread. I suppose then the events dequeued from the main
> queue and enqueued into the ruleset queue would be in order. I'm not
> fully sure about the order of events enqueued into action queues though.
> I'm curious myself.

In this case, it still depends on the main queue actions and settings.
To be pretty sure, it is best to bind the input directly to the
ruleset you mention. The only problem that can occur is outages of the
receiving server. During recovery, some messages may be requeued, and
this at a different queue position.

I have seen some extreme cases of "I always need to preserve
sequence". You can ensure this via

Bind input to a ruleset with a DIRECT mode queue, do not use any other
queue definitions in that ruleset, set potentially failing actions to
retry eternally.

Obviously, this will deliver pretty bad performance.

Rainer
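
The "direct mode queue, retry eternally" recipe above, written out as an added example (mine, not from the thread). Port, collector address and retry interval are placeholders.

```conf
# Added example, not from the thread. Preserve message sequence for one
# TCP input by binding it to a ruleset that has no queue of its own.
# With no queue.* parameters on the ruleset or the action, both run in
# direct mode (the default), so each message is processed to completion
# by the input's own thread before the next one is picked up.
module(load="imtcp")

ruleset(name="ordered_forward") {
    # Retry forever (-1) instead of giving up after the retry budget;
    # a discarded message would otherwise leave a gap in the sequence.
    # While the collector is down the input blocks, which is the price
    # of strict ordering.
    action(type="omfwd" target="collector.example.internal" port="514"
           protocol="tcp"
           action.resumeRetryCount="-1"
           action.resumeInterval="10")
}

# Binding the input to the ruleset bypasses the main queue entirely.
input(type="imtcp" port="514" ruleset="ordered_forward")
```

Two caveats a practitioner should keep in mind: ordering is only meaningful per sender connection (messages from different senders interleave in arrival order, nothing more), and as noted above the throughput of this path is bounded by the collector's round-trip time because nothing is buffered.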


Re: [rsyslog] Installing rsyslog/omhttp on Rocky linux 9

2024-01-23 Thread Rainer Gerhards via rsyslog
I checked, but SuSe unfortunately does not provide the ability to
build for Rocky Linux.

Maybe you can give these ones a try:

https://www.rsyslog.com/rhelcentos-rpms/

I would appreciate it if you could report back your findings, whatever
they may be.

Rainer

On Mon, 22 Jan 2024 at 22:04, Kevin McKibbin via rsyslog wrote:
>
> I have an older install on Centos 7 and I'm trying to install on Rocky
> linux 9.
>
> The older version is running on Centos 7:
> [root@localhost ~]# yum list installed | grep rsyslog
> rsyslog.x86_64          8.2204.0-3.1    @home_rgerhards
> rsyslog-omhttp.x86_64   8.2204.0-3.1    @home_rgerhards
>
> These were installed using these commands:
> [root@local rsyslog]# cd /etc/yum.repos.d/
> [root@local yum.repos.d]# wget --no-check-certificate
> https://download.opensuse.org/repositories/home:rgerhards/CentOS_7/home:rgerhards.repo
> [root@local yum.repos.d]#   yum install rsyslog-omhttp
>
>
> Is there a different repo URL that I can wget/load for Rocky_9?
>
> Kevin

[rsyslog] rsyslog documentation improvement and AI

2024-01-19 Thread Rainer Gerhards via rsyslog
Hi all,

I just wrote a bit about how I integrate AI in the doc improvement
process. I thought that might be interesting for some of you:

https://www.rsyslog.com/documentation-improvement-and-ai/

And, as it exists anyhow, a version translated into German is also
available as part of this article:

https://www.rainer-gerhards.de/2024/01/ki-zur-texterstellung-im-news-blog-wie-und-warum/

In general, I now try to keep the rsyslog site regularly updated with
recent developments, background etc in order to provide some more
context on what we do.

Rainer


[rsyslog] more updates to doc and site

2024-01-09 Thread Rainer Gerhards via rsyslog
Hi all,

more news, please have a look here:

https://www.rsyslog.com/additional-improvements-to-rsyslog-doc-and-site/

Rainer


Re: [rsyslog] New Doc Effort

2024-01-06 Thread Rainer Gerhards via rsyslog
Hi all,

thanks for the great feedback!

Any help is appreciated. I am actually looking for four kinds of things
right now in regard to the core doc:

* how would a beginner's guide structure best be? What do we need to
describe for someone new to rsyslog and syslog?
* suggestions for restructuring the reference manual
* what would be good FAQ items?
* thinking about news-/blog-like content: what type of postings would
you like to see on rsyslog.com

As a side-note, we have run into an issue with our wordpress theme,
which is currently under evaluation: That's a show stopper for further
web site updates. I assume we'll solve that early next week.

Thanks again,
Rainer

On Fri, 5 Jan 2024 at 19:57, Johan Ryberg wrote:
>
> Wonderful! It was hard to navigate and I think I had to reach out for help a 
> couple of times just because of the documentation.
>
> You will benefit from this in the end 
>
> Best regards Johan Ryberg
>
> On Thu, 4 Jan 2024 at 18:01, Peter Portante via rsyslog wrote:
>>
>> On Thu, Jan 4, 2024 at 11:31 AM Rainer Gerhards via rsyslog
>>  wrote:
>> >
>> > Hi all,
>> >
>> > happy new year to everyone!
>> >
>> > I think I have some good news. I have initiated a new project to
>> > enhance doc and rsyslog website. Initial announcement is here:
>> >
>> > https://www.rsyslog.com/improving-the-rsyslog-documentation/
>>
>> Happy New Year!
>>
>> This is great news!
>>
>> -Peter
>>
>> >
>> > More details follow in further postings. As you may guess, some
>> > generative AI will be involved. I tested it in regard to doc writing
>> > etc the past weeks and there are good results. But there is a lot to
>> > tell, and this is a topic for upcoming postings. Just so that you
>> > know: I do not intend to let it automatically generate the doc - that
>> > would fail miserably. :-)
>> >
>> > Rainer

[rsyslog] New Doc Effort

2024-01-04 Thread Rainer Gerhards via rsyslog
Hi all,

happy new year to everyone!

I think I have some good news. I have initiated a new project to
enhance doc and rsyslog website. Initial announcement is here:

https://www.rsyslog.com/improving-the-rsyslog-documentation/

More details follow in further postings. As you may guess, some
generative AI will be involved. I tested it in regard to doc writing
etc the past weeks and there are good results. But there is a lot to
tell, and this is a topic for upcoming postings. Just so that you
know: I do not intend to let it automatically generate the doc - that
would fail miserably. :-)

Rainer


Re: [rsyslog] Does HUP signal cause a TLS certificate reload?

2023-12-31 Thread Rainer Gerhards via rsyslog
It will not.

Rainer

On Sun, 31 Dec 2023 at 1:03, David Lang via rsyslog wrote:
>
> a HUP will reconnect, but I don't think that a HUP will reload the certificates
> from disk.
>
> David Lang
>
> On Sat, 30 Dec 2023, John Chivian via rsyslog wrote:
>
> > I believe restarting is the only way possible to achieve this.  
> > Certificates are connection based and therefore you must force the client 
> > to re-establish the connection to pickup the new certificate.
> >
> > The client messages are therefore expected and should not be considered an 
> > error.
> >
> > Regards,
> >
> >
> >
> >> On Dec 30, 2023, at 07:42, Andy Smith via rsyslog 
> >>  wrote:
> >>
> >> Hi,
> >>
> >> I'm using rsyslog as packaged by Debian 12 (bookworm). I'm logging
> >> to central servers:
> >>
> >> $DefaultNetstreamDriver gtls
> >> […]
> >> *.* @@server.example.com:10514
> >>
> >> I'm using client TLS certificates that expire after 3 months. I have
> >> automation to put the updated certificate files in place, but if I
> >> do not restart rsyslog then it does not pick up the new certificates
> >> and eventually the client rsyslog is rejected and cannot re-connect.
> >>
> >> I can easily restart rsyslog when new certificate files are put in
> >> place, but then I get logs like this from every client host (many):
> >>
> >> 2023-12-30T02:32:01.521137+00:00 client1.example.com rsyslogd: omfwd: 
> >> remote server at server.example.com:10514 seems to have closed connection. 
> >> This often happens when the remote peer (or an interim system like a load 
> >> balancer or firewall) shuts down or aborts a connection. Rsyslog will 
> >> re-open the connection if configured to do so (we saw a generic IO Error, 
> >> which usually goes along with that behaviour). [v8.2302.0 try 
> >> https://www.rsyslog.com/e/2027 ]
> >> 2023-12-30T02:32:01.531001+00:00 client1.example.com rsyslogd: action 
> >> 'action-19-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. 
> >> There should be messages before this one giving the reason for suspension. 
> >> [v8.2302.0 try https://www.rsyslog.com/e/2007 ]
> >> 2023-12-30T02:32:02.327418+00:00 client1.example.com rsyslogd: action 
> >> 'action-19-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2302.0 try 
> >> https://www.rsyslog.com/e/2359 ]
> >>
> >> So my simple question is, if I instead send a HUP signal to rsyslog,
> >> will it reload its updated TLS certificate files?
> >>
> >> Or, is there another graceful way to do that?
> >>
> >> The above log lines seem harmless but they trip my monitoring and I
> >> would rather not programmatically ignore them as I may end up
> >> ignoring a real problem later on.
> >>
> >> Thanks,
> >> Andy
> >
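Andy's concern in the thread above is that the omfwd messages around a planned restart are harmless but, for monitoring, look like a real outage. As an added example (not code from the thread or from rsyslog), the following Python correlates each action suspension with its resumption per client and leaves only suspensions that never resume, or take longer than a grace period, as alerts; the sample log is adapted from the lines quoted above plus a constructed second client.

```python
import re
from datetime import datetime, timedelta

# Sample client log: client1 lines adapted from the thread, client2 is a
# constructed host whose action never resumes. Not real data.
SAMPLE_LOG = """\
2023-12-30T02:32:01.521137+00:00 client1.example.com rsyslogd: omfwd: remote server at server.example.com:10514 seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2302.0 try https://www.rsyslog.com/e/2027 ]
2023-12-30T02:32:01.531001+00:00 client1.example.com rsyslogd: action 'action-19-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2302.0 try https://www.rsyslog.com/e/2007 ]
2023-12-30T02:32:02.327418+00:00 client1.example.com rsyslogd: action 'action-19-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.2302.0 try https://www.rsyslog.com/e/2359 ]
2023-12-30T02:32:01.702211+00:00 client2.example.com rsyslogd: action 'action-19-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2302.0 try https://www.rsyslog.com/e/2007 ]
"""

# RFC 3339 timestamp, hostname, then the rsyslogd message text
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) rsyslogd: (?P<msg>.*)$")
SUSPEND_RE = re.compile(r"action '(?P<action>[^']+)' suspended")
RESUME_RE = re.compile(r"action '(?P<action>[^']+)' resumed")


def correlate(lines):
    """Pair each action suspension with the next resumption of the same
    (host, action). Returns (completed cycles, still-open suspensions)."""
    open_suspensions = {}   # (host, action) -> time of first suspension
    cycles = []             # (host, action, downtime) once the action resumed
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        host, msg = m.group("host"), m.group("msg")
        s = SUSPEND_RE.search(msg)
        if s:
            # keep the earliest suspension; later retries may repeat this message
            open_suspensions.setdefault((host, s.group("action")), ts)
            continue
        r = RESUME_RE.search(msg)
        if r:
            key = (host, r.group("action"))
            started = open_suspensions.pop(key, None)
            if started is not None:
                cycles.append((host, r.group("action"), ts - started))
    return cycles, open_suspensions


def classify(lines, now, grace=timedelta(seconds=60)):
    """Separate the expected server-restart blip (suspend and resume within
    'grace') from outages that deserve an alert."""
    cycles, still_open = correlate(lines)
    return {
        "benign": [c for c in cycles if c[2] <= grace],
        "slow": [c for c in cycles if c[2] > grace],
        "unresolved": {k: t for k, t in still_open.items() if now - t > grace},
    }


if __name__ == "__main__":
    report = classify(SAMPLE_LOG.splitlines(),
                      now=datetime.fromisoformat("2023-12-30T02:40:00+00:00"))
    for host, action, downtime in report["benign"]:
        print(f"ok      {host} {action} reconnected after {downtime}")
    for (host, action), since in report["unresolved"].items():
        print(f"ALERT   {host} {action} suspended since {since}")
```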

Re: [rsyslog] Memory Leak?

2023-12-07 Thread Rainer Gerhards via rsyslog
Thx, that is useful. Obviously we have a leak:

> 48,420,608 bytes in 189,143 blocks are definitely lost

unfortunately, we do not have symbols, so we do not know exactly where
it happens. Can you install debug symbols? Usually there is a package
rsyslog-debuginfo (or the like), which should at least contain the
symbols for the static (non-plugin) parts of rsyslog. That would help
with the stacktrace and ease bug hunting.

Rainer

El jue, 7 dic 2023 a las 11:41, Adriaan de Waal
() escribió:
>
> Good day
>
> I ran rsyslog under Valgrind for a while and got the following output:
>
> ==31532== Memcheck, a memory error detector
> ==31532== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
> ==31532== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
> ==31532== Command: /usr/sbin/rsyslogd -n
> ==31532== Parent PID: 1
> ==31532==
> ==31532==
> ==31532== HEAP SUMMARY:
> ==31532== in use at exit: 55,152,508 bytes in 215,413 blocks
> ==31532==   total heap usage: 36,459,066 allocs, 36,243,653 frees, 
> 10,340,685,855 bytes allocated
> ==31532==
> ==31532== 32 bytes in 1 blocks are definitely lost in loss record 35 of 101
> ==31532==at 0x48407B4: malloc (vg_replace_malloc.c:381)
> ==31532==by 0x54FE7B6: ???
> ==31532==by 0x54FE8D4: ???
> ==31532==by 0x550796F: ???
> ==31532==by 0x54FC760: ???
> ==31532==by 0x545EE78: ???
> ==31532==by 0x534271E: ???
> ==31532==by 0x5311A00: ???
> ==31532==by 0x5313067: ???
> ==31532==by 0x53133F8: ???
> ==31532==by 0x173891: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x1751BC: ??? (in /usr/sbin/rsyslogd)
> ==31532==
> ==31532== 48 bytes in 1 blocks are definitely lost in loss record 53 of 101
> ==31532==at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==31532==by 0x16DBF2: propConstruct (in /usr/sbin/rsyslogd)
> ==31532==by 0x52E4199: ???
> ==31532==by 0x52E63DF: ???
> ==31532==by 0x52E6C32: ???
> ==31532==by 0x4ACB043: start_thread (pthread_create.c:442)
> ==31532==by 0x4B4A87F: clone (clone.S:100)
> ==31532==
> ==31532== 48 bytes in 1 blocks are definitely lost in loss record 54 of 101
> ==31532==at 0x48455EF: calloc (vg_replace_malloc.c:1328)
> ==31532==by 0x16DBF2: propConstruct (in /usr/sbin/rsyslogd)
> ==31532==by 0x52E41D5: ???
> ==31532==by 0x52E63DF: ???
> ==31532==by 0x52E6C32: ???
> ==31532==by 0x4ACB043: start_thread (pthread_create.c:442)
> ==31532==by 0x4B4A87F: clone (clone.S:100)
> ==31532==
> ==31532== 104 bytes in 1 blocks are definitely lost in loss record 62 of 101
> ==31532==at 0x48407B4: malloc (vg_replace_malloc.c:381)
> ==31532==by 0x5500EDE: ???
> ==31532==by 0x54FC78D: ???
> ==31532==by 0x545EE78: ???
> ==31532==by 0x534271E: ???
> ==31532==by 0x5311A00: ???
> ==31532==by 0x5313067: ???
> ==31532==by 0x53133F8: ???
> ==31532==by 0x173891: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x1751BC: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x17564F: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x1683A1: ??? (in /usr/sbin/rsyslogd)
> ==31532==
> ==31532== 128 (16 direct, 112 indirect) bytes in 1 blocks are definitely lost 
> in loss record 69 of 101
> ==31532==at 0x48407B4: malloc (vg_replace_malloc.c:381)
> ==31532==by 0x5507861: ???
> ==31532==by 0x5507B49: ???
> ==31532==by 0x54FC760: ???
> ==31532==by 0x545EE78: ???
> ==31532==by 0x534271E: ???
> ==31532==by 0x5311A00: ???
> ==31532==by 0x5313067: ???
> ==31532==by 0x53133F8: ???
> ==31532==by 0x173891: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x1751BC: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x17564F: ??? (in /usr/sbin/rsyslogd)
> ==31532==
> ==31532== 205 bytes in 10 blocks are definitely lost in loss record 74 of 101
> ==31532==at 0x48407B4: malloc (vg_replace_malloc.c:381)
> ==31532==by 0x4AE07F9: strdup (strdup.c:42)
> ==31532==by 0x132E7B: yylex (in /usr/sbin/rsyslogd)
> ==31532==by 0x12ED47: yyparse (in /usr/sbin/rsyslogd)
> ==31532==by 0x1459AC: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x12130A: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x11F0E8: main (in /usr/sbin/rsyslogd)
> ==31532==
> ==31532== 205 bytes in 10 blocks are definitely lost in loss record 75 of 101
> ==31532==at 0x48407B4: malloc (vg_replace_malloc.c:381)
> ==31532==by 0x4AE07F9: strdup (strdup.c:42)
> ==31532==by 0x150E0C: msgPropDescrFill (in /usr/sbin/rsyslogd)
> ==31532==by 0x13B71A: cnffuncexistsNew (in /usr/sbin/rsyslogd)
> ==31532==by 0x12F585: yyparse (in /usr/sbin/rsyslogd)
> ==31532==by 0x1459AC: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x12130A: ??? (in /usr/sbin/rsyslogd)
> ==31532==by 0x11F0E8: main (in /usr/sbin/rsyslogd)
> ==31532==
> ==31532== 404 (392 direct, 12 indirect) bytes in 1 blocks are definitely lost 
> in loss record 82 of 101
> ==31532==at 0x48407B4: malloc (vg_replace_malloc.c:381)
> ==31532==by 0x54FEFA6: 

Re: [rsyslog] Memory Leak?

2023-12-06 Thread Rainer Gerhards via rsyslog
Great.

Do you know valgrind? If so, you could run rsyslog under valgrind control,
best in the foreground. When you terminate rsyslog, valgrind will show leak
stats if any.

Rainer

Sent from phone, thus brief.

Adriaan de Waal  schrieb am Mi., 6. Dez. 2023,
19:56:

> Good day
>
> Looking at the main Q statistics, the size remains mostly constant around
> 30. The max queue size currently sits at 400. There is also a queue (linked
> list + disk assisted) configured for the omkafka action, with the size not
> really going above single digits (and the DA queue stats remain at 0). Also
> note I completely disabled the omkafka action's queue previously as a test,
> but that didn't make a difference. There are no other queues.
>
> Kind Regards
> ---
>
> --
> *From:* Rainer Gerhards 
> *Sent:* 06 December 2023 17:05
> *To:* rsyslog-users 
> *Cc:* Adriaan de Waal 
> *Subject:* Re: [rsyslog] Memory Leak?
>
> Look at the queue sizes in impstats. Are they ever-increasing?
>
> Rainer
>
> El mié, 6 dic 2023 a las 14:30, Adriaan de Waal via rsyslog
> () escribió:
> >
> > Good day
> >
> > I am trying to diagnose and resolve an issue whereby the memory consumed
> by the rsyslog daemon increases linearly over time. This continues until it
> consumes most of the memory (including swap) of the system and the service
> has to be restarted to free up memory. There are two servers with identical
> configurations. What I noticed is that the server receiving a higher volume
> of messages also consumes memory at a higher rate. In other words it appears
> as if the message rate, or message volume, is directly proportional to the
> rate at which memory is consumed.
> >
> > Below is the version information for the rsyslogd daemon:
> > rsyslogd  8.2310.0 (aka 2023.10) compiled with:
> >PLATFORM:   x86_64-pc-linux-gnu
> >PLATFORM (lsb_release -d):
> >FEATURE_REGEXP: Yes
> >GSSAPI Kerberos 5 support:  No
> >FEATURE_DEBUG (debug build, slow code): No
> >32bit Atomic operations supported:  Yes
> >64bit Atomic operations supported:  Yes
> >memory allocator:   system default
> >Runtime Instrumentation (slow code):No
> >uuid support:   Yes
> >systemd support:Yes
> >Config file:/etc/rsyslog.conf
> >PID file:   /var/run/rsyslogd.pid
> >Number of Bits in RainerScript integers: 64
> >
> > It is running on Debian 12 servers.
> >
> > To provide you with more background detail, initially I configured three
> listeners: one UDP (port 514), one TCP (port 514) and one TLS (port 6514).
> A single system was configured to push logs to the TLS port and that worked
> well (no increase in memory usage over time). Recently I added another UDP
> listener (port 10514) and started configuring a number of systems to push
> their logs to this port, but since then I've observed the described gradual
> memory increase.
> >
> > This new listener is configured as follows: A ruleset was created and
> bound to this listener (the ruleset doesn't have its own queue). The
> ruleset first runs the mmutf8fix action then calls a different ruleset
> (named "normalise"), which normalises the data (just sets specific
> variables that are later used in a template to construct a JSON object).
> After the call to the "normalise" ruleset returns, a mmnormalize action is
> performed and some additional variables are set. Lastly the ruleset (the
> one bound to the listener) then calls yet another ruleset (named
> "kafka_output"), which is used to construct a JSON object from the various
> variables and uses the omkafka action to push this to a Kafka cluster.
> >
> > The flow of the above can be visualised as:
> > Source -> Syslog Server [10514/UDP] -> [listener ruleset] -> [normalise
> ruleset] -> [kafka_output ruleset]
> >
> > It should also be noted the original listeners are configured in much
> the same way, apart from having calls to even more rulesets. I haven't
> tested if the UDP listener on port 514 exhibits the same behaviour (it
> isn't currently being used).
> >
> > This rsyslog daemon is also used to capture locally generated logs and
> the statistics (impstats) module is also loaded.
> >
> > What can I do to troubleshoot what's causing this "memory leak"?
> >
> > Kind Regards
> > ---
> >
>

Re: [rsyslog] Memory Leak?

2023-12-06 Thread Rainer Gerhards via rsyslog
Look at the queue sizes in impstats. Are they ever-increasing?

Rainer

El mié, 6 dic 2023 a las 14:30, Adriaan de Waal via rsyslog
() escribió:
>
> Good day
>
> I am trying to diagnose and resolve an issue whereby the memory consumed by 
> the rsyslog daemon increases linearly over time. This continues until it 
> consumes most of the memory (including swap) of the system and the service 
> has to be restarted to free up memory. There are two servers with identical 
> configurations. What I noticed is that the server receiving a higher volume 
> of messages also consumes memory at a higher rate. In other words it appears 
> as if the message rate, or message volume, is directly proportional to the 
> rate at which memory is consumed.
>
> Below is the version information for the rsyslogd daemon:
> rsyslogd  8.2310.0 (aka 2023.10) compiled with:
>PLATFORM:   x86_64-pc-linux-gnu
>PLATFORM (lsb_release -d):
>FEATURE_REGEXP: Yes
>GSSAPI Kerberos 5 support:  No
>FEATURE_DEBUG (debug build, slow code): No
>32bit Atomic operations supported:  Yes
>64bit Atomic operations supported:  Yes
>memory allocator:   system default
>Runtime Instrumentation (slow code):No
>uuid support:   Yes
>systemd support:Yes
>Config file:/etc/rsyslog.conf
>PID file:   /var/run/rsyslogd.pid
>Number of Bits in RainerScript integers: 64
>
> It is running on Debian 12 servers.
>
> To provide you with more background detail, initially I configured three 
> listeners: one UDP (port 514), one TCP (port 514) and one TLS (port 6514). A 
> single system was configured to push logs to the TLS port and that worked 
> well (no increase in memory usage over time). Recently I added another UDP 
> listener (port 10514) and started configuring a number of systems to push 
> their logs to this port, but since then I've observed the described gradual 
> memory increase.
>
> This new listener is configured as follows: A ruleset was created and bound 
> to this listener (the ruleset doesn't have its own queue). The ruleset first 
> runs the mmutf8fix action then calls a different ruleset (named "normalise"), 
> which normalises the data (just sets specific variables that are later used in 
> a template to construct a JSON object). After the call to the "normalise" 
> ruleset returns, a mmnormalize action is performed and some additional 
> variables are set. Lastly the ruleset (the one bound to the listener) then 
> calls yet another ruleset (named "kafka_output"), which is used to construct 
> a JSON object from the various variables and uses the omkafka action to push 
> this to a Kafka cluster.
>
> The flow of the above can be visualised as:
> Source -> Syslog Server [10514/UDP] -> [listener ruleset] -> [normalise 
> ruleset] -> [kafka_output ruleset]
>
> It should also be noted the original listeners are configured in much the 
> same way, apart from having calls to even more rulesets. I haven't tested if 
> the UDP listener on port 514 exhibits the same behaviour (it isn't currently 
> being used).
>
> This rsyslog daemon is also used to capture locally generated logs and the 
> statistics (impstats) module is also loaded.
>
> What can I do to troubleshoot what's causing this "memory leak"?
>
> Kind Regards
> ---
>
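Rainer's first check above is whether any queue size in impstats keeps increasing. As an added example (not rsyslog's code and not from the thread), this Python reads impstats lines in the default key=value format, tracks the `size` counter per core queue and reports queues that only ever grow; the sample lines, including the queue name `kafka_q`, are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed impstats samples in the default key=value format: three
# collection intervals, two core queues plus one input (which is not a queue).
# Made up for this example; not taken from the thread.
SAMPLE_IMPSTATS = """\
rsyslogd-pstats: main Q: origin=core.queue size=30 enqueued=1200 full=0 discarded.full=0 discarded.nf=0 maxqsize=400
rsyslogd-pstats: kafka_q: origin=core.queue size=3 enqueued=1100 full=0 discarded.full=0 discarded.nf=0 maxqsize=400
rsyslogd-pstats: imudp(*:10514): origin=imudp submitted=1200
rsyslogd-pstats: main Q: origin=core.queue size=31 enqueued=2400 full=0 discarded.full=0 discarded.nf=0 maxqsize=400
rsyslogd-pstats: kafka_q: origin=core.queue size=5 enqueued=2200 full=0 discarded.full=0 discarded.nf=0 maxqsize=400
rsyslogd-pstats: imudp(*:10514): origin=imudp submitted=2400
rsyslogd-pstats: main Q: origin=core.queue size=29 enqueued=3600 full=0 discarded.full=0 discarded.nf=0 maxqsize=400
rsyslogd-pstats: kafka_q: origin=core.queue size=9 enqueued=3300 full=0 discarded.full=0 discarded.nf=0 maxqsize=400
rsyslogd-pstats: imudp(*:10514): origin=imudp submitted=3600
"""

# "<name>: key=value key=value ..." after the rsyslogd-pstats tag; the name may
# itself contain spaces or colons (e.g. "main Q", "imudp(*:10514)")
STAT_RE = re.compile(r"rsyslogd-pstats: (?P<name>.+?): (?P<kv>\S+=\S+(?: \S+=\S+)*)\s*$")


def parse_line(line):
    """Split one impstats line into (counter set name, {key: value}).

    Numeric values become int; anything else (e.g. origin) stays a string.
    Returns None for lines that are not impstats output.
    """
    m = STAT_RE.search(line)
    if m is None:
        return None
    fields = {}
    for item in m.group("kv").split():
        key, _, value = item.partition("=")
        fields[key] = int(value) if value.isdigit() else value
    return m.group("name"), fields


def queue_series(lines):
    """Collect per-queue 'size' samples in arrival order (core.queue only)."""
    series = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, fields = parsed
        if fields.get("origin") != "core.queue" or "size" not in fields:
            continue
        series[name].append(fields["size"])
    return dict(series)


def growing_queues(series, min_samples=3):
    """Names of queues whose size never drops and ends above where it began.

    A queue that oscillates (like 'main Q' in the sample) is healthy; one that
    only ever grows means the consumer cannot keep up and rsyslog is holding
    more and more messages in memory.
    """
    suspects = []
    for name, sizes in series.items():
        if len(sizes) < min_samples:
            continue
        monotonic = all(later >= earlier for earlier, later in zip(sizes, sizes[1:]))
        if monotonic and sizes[-1] > sizes[0]:
            suspects.append(name)
    return suspects


if __name__ == "__main__":
    series = queue_series(SAMPLE_IMPSTATS.splitlines())
    for name, sizes in series.items():
        print(f"{name}: {sizes}")
    print("ever-increasing:", growing_queues(series))
```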

Re: [rsyslog] High memory usage with imfile

2023-11-16 Thread Rainer Gerhards via rsyslog
This smells like a bug. It looks like the discarded messages will
never be deleted.

In this case, I would suggest opening a github issue if that
is possible for you.

Rainer

El jue, 16 nov 2023 a las 16:21, Jeremiah Garmatter via rsyslog
() escribió:
>
> Hello,
>
> I have rsyslog 8.2102.0 installed on Redhat 9 via DNF package manager.
> I recently configured rsyslog to read DNS queries out of NameD and send
> them to a Splunk instance via UDP. Due to Splunk licensing constraints we
> decided to restrict how many messages are retrieved with the
> "MaxLinesPerMinute" config for imfile. After setting this value, rsyslog
> will consume all available memory on the machine and crash.
>
> I am confused as to why this "memory leak" happens when a limit is put in
> place via MaxLinesPerMinute. Without MaxLinesPerMinute there are no memory
> issues. I can include config files and impstats if necessary.
>
>
> *Jeremiah Garmatter*
> Linux Systems Administrator
> Office of Information Technology
> IT Building 107
> 419-772-1074
> j-garmat...@onu.edu

Re: [rsyslog] Hostname field changed in rsyslog proxy

2023-11-02 Thread Rainer Gerhards via rsyslog
Well, you say that the equipment does not necessarily follow the RFC.
In that case, rsyslog might not be able to read the hostname from the
message. We try hard to handle "well known malformed formats", but we
cannot let everything slip through. Especially if it really is unclear
where the hostname is present.

In such cases, rsyslog falls back to the sender IP address. This *may*
be what you are seeing.

We would need to see the original message from the device where the
"wrong hostname" will be shown later on.

HTH
Rainer

El jue, 2 nov 2023 a las 15:46, Martin Passard via rsyslog
() escribió:
>
> Dear rsyslog mailing list,
>
> First time coming out of the shadow here for a particular behavior that
> I've not well understood in our stack here.
> So, we are monitoring our network using syslog, using rsyslog as a proxy
> to be certain of the version format used, as the equipment is very
> diverse and some respect some RFCs, some others, and some
> implementations are buggy. Last time we had an issue where we had an
> alert on a log volume for an equipment hostname that is no longer in
> our network. The IP of the equipment was reused somewhere else.
>
> It seemed that instead of keeping the hostname "as is" the rsyslog proxy
> was using its own name resolution and replaced the hostname first
> present in the packet by the one in its cache, resulting in the wrong
> hostname being transmitted to the promtail/loki infrastructure behind.
>
> Here is what we have as a remote.conf: We have made that for a buggy
> implementation where APPNAME is seen as NULL (not empty string)
> resulting in failure of rsyslog. I don't think this behavior is
> especially linked to the %HOSTNAME% but I want to be sure with you.
>
>
> ```
> $ModLoad omfwd
> :app-name, !isequal, "" {
>  action(type="omfwd" protocol="tcp" target= "localhost" port="1515"
> Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted"
> KeepAlive="on")
> }
>
> template(name="missingAppName" type="string" string="<%PRI%>1
> %TIMESTAMP:::date-rfc3339% %HOSTNAME% NOAPPNAME %PROCID% %MSGID%
> %STRUCTURED-DATA% %msg% \n")
>
> :app-name, isequal, "" {
>  action(type="omfwd" protocol="tcp" target= "localhost" port="1515"
> Template="missingAppName" TCP_Framing="octet-counted" KeepAlive="on")
> }
> ```
>
>
>
> Could you please clarify how rsyslog interacts with the system name
> resolution cache as we thought it wouldn't be touching the value of
> hostname before retransmitting it. It has been fixed by removing the
> cache entry. The server is a Debian bullseye with a 8.2102.0-2+deb11u1
> (version might be incorrect as I've had the issue a couple of months ago and
> haven't noted it here. I will try to find it back if needed).
>
> Best regards.
>
>
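Rainer's point above is that when the header cannot be parsed, rsyslog uses the sender's IP address as the hostname, which on a relay looks as if the hostname had been replaced. The following Python is an added, simplified illustration of that fallback (not rsyslog's parser): it validates the RFC 5424 HOSTNAME field, falls back to the sender IP on a NILVALUE, a non-printable name or a non-RFC-5424 header, and keeps the sender IP alongside so the two can be compared downstream; all inputs are constructed.

```python
import re

# Simplified RFC 5424 HEADER:
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID [SP rest]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$",
    re.DOTALL,
)
# HOSTNAME is PRINTUSASCII, 1..255 octets (RFC 5424, section 6.2.4)
HOSTNAME_OK = re.compile(r"^[\x21-\x7e]{1,255}$")


def hostname_for(raw, sender_ip):
    """Decide which hostname a relay should attach to a received message.

    Returns the chosen hostname, where it came from ("message" or
    "sender-ip"), why, and the sender IP so both survive for later audit.
    """
    result = {"fromhost_ip": sender_ip}
    m = HEADER_RE.match(raw)
    if m is None:
        # No parseable RFC 5424 header: nothing trustworthy to take a name from
        result.update(hostname=sender_ip, source="sender-ip",
                      reason="no RFC 5424 header")
        return result
    host = m.group("host")
    if host == "-":
        result.update(hostname=sender_ip, source="sender-ip",
                      reason="NILVALUE hostname")
    elif not HOSTNAME_OK.match(host):
        result.update(hostname=sender_ip, source="sender-ip",
                      reason="hostname not PRINTUSASCII")
    else:
        result.update(hostname=host, source="message", reason=None)
    result["app_name"] = m.group("app")
    return result


if __name__ == "__main__":
    # constructed messages from a hypothetical device at 192.0.2.10
    for msg in (
        "<134>1 2023-11-02T15:46:00Z sw01.example.net sshd 123 - - login ok",
        "<134>1 2023-11-02T15:46:00Z - sshd 123 - - login ok",
        "<134>Nov  2 15:46:00 sw01 sshd[123]: login ok",
    ):
        print(hostname_for(msg, "192.0.2.10"))
```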

Re: [rsyslog] RFC: removing rsyslog.service samples from git

2023-10-23 Thread Rainer Gerhards via rsyslog
Thanks for the comments. Done via

https://github.com/rsyslog/rsyslog/pull/5255

Rainer

El vie, 20 oct 2023 a las 18:33, David Lang via rsyslog
() escribió:
>
> Makes sense to me, they are far more dependent on the distro decisions than
> anything we provide.
>
> David Lang
>
> On Fri, 20 Oct 2023, John Chivian via rsyslog wrote:
>
> > Hi Rainer:
> >
> >   Our source of truth for rsyslog.service has always been the copy packaged 
> > with the OS, and all modifications to it have come from vendor and systemd 
> > documentation.  I do not personally see a need for that file to reside in 
> > the rsyslog repo.
> >
> > Regards,
> >
> >
> >> On Oct 20, 2023, at 10:24, Rainer Gerhards via rsyslog 
> >>  wrote:
> >>
> >> Hi all,
> >>
> >> the git repository contains rsyslog.service sample files. Actually,
> >> these have not been updated for years and do no longer match distro
> >> policies.
> >>
> >> Thankfully, Michael Biebl sent a PR to update the Debian parts. We had
> >> a small discussion about the usefulness of these files at all. Michael
> >> would be fine with removing them, and I think this is probably the
> >> wisest thing to do. After all, these are not genuine rsyslog files.
> >>
> >> Instead, we can replace them with hints where to look inside the
> >> distro repositories. But I would not tend to do big research to find
> >> all of them.
> >>
> >> The PR is this one:
> >>
> >> https://github.com/rsyslog/rsyslog/pull/5252
> >>
> >> Question now: does anybody object to removing the rsyslog.service
> >> files? If so, why is it important to keep them - and maybe how to
> >> better maintain them.
> >>
> >> TIA,
> >> Rainer
> >
> >

[rsyslog] RFC: removing rsyslog.service samples from git

2023-10-20 Thread Rainer Gerhards via rsyslog
Hi all,

the git repository contains rsyslog.service sample files. Actually,
these have not been updated for years and do no longer match distro
policies.

Thankfully, Michael Biebl sent a PR to update the Debian parts. We had
a small discussion about the usefulness of these files at all. Michael
would be fine with removing them, and I think this is probably the
wisest thing to do. After all, these are not genuine rsyslog files.

Instead, we can replace them with hints where to look inside the
distro repositories. But I would not tend to do big research to find
all of them.

The PR is this one:

https://github.com/rsyslog/rsyslog/pull/5252

Question now: does anybody object to removing the rsyslog.service
files? If so, why is it important to keep them - and maybe how to
better maintain them.

TIA,
Rainer


Re: [rsyslog] Repeated 111 to rsyslog UDS from nginx

2023-09-21 Thread Rainer Gerhards via rsyslog
I guess it works because journal always throws messages away if it cannot
deliver them quickly. Like a very short timeout+drop queue config in
rsyslog.

Rainer

Sent from phone, thus brief.

David Lang  schrieb am Do., 21. Sept. 2023, 08:23:

> now you have journald acting as a queue, so all messages from journald
> will end
> up delayed when your script cannot keep up. You haven't solved the problem
> of
> the slow script, you've just added another layer of buffer to fill up
> before you
> notice.
>
> with rsyslog you can set the queue size to whatever you want, and you can
> spill
> logs to disk when your queue fills up.
>
> but no matter what you do, if you have something that is processing logs
> slower
> than they are being generated, eventually you will run out of queue space
> (in
> memory or on disk) and have to stop accepting new messages, or start
> throwing
> away messages you haven't processed yet
>
> David Lang
>
> On Thu, 21 Sep 2023, TG Servers via rsyslog wrote:
>
> > the only way I was able to fix this was to use a dedicated socket
> > created via systemd and passed via systemd to rsyslog
> > since then it is working without any issues.
> > although I implemented a queue, too, this did not fix the problem as
> > long as the socket was handled by rsyslog itself
> > so this is "fixed" from my point of view, I know for the future now
> >
> > On 18/09/2023 21:53, TG Servers via rsyslog wrote:
> >> I don't know what this is... I implemented a complete queue solution
> >> and it occasionally happens when there is no request but one in sight,
> >> and this one gets a 111 then, nothing in nginx debug log, no error to
> >> be seen in rsyslog log
> >> but one thing I realized, after a restart the first log message
> >> always, reproducibly gets a 111
> >> the socket is not connected, nor listening, only after the first
> >> request is logged/or not logged (which is logged with 111 in nginx)
> >> the socket is connected and listening, so restarting rsyslog via
> >> systemd does not connect/listen to/on the socket
> >>
> >> the rsyslog debug log just tells us this :
> >> 6289.088037540:main thread: imuxsock.c: imuxsock: Opened UNIX
> >> socket '/run/logmat' (fd 6).
> >>
> >> [root@xxx rsyslog.d]# systemctl restart rsyslog
> >> [root@xxx rsyslog.d]# ss -x | grep logmat
> >> [root@xxx rsyslog.d]# lsof /run/logmat
> >> COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> >> rsyslogd 2097140 root6u  unix 0x  0t0 25300317
> >> /run/logmat type=DGRAM (UNCONNECTED)
> >>
> >> make a request from browser or curl
> >>
> >> [root@xxx rsyslog.d]# lsof /run/logmat
> >> COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> >> rsyslogd 2097140 root6u  unix 0x  0t0 25300317
> >> /run/logmat type=DGRAM (CONNECTED)
> >> [root@xxx rsyslog.d]# ss -x | grep logmat
> >> u_dgr ESTAB 0 0 /run/logmat 25300317* 0
> >>
> >> On 18/09/2023 16:34, TG Servers via rsyslog wrote:
> >>> I just wanted to add that in a further message as it came to my mind.
> >>> you were faster...
> >>> the script is definitely "slow", this is what I know for sure as it
> >>> does quite a lot of processing/analytics in the background, so even
> >>> if you trigger it from command line it can take half a sec or so
> >>> I can't change that, it needs to do what it does, I didn't write it
> >>> though it can handle manual fast F5 triggers in the browser without
> >>> issue and then it 111s when there are 2 requests incoming...
> >>> I thought rsyslog might handle that just well via the queue...
> >>> but then this might eventually really be the issue, and if it is, is
> >>> there anything to mitigate this from rsyslog side (in terms of own
> >>> queue for that socket or something in that direction)?
> >>> ok, will enable impstats, too when I switch back
> >>>
> >>> Thanks,
> >>> Tom
> >>>
> >>> On 18/09/2023 16:17, Rainer Gerhards wrote:
> > so far not a single 111 today, I let this run the until late evening,
> > and if there is still no 111 I will put back the python script in
> order
> > because right now there are 2 possibilities, I moved the socket as
> > said,
> > and I skipped the script and just appended the message to a file
> > if either of the 2 things are responsible in the end I won't
> > understand
> > it either :)
>  I don't know what the script does. But if it is slow, it may push back
>  to the main queue, making rsyslog unresponsive.
> 
>  This is David's concern. Tomorrow, if you re-enable, you should also
>  enable impstats as David suggested.
> 
>  Rainer
> >>>

Re: [rsyslog] oversizemsg

2023-09-19 Thread Rainer Gerhards via rsyslog
I reviewed the code - it's puzzling. It looks like the config system
for that param got implemented, but that part of the config is never
used. Looks a bit like a PR is missing. I need to investigate closer.
I'd appreciate the creation of a github issue.

Rainer

El lun, 18 sept 2023 a las 21:15, David Lang via rsyslog
() escribió:
>
> please post your full config including any included files
>
> rsyslogd -N1 -o /path/to/file
>
> will create the combined config as rsyslog sees it, and report any config 
> errors
> it finds along the way.
>
> David Lang
>
> On Mon, 18 Sep 2023, John Chivian via rsyslog wrote:
>
> > Question for maintainers regarding rsyslog 8.2210. I am using the 
> > following in the configuration…
> >
> >   maxMessageSize="32k"
> >   oversizemsg.errorfile="/path/to/oversize.out"
> >   oversizemsg.input.mode="truncate"
> >
> > …and I am getting LOTS of the following in the rsyslog log file…
> >
> >   rsyslog: imptcp ptcp-51408-in: message received is at least X byte larger 
> > that was msg size; message will be split at: "random 32 chars from message 
> > str"
> >
> > …but there is never anything written to /path/to/oversize.out
> >
> >
> > Is this expected behavior?
> >
> >
> > Thanks and regards,
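A way to reproduce what John reports, as an added example that is neither from the thread nor from rsyslog's own testbench: build a syslog message larger than maxMessageSize, send it to an imptcp listener and count the entries in the configured oversizemsg.errorfile. HOST, PORT, ERRORFILE and the 32k limit are placeholders standing in for the setup in the post, and the global() block in the docstring is the assumed new-style equivalent of the three parameters he quoted.

```python
"""Probe rsyslog's oversize-message handling (added example, not from the thread).

Assumed rsyslog config on the target, the new-style form of the parameters
quoted in the post (placeholders, adapt to your setup):

    global(maxMessageSize="32k"
           oversizemsg.errorfile="/path/to/oversize.out"
           oversizemsg.input.mode="truncate")
    module(load="imptcp")
    input(type="imptcp" port="51408")
"""
import socket
import time

HOST = "127.0.0.1"                     # placeholder
PORT = 51408                           # port from the post's imptcp input name
ERRORFILE = "/path/to/oversize.out"    # placeholder, as in the post
MAX_MESSAGE_SIZE = 32 * 1024           # maxMessageSize="32k"


def build_syslog_message(total_len: int, tag: str = "oversize-probe") -> bytes:
    """RFC 5424-style message padded to exactly total_len bytes.
    The trailing marker shows whether the tail survived truncation."""
    header = b"<134>1 2023-09-18T21:15:00Z probe-host " + tag.encode() + b" - - - "
    marker = b"<END>"
    pad = total_len - len(header) - len(marker)
    if pad < 0:
        raise ValueError("total_len too small for header and marker")
    return header + b"A" * pad + marker


def frame_octet_counted(msg: bytes) -> bytes:
    """RFC 6587 octet-counting framing ("<len> <msg>"), which imptcp accepts
    by default and which carries any byte, newlines included."""
    return str(len(msg)).encode() + b" " + msg


def frame_lf(msg: bytes) -> bytes:
    """Traditional LF-terminated framing; the message must not contain LF."""
    if b"\n" in msg:
        raise ValueError("LF framing cannot carry embedded newlines")
    return msg + b"\n"


def send_frames(host: str, port: int, frames, timeout: float = 5.0) -> int:
    """Send all frames over a single TCP connection; returns bytes sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        for f in frames:
            s.sendall(f)
            sent += len(f)
    return sent


def count_oversize_entries(path: str) -> int:
    """Lines in oversizemsg.errorfile; 0 when the file was never created,
    which is exactly the symptom reported in the thread."""
    try:
        with open(path, "rb") as fh:
            return sum(1 for _ in fh)
    except FileNotFoundError:
        return 0


def probe(host: str = HOST, port: int = PORT, errorfile: str = ERRORFILE) -> tuple:
    """Send one message 4 KiB over the limit; return (entries_before, entries_after)."""
    before = count_oversize_entries(errorfile)
    msg = build_syslog_message(MAX_MESSAGE_SIZE + 4096)
    send_frames(host, port, [frame_octet_counted(msg)])
    time.sleep(1.0)   # rsyslog writes the error file asynchronously
    return before, count_oversize_entries(errorfile)


if __name__ == "__main__":
    b, a = probe()
    print(f"oversize entries before={b} after={a}; "
          f"{'errorfile written' if a > b else 'NOT written (matches the report)'}")
```

Run it against the listener while tailing the rsyslog log: if the "message will be split" line appears but the entry count does not move, you have reproduced the report and can attach the numbers to the GitHub issue Rainer asked for.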

Re: [rsyslog] rsyslog mmextenal logstash json output with escaped quotations and additional quotations

2023-09-19 Thread Rainer Gerhards via rsyslog
It's not easy to guess what rsyslog really sees, but I have one final
shot. As it looks, msg might already contain json. In that case, do
not use any special json formatting option. These options exist to
ensure non-json data (or json data as an inner encapsulation layer)
will be received as-is.

Rainer

On Mon, 18 Sep 2023 at 17:04, Lennon, Sean (UK)
() wrote:
>
>
>
>
> Sorry, but for ‘reasons’ I can only give you a severely edited version, I 
> have used debug output from mmexternal first and the received message from 
> logstash second:
>
>
>
> 1.   mmexternal debug output - I am satisfied with this.
> { "msg" : {"messageGroup":[{"field1":1,"field2":2},{"field1":3,"field2":4}]}}
>
> 2.   what logstash receives
> "message" => "{ \"msg\" :
> {\"messageGroup\":[{\"field1\":1,\"field2\":2},{\"field1\":3,\"field2\":4}]}}"
>
>
>
>
>
> From: Rainer Gerhards 
> Sent: 18 September 2023 15:47
> To: Lennon, Sean (UK) 
> Cc: rsyslog-users 
> Subject: Re: [rsyslog] rsyslog mmextenal logstash json output with escaped 
> quotations and additional quotations
>
>
>
> Output the message with RSYSLOG_DebugFormat template. I need to see which 
> data msg actually has.
>
>
>
> Rainer
>
> Sent from phone, thus brief.
>
>
>
> Lennon, Sean (UK)  wrote on Mon, 18 Sep 2023, 16:41:
>
>
>
>
>
>
> Thanks for your response Rainer.  I don't think it answers my question, I 
> have property fields from the Rsyslog message that are fine, they get 
> formatted correctly, for example 'timereported' or 'syslogseverity-text'.  
> So, the output json for these and others are correct, it's the msg field that 
> is returned from my custom code (using mmexternal) that is the problem.
>
> I have created a newer template that is more upto date and looks something 
> similar to this:
>
> template(name="json-template" type="list" option.jsonf="on") {
> property(outname="@timestamp" name="timereported" 
> dataformat="rfc3339" format="jsonf")
> property(outname="message" name="msg" format="jsonf")
> }
>
> -Original Message-
> From: Rainer Gerhards 
> Sent: 18 September 2023 15:26
> To: rsyslog-users 
> Cc: Lennon, Sean (UK) 
> Subject: Re: [rsyslog] rsyslog mmextenal logstash json output with escaped 
> quotations and additional quotations
>
>
> Does this example from the rsyslog testbench help?
>
> https://github.com/rsyslog/rsyslog/blob/761cb2bc51e3046b242b45994cff11ff8be3990e/tests/json-nonstring.sh#L4
>
> Rainer
>
> On Mon, 18 Sep 2023 at 15:10, Lennon, Sean (UK) via rsyslog
> () wrote:
> >
> >
> >
> >
> >
> >
> > This is the one I meant.
> >
> > -Original Message-
> > From: rsyslog  On Behalf Of Lennon,
> > Sean (UK) via rsyslog
> > Sent: 29 August 2023 17:39
> > To: rsyslog@lists.adiscon.com
> > Cc: Lennon, Sean (UK) 
> > Subject: [rsyslog] rsyslog mmextenal logstash json output with escaped
> > quotations and additional quotations
> >
> >
> > Hi all,
> >
> > I've encountered an issue with formatting json output to logstash.  I'm 
> > using mmexternal to reformat data received from a remote system, the data 
> > is project specific and needs to be massaged into json for use with 

Re: [rsyslog] rsyslog mmextenal logstash json output with escaped quotations and additional quotations

2023-09-18 Thread Rainer Gerhards via rsyslog
Output the message with RSYSLOG_DebugFormat template. I need to see which
data msg actually has.

Rainer

Sent from phone, thus brief.

Lennon, Sean (UK)  wrote on Mon, 18 Sep 2023, 16:41:

>
>
>
>
>
> Thanks for your response Rainer.  I don't think it answers my question, I
> have property fields from the Rsyslog message that are fine, they get
> formatted correctly, for example 'timereported' or 'syslogseverity-text'.
> So, the output json for these and others are correct, it's the msg field
> that is returned from my custom code (using mmexternal) that is the problem.
>
> I have created a newer template that is more upto date and looks something
> similar to this:
>
> template(name="json-template" type="list" option.jsonf="on") {
> property(outname="@timestamp" name="timereported"
> dataformat="rfc3339" format="jsonf")
> property(outname="message" name="msg" format="jsonf")
> }
>
> -Original Message-
> From: Rainer Gerhards 
> Sent: 18 September 2023 15:26
> To: rsyslog-users 
> Cc: Lennon, Sean (UK) 
> Subject: Re: [rsyslog] rsyslog mmextenal logstash json output with escaped
> quotations and additional quotations
>
>
> Does this example from the rsyslog testbench help?
>
>
> https://github.com/rsyslog/rsyslog/blob/761cb2bc51e3046b242b45994cff11ff8be3990e/tests/json-nonstring.sh#L4
>
> Rainer
>
> On Mon, 18 Sep 2023 at 15:10, Lennon, Sean (UK) via rsyslog
> () wrote:
> >
> >
> >
> >
> >
> >
> > This is the one I meant.
> >
> > -Original Message-
> > From: rsyslog  On Behalf Of Lennon,
> > Sean (UK) via rsyslog
> > Sent: 29 August 2023 17:39
> > To: rsyslog@lists.adiscon.com
> > Cc: Lennon, Sean (UK) 
> > Subject: [rsyslog] rsyslog mmextenal logstash json output with escaped
> > quotations and additional quotations
> >
> >
> > Hi all,
> >
> > I've encountered an issue with formatting json output to logstash.  I'm
> using mmexternal to reformat data received from a remote system, the data
> is project specific and needs to be massaged into json for use with
> logstash.  The intention is to create a json message for logstash with the
> mmexternal output being part of that message.  I'm able to receive this
> json output at logstash but the message field (which contains the
> mmexternal output) is encapsulated within double quotes and all json fields
> within have escaped double quotes.  This means that logstash is not able to
> interpret part of the message.  If I take the raw output of the mmextenal
> code and send it to a omfile then it looks perfectly fine.
> >
> > I have asked a more detailed question, on Stackoverflow:
> > https://stackoverflow.com/questions/77001549/rsyslog-mmextenal-logstas
> > h-json-output-with-escaped-quotations-and-additional-qu
> >
> > What am I missing?
> >
> > I appreciate your help.
> >
> > Sean
> >

Re: [rsyslog] rsyslog mmextenal logstash json output with escaped quotations and additional quotations

2023-09-18 Thread Rainer Gerhards via rsyslog
Does this example from the rsyslog testbench help?

https://github.com/rsyslog/rsyslog/blob/761cb2bc51e3046b242b45994cff11ff8be3990e/tests/json-nonstring.sh#L4

Rainer

On Mon, 18 Sep 2023 at 15:10, Lennon, Sean (UK) via rsyslog
() wrote:
>
>
>
>
>
>
> This is the one I meant.
>
> -Original Message-
> From: rsyslog  On Behalf Of Lennon, Sean 
> (UK) via rsyslog
> Sent: 29 August 2023 17:39
> To: rsyslog@lists.adiscon.com
> Cc: Lennon, Sean (UK) 
> Subject: [rsyslog] rsyslog mmextenal logstash json output with escaped 
> quotations and additional quotations
>
>
>
> Hi all,
>
> I've encountered an issue with formatting json output to logstash.  I'm using 
> mmexternal to reformat data received from a remote system, the data is 
> project specific and needs to be massaged into json for use with logstash.  
> The intention is to create a json message for logstash with the mmexternal 
> output being part of that message.  I'm able to receive this json output at 
> logstash but the message field (which contains the mmexternal output) is 
> encapsulated within double quotes and all json fields within have escaped 
> double quotes.  This means that logstash is not able to interpret part of the 
> message.  If I take the raw output of the mmextenal code and send it to a 
> omfile then it looks perfectly fine.
>
> I have asked a more detailed question, on Stackoverflow: 
> https://stackoverflow.com/questions/77001549/rsyslog-mmextenal-logstash-json-output-with-escaped-quotations-and-additional-qu
>
> What am I missing?
>
> I appreciate your help.
>
> Sean
>
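What Rainer's last reply in this thread means in practice, as an added example (my code, not the thread's and not rsyslog's): msg already holds JSON, so rendering it with format="jsonf" produces a JSON string and Logstash sees escaped quotes; emitting the text unescaped yields an object, but only a msg that actually parses as a JSON object can safely be embedded that way, otherwise the untrusted payload can break or extend the outer document. json.dumps stands in for rsyslog's jsonf escaping, and the sample message is the one Sean posted.

```python
"""Why Logstash saw an escaped string (added example, not from the thread or
from rsyslog). json.dumps is used as a stand-in for rsyslog's jsonf escaping."""
import json

# Constructed sample: the mmexternal debug output quoted in the thread.
MMEXTERNAL_MSG = '{ "msg" : {"messageGroup":[{"field1":1,"field2":2},{"field1":3,"field2":4}]}}'


def render_jsonf(msg: str) -> str:
    """Stand-in for property(outname="message" name="msg" format="jsonf"):
    the msg text becomes a JSON string value, quotes escaped."""
    return json.dumps({"message": msg})


def render_embedded(msg: str) -> str:
    """Stand-in for a template that emits the msg text as-is inside the
    object (constant text around the raw property). No escaping at all."""
    return '{"message": ' + msg + '}'


def render_safe(msg: str) -> str:
    """Embed as an object only when msg parses as a JSON object; otherwise
    fall back to the escaped-string form so malformed or hostile input
    cannot inject keys into the outer document."""
    try:
        obj = json.loads(msg)
    except ValueError:
        return render_jsonf(msg)
    if not isinstance(obj, dict):
        return render_jsonf(msg)
    return json.dumps({"message": obj})


def logstash_view(wire: str):
    """Parse the wire text the way a JSON codec on the receiver would."""
    return json.loads(wire)


def unwrap_nested(record: dict, field: str = "message") -> dict:
    """Receiver-side repair: if the field holds a JSON-encoded string,
    decode it in place (what a logstash json filter on that field does)."""
    value = record.get(field)
    if isinstance(value, str):
        try:
            record[field] = json.loads(value)
        except ValueError:
            pass
    return record


if __name__ == "__main__":
    for name, fn in (("jsonf", render_jsonf), ("embedded", render_embedded),
                     ("safe", render_safe)):
        wire = fn(MMEXTERNAL_MSG)
        kind = type(logstash_view(wire)["message"]).__name__
        print(f"{name:9s} -> message is a {kind}: {wire[:60]}...")
    hostile = '"x", "injected": true'
    print("embedded hostile ->", logstash_view(render_embedded(hostile)))
    print("safe hostile     ->", logstash_view(render_safe(hostile)))
```

The hostile sample is the reason not to drop the jsonf option blindly: anything that reaches msg unescaped becomes part of the document structure, so either the mmexternal script must be the only thing that can write that field, or the template must keep escaping and Logstash must decode the string.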

Re: [rsyslog] Repeated 111 to rsyslog UDS from nginx

2023-09-18 Thread Rainer Gerhards via rsyslog
> so far not a single 111 today, I let this run until late evening,
> and if there is still no 111 I will put back the python script in order
> because right now there are 2 possibilities, I moved the socket as said,
> and I skipped the script and just appended the message to a file
> if either of the 2 things are responsible in the end I won't understand
> it either :)

I don't know what the script does. But if it is slow, it may push back
to the main queue, making rsyslog unresponsive.

This is David's concern. Tomorrow, if you re-enable, you should also
enable impstats as David suggested.

Rainer


Re: [rsyslog] Repeated 111 to rsyslog UDS from nginx

2023-09-18 Thread Rainer Gerhards via rsyslog
Maybe a debug log helps, but if rsyslog does not emit an error
message, it does not sound like it has some issue. I also don't see a
relation to the script. But to be sure, would it be possible to
temporarily remove it and see if that changes anything?

Rainer

On Mon, 18 Sep 2023 at 9:09, TG Servers () wrote:
>
> Hi Rainer,
>
> this is from nginx error log, yes.
> No, I cannot find any other errors, that's my problem
> But it happens every single day, regularly...
> as just written in another message re the question if it occurs with rsyslog 
> restart or logrotate :
>
> no absolutely not, I cannot see any relation to things like that, that is 
> what leaves me a bit baffled here.
> You can see this is all from one day, and if there is a 111 on 2:52:19 on 
> 2:52:22 there is everything ok (just as an example)
> Rsyslog restarts run between 0:10 and 0:15, depending on finish of nightly 
> dnf-update, logrotate runs at 0:00 via systemd timer, nginx is not restarted 
> automatically
> There is no information in any log except in the nginx logs, and the entries 
> that are shown as failed are clearly missing in the target analytics log
> I cannot see any pattern...
>
>
> On 18/09/2023 08:53, Rainer Gerhards wrote:
>
> Is this from a nginx text log? Any errors infos from rsyslog itself?
>
> Rainer
> PS: I do not see how this can be related to rsyslog, but you never
> know. I do not yet understand the fault scenario TBH.
>
> On Sun, 17 Sep 2023 at 18:39, TG Servers via rsyslog
> () wrote:
>
> Hi,
>
> ever since I started logging to a UDS from my nginx I get the occasional
> 111 in my nginx error logs.
> As I literally don't have any other information or log entries I
> honestly do not know how to debug this.
> The thing is requests one second, or a few seconds later are processed
> totally fine, so it cannot be a general problem, nor an access problem or
> a permission problem.
> I would be glad if anyone could help on fixing this
>
> Examples:
> error.log:2023/09/17 02:41:59 [error] 346192#346192: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 02:41:59 [error] 346191#346191: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 02:52:19 [error] 346192#346192: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 04:09:44 [error] 346193#346193: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 04:09:45 [error] 346185#346185: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 04:20:20 [error] 346186#346186: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 06:20:01 [error] 346182#346182: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 08:32:35 [error] 346182#346182: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 08:32:35 [error] 346188#346188: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 09:34:34 [error] 346183#346183: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 09:34:35 [error] 346183#346183: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 16:00:25 [error] 346187#346187: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
>
> configuration for this single use case, of course there is a lot more in
> rsyslog.conf
> $AddUnixListenSocket /var/cache/nginx/rsyslog.socket
>
> $template app,"%msg:2:$%"
>
> if $programname == "app" then {
> ^/usr/local/script/app_log.sh;app
> stop
> }
>
> The script app_log.sh does simply
> echo "${@}" | /usr/bin/python 
>
> Many thanks
>

Re: [rsyslog] Repeated 111 to rsyslog UDS from nginx

2023-09-18 Thread Rainer Gerhards via rsyslog
Is this from an nginx text log? Any error info from rsyslog itself?

Rainer
PS: I do not see how this can be related to rsyslog, but you never
know. I do not yet understand the fault scenario TBH.

On Sun, 17 Sep 2023 at 18:39, TG Servers via rsyslog
() wrote:
>
> Hi,
>
> ever since I started logging to a UDS from my nginx I get the occasional
> 111 in my nginx error logs.
> As I literally don't have any other information or log entries I
> honestly do not know how to debug this.
> The thing is requests one second, or a few seconds later are processed
> totally fine, so it cannot be a general problem, nor an access problem or
> a permission problem.
> I would be glad if anyone could help on fixing this
>
> Examples:
> error.log:2023/09/17 02:41:59 [error] 346192#346192: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 02:41:59 [error] 346191#346191: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 02:52:19 [error] 346192#346192: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 04:09:44 [error] 346193#346193: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 04:09:45 [error] 346185#346185: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 04:20:20 [error] 346186#346186: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 06:20:01 [error] 346182#346182: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 08:32:35 [error] 346182#346182: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 08:32:35 [error] 346188#346188: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 09:34:34 [error] 346183#346183: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 09:34:35 [error] 346183#346183: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
> error.log:2023/09/17 16:00:25 [error] 346187#346187: send() failed (111:
> Connection refused) while logging to syslog, server:
> unix:/var/cache/nginx/rsyslog.socket
>
> configuration for this single use case, of course there is a lot more in
> rsyslog.conf
> $AddUnixListenSocket /var/cache/nginx/rsyslog.socket
>
> $template app,"%msg:2:$%"
>
> if $programname == "app" then {
> ^/usr/local/script/app_log.sh;app
> stop
> }
>
> The script app_log.sh does simply
> echo "${@}" | /usr/bin/python 
>
> Many thanks
>
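To see what the nginx errors in this thread do and do not tell you, the added example below (not from the thread) reproduces both outcomes on a throw-away AF_UNIX datagram socket: errno 111 when the socket path is still there but no live listener is bound to it, and a would-block error when the listener is alive but not draining its queue, which is the pushback Rainer describes. It assumes Linux semantics and a sender that connects once and then calls send(); it assumes nothing about nginx's own implementation.

```python
"""Reproduce the failure modes behind "send() failed (111: Connection refused)"
on an AF_UNIX datagram socket (added example, not from the thread).

Assumed Linux semantics:
  * ECONNREFUSED (111): the path exists but no live socket is bound to it,
    e.g. the listener closed or re-created its socket after we connected.
  * EAGAIN/EWOULDBLOCK (ENOBUFS on some other systems) on a non-blocking
    sender: the listener is alive but not draining its queue. That is what
    a slow consumer (pushback) looks like; it is not 111.
"""
import errno
import os
import socket
import tempfile

REFUSED_ERRNO = errno.ECONNREFUSED
WOULD_BLOCK_ERRNOS = (errno.EAGAIN, errno.EWOULDBLOCK, errno.ENOBUFS)


def tmp_socket_path() -> str:
    """Short path in a fresh temp dir (sun_path is limited to ~108 bytes)."""
    return os.path.join(tempfile.mkdtemp(prefix="uds-"), "rsyslog.socket")


def start_listener(path: str) -> socket.socket:
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    return srv


def connect_sender(path: str) -> socket.socket:
    """Connect once and then use send(), like a client holding one socket open."""
    snd = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    snd.connect(path)
    return snd


def errno_after_listener_closed(path: str) -> int:
    """Listener alive at connect time, gone before the second send.
    Returns the errno of that send, or 0 if it unexpectedly succeeded."""
    srv = start_listener(path)
    snd = connect_sender(path)
    try:
        snd.send(b"<190>nginx: first message is queued")
        srv.close()                     # socket dead, but the path remains
        snd.send(b"<190>nginx: second message")
        return 0
    except OSError as e:
        return e.errno
    finally:
        snd.close()
        if os.path.exists(path):
            os.unlink(path)


def errno_when_listener_stalls(path: str, msg_len: int = 1024, limit: int = 100000) -> int:
    """Listener bound but never reading; a non-blocking sender eventually
    hits the kernel's per-socket queue limit. Returns that errno, or 0."""
    srv = start_listener(path)
    snd = connect_sender(path)
    snd.setblocking(False)
    try:
        for _ in range(limit):
            snd.send(b"A" * msg_len)
        return 0
    except OSError as e:
        return e.errno
    finally:
        snd.close()
        srv.close()
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    p = tmp_socket_path()
    for name, fn in (("listener closed", errno_after_listener_closed),
                     ("listener stalled", errno_when_listener_stalls)):
        code = fn(p)
        print(f"{name:16s}: errno {code} ({errno.errorcode.get(code, 'ok')})")
```

So a sporadic 111 with requests seconds later succeeding points at moments when the socket was not bound (a listener re-creating the socket, or the path being replaced), while a consumer that is merely slow would show up as the second errno; impstats, as David suggested, is what tells you which queue was full at those timestamps.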

Re: [rsyslog] debugging pmciscoios

2023-09-13 Thread Rainer Gerhards via rsyslog
You can load modules only once. If you need a new input, just use the
"input" object.

I cannot read your config snippet correctly (it's garbled by your mail
client, maybe due to html mail). But it looks like it is invalid.

Rainer

On Thu, 7 Sep 2023 at 17:44, Pedro Caetano via rsyslog
() wrote:
>
> Hi,
>
> Following advice from this list, I've added the Adiscon repository to the
> Rocky Linux host, installed rsyslog and rsyslog-pmciscoios and restarted the
> rsyslog service.
>
> [root@svpasr1logp01 rsyslog.d]# rpm -qi rsyslog
> Name        : rsyslog
> Version     : 8.2310.0.master
> Release     : 1694045281
> Architecture: x86_64
> Install Date: Thu 07 Sep 2023 12:34:27 PM WEST
> Group       : System Environment/Daemons
> Size        : 2664591
> License     : (GPLv3+ and ASL 2.0)
> Signature   : RSA/SHA256, Thu 07 Sep 2023 01:19:35 AM WEST, Key ID 6b11d5c78f67ef64
> Source RPM  : rsyslog-8.2310.0.master-1694045281.src.rpm
> Build Date  : Thu 07 Sep 2023 01:19:32 AM WEST
> Build Host  : cb116f7368f7
> Relocations : (not relocatable)
> URL         : http://www.rsyslog.com/
> Summary     : Enhanced system logging and kernel message trapping daemon
> Description :
> Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
> syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
> and fine grain output format control. It is compatible with stock sysklogd
> and can be used as a drop-in replacement. Rsyslog is simple to set up, with
> advanced features suitable for enterprise-class, encryption-protected syslog
> relay chains.
>
> [root@svpasr1logp01 rsyslog.d]# rpm -qi rsyslog-pmciscoios
> Name        : rsyslog-pmciscoios
> Version     : 8.2310.0.master
> Release     : 1694045281
> Architecture: x86_64
> Install Date: Thu 07 Sep 2023 04:05:39 PM WEST
> Group       : System Environment/Daemons
> Size        : 17000
> License     : (GPLv3+ and ASL 2.0)
> Signature   : RSA/SHA256, Thu 07 Sep 2023 01:19:36 AM WEST, Key ID 6b11d5c78f67ef64
> Source RPM  : rsyslog-8.2310.0.master-1694045281.src.rpm
> Build Date  : Thu 07 Sep 2023 01:19:32 AM WEST
> Build Host  : cb116f7368f7
> Relocations : (not relocatable)
> URL         : http://www.rsyslog.com/
> Summary     : pmciscoios support
> Description :
> Parser module which supports various Cisco IOS formats.
>
>
> Then I've populated a file named switches.conf in /etc/rsyslog.d/ with the
> following content:
>
> $template TmplAuth, "/var/log/remote-syslog/testswitch1.log"
> #Modules
> module(load="imtcp")
> module(load="pmciscoios")
> #Inputs
> input(type="imtcp" port="20514" ruleset="rsyslogswitchs")
> #Parsers
> parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")
> #Rules
> ruleset(name="rsyslogswitchs" parser=["custom.ciscoios.withOrigin", "rsyslog.ciscoios"]){
>   *.* action(type="omfile" DynaFile="TmplAuth"
>
> Unfortunately it's not possible to load this file/input:
>
> [root@svpasr1logp01 rsyslog.d]# rsyslogd -f /etc/rsyslog.conf -N3
> rsyslogd: version 8.2310.0.master, config validation run (level 3), master config /etc/rsyslog.conf
> rsyslogd: module 'imtcp' already in this config, cannot be added  [v8.2310.0.master try https://www.rsyslog.com/e/2221 ]
> rsyslogd: error during parsing file /etc/rsyslog.d/switches.conf, on or before line 19: invalid character '}' in object definition - is there an invalid escape sequence somewhere? [v8.2310.0.master try https://www.rsyslog.com/e/2207 ]
> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 40: invalid character '$' in object definition - is there an invalid escape sequence somewhere? [v8.2310.0.master try https://www.rsyslog.com/e/2207 ]
> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 40: syntax error on token 'on' [v8.2310.0.master try https://www.rsyslog.com/e/2207 ]
> rsyslogd: could not interpret master config file '/etc/rsyslog.conf'. [v8.2310.0.master try https://www.rsyslog.com/e/2207 ]
> rsyslogd: imtcp: ruleset 'rsyslogswitchs' for port 20514 not found - using default ruleset instead [v8.2310.0.master]
>
> If the new file is removed, rsyslog is able to start without these warnings,
> so I presume the error may lie in the added configuration.
>
> Any help would be appreciated.
>
> Best,
> Pedro
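A pre-flight check for the two problems in Pedro's config, as an added example (my code, not rsyslog tooling; rsyslogd -N1 stays the authoritative check, this only tells you which file and line to look at first): find module(load=...) statements repeated across /etc/rsyslog.conf and /etc/rsyslog.d/*.conf, and report any '(' or '{' left open per file and line. The embedded configs are constructed stand-ins for the files in the post, not copies of them.

```python
"""Find duplicate module loads and unclosed objects in rsyslog configs
(added example, not rsyslog's own tooling)."""
import glob
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-ins for the files in the post (not the real files).
SAMPLE_CONFIGS = {
    "/etc/rsyslog.conf": 'module(load="imtcp")\ninput(type="imtcp" port="514")\n',
    "/etc/rsyslog.d/switches.conf": (
        '$template TmplAuth, "/var/log/remote-syslog/testswitch1.log"\n'
        '#Modules\n'
        'module(load="imtcp")\n'
        'module(load="pmciscoios")\n'
        '#Inputs\n'
        'input(type="imtcp" port="20514" ruleset="rsyslogswitchs")\n'
        '#Parsers\n'
        'parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")\n'
        '#Rules\n'
        'ruleset(name="rsyslogswitchs" parser=["custom.ciscoios.withOrigin", "rsyslog.ciscoios"]){\n'
        '  *.* action(type="omfile" DynaFile="TmplAuth"\n'
    ),
}

MODULE_LOAD = re.compile(r'module\s*\(\s*load\s*=\s*"([^"]+)"', re.IGNORECASE)


def sanitize(text: str, keep_strings: bool) -> str:
    """Drop '#' comments; optionally blank double-quoted string contents so
    brackets inside strings do not confuse the balance check. Newlines are
    preserved so line numbers stay meaningful."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1] if keep_strings else '""')
            i = j + 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def duplicate_module_loads(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """module name -> files loading it, for modules loaded more than once."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for path, text in configs.items():
        for m in MODULE_LOAD.finditer(sanitize(text, keep_strings=True)):
            seen[m.group(1).lower()].append(path)
    return {mod: files for mod, files in seen.items() if len(files) > 1}


def unbalanced_brackets(text: str) -> List[Tuple[int, str]]:
    """(line, bracket) for every '(' or '{' never closed, plus stray closers."""
    stack: List[Tuple[int, str]] = []
    problems: List[Tuple[int, str]] = []
    pairs = {")": "(", "}": "{"}
    for lineno, line in enumerate(sanitize(text, keep_strings=False).splitlines(), 1):
        for ch in line:
            if ch in "({":
                stack.append((lineno, ch))
            elif ch in pairs:
                if stack and stack[-1][1] == pairs[ch]:
                    stack.pop()
                else:
                    problems.append((lineno, ch))
    return problems + stack


def check(configs: Dict[str, str]) -> List[str]:
    findings = []
    for mod, files in duplicate_module_loads(configs).items():
        findings.append(f"module '{mod}' loaded in more than one file: {', '.join(files)}")
    for path, text in configs.items():
        for lineno, ch in unbalanced_brackets(text):
            findings.append(f"{path}:{lineno}: unbalanced '{ch}'")
    return findings


def load_configs(paths: List[str]) -> Dict[str, str]:
    return {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}


if __name__ == "__main__":
    paths = [p for p in ["/etc/rsyslog.conf"] + sorted(glob.glob("/etc/rsyslog.d/*.conf"))
             if os.path.exists(p)]
    configs = load_configs(paths) if paths else SAMPLE_CONFIGS
    for line in check(configs) or ["no findings"]:
        print(line)
```

On the sample it reports imtcp loaded in both files (the "already in this config" error) and the '{' of the ruleset and the '(' of the action on the last two lines, which is where the "invalid character '}'" complaint comes from. Legacy "$..." directives and "[...]" arrays are deliberately left alone.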

Re: [rsyslog] Permission Denied when running rsyslog

2023-08-30 Thread Rainer Gerhards via rsyslog
Ole,

it probably is a good idea to file this as a github issue and tag
@cropi while doing so.

The last fix to that patch was this here:

https://github.com/rsyslog/rsyslog/pull/5166

Rainer

On Wed, 30 Aug 2023 at 14:30, Rainer Gerhards
() wrote:
>
> There is a patch by Red Hat that limits rsyslog capabilities. One
> capability is CAP_DAC_OVERRIDE, which permits to bypass permission
> checks. IMHO it should not be dropped even with the patch present, but
> it sounds like it is. Please also note that there are different
> versions of that patch available.
>
> My guess is that you have a patched version which drops that capability.
>
> We (Adiscon, rsyslog's main sponsor) do not currently apply that patch
> in our package build process, as it gave a couple of folks trouble.
> Thus I asked if it works with our native version. In any case, it
> would make sense for you to contact Red Hat support.
>
> HTH
> Rainer
>
> On Wed, 30 Aug 2023 at 13:24, Ole Froslie via rsyslog
> () wrote:
> >
> > When logged in as root, I can read the file with its permissions set to
> > -rw--- , for example using "cat access". This outputs the content of
> > the file on my terminal screen.
> > I do not understand the difference between reading with cat, and rsyslog
> > reading when running as root?
> >
> > I agree that it should be possible to configure the system creating the
> > file and doing the roll, so that the file is readable by others.
> > On the other hand, these are log files of a security related system so it
> > is understandable that access is very limited.
> >
> >
> >
> >
> > On Wed, 30 Aug 2023 at 11:16, David Lang  wrote:
> >
> > > On Wed, 30 Aug 2023, Ole Froslie wrote:
> > >
> > > > Since rsyslog is running as root, I thought it should be able to read any
> > > > file on the system, regardless of file permissions?
> > >
> > > no, it can (eventually) set permissions so it can read it, which you did by
> > > doing o+r (which also shows that it's not SELinux)
> > >
> > > but when the file rolls and sets the permissions on the new file, root can no
> > > longer read it.
> > >
> > > > Adding rsyslog to the dirsrv group does not solve the problem since the
> > > > file permissions for the access file only allows the user dirsrv to read
> > > > /write, not the group dirsrv.
> > > > -rw---. 1 dirsrv dirsrv  6007159 Aug 29 10:56 *access*
> > >
> > > so it's setting it so that only something running as the user dirsrv can
> > > read
> > > it, you need to change the settings in that program.
> > >
> > > or as a horrible work around, you could run a second copy of rsyslog as
> > > the user
> > > dirsrv to read the file and send it to your main instance.
> > >
> > > but fixing it so that something other than the user dirsrv can read it
> > > will
> > > probably be your best option.
> > >
> > > David Lang
> > >
> > > > -Ole
> > > >
> > > >
> > > > On Tue, 29 Aug 2023 at 19:25, David Lang  wrote:
> > > >
> > > >> you have already identified the problem, the files are being created
> > > with
> > > >> permissions that prohibit rsyslog from reading them.
> > > >>
> > > >> you may be able to add root to the group dirsrv to allow rsyslog to 
> > > >> read
> > > >> them,
> > > >> otherwise you need to figure out a way to create the files with
> > > different
> > > >> permissions.
> > > >>
> > > >> David Lang
> > > >>
> > > >> On Tue, 29 Aug 2023, Ole Froslie via rsyslog wrote:
> > > >>
> > > >>> Hi,
> > > >>> I am setting up centralized logging from FreeIPA version 4.10.1 
> > > >>> running
> > > >> on
> > > >>> CentOS.
> > > >>> I have tried to set up the logging, initially just the access log,
> > > using
> > > >>> this config (with domain and IPs obfuscated)
> > > >>>
> > > >>> module(load="imfile")
> > > >>>
> > > >>>
> > > >>> input(type="imfile" File="/var/log/dirsrv/slapd-MY_DOMAIN/access"
> > > >>> Tag="ipa-security-log" Facility="local0")
> > > >>>
> > > >>> # Forward local facilities
> > > >>>
> > > >>> if $syslogfacility >= 16 then @my_ip_adress:514
> > > >>>
> > > >>> When restarting rsyslog with this config, I get an error message (with
> > > >>> servername and domains obfuscated):
> > > >>>
> > > >>> Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Starting System
> > > >> Logging
> > > >>> Service...
> > > >>>
> > > >>> Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: on
> > > >> startup
> > > >>> file '/var/log/dirsrv/slapd-MY-DOMAIN/access' does not exist but is
> > > >>> configured in static file monitor - this may indicate a
> > > misconfiguration.
> > > >>> If the file appears at a later time, it will automatically be
> > > processed.
> > > >>> Reason: Permission denied [v8.2102.0-109.el9]*
> > > >>>
> > > >>> Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Started System
> > > Logging
> > > >>> Service.
> > > >>>
> > > >>> Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: [origin
> > > >>> software="rsyslogd" swVersion="8.2102.0-109.el9" x-pid="12607" 

Re: [rsyslog] Permission Denied when running rsyslog

2023-08-30 Thread Rainer Gerhards via rsyslog
There is a patch by Red Hat that limits rsyslog capabilities. One
capability is CAP_DAC_OVERRIDE, which permits to bypass permission
checks. IMHO it should not be dropped even with the patch present, but
it sounds like it is. Please also note that there are different
versions of that patch available.

My guess is that you have a patched version which drops that capability.

We (Adiscon, rsyslog's main sponsor) do not currently apply that patch
in our package build process, as it gave a couple of folks trouble.
Thus I asked if it works with our native version. In any case, it
would make sense for you to contact Red Hat support.

HTH
Rainer

On Wed, 30 Aug 2023 at 13:24, Ole Froslie via rsyslog
() wrote:
>
> When logged in as root, I can read the file with its permissions set to
> -rw--- , for example using "cat access". This outputs the content of
> the file on my terminal screen.
> I do not understand the difference between reading with cat, and rsyslog
> reading when running as root?
>
> I agree that it should be possible to configure the system creating the
> file and doing the roll, so that the file is readable by others.
> On the other hand, these are log files of a security related system so it
> is understandable that access is very limited.
>
>
>
>
> On Wed, 30 Aug 2023 at 11:16, David Lang  wrote:
>
> > On Wed, 30 Aug 2023, Ole Froslie wrote:
> >
> > > Since rsyslog is running as root, I thought it should be able to read any
> > > file on the system, regardless of file permissions?
> >
> > no, it can (eventually) set permissions so it can read it, which you did
> > by
> > doing o+r (which also shows that it's not SELinux)
> >
> > but when the file rolls and sets the permissions on the new file, root can
> > no
> > longer read it.
> >
> > > Adding rsyslog to the dirsrv group does not solve the problem since the
> > > file permissions for the access file only allows the user dirsrv to read
> > > /write, not the group dirsrv.
> > > -rw---. 1 dirsrv dirsrv  6007159 Aug 29 10:56 *access*
> >
> > so it's setting it so that only something running as the user dirsrv can
> > read
> > it, you need to change the settings in that program.
> >
> > or as a horrible work around, you could run a second copy of rsyslog as
> > the user
> > dirsrv to read the file and send it to your main instance.
> >
> > but fixing it so that something other than the user dirsrv can read it
> > will
> > probably be your best option.
> >
> > David Lang
> >
> > > -Ole
> > >
> > >
> > > On Tue, 29 Aug 2023 at 19:25, David Lang  wrote:
> > >
> > >> you have already identified the problem, the files are being created
> > with
> > >> permissions that prohibit rsyslog from reading them.
> > >>
> > >> you may be able to add root to the group dirsrv to allow rsyslog to read
> > >> them,
> > >> otherwise you need to figure out a way to create the files with
> > different
> > >> permissions.
> > >>
> > >> David Lang
> > >>
> > >> On Tue, 29 Aug 2023, Ole Froslie via rsyslog wrote:
> > >>
> > >>> Hi,
> > >>> I am setting up centralized logging from FreeIPA version 4.10.1 running
> > >> on
> > >>> CentOS.
> > >>> I have tried to set up the logging, initially just the access log,
> > using
> > >>> this config (with domain and IPs obfuscated)
> > >>>
> > >>> module(load="imfile")
> > >>>
> > >>>
> > >>> input(type="imfile" File="/var/log/dirsrv/slapd-MY_DOMAIN/access"
> > >>> Tag="ipa-security-log" Facility="local0")
> > >>>
> > >>> # Forward local facilities
> > >>>
> > >>> if $syslogfacility >= 16 then @my_ip_adress:514
> > >>>
> > >>> When restarting rsyslog with this config, I get an error message (with
> > >>> servername and domains obfuscated):
> > >>>
> > >>> Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Starting System
> > >> Logging
> > >>> Service...
> > >>>
> > >>> Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: on
> > >> startup
> > >>> file '/var/log/dirsrv/slapd-MY-DOMAIN/access' does not exist but is
> > >>> configured in static file monitor - this may indicate a
> > misconfiguration.
> > >>> If the file appears at a later time, it will automatically be
> > processed.
> > >>> Reason: Permission denied [v8.2102.0-109.el9]*
> > >>>
> > >>> Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Started System
> > Logging
> > >>> Service.
> > >>>
> > >>> Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: [origin
> > >>> software="rsyslogd" swVersion="8.2102.0-109.el9" x-pid="12607" x-info="
> > >>> https://www.rsyslog.com;] start
> > >>>
> > >>> Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: error
> > >>> accessing file '/var/log/dirsrv/slapd-MY-DOMAIN/access': Permission
> > >> denied
> > >>> [v8.2102.0-109.el9]*
> > >>>
> > >>> Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imjournal:
> > >> journal
> > >>> files changed, reloading...  [v8.2102.0-109.el9 try
> > >>> https://www.rsyslog.com/e/0  ]*
> > >>>
> > >>>
> > >>> I have observed the following, 
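
One way to confirm the capability point Rainer raises above, as an added example that is not code from the thread or from rsyslog: it decodes CapEff from /proc/<pid>/status and models the discretionary-access decision a uid-0 process then gets on a mode-0600 file owned by a service account. The capability bit numbers are those of linux/capability.h; the status excerpts and the owner uid/gid 389 are constructed placeholders.

```python
"""Check whether a running rsyslogd still holds CAP_DAC_OVERRIDE, the
capability that lets root bypass mode-bit checks, and model the resulting
open() decision. Added example, not from the thread or from rsyslog; the bit
numbers are those of linux/capability.h, the sample status texts are constructed."""
import re
import sys

CAP_DAC_OVERRIDE = 1       # bypass read/write/execute permission checks
CAP_DAC_READ_SEARCH = 2    # bypass read and directory-search checks only


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status content."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def has_cap(mask, cap_bit):
    """True when the given capability bit is set in the mask."""
    return bool((mask >> cap_bit) & 1)


def root_can_read(mask, mode, owner_uid, owner_gid, groups=(0,)):
    """Discretionary-access decision for a uid-0 process opening a file read-only.
    With CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH the kernel skips the mode bits;
    without them root is checked like any other user (MAC such as SELinux is
    not modelled here)."""
    if has_cap(mask, CAP_DAC_OVERRIDE) or has_cap(mask, CAP_DAC_READ_SEARCH):
        return True
    if owner_uid == 0:
        return bool(mode & 0o400)
    if owner_gid in groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def diagnose(status_text, mode, owner_uid, owner_gid):
    """Summarise why a root daemon with this status may get EACCES on a file."""
    mask = parse_cap_eff(status_text)
    return {
        "cap_dac_override": has_cap(mask, CAP_DAC_OVERRIDE),
        "cap_dac_read_search": has_cap(mask, CAP_DAC_READ_SEARCH),
        "root_can_read": root_can_read(mask, mode, owner_uid, owner_gid),
    }


# Constructed /proc/<pid>/status excerpts (not captured from a real host):
# the first is a full root set, the second has bits 1 and 2 cleared.
STATUS_FULL = "Name:\trsyslogd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
STATUS_DROPPED = "Name:\trsyslogd\nUid:\t0\t0\t0\t0\nCapEff:\t000001fffffffff9\n"

if __name__ == "__main__":
    # Usage: python3 capcheck.py <pid of rsyslogd>  (reads the live status file);
    # without a pid the constructed "dropped" sample is used.
    if len(sys.argv) == 2:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = STATUS_DROPPED
    # A 0600 file owned by a non-root service account (uid/gid 389 are placeholders).
    print(diagnose(text, 0o600, 389, 389))
```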

Re: [rsyslog] Permission Denied when running rsyslog

2023-08-30 Thread Rainer Gerhards via rsyslog
It might be worth contacting Red Hat if there is a patch inside their
version that causes the issue.

Alternatively, you can try rsyslog from the project itself.

And maybe there are some other OS settings that cause this issue.

My 2cts,
Rainer

On Wed, 30 Aug 2023 at 10:07, Ole Froslie via rsyslog
() wrote:
>
> Since rsyslog is running as root, I thought it should be able to read any
> file on the system, regardless of file permissions?
> Adding rsyslog to the dirsrv group does not solve the problem since the
> file permissions for the access file only allows the user dirsrv to read
> /write, not the group dirsrv.
>  -rw---. 1 dirsrv dirsrv  6007159 Aug 29 10:56 *access*
>
> -Ole
>
>
> On Tue, 29 Aug 2023 at 19:25, David Lang  wrote:
>
> > you have already identified the problem, the files are being created with
> > permissions that prohibit rsyslog from reading them.
> >
> > you may be able to add root to the group dirsrv to allow rsyslog to read
> > them,
> > otherwise you need to figure out a way to create the files with different
> > permissions.
> >
> > David Lang
> >
> > On Tue, 29 Aug 2023, Ole Froslie via rsyslog wrote:
> >
> > > Hi,
> > > I am setting up centralized logging from FreeIPA version 4.10.1 running
> > on
> > > CentOS.
> > > I have tried to set up the logging, initially just the access log, using
> > > this config (with domain and IPs obfuscated)
> > >
> > > module(load="imfile")
> > >
> > >
> > > input(type="imfile" File="/var/log/dirsrv/slapd-MY_DOMAIN/access"
> > > Tag="ipa-security-log" Facility="local0")
> > >
> > > # Forward local facilities
> > >
> > > if $syslogfacility >= 16 then @my_ip_adress:514
> > >
> > > When restarting rsyslog with this config, I get an error message (with
> > > servername and domains obfuscated):
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Starting System
> > Logging
> > > Service...
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: on
> > startup
> > > file '/var/log/dirsrv/slapd-MY-DOMAIN/access' does not exist but is
> > > configured in static file monitor - this may indicate a misconfiguration.
> > > If the file appears at a later time, it will automatically be processed.
> > > Reason: Permission denied [v8.2102.0-109.el9]*
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Started System Logging
> > > Service.
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: [origin
> > > software="rsyslogd" swVersion="8.2102.0-109.el9" x-pid="12607" x-info="
> > > https://www.rsyslog.com;] start
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: error
> > > accessing file '/var/log/dirsrv/slapd-MY-DOMAIN/access': Permission
> > denied
> > > [v8.2102.0-109.el9]*
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imjournal:
> > journal
> > > files changed, reloading...  [v8.2102.0-109.el9 try
> > > https://www.rsyslog.com/e/0  ]*
> > >
> > >
> > > I have observed the following, following tips on various threads and info
> > > found on internet.
> > >
> > >
> > >   - rsyslog is working as intended when exporting the standard linux logs
> > >   - rsyslog is running as root. There is no drop privileges configured. I
> > >   have checked this in the /etc/rsyslog.conf, and I also see that
> > rsyslog is
> > >   running as root when using ps -ef | grep rsyslogd
> > >   - running as root should enable it to read any file
> > >   - I have tried to turn off SELinux, the problem remains the same. I have
> > >   also checked logs, but there are no signs of SELinux being the cause of
> > >   the problem.
> > >
> > >
> > >   - FreeIPA is using its system user dirsrv when creating the files.
> > >   - The ownership of the directories and files are as follows:
> > >
> > > drwxr-xr-x.  3 rootroot  28 Aug 23 15:23 *dirsrv*
> > >
> > > drwxrwx--x.  2 dirsrv dirsrv 4096 Aug 28 16:55 *slapd-MY-DOMAIN*
> > >
> > > -rw---. 1 dirsrv dirsrv  6007159 Aug 29 10:56 *access*
> > >
> > >
> > >   - I have tried to manually change the access rights of the access file
> > >   with chmod o+r access and set chmod o+x on the slapd-directory. This
> > >   removes the error after restart of rsyslog, and rsyslog exports the
> > logs as
> > >   expected.
> > >   - However, due to the FreeIpa log rotation set-up, new files are
> > created
> > >   and rotated removing the read access for others, and the logging stops
> > >   again.
> > >
> > >
> > > Has anyone seen anything similar, does anyone have any clues about what
> > the
> > > cause of this could be?
> > >
> > > regards,
> > > Ole
> > > ___
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> 

Re: [rsyslog] rsyslog - problem sending udp traffic

2023-08-21 Thread Rainer Gerhards via rsyslog
You should move the forwarding rule really to the top, above the include
statement. Thus I really meant top because it solves all such rule
dependency issues (I am not a fan of splitting configs, it unnecessarily
complicates things, at least in almost all cases).

Rainer


kathy lyons  wrote on Mon, 21 Aug 2023, 13:07:

> That works - thanks!  The only thing it does not do is forward the logs we
> have configured in /etc/rsyslog.d.  Is that correct or is there potentially
> a different issue?  We put the stops in there because the audit logs were
> appearing in /var/log/syslog.
>
> On Fri, Aug 18, 2023 at 3:18 AM Rainer Gerhards 
> wrote:
>
>> Move the forwarding rule to the top, that should solve your issue.
>>
>> Rainer
>>
>> Sent from phone, thus brief.
>>
>> David Lang via rsyslog  wrote on Thu, 17
>> Aug 2023, 19:16:
>>
>>> all of those lines are telling rsyslog that if it matches the
>>> filter and
>>> writes it to the file that it should stop processing that message.
>>>
>>> As a result, anything that gets written to a local file will stop
>>> processing
>>> before it gets down to your udp sending action
>>>
>>> David Lang
>>>
>>> On Thu, 17 Aug 2023, kathy lyons wrote:
>>>
>>> > Date: Thu, 17 Aug 2023 13:12:03 -0400
>>> > From: kathy lyons 
>>> > To: David Lang 
>>> > Cc: kathy lyons via rsyslog 
>>> > Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
>>> >
>>> > Here it is:
>>> >
>>> > module(load="imfile")
>>> > module(load="imuxsock")
>>> > module(load="imklog")
>>> > module(load="imjournal")
>>> >
>>> > timezone(id="UTC")
>>> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>> >
>>> > $RepeatedMsgReduction on
>>> >
>>> > $FileOwner syslog
>>> > $FileGroup adm
>>> >
>>> > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
>>> > maxMessageSize="128K")
>>> >
>>> > $IncludeConfig /etc/rsyslog.d/*.conf
>>> >
>>> > audit.*  action(type="omfile" file="/var/log/audit/audit.log")
>>> > & stop
>>> > auth.warning;authpriv.info.*  action(type="omfile"
>>> > file="/var/log/auth.log")
>>> > & stop
>>> > auth,authpriv.none   action(type="omfile"
>>> > file="/var/log/syslog")
>>> > & stop
>>> > cron.infoaction(type="omfile"
>>> > file="/var/log/cron.log")
>>> > & stop
>>> > daemon.info  action(type="omfile" file="/var/log/daemon.log")
>>> > & stop
>>> > kern.info  action(type="omfile" file="/var/log/kern.log")
>>> > & stop
>>> > user.info  action(type="omfile" file="/var/log/user.log")
>>> > & stop
>>> >
>>> > local7.*action(type="omfile" file="/var/log/boot.log")
>>> > & stop
>>> >
>>> > *.* @x.x.x.x
>>> >
>>> > rsyslogd -N1 shows no errors.  strace shows no errors.
>>> >
>>> > On Wed, Aug 16, 2023 at 12:15 PM David Lang  wrote:
>>> >
>>> >> please post your full config.
>>> >>
>>> >> I would also check your firewall config (iptables/nftables) on the
>>> system
>>> >> to see
>>> >> if it's blocking the connection.
>>> >>
>>> >> Also make sure you have a route to the destination IP (you probably
>>> have a
>>> >> default route that does this, but it is something we've run across)
>>> >>
>>> >> are you seeing any startup errors? or config errors (start rsyslog
>>> >> manually with
>>> >> rsyslogd -N1
>>> >>
>>> >> if none of that helps, we may need to get debug info, but start with
>>> the
>>> >> simpler
>>> >> stuff. Normally this 'just works' so I'd guess that it's a syntax
>>> error
>>> >> somewhere in the config.
>>> >>
>>> >> David Lang
>>> >>
>>> >> On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote:
>>> >>
>>> >>> I hope this is the right place to ask this question.  I have a basic
>>> >>> rsyslog setup sending udp data from a Debian 11 host to a remote
>>> server.
>>> >>> At the bottom of my rsyslog.conf file I have:
>>> >>>
>>> >>>  *.* @x.x.x.x
>>> >>>
>>> >>> Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so
>>> I am
>>> >>> not worried about that. The problem is that on the device itself I
>>> do not
>>> >>> see any logs leaving the device. Nor do I see them at the firewall
>>> >>> (x.x.x.x).  I have used netcat to see if the remote port is open and
>>> >>> reachable and it is.  I have re-installed rsyslog and restarted it.
>>> >> Nothing
>>> >>> seems to work.
>>> >>>
>>> >>> However, when I issue the logger command:
>>> >>>
>>> >>> logger -n x.x.x.x -P 514 -d "This is a test"
>>> >>>
>>> >>> I see that data.  What else can I check with my rsyslog setup?  Thank
>>> >> you.
>>> >>>
>>> >>

Re: [rsyslog] rsyslog - problem sending udp traffic

2023-08-18 Thread Rainer Gerhards via rsyslog
Move the forwarding rule to the top, that should solve your issue.

Rainer

Sent from phone, thus brief.

David Lang via rsyslog  wrote on Thu, 17 Aug
2023, 19:16:

> all of those lines are telling rsyslog that if it matches the filter
> and
> writes it to the file that it should stop processing that message.
>
> As a result, anything that gets written to a local file will stop
> processing
> before it gets down to your udp sending action
>
> David Lang
>
> On Thu, 17 Aug 2023, kathy lyons wrote:
>
> > Date: Thu, 17 Aug 2023 13:12:03 -0400
> > From: kathy lyons 
> > To: David Lang 
> > Cc: kathy lyons via rsyslog 
> > Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
> >
> > Here it is:
> >
> > module(load="imfile")
> > module(load="imuxsock")
> > module(load="imklog")
> > module(load="imjournal")
> >
> > timezone(id="UTC")
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > $RepeatedMsgReduction on
> >
> > $FileOwner syslog
> > $FileGroup adm
> >
> > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
> > maxMessageSize="128K")
> >
> > $IncludeConfig /etc/rsyslog.d/*.conf
> >
> > audit.*  action(type="omfile" file="/var/log/audit/audit.log")
> > & stop
> > auth.warning;authpriv.info.*  action(type="omfile"
> > file="/var/log/auth.log")
> > & stop
> > auth,authpriv.none   action(type="omfile"
> > file="/var/log/syslog")
> > & stop
> > cron.infoaction(type="omfile"
> > file="/var/log/cron.log")
> > & stop
> > daemon.info  action(type="omfile" file="/var/log/daemon.log")
> > & stop
> > kern.info  action(type="omfile" file="/var/log/kern.log")
> > & stop
> > user.info  action(type="omfile" file="/var/log/user.log")
> > & stop
> >
> > local7.*action(type="omfile" file="/var/log/boot.log")
> > & stop
> >
> > *.* @x.x.x.x
> >
> > rsyslogd -N1 shows no errors.  strace shows no errors.
> >
> > On Wed, Aug 16, 2023 at 12:15 PM David Lang  wrote:
> >
> >> please post your full config.
> >>
> >> I would also check your firewall config (iptables/nftables) on the
> system
> >> to see
> >> if it's blocking the connection.
> >>
> >> Also make sure you have a route to the destination IP (you probably
> have a
> >> default route that does this, but it is something we've run across)
> >>
> >> are you seeing any startup errors? or config errors (start rsyslog
> >> manually with
> >> rsyslogd -N1
> >>
> >> if none of that helps, we may need to get debug info, but start with the
> >> simpler
> >> stuff. Normally this 'just works' so I'd guess that it's a syntax error
> >> somewhere in the config.
> >>
> >> David Lang
> >>
> >> On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote:
> >>
> >>> I hope this is the right place to ask this question.  I have a basic
> >>> rsyslog setup sending udp data from a Debian 11 host to a remote
> server.
> >>> At the bottom of my rsyslog.conf file I have:
> >>>
> >>>  *.* @x.x.x.x
> >>>
> >>> Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so I
> am
> >>> not worried about that. The problem is that on the device itself I do
> not
> >>> see any logs leaving the device. Nor do I see them at the firewall
> >>> (x.x.x.x).  I have used netcat to see if the remote port is open and
> >>> reachable and it is.  I have re-installed rsyslog and restarted it.
> >> Nothing
> >>> seems to work.
> >>>
> >>> However, when I issue the logger command:
> >>>
> >>> logger -n x.x.x.x -P 514 -d "This is a test"
> >>>
> >>> I see that data.  What else can I check with my rsyslog setup?  Thank
> >> you.
> >>>
> >>
> >
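
The ordering problem David and Rainer describe in the "problem sending udp traffic" thread above, as an added example that is not rsyslog's code: a small model of a ruleset walked top-down, with "& stop" ending a message's processing, run once with the "*.* @x.x.x.x" forwarder last (the posted layout) and once with it first (the suggested fix). The selector semantics are the classic sysklogd ones, and the rules and messages are constructed, not the poster's full config.

```python
"""Model of how rsyslog walks a ruleset top-down and how '& stop' ends
processing of a message before a later forwarding action is reached.
Added example, not rsyslog's own code; the selector semantics are the classic
sysklogd ones (later selectors for a facility override earlier ones)."""
from dataclasses import dataclass, field

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
PRIORITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def parse_selector(selector):
    """Turn 'fac[,fac].pri[;fac.pri...]' into {facility_number: allowed priorities}.
    'pri' means that priority and anything more severe, '*' means all, and
    'none' removes the facility (e.g. 'auth,authpriv.none')."""
    table = {}
    for part in selector.split(";"):
        facs, _, pri = part.strip().rpartition(".")
        fac_names = list(FACILITY) if facs == "*" else [f.strip() for f in facs.split(",")]
        if pri == "none":
            allowed = set()
        elif pri == "*":
            allowed = set(PRIORITY.values())
        else:
            allowed = {p for p in PRIORITY.values() if p <= PRIORITY[pri]}
        for fac in fac_names:
            table[FACILITY[fac]] = allowed
    return table


@dataclass
class Rule:
    selector: str
    action: str           # destination: a file path, or '@host' for UDP forwarding
    stop: bool = False    # True models the '& stop' line that follows the action
    table: dict = field(init=False, default_factory=dict, repr=False)

    def __post_init__(self):
        self.table = parse_selector(self.selector)

    def matches(self, facility, priority):
        return PRIORITY[priority] in self.table.get(FACILITY[facility], set())


def run_ruleset(rules, messages):
    """Deliver each message by walking the rules in order; a matching rule
    with stop=True discards the message for all rules that follow it."""
    delivered = {rule.action: [] for rule in rules}
    for facility, priority, text in messages:
        for rule in rules:
            if rule.matches(facility, priority):
                delivered[rule.action].append(text)
                if rule.stop:
                    break
    return delivered


# Constructed ruleset in the shape of the posted config: per-file actions,
# each followed by '& stop', and a catch-all UDP forwarder.
FILE_RULES = [
    Rule("auth.warning;authpriv.info", "/var/log/auth.log", stop=True),
    Rule("daemon.info", "/var/log/daemon.log", stop=True),
    Rule("kern.info", "/var/log/kern.log", stop=True),
]
FORWARD = Rule("*.*", "@x.x.x.x")
FORWARD_LAST = FILE_RULES + [FORWARD]     # order from the posted config
FORWARD_FIRST = [FORWARD] + FILE_RULES    # the suggested fix: forwarder on top

MESSAGES = [  # constructed sample messages: (facility, priority, text)
    ("daemon", "info", "sshd[1]: Server listening"),
    ("auth", "warning", "login: FAILED LOGIN"),
    ("local0", "info", "app: event"),
]

if __name__ == "__main__":
    for name, rules in (("forwarder last", FORWARD_LAST), ("forwarder first", FORWARD_FIRST)):
        print(f"{name}: forwarded {run_ruleset(rules, MESSAGES)['@x.x.x.x']}")
```

With the forwarder last, only the local0 message that no file rule claims reaches "@x.x.x.x"; with it first, all three are forwarded and the files still receive their copies.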

Re: [rsyslog] Support for multiple certificate chains (TLS)

2023-08-17 Thread Rainer Gerhards via rsyslog
any Inc., CN = Democompany Inc. - Root-CA C = US, O =
> > Amazon, CN = Amazon Root CA 4 [...]
> >
> > ca_mixed.pem has the same content in both tests. So it seems that
> > something is broken in the newer version (at least in the Red Hat
> > version)
> >
> > On rsyslogd  8.2102.0-13.el8 (aka 2021.02) when I use an empty
> > ca_mixed.pem it shows in " Acceptable client certificate CA names"
> > certificates
> > which seem to come from the own rsyslog certificate
> > "/etc/rsyslog.d/cert.pem"
> >
> > Can you see this behavior in the vanilla rsyslog too?
> >
> > Kind regards,
> > Roman Möller (He/His)
> >
> >
> >
> >
> >
> >
> > -Original Message-
> > From: rsyslog  On Behalf Of Rainer
> > Gerhards via rsyslog
> > Sent: Wednesday, 2 August 2023 10:48
> > To: rsyslog-users 
> > Cc: Rainer Gerhards 
> > Subject: Re: [rsyslog] Support for multiple certificate chains (TLS)
> >
> >
> > Thanks - the RELP info is a good pointer!
> >
> > Rainer
> >
> > On Wed, 2 Aug 2023 at 10:27, Mariusz Kruk via rsyslog
> > () wrote:
> > >
> > > Sorry, I'm just a simple admin. I wouldn't touch the TLS-related
> > > programming with a ten-foot pole. Tried it once, long time ago, got
> > > my hair a bit more grayish and ran away screaming ;-)
> > >
> > > But, to make things more interesting as far as I remember loading
> > > certificate chains (for RELP) worked relatively well with gnutls way
> > > before it did with openssl.
> > >
> > > MK
> > >
> > > On 2.08.2023 10:21, Rainer Gerhards wrote:
> > > > disclaimer: I did not read the full message
> > > > BUT: I think you are both right.
> > > >
> > > > It actually should work in the way Mariusz describes, but for many
> > > > software products it actually does work like Andre describes (I
> > > > think even some web server).
> > > >
> > > > Not sure if it is a lib limitation or something we need to enable
> > > > inside the lib.
> > > >
> > > > A good indication that there seems to be a general problem is that
> > > > the multi-ca patch came from RH, quoting intermediate CAs IIRC.
> > > >
> > > > Andre: can you craft a test with interim certs and let's see what
> > > > happens?
> > > > Mariusz: do you happen to know special lib settings out of your
> > > > head (don't dig deep, we can research this as well)
> > > >
> > > > Rainer
> > > >
> > > > On Wed, 2 Aug 2023 at 10:17, Mariusz Kruk via rsyslog
> > > > () wrote:
> > > >> No. It's not how it works.
> > > >>
> > > >> If a client A's certificate was issued by intermediate CA B which
> > > >> was issued a signing cert by RootCA C, the server only has to
> > > >> trust B to "directly" authenticate the client. (and this was for
> > > >> a long time the only supported option for RELP). In such case the
> > > >> server knows the cert of B and the client only presents its own cert A.
> > > >> Neither party needs to show the cert of the RootCA since it's not
> > > >> needed for the trust relation to work. The problem (again - which
> > > >> I had for a long time with RELP
> > > >> connectivity) was when you could not specify multiple trusted CAs
> > > >> and you had clients using certificates from different CAs (like a
> > > >> common rootCA but two separate intermediate CAs in one organization).
> > > >>
> > > >> Normally the server should trust the RootCA C and the client
> > > >> should present the cert along with the certification chain. So
> > > >> client A should show cert A and cert B to the server. The server
> > > >> would then verify that A was signed by B and B was signed by C
> > > >> which it knows and
> > trusts.
> > > >> That's the way it normally works. And that's the way it's been
> > > >> working finally since... 2021? with imrelp/omrelp. But with those
> > > >> modules you can specify the certs explicitly (since 2020? Before
> > > >> that you could only use the default netdriver sett

Re: [rsyslog] DTLS Support with rsyslog

2023-08-03 Thread Rainer Gerhards via rsyslog
actually, there is DTLS, which is "datagram tls" and there also is an RFC.

So far, we had no real demand to implement it. My impression is that
DTLS syslog is largely unused.

Rainer

On Thu, 3 Aug 2023 at 12:07, Redbourne,Michael via rsyslog
() wrote:
>
> Yeah, unfortunately that's what I expected. Thanks David.
>
> Cheers,
> Mike
> -Original Message-
> From: David Lang 
> Sent: Thursday, August 3, 2023 8:03 PM
> To: Redbourne,Michael via rsyslog 
> Cc: Redbourne,Michael 
> Subject: Re: [rsyslog] DTLS Support with rsyslog
>
>
>
> On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:
>
> > I know rsyslog is using gnutls (default) with a recommendation for openssl 
> > and has support for TLS-encrypted TCP connections. Does rsyslog support 
> > TLS-encrypted UDP connections (specifically, inbound)?
>
> No, TLS requires a stream of packets as the encryption for each packet 
> changes based on the prior packets. UDP syslog has each packet handled 
> completely independently, and packets can get reordered or dropped on the 
> network before they are processed, so TLS really can't work.
>
> David Lang
> 
> This e-mail communication (including any or all attachments) is intended only 
> for the use of the person or entity to which it is addressed and may contain 
> confidential and/or privileged material. If you are not the intended 
> recipient of this e-mail, any use, review, retransmission, distribution, 
> dissemination, copying, printing, or other use of, or taking of any action in 
> reliance upon this e-mail, is strictly prohibited. If you have received this 
> e-mail in error, please contact the sender and delete the original and any 
> copy of this e-mail and any printout thereof, immediately. If you have any 
> questions or concerns, please contact our Customer Service Desk at 
> 1-877-274-2349. Your co-operation is appreciated.
>

Re: [rsyslog] Support for multiple certificate chains (TLS)

2023-08-02 Thread Rainer Gerhards via rsyslog
Thanks - the RELP info is a good pointer!

Rainer

On Wed, 2 Aug 2023 at 10:27, Mariusz Kruk via rsyslog
() wrote:
>
> Sorry, I'm just a simple admin. I wouldn't touch the TLS-related
> programming with a ten-foot pole. Tried it once, long time ago, got my
> hair a bit more grayish and ran away screaming ;-)
>
> But, to make things more interesting as far as I remember loading
> certificate chains (for RELP) worked relatively well with gnutls way
> before it did with openssl.
>
> MK
>
> On 2.08.2023 10:21, Rainer Gerhards wrote:
> > disclaimer: I did not read the full message
> > BUT: I think you are both right.
> >
> > It actually should work in the way Mariusz describes, but for many
> > software products it actually does work like Andre describes (I think
> > even some web server).
> >
> > Not sure if it is a lib limitation or something we need to enable
> > inside the lib.
> >
> > A good indication that there seems to be a general problem is that the
> > multi-ca patch came from RH, quoting intermediate CAs IIRC.
> >
> > Andre: can you craft a test with interim certs and let's see what happens?
> > Mariusz: do you happen to know special lib settings out of your head
> > (don't dig deep, we can research this as well)
> >
> > Rainer
> >
> > On Wed, 2 Aug 2023 at 10:17, Mariusz Kruk via rsyslog
> > () wrote:
> >> No. It's not how it works.
> >>
> >> If a client A's certificate was issued by intermediate CA B which was
> >> issued a signing cert by RootCA C, the server only has to trust B to
> >> "directly" authenticate the client. (and this was for a long time the
> >> only supported option for RELP). In such case the server nows the cert
> >> of B and the client only presents its own cert A. Neither party needs to
> >> show the cert of the RootCA since it's not needed for the trust relation
> >> to work. The problem (again - which I had for a long time with RELP
> >> connectivity) was when you could not specify multiple trusted CAs and
> >> you had clients using certificates from different CAs (like a common
> >> rootCA but two separate intermediate CAs in one organization).
> >>
> >> Normally the server should trust the RootCA C and the client should
> >> present the cert along with the certification chain. So client A should
> >> show cert A and cert B to the server. The server would then verify that
> >> A was signed by B and B was signed by C which it knows and trusts.
> >> That's the way it normally works. And that's the way it's been working
> >> finally since... 2021? with imrelp/omrelp. But with those modules you
> >> can specify the certs explicitly (since 2020? Before that you could only
> >> use the default netdriver settings). The only limitation as far as I
> >> remember (maybe it changed in recent versions) was that you couldn't
> >> specify multiple trusted certs so you could trust a single RootCA and
> >> accept certificates from multiple intermediate CAs this way but couldn't
> >> accept certificates from multiple CAs signed by multiple different RootCAs.
> >>
> >> Maybe with imtcp it works differently. Normally TLS-backed
> >> authentication should work this way.
> >>
> >> MK
> >>
> >> On 2.08.2023 09:47, Andre Lorbach wrote:
> >>> Ok to be honest I have not worked with intermediate CA generated
> >>> certificates yet, so I can only stick to the documentation I found.
> >>> As far as I understand, the server needs to know the root and
> >>> intermediate CA certificate, if it shall be able to verify the
> >>> client certificate.
> >>>
> >>> If the client shall present the intermediate CA to the server, it needs
> >>> to have support for this. I remembered that there was a similar issue
> >>> last year which was fixed by this PR:
> >>> https://github.com/rsyslog/rsyslog/pull/4889
> >>>
> >>> A new setting NetstreamDriverCAExtraFiles was added with this PR to
> >>> address issues like this. However, you will require at least rsyslog
> >>> v8.2210.0.
> >>>
> >>> Best regards,
> >>> Andre Lorbach
> >>>
>  -Original Message-
>  From: rsyslog  On Behalf Of Mariusz
>  Kruk via rsyslog
>  Sent: Mittwoch, 2. August 2023 08:45
>  To: rsyslog@lists.adiscon.com
>  Cc: Mariusz Kruk 
>  

Re: [rsyslog] Support for multiple certificate chains (TLS)

2023-08-02 Thread Rainer Gerhards via rsyslog
disclaimer: I did not read the full message
BUT: I think you are both right.

It actually should work in the way Mariusz describes, but for many
software products it actually does work like Andre describes (I think
even some web server).

Not sure if it is a lib limitation or something we need to enable
inside the lib.

A good indication that there seems to be a general problem is that the
multi-ca patch came from RH, quoting intermediate CAs IIRC.

Andre: can you craft a test with interim certs and let's see what happens?
Mariusz: do you happen to know special lib settings out of your head
(don't dig deep, we can research this as well)

Rainer

El mié, 2 ago 2023 a las 10:17, Mariusz Kruk via rsyslog
() escribió:
>
> No. It's not how it works.
>
> If a client A's certificate was issued by intermediate CA B which was
> issued a signing cert by RootCA C, the server only has to trust B to
> "directly" authenticate the client. (and this was for a long time the
> only supported option for RELP). In such a case the server knows the cert
> of B and the client only presents its own cert A. Neither party needs to
> show the cert of the RootCA since it's not needed for the trust relation
> to work. The problem (again - which I had for a long time with RELP
> connectivity) was when you could not specify multiple trusted CAs and
> you had clients using certificates from different CAs (like a common
> rootCA but two separate intermediate CAs in one organization).
>
> Normally the server should trust the RootCA C and the client should
> present the cert along with the certification chain. So client A should
> show cert A and cert B to the server. The server would then verify that
> A was signed by B and B was signed by C which it knows and trusts.
> That's the way it normally works. And that's the way it's been working
> finally since... 2021? with imrelp/omrelp. But with those modules you
> can specify the certs explicitly (since 2020? Before that you could only
> use the default netdriver settings). The only limitation as far as I
> remember (maybe it changed in recent versions) was that you couldn't
> specify multiple trusted certs so you could trust a single RootCA and
> accept certificates from multiple intermediate CAs this way but couldn't
> accept certificates from multiple CAs signed by multiple different RootCAs.
>
> Maybe with imtcp it works differently. Normally TLS-backed
> authentication should work this way.
>
> MK
>
> On 2.08.2023 09:47, Andre Lorbach wrote:
> > Ok to be honest I have not worked with intermediate CA generated
> > certificates yet, so I can only stick to the documentation I found.
> > As far as I understand, the server needs to know the root and
> > intermediate CA certificate, if it shall be able to verify the
> > client certificate.
> >
> > If the client shall present the intermediate CA to the server, it needs
> > to have support for this. I remembered that there was a similar issue
> > last year which was fixed by this PR:
> > https://github.com/rsyslog/rsyslog/pull/4889
> >
> > A new setting NetstreamDriverCAExtraFiles was added with this PR to
> > address issues like this. However, you will require at least rsyslog
> > v8.2210.0.
> >
> > Best regards,
> > Andre Lorbach
> >
> >> -Original Message-
> >> From: rsyslog  On Behalf Of Mariusz
> >> Kruk via rsyslog
> >> Sent: Mittwoch, 2. August 2023 08:45
> >> To: rsyslog@lists.adiscon.com
> >> Cc: Mariusz Kruk 
> >> Subject: Re: [rsyslog] Support for multiple certificate chains (TLS)
> >>
> >> Wait a second.
> >>
> >> Firstly, and most importantly, the whole idea of multiple CA levels is
> >> that if a subject A presents a cert issued by CA B which in turn was
> >> issued a signing cert by RootCA C it should be enough for the other end
> >> to just trust the RootCA C.
> >>
> >> So in the OP's situation it should be enough to have the RootCA as a
> >> trusted cert and the sending parties should present proper certificate
> >> chains including the subject cert and the intermediate CA cert.
> >>
> >> That's how it works (currently; it didn't for quite some time which had
> >> been a source of huge grief for me) with imrelp/omrelp. I'm not sure
> >> about imtcp with TLS simply because I don't use it.
> >>

Re: [rsyslog] Support for multiple certificate chains (TLS)

2023-08-01 Thread Rainer Gerhards via rsyslog
This could be it. I don't know about what is present in RH rsyslog
packages, but if you use ours, you can check that it works.

@andre: can you comment on this?

Rainer

El lun, 31 jul 2023 a las 18:30, Roman Möller
() escribió:
>
> OK thanks!
> Is this work perhaps related to this bug report: 
> https://bugzilla.redhat.com/show_bug.cgi?id=2124934
> It seems the Red Hat team has ported back the NetstreamDriverCaExtraFiles 
> directive.
>
> Or would NetstreamDriverCaExtraFiles  not be the solution for my issue?
>
> Kind regards,
> Roman Möller (He/His)
>
>
>
>
>
>
> -Ursprüngliche Nachricht-----
> Von: rsyslog  Im Auftrag von Rainer 
> Gerhards via rsyslog
> Gesendet: Montag, 31. Juli 2023 18:21
> An: rsyslog-users 
> Cc: Rainer Gerhards 
> Betreff: Re: [rsyslog] Support for multiple certificate chains (TLS)
>
> I think this version is too old. There was related work not long ago.
>
> Rainer
>
> Sent from phone, thus brief.
>
> Roman Möller via rsyslog  schrieb am Mo., 31.
> Juli 2023, 18:18:
>
> > Hello subscribers,
> > we are using rsyslog with TLS to collect logs transport encrypted from
> > different logsources.
> > The used certificates are generated by our company CA for the rsyslog
> > server but also for the logsources.
> >
> > I have used these setting until now (filename gives hint about content):
> > $DefaultNetstreamDriver gtls
> > $DefaultNetstreamDriverCAFile
> > /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem
> > $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_
> > intermediateCA-1.crt
> > $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key
> >
> > And the reception of logs worked pretty well so far.
> >
> > Now we have a new intermediate CA and the certificate chains look like
> > this:
> >                  +---------+
> >                  | Root-CA |
> >                  +---------+
> >                       |
> >           +-----------+-----------+
> >           |                       |
> >           v                       v
> > +-------------------+   +-------------------+
> > | Intermediate CA-1 |   | Intermediate CA-2 |
> > +-------------------+   +-------------------+
> >           |                       |
> >           v                       v
> > +---------------------------+   +--------------------------+
> > | Generated the certificate |   | Generated certificates   |
> > | for the rsyslog Server    |   | for yet other logsources |
> > | but also for other        |   +--------------------------+
> > | logsources                |
> > +---------------------------+
> >
> > Our rsyslog Server is not able to accept syslog-TLS encrypted traffic
> > from logsources which have a certificate from Intermediate CA-2.
> > A test with openssl s_client -connect localhost:6514 shows that the
> > system only accepts certificates which originate from Intermediate
> > CA-1
> >
> > We are using rsyslogd  8.2102.0-10.el8 (aka 2021.02) at the moment.
> >
> > Is it somehow possible to configure the acceptance of certificates
> > from both Intermediate CAs or is this simply not possible with one
> > instance of rsyslog?
> >
> > Kind regards and thanks in advance,
> > Roman Möller (He/His)
> >
> >
> >
> >
> >
> >
> >

Re: [rsyslog] Support for multiple certificate chains (TLS)

2023-07-31 Thread Rainer Gerhards via rsyslog
I think this version is too old. There was related work not long ago.

Rainer

Sent from phone, thus brief.

Roman Möller via rsyslog  schrieb am Mo., 31.
Juli 2023, 18:18:

> Hello subscribers,
> we are using rsyslog with TLS to collect logs transport encrypted from
> different logsources.
> The used certificates are generated by our company CA for the rsyslog
> server but also for the logsources.
>
> I have used these setting until now (filename gives hint about content):
> $DefaultNetstreamDriver gtls
> $DefaultNetstreamDriverCAFile
> /etc/pki/rsyslog/rootCA_and_intermediateCA-1.pem
> $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/rsyslogServer_and_
> intermediateCA-1.crt
> $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/rsyslogServer.key
>
> And the reception of logs worked pretty well so far.
>
> Now we have a new intermediate CA and the certificate chains look like
> this:
>                  +---------+
>                  | Root-CA |
>                  +---------+
>                       |
>           +-----------+-----------+
>           |                       |
>           v                       v
> +-------------------+   +-------------------+
> | Intermediate CA-1 |   | Intermediate CA-2 |
> +-------------------+   +-------------------+
>           |                       |
>           v                       v
> +---------------------------+   +--------------------------+
> | Generated the certificate |   | Generated certificates   |
> | for the rsyslog Server    |   | for yet other logsources |
> | but also for other        |   +--------------------------+
> | logsources                |
> +---------------------------+
>
> Our rsyslog Server is not able to accept syslog-TLS encrypted traffic from
> logsources which have a certificate from Intermediate CA-2.
> A test with openssl s_client -connect localhost:6514 shows that the system
> only accepts certificates which originate from Intermediate CA-1
>
> We are using rsyslogd  8.2102.0-10.el8 (aka 2021.02) at the moment.
>
> Is it somehow possible to configure the acceptance of certificates from
> both Intermediate CAs or is this simply not possible with one instance of
> rsyslog?
>
> Kind regards and thanks in advance,
> Roman Möller (He/His)
>
>
>
>
>
>
>
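Roman's two-intermediate hierarchy and the chain semantics Mariusz describes (server trusts the root, client presents its own cert plus the intermediate), worked through with openssl as an added example that is not code from this thread or from rsyslog: the script generates a throwaway PKI shaped like the diagram above and runs the candidate trust-store layouts through `openssl verify`. The CA and leaf names, the bundle file names (modelled on Roman's config) and the partial-chain scenario for an intermediate-only trust store are assumptions of this example; it needs only a POSIX shell and an openssl binary.

```shell
#!/bin/sh
# Added example (not from this thread or from rsyslog): build a throwaway PKI
# shaped like the OP's hierarchy and show which leaf certificates a server
# accepts, depending on what its trust store holds and what the client sends.
set -eu

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT

# Root-CA -> Intermediate CA-1 -> logsource-1
#         -> Intermediate CA-2 -> logsource-2
# All names are constructed for the example; the bundle file names follow the
# OP's config. Extensions come from small ext files, so the result does not
# depend on the system openssl.cnf.
build_pki() (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Root-CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.crt 2>/dev/null
    for n in 1 2; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Intermediate CA-$n" \
            -keyout "int$n.key" -out "int$n.csr" 2>/dev/null
        openssl x509 -req -in "int$n.csr" -CA root.crt -CAkey root.key \
            -CAcreateserial -days 30 -extfile ca.ext -out "int$n.crt" 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=logsource-$n" \
            -keyout "leaf$n.key" -out "leaf$n.csr" 2>/dev/null
        openssl x509 -req -in "leaf$n.csr" -CA "int$n.crt" -CAkey "int$n.key" \
            -CAcreateserial -days 30 -extfile leaf.ext -out "leaf$n.crt" 2>/dev/null
    done
    # Three candidate trust stores for the rsyslog server:
    cat root.crt int1.crt          > rootCA_and_intermediateCA-1.pem    # OP's current CAFile
    cat root.crt                   > rootCA_only.pem                    # trust the root only
    cat root.crt int1.crt int2.crt > rootCA_and_both_intermediates.pem  # root plus every intermediate
)

# accepts <trusted.pem> <leaf.crt> [<presented-intermediate.crt>]
# Exit 0 when the leaf chains to the trust store. The optional third argument
# plays the intermediate a client sends along with its own certificate.
accepts() {
    if [ $# -ge 3 ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Same check when the trust store holds only the intermediate (no self-signed
# root): OpenSSL rejects this unless told a partial chain is acceptable.
accepts_partial() {
    openssl verify -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # report <label> <command...>
    label=$1; shift
    if "$@"; then echo "ACCEPT  $label"; else echo "REJECT  $label"; fi
}

build_pki "$PKI_DIR"
D=$PKI_DIR
report "1 CAFile=root+int1, client sends leaf1 only (OP's working sources)" accepts "$D/rootCA_and_intermediateCA-1.pem" "$D/leaf1.crt"
report "2 CAFile=root+int1, client sends leaf2 only (OP's failing sources)" accepts "$D/rootCA_and_intermediateCA-1.pem" "$D/leaf2.crt"
report "3 CAFile=root only, client sends leaf2 + int2 (full chain)"         accepts "$D/rootCA_only.pem" "$D/leaf2.crt" "$D/int2.crt"
report "4 CAFile=root only, client sends leaf2 without its chain"           accepts "$D/rootCA_only.pem" "$D/leaf2.crt"
report "5 CAFile=root+int1+int2, client sends leaf2 only"                   accepts "$D/rootCA_and_both_intermediates.pem" "$D/leaf2.crt"
report "6 trust store=int1 only, leaf1, strict chain building"              accepts "$D/int1.crt" "$D/leaf1.crt"
report "7 trust store=int1 only, leaf1, partial chain allowed"              accepts_partial "$D/int1.crt" "$D/leaf1.crt"
```

Rows 6 and 7 show that accepting a leaf with only its intermediate in the trust store is a library option (OpenSSL calls it a partial chain) rather than default behaviour, which is why the "server only trusts B" setup Mariusz describes depends on the TLS library behind the driver.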

Re: [rsyslog] What happens when the main message queue is full ?

2023-07-31 Thread Rainer Gerhards via rsyslog
Well, it depends.

For a busy system, the default timeout in the main queue is way too
long (I think I have shortened it recently, but still). This means
while the message ultimately gets deleted, the system can become
sluggish to a point where it looks totally unresponsive.

HOWEVER, you can change the default via config, and you can also set
the timeout to zero, which means "immediately". I suggest this for
many scenarios. Obviously, it causes loss of logs, but usually this is
preferred over loss of function.

Just be aware that attackers may use this approach to hide their traces.

HTH
Rainer

El lun, 31 jul 2023 a las 15:13, David Lang via rsyslog
() escribió:
>
> the inputs block, but eventually many inputs will drop messages (think network
> connections)
>
> you can configure how to drop messages (look at the watermark configs)
>
> In general, when the queue is full, anything attempting to put messages into
> the queue blocks, if that thing is reading messages from a source that can
> wait, the messages wait, if the source can't wait, the message gets dropped.
>
> David Lang
>
> On Mon, 31 Jul 2023, Raphaël Laguerre via rsyslog wrote:
>
> > Date: Mon, 31 Jul 2023 14:15:59 +0200
> > From: Raphaël Laguerre via rsyslog 
> > To: rsyslog@lists.adiscon.com
> > Cc: Raphaël Laguerre 
> > Subject: [rsyslog] What happens when the main message queue is full ?
> >
> > Hello,
> >
> > My system is a Debian 11 with rsyslog 8.2102.0-2+deb11u1.
> >
> > It is said in
> > https://www.rsyslog.com/doc/v8-stable/concepts/queues.html#filled-up-queues :
> >
> > "For example, throttling the local log socket too long would cause the
> > system at whole come to a standstill. To prevent this, rsyslogd times out
> > after a configured period (”$QueueTimeoutEnqueue“, specified in
> > milliseconds) if no space becomes available. As a last resort, it then
> > discards the newly arrived message."
> >
> > And I read in the warning section of
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-working_with_queues_in_rsyslog :
> >
> > "If an output plug-in is unable to deliver a message, it is stored in the
> > preceding message queue. If the queue fills, the inputs block until it is
> > no longer full. This will prevent new messages from being logged via the
> > blocked queue. In the absence of separate action queues this can have
> > severe consequences, such as preventing SSH logging, which in turn can
> > prevent SSH access. Therefore it is advised to use dedicated action queues
> > for outputs which are forwarded over a network or to a database."
> >
> > I find these two statements contradictory because according to the first
> > one, when the main message queue is full, rsyslog will eventually drop newly
> > arrived messages, while according to the second one "the inputs block until
> > it is no longer full".
> >
> > I would like to be sure that the processes logging to rsyslog via unix
> > socket won't be blocked in the case my main message queue is full.
> >
> > thanks,
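Rainer's trade-off (a zero enqueue timeout keeps the system responsive at the cost of dropped logs, which is also why he warns that the setting matters to an attacker covering their traces) and David's pointer to the watermark settings, as an added example that is not part of this thread: the first part writes the corresponding main_queue() configuration, the second parses impstats queue lines and flags when discarded.full grows between samples. The impstats lines are constructed samples in the legacy format and the queue sizes are illustrative; the parameter names are rsyslog's own.

```shell
#!/bin/sh
# Added example (not from this thread or from rsyslog). Part 1 renders a main
# queue that drops instead of blocking inputs; part 2 reads impstats output so
# the discards that policy causes do not go unnoticed.
set -eu

# Part 1: queue.timeoutenqueue="0" means an input that finds the queue full
# has its message discarded immediately instead of waiting (and, with it,
# everything logging through that input). discardmark/discardseverity start
# dropping low-priority messages (info and debug here) before the queue is
# completely full, so higher-severity events survive longer. impstats is what
# makes the discards visible. Sizes are illustrative, not recommendations.
render_main_queue_conf() {
    cat <<'EOF'
main_queue(
    queue.type="LinkedList"
    queue.size="100000"
    queue.timeoutenqueue="0"
    queue.discardmark="90000"
    queue.discardseverity="6"
)
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")
EOF
}

# Part 2: impstats (legacy format) writes one line per queue per interval.
# Constructed sample: three intervals; the last shows discards on "main Q"
# while the action queue stays clean.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Jul 31 14:15:00 loghost rsyslogd-pstats: main Q: origin=core.queue size=120 enqueued=48211 full=0 discarded.full=0 discarded.nf=0 maxqsize=9800
Jul 31 14:15:00 loghost rsyslogd-pstats: action-1-omfwd queue: origin=core.queue size=0 enqueued=48211 full=0 discarded.full=0 discarded.nf=0 maxqsize=300
Jul 31 14:16:00 loghost rsyslogd-pstats: main Q: origin=core.queue size=99900 enqueued=410388 full=3 discarded.full=0 discarded.nf=0 maxqsize=100000
Jul 31 14:16:00 loghost rsyslogd-pstats: action-1-omfwd queue: origin=core.queue size=0 enqueued=410388 full=0 discarded.full=0 discarded.nf=0 maxqsize=300
Jul 31 14:17:00 loghost rsyslogd-pstats: main Q: origin=core.queue size=100000 enqueued=902700 full=17 discarded.full=37 discarded.nf=1204 maxqsize=100000
Jul 31 14:17:00 loghost rsyslogd-pstats: action-1-omfwd queue: origin=core.queue size=0 enqueued=902700 full=0 discarded.full=0 discarded.nf=0 maxqsize=300
EOF

# counter_delta <file> <queue name> <counter>
# Prints last-minus-first value of a cumulative impstats counter for one
# queue, or -1 when the queue never appears in the file.
counter_delta() {
    awk -v q="$2: origin=core.queue" -v c="$3" '
        index($0, q) {
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") == 2 && kv[1] == c) {
                    if (!seen) { first = kv[2]; seen = 1 }
                    last = kv[2]
                }
            }
        }
        END { print (seen ? last - first : -1) }' "$1"
}

# queue_is_dropping <file> <queue name>: exit 0 when messages were discarded
# for lack of space during the sampled window.
queue_is_dropping() {
    [ "$(counter_delta "$1" "$2" discarded.full)" -gt 0 ]
}

render_main_queue_conf
for q in "main Q" "action-1-omfwd queue"; do
    if queue_is_dropping "$SAMPLE" "$q"; then
        printf 'ALERT  %-24s discarded.full +%s, queue-full events +%s in window\n' "$q" \
            "$(counter_delta "$SAMPLE" "$q" discarded.full)" "$(counter_delta "$SAMPLE" "$q" full)"
    else
        printf 'ok     %-24s no discards in window\n' "$q"
    fi
done
```

Alert on the delta rather than the absolute value: impstats counters are cumulative unless resetCounters is enabled, so a stale non-zero discarded.full is history while a growing one is an active loss.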

Re: [rsyslog] rsyslogd: unexpected gnutls error -110 in nsd_gtls.c:594:

2023-07-17 Thread Rainer Gerhards via rsyslog
I suggest using the openssl driver (ossl, separate package). A prime
reason for implementing openssl was that the gnutls error messages are
usually very unhelpful. This is much better with openssl.

Rainer

El lun, 17 jul 2023 a las 8:54, Mariusz Kruk via rsyslog
() escribió:
>
> Yes. People came across this error several times.
>
> -110 GNUTLS_E_PREMATURE_TERMINATION: The TLS connection was
> non-properly terminated.
>
> It means something is wrong with either the configuration or your network.
>
> With such skimpy details we can't say much more.
>
> Check your config, check your connection with openssl s_client, do a
> tcpdump if necessary and see what's going on on the wire...
>
> On 17.07.2023 06:29, Andrew Cowan via rsyslog wrote:
> > Has anyone come across this error?
> >
> > This occurs in the logs when I do a logger test from client to server using 
> > TLS. Some kind of TLS error.

Re: [rsyslog] rsyslog 8.2306.0 released

2023-06-21 Thread Rainer Gerhards via rsyslog
> I have the rsyslog repo configured and use "yum update".

the repo via SuSe OBS or from the Adiscon servers?

Rainer

>
> The same error occurred when trying to update to 8.2304.0. There was an error 
> in the package definition for this specific dependency.
>
> -Original Message-
> From: Rainer Gerhards 
> Sent: Wednesday, June 21, 2023 5:17 AM
> To: rsyslog-users 
> Cc: Tobias Heaton 
> Subject: Re: [rsyslog] rsyslog 8.2306.0 released
>
> Where do you install from?
>
> Rainer
>
> El mié, 21 jun 2023 a las 11:14, Tobias Heaton via rsyslog
> () escribió:
> >
> > Good Morning,
> >
> > The libfastjson package conflict for OEL8 yum update is cropping up again, 
> > much like it did for the 8.2304.0 release (see errors below).
> >
> > -Tobias
> >
> > Error:
> >  Problem 1: package rsyslog-8.2306.0-1.el8.x86_64 requires libfastjson >= 
> > 0.99.8, but none of the providers can be installed
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.i686
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.x86_64
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.i686
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.x86_64
> >   - cannot install the best update candidate for package 
> > rsyslog-8.2304.0-2.el8.x86_64
> >   - cannot install the best update candidate for package 
> > libfastjson4-1.2304.0-1.el8.x86_64
> >  Problem 2: package rsyslog-8.2306.0-1.el8.x86_64 requires libfastjson >= 
> > 0.99.8, but none of the providers can be installed
> >   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> > 0.99.9 provided by libfastjson-0.99.8-2.el8.i686
> >   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> > 0.99.9 provided by libfastjson-0.99.8-2.el8.x86_64
> >   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> > 0.99.9 provided by libfastjson-0.99.9-1.el8.i686
> >   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> > 0.99.9 provided by libfastjson-0.99.9-1.el8.x86_64
> >   - problem with installed package libfastjson4-1.2304.0-1.el8.x86_64
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.i686
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.x86_64
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.i686
> >   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> > libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.x86_64
> >   - package rsyslog-mysql-8.2306.0-1.el8.x86_64 requires rsyslog = 
> > 8.2306.0-1.el8, but none of the providers can be installed
> >   - cannot install the best update candidate for package 
> > rsyslog-mysql-8.2304.0-2.el8.x86_64
> > (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to 
> > use not only best candidate packages)
> >
> >
> > -Original Message-
> > From: rsyslog  On Behalf Of Florian 
> > Riedl via rsyslog
> > Sent: Tuesday, June 20, 2023 10:05 AM
> > To: rsyslog-users 
> > Cc: Florian Riedl 
> > Subject: [rsyslog] rsyslog 8.2306.0 released
> >
> > Today, we release rsyslog 8.2306.0.
> >
> > This release consists of a number of bugfixes for different modules
> > and parts of rsyslog as well as a few additions.
> >
> > The fixes include changes to imfile for a file handle leak and GnuTLS
> > for a memory leak mmnormalize for when a parser chain is stopped
> > because a parser is unable to parse a message.
> >
> > New functionality was added to [i/o]mhiredis for support of a new
> > stream mode, imjournal to add the FileCreateMode parameter and a new
> > global config option libcapng.default which defines how rsyslog should
> > behave when capabilities were to be dropped.
> >
> > Please make sure to read the changelog to get more details about the
> > additions and an overview of all changes.
> >
> > ChangeLog:
> >
> > https://github.com/rsyslog/rsyslog/blob/v8-stable/ChangeLog
> >
> > Download:
> >
> > https://www.rsyslog.com/downloads/download-v8-stable/
> >
> > As always, feedback is appreciated.
> >
> > Florian

Re: [rsyslog] rsyslog 8.2306.0 released

2023-06-21 Thread Rainer Gerhards via rsyslog
Where do you install from?

Rainer

El mié, 21 jun 2023 a las 11:14, Tobias Heaton via rsyslog
() escribió:
>
> Good Morning,
>
> The libfastjson package conflict for OEL8 yum update is cropping up again, 
> much like it did for the 8.2304.0 release (see errors below).
>
> -Tobias
>
> Error:
>  Problem 1: package rsyslog-8.2306.0-1.el8.x86_64 requires libfastjson >= 
> 0.99.8, but none of the providers can be installed
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.i686
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.x86_64
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.i686
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.x86_64
>   - cannot install the best update candidate for package 
> rsyslog-8.2304.0-2.el8.x86_64
>   - cannot install the best update candidate for package 
> libfastjson4-1.2304.0-1.el8.x86_64
>  Problem 2: package rsyslog-8.2306.0-1.el8.x86_64 requires libfastjson >= 
> 0.99.8, but none of the providers can be installed
>   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> 0.99.9 provided by libfastjson-0.99.8-2.el8.i686
>   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> 0.99.9 provided by libfastjson-0.99.8-2.el8.x86_64
>   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> 0.99.9 provided by libfastjson-0.99.9-1.el8.i686
>   - package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes libfastjson <= 
> 0.99.9 provided by libfastjson-0.99.9-1.el8.x86_64
>   - problem with installed package libfastjson4-1.2304.0-1.el8.x86_64
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.i686
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.8-2.el8.x86_64
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.i686
>   - installed package libfastjson4-1.2304.0-1.el8.x86_64 obsoletes 
> libfastjson <= 0.99.9 provided by libfastjson-0.99.9-1.el8.x86_64
>   - package rsyslog-mysql-8.2306.0-1.el8.x86_64 requires rsyslog = 
> 8.2306.0-1.el8, but none of the providers can be installed
>   - cannot install the best update candidate for package 
> rsyslog-mysql-8.2304.0-2.el8.x86_64
> (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to 
> use not only best candidate packages)
>
>
> -Original Message-
> From: rsyslog  On Behalf Of Florian Riedl 
> via rsyslog
> Sent: Tuesday, June 20, 2023 10:05 AM
> To: rsyslog-users 
> Cc: Florian Riedl 
> Subject: [rsyslog] rsyslog 8.2306.0 released
>
> Today, we release rsyslog 8.2306.0.
>
> This release consists of a number of bugfixes for different modules
> and parts of rsyslog as well as a few additions.
>
> The fixes include changes to imfile for a file handle leak and GnuTLS
> for a memory leak mmnormalize for when a parser chain is stopped
> because a parser is unable to parse a message.
>
> New functionality was added to [i/o]mhiredis for support of a new
> stream mode, imjournal to add the FileCreateMode parameter and a new
> global config option libcapng.default which defines how rsyslog should
> behave when capabilities were to be dropped.
>
> Please make sure to read the changelog to get more details about the
> additions and an overview of all changes.
>
> ChangeLog:
>
> https://github.com/rsyslog/rsyslog/blob/v8-stable/ChangeLog
>
> Download:
>
> https://www.rsyslog.com/downloads/download-v8-stable/
>
> As always, feedback is appreciated.
>
> Florian

Re: [rsyslog] Omfwd OpenSSL TLS fails on 2023.04.0

2023-06-05 Thread Rainer Gerhards via rsyslog
Derek, Andre,

> > There has been no change on nsd_ossl.c driver since January 2023, so I
> > believe this is not related to the different rsyslog versions you are
> > running.
> > The warnings tell you that there is no client certificate configured
> > which
> > can be ok but unusual in this setup. To get rid of them I would recommend
> > configuring a client certificate as well.
>
> I'm not using client-authentication, which is why there is no client cert.
>  Not sure why you consider it "unusual".  But that's not the error I am
> concerned about.

Derek: I agree and would actually say it is a common scenario.

Andre: For that reason, I think we should at most emit an "info"
message if it is not set. Not sure what the gtls driver does, but that
doesn't really matter - it may need to be changed as well.

Also: I think that when server side cert is in place, we are NOT
limited to anon ciphers! The server provides its public key, and if I
am not totally mistaken, that should be sufficient to use all ciphers,
including async ones.

Of course, without client cert, we have one-way anon traffic and
cannot detect man in the middle.

Am I wrong?

Rainer
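A forwarder/receiver pair illustrating the two cases discussed above, as an added example and not configuration from the thread or from the rsyslog project: the client side verifies the server's certificate chain and expected name (so it is not limited to anon ciphers and does not blindly trust whoever answers), and the receiver in turn requires a client certificate so that the server side can authenticate the sender too. Hostnames, port, the permitted-peer pattern and all file paths are assumed values.

```rsyslog
# ---- forwarding host (omfwd client) ----
# CA file is what lets the client check the server chain; cert/key are only
# needed when the receiver is configured to authenticate clients (below).
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

action(type="omfwd"
       Target="logs.example.internal"
       Port="6514"
       Protocol="tcp"
       StreamDriver="ossl"
       # mode 1 = TLS only; never fall back to plaintext
       StreamDriverMode="1"
       # x509/name = chain must validate AND the subject/SAN must match the
       # permitted peer. "anon" here would be the weak setting: encrypted,
       # but the client would accept any server.
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.internal")

# ---- receiving host (imtcp server) ----
# Requiring x509/name on the listener is what turns the session into mutual
# authentication: a client without a certificate chaining to the CA and
# matching the pattern is rejected at the handshake.
module(load="imtcp"
       StreamDriver.Name="ossl"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])
input(type="imtcp" port="6514")
```

The receiver's AuthMode can be relaxed to "x509/certvalid" when client certificates carry no usable names, but per the point made later in this thread, a single shared client certificate handed to every sender gives the receiver little more assurance than "anon" would.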


Re: [rsyslog] Omfwd OpenSSL TLS fails on 2023.04.0

2023-06-05 Thread Rainer Gerhards via rsyslog
> It might be common, but it's wrong. If you're using cert-based
> authentication, reusing the same certificate is effectively defeating
> the purpose. True, in some specific use cases it might be OK but a
> decision to do so should be preceded by risk analysis. In general -
> using the same cryptographic material to mass-authenticate multiple
> clients does not differ significantly from not authenticating them at all.

I basically agree. There seems to be a common use case, with
vendor-provided monitoring devices where the customer has no real
access. I've often seen this used in those settings. But: it's
definitely not as secure as it (c|sh)ould be ;-)

Just my 2cts
Rainer


Re: [rsyslog] change in filter

2023-05-04 Thread Rainer Gerhards via rsyslog
No problem, thanks!

Sent from phone, thus brief.

Brad Van Orden  schrieb am Do., 4. Mai 2023, 14:45:

> I figured it out.  I had a second line in that same file that started with:
>
> if $progamname == "systemd-logind"
>
> I was missing the second 'r' in programname.  :(
>
> Sorry for the bother.
>
> On Thu, May 4, 2023 at 6:10 AM Brad Van Orden 
> wrote:
>
>> version is 8.2102.0-10.el8
>> rsyslogd -N1 spits out:
>> rsyslogd: error during parsing file
>> /etc/rsyslog.d/ignore-systemd-session-slice.conf, on or before line 2:
>> invalid property 'programname' [v8.2102.0-10.el8 try
>> https://www.rsyslog.com/e/2207 ]
>>
>> rsyslog.conf:
>>
>> $PreserveFQDN on
>> $ModLoad imuxsock
>> $ModLoad imklog
>> $IncludeConfig /etc/rsyslog.d/*.conf
>> *.info;mail.none;authpriv.none;cron.none    /var/log/messages
>> authpriv.*                                  /var/log/secure
>> mail.*                                      -/var/log/maillog
>> cron.*                                      /var/log/cron
>> *.emerg                                     :omusrmsg:*
>> uucp,news.crit                              /var/log/spooler
>> local6.*                                    /var/log/dhcpd
>> local7.*                                    /var/log/boot.log
>> $WorkDirectory /var/lib/rsyslog
>> $ActionQueueFileName fwdSyslog
>> $ActionQueueMaxDiskSpace 500m
>> $ActionQueueSaveOnShutdown on
>> $ActionQueueType LinkedList
>> $ActionQueueResumeRetryCount -1
>> *.debug @1.2.3.4:10975
>>
>> We are running RHEL 8.7.
>>
>> On Thu, May 4, 2023 at 5:48 AM Rainer Gerhards 
>> wrote:
>>
>>> This is strange. No, everything is supported, we never remove any
>>> config capability without very, very strong reason. Plus, the "if" is
>>> not BSD-style but script, the most modern filter.
>>>
>>> Which version is running on RHEL 8?
>>> What does the full config look like?
>>> What does rsyslogd -N1 spit out?
>>>
>>> Rainer
>>>
>>> El jue, 4 may 2023 a las 11:29, Brad Van Orden via rsyslog
>>> () escribió:
>>> >
>>> > On RHEL 7, I have a filter:
>>> >
>>> > if $programname == "systemd" and ( $msg contains "Starting Session" or
>>> $msg
>>> > contains "Started Session" ) then stop
>>> >
>>> > which works fine.  However under RHEL 8, I get
>>> >
>>> > invalid property 'programname'
>>> >
>>> > I think this is because BSD type filters are no longer supported, but
>>> I'm
>>> > not sure how to change this to the new style.  I don't see an example
>>> of
>>> > how to make a compound filter:
>>> >
>>> > :programname, isequal, "systemd" stop
>>> >
>>> > I'm not sure where to add the msg filters in?  Could someone point me
>>> to
>>> > the correct documentation?
>>> >
>>> > Thanks!

Re: [rsyslog] change in filter

2023-05-04 Thread Rainer Gerhards via rsyslog
This is strange. No, everything is supported, we never remove any
config capability without very, very strong reason. Plus, the "if" is
not BSD-style but script, the most modern filter.

Which version is running on RHEL 8?
What does the full config look like?
What does rsyslogd -N1 spit out?

Rainer

El jue, 4 may 2023 a las 11:29, Brad Van Orden via rsyslog
() escribió:
>
> On RHEL 7, I have a filter:
>
> if $programname == "systemd" and ( $msg contains "Starting Session" or $msg
> contains "Started Session" ) then stop
>
> which works fine.  However under RHEL 8, I get
>
> invalid property 'programname'
>
> I think this is because BSD type filters are no longer supported, but I'm
> not sure how to change this to the new style.  I don't see an example of
> how to make a compound filter:
>
> :programname, isequal, "systemd" stop
>
> I'm not sure where to add the msg filters in?  Could someone point me to
> the correct documentation?
>
> Thanks!

Re: [rsyslog] handling multiline in other than imfile

2023-03-24 Thread Rainer Gerhards via rsyslog
imuxsock? Is really something spamming the unix socket with multiline messages?

nevertheless, imptcp has similar functionality.

Rainer

El vie, 24 mar 2023 a las 14:23, Tan Mientras via rsyslog
() escribió:
>
> Hi
>
> Is imfile the unique module that can handle multilines with startmsg.regex?
>
> wouldn't it be great to have that functionality in imuxsock too?
>
> Thanks in advance
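An added example of the imptcp side of what Rainer points to above (not configuration from the thread or the rsyslog project): a dedicated imptcp listener that joins multi-line input using a start-of-message regex, kept on its own port and ruleset so the regex is never applied to well-formed single-line traffic. The parameter name startRegex is taken from the imptcp documentation as I read it and should be checked against the installed version; the port, the date format the regex expects and the output path are assumed.

```rsyslog
module(load="imptcp")

# Only the producer that emits multi-line records sends to this port.
# Each record is assumed to start with an ISO-8601 date; any line that does
# not match is treated as a continuation of the previous record.
input(type="imptcp"
      port="10514"
      ruleset="multiline"
      startRegex="^[0-9]{4}-[0-9]{2}-[0-9]{2}T")

ruleset(name="multiline") {
    # Line feeds inside the joined record are escaped as #012 by default,
    # so a downstream line-oriented consumer still sees exactly one record
    # per message instead of a forged extra line.
    action(type="omfile" file="/var/log/multiline-app.log")
}
```

Well-behaved single-line senders stay on the regular listener; the regex is only a cost (and a source of misjoined records) for traffic that does not need it.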

Re: [rsyslog] rsyslog as an AWS Marketplace Application

2023-03-24 Thread Rainer Gerhards via rsyslog
Hi Yury,

thanks for the suggestion - you are right. We will look into it.

Rainer

El jue, 23 mar 2023 a las 11:35, Yury Bushmelev () escribió:
>
> Hello!
>
> I'd suggest extending the offer to Azure cloud too.. it shouldn't be really 
> different from the AWS case (I'd expect just a bit different `packer` config 
> to create the image)..
>
> Thank you!
>
> On Wed, 22 Mar 2023 at 15:30, Rainer Gerhards via rsyslog 
>  wrote:
>>
>> Hi all,
>>
>> just some info you might find interesting. We have been working the
>> past couple of weeks on an AWS rsyslog offering. Quick Intro is here:
>>
>> https://www.rsyslog.com/aws-rsyslog-an-overview/
>>
>> Why are we doing this?
>>
>> We were approached by some folks, because AWS currently hosts a rsyslog
>> implementation by some third party that looks like it is from the
>> rsyslog project. The quality of the rsyslog part (which is the main
>> point) of that application is questionable (we actually got complaints
>> about rsyslog quality).
>>
>> As such, we thought about whether such an offering makes sense for us as
>> the project. Actually, I find value in it. Main points:
>>
>> - it helps to make clear what is an official rsyslog project and what not
>> - it exposes me to an even better understanding of end-user needs than
>> our regular support offerings
>> - it hopefully provides some additional funding to the project
>> - it is an interesting new service offering for those folks looking
>> for a cloud-based solution
>>
>> We are in early stages of development, but we already got quite some
>> ideas of how we could improve rsyslog to support such an offering in a
>> technical way. The resulting enhancements will benefit the community
>> at large.
>>
>> My plan is that we go to a final first release in Q2/23. Up until
>> then, we will try to use rsyslog without larger modification to handle
>> all required features. If after release we see real demand, we are
>> ready to go into new feature development.
>>
>> Now you know what has been going on lately. We weren't clear
>> enough about the project until now, so we did not communicate. The web
>> doc went live 5 minutes ago.
>>
>> I just wanted to let you know before we begin to tell other folks.
>>
>> Rainer
>
>
>
> --
> Yury Bushmelev

[rsyslog] rsyslog as an AWS Marketplace Application

2023-03-22 Thread Rainer Gerhards via rsyslog
Hi all,

just some info you might find interesting. We have been working the
past couple of weeks on an AWS rsyslog offering. Quick Intro is here:

https://www.rsyslog.com/aws-rsyslog-an-overview/

Why are we doing this?

We were approached by some folks, because AWS currently hosts a rsyslog
implementation by some third party that looks like it is from the
rsyslog project. The quality of the rsyslog part (which is the main
point) of that application is questionable (we actually got complaints
about rsyslog quality).

As such, we thought about whether such an offering makes sense for us as
the project. Actually, I find value in it. Main points:

- it helps to make clear what is an official rsyslog project and what not
- it exposes me to an even better understanding of end-user needs than
our regular support offerings
- it hopefully provides some additional funding to the project
- it is an interesting new service offering for those folks looking
for a cloud-based solution

We are in early stages of development, but we already got quite some
ideas of how we could improve rsyslog to support such an offering in a
technical way. The resulting enhancements will benefit the community
at large.

My plan is that we go to a final first release in Q2/23. Up until
then, we will try to use rsyslog without larger modification to handle
all required features. If after release we see real demand, we are
ready to go into new feature development.

Now you know what has been going on lately. We weren't clear
enough about the project until now, so we did not communicate. The web
doc went live 5 minutes ago.

I just wanted to let you know before we begin to tell other folks.

Rainer


Re: [rsyslog] action if property not set

2023-03-06 Thread Rainer Gerhards via rsyslog
What do you expect?

Sent from phone, thus brief.

Tan Mientras via rsyslog  schrieb am Mo., 6.
März 2023, 13:27:

> Found
>
> https://github.com/rsyslog/rsyslog-doc/commit/912bc5dcc54966be2cea9890c81414a1e96a94ce
> however it isn't working as expected (or at least how I expect)
>
> On Mon, Mar 6, 2023 at 9:00 AM Tan Mientras 
> wrote:
>
> > Is it possible to filter depending on a field that may exists or not in a
> > json message?
> > Something like:
> >
> > # if property is not set
> > if ! $!source_app then {
> > action(...)
> > }
> >
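An added example for the question in this thread, not configuration from the post or from the rsyslog project: two ways to act on a JSON property that may or may not be present. The portable form relies on a property that is not set comparing equal to the empty string; the exists() form tells "absent" apart from "present but empty" and, as far as I know, needs rsyslog 8.2010 or later. The mmjsonparse step, the property name $!source_app and the output path are assumed.

```rsyslog
# Assumed: the whole message body is JSON, so parse it into $! with no cookie.
module(load="mmjsonparse")
action(type="mmjsonparse" cookie="")

# Portable check: a JSON property that is not set compares equal to "".
# Note that this also matches a property present with an empty value.
if $!source_app == "" then {
    action(type="omfile" file="/var/log/unattributed.log")
}

# Stricter check (assumed available on 8.2010+): exists() is false only
# when the property is genuinely absent, which is what "not set" means.
if not exists($!source_app) then {
    set $!source_app = "unknown";
}
```

Routing unattributed events to their own file rather than silently dropping them keeps a record of senders whose JSON does not carry the expected field, which is usually the first sign of a misconfigured or spoofed source.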

Re: [rsyslog] escaping windows events messages

2023-03-06 Thread Rainer Gerhards via rsyslog
IMHO this is a JSON question, not rsyslog.  But iirc it is \"

Rainer

Sent from phone, thus brief.

Tan Mientras via rsyslog  schrieb am Mo., 6.
März 2023, 12:36:

> Hi
>
> Receiving the following log:
>
> 2023-03-06T12:30:19+00:00 mycomputer windows/windows: {
> "event_id":"7036","event_number":"23135", "eventlog":"System",
> "source":"Service Control Manager", "source_message":"Windows module
> instaler entered in state "*stopped*".","category_id":"0","category":"",
> "computer":"mycomputer", "computer_ip":"192.168.0.2", "user":"" }
>
> json parsing fails as it contains unescaped " (enclosing stopped)
> Same happens when message contains unescaped \, like in domain\account
>
> how could I escape the colons or backslashes?
> So far I have tried:
> set $!msg=replace($!msg,"\"","\\\"");
> set $!source_message=replace($!source_message,"\"","\\\"");
> set $!msg=replace($!msg!source_message,"\"","\\\"");
> without any success.
>
> Thanks

Re: [rsyslog] R: Re: R: Re: received json log format

2023-03-04 Thread Rainer Gerhards via rsyslog
> > Code w/ comments:
> >
> > https://github.com/rsyslog/liblognorm/blob/master/src/parser.c#L2578
>
> That's what I remember seeing, but I don't see it in the documentation page

Yeah, but it's a full feature for quite a while. As I said, there is a
doc build problem or a doc issue in general. Will check later (very
very busy at the moment)

> I would expect that the iptables parser would be modified to be a wrapper 
> around
> this (setting options and then a passthrough, existing pretty much only for
> backwards compatibility)

Just to be clear: this is released code, not the PRs. The PRs try to
modify the NameValue parser in an incompatible way. That's the
problem. NameValue *is* deployed in practice!

iptables and NameValue are different code bases (with similarities),
as the iptables-specific format permits being more strict. IIRC we tried
with parameters, but the code got too complex.

Rainer
>
> David Lang


Re: [rsyslog] R: Re: R: Re: received json log format

2023-03-03 Thread Rainer Gerhards via rsyslog
I checked a bit ;-)

> > is it as simple as taking the PR and changing the type name?
>
> I need to look, but probably not - else I would have done it.

That would cause a lot of code duplication - bad. The proper solution
is to control this via options.
>
> >
> > given that we don't have an existing name-value type, what backwards
> > compatibility broke?
>
> We already have one, the iptables type.

And we also have the NameValue parser ... I wonder if the online doc
is outdated or there is a doc issue.

Code w/ comments:

https://github.com/rsyslog/liblognorm/blob/master/src/parser.c#L2578

Rainer
>
> Rainer


Re: [rsyslog] R: Re: R: Re: received json log format

2023-03-03 Thread Rainer Gerhards via rsyslog
> is it as simple as taking the PR and changing the type name?

I need to look, but probably not - else I would have done it.

>
> given that we don't have an existing name-value type, what backwards
> compatibility broke?

We already have one, the iptables type.

Rainer


Re: [rsyslog] R: Re: R: Re: received json log format

2023-03-03 Thread Rainer Gerhards via rsyslog
> note that I know I've seen patches go by for the name-value type, but I'm not
> seeing it in the documentation at
> https://www.liblognorm.com/files/manual/configuration.html#field-types
>
> @rainer, have those patches not made it to a release?

IIRC no, because they broke backwards compatibility and no effort was
made to use a new type for that. IIRC ;-)
Rainer


Re: [rsyslog] syslog tag not automatically detected

2023-03-01 Thread Rainer Gerhards via rsyslog
Post the output of the debug file template.

Rainer

Sent from phone, thus brief.

John Chivian via rsyslog  schrieb am Mi., 1.
März 2023, 14:33:

> The needParse option for imfile is how you tell rsyslog to attempt to read
> syslog header elements out of the imfile content.  If it is not used, then
> everything read from the file is in the “msg” property.
>
> Regards,
>
>
> > On Mar 1, 2023, at 07:23, Mariusz Kruk via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
> >
> > There is also an option for imfile called needParse
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
> >
> > Might work, might not - never used it myself. But always worth giving it
> a try.
> >
> > On 1.03.2023 14:21, David Lang via rsyslog wrote:
> >> that's what I'm guessing, but you should check what you are getting and
> attempt to turn on the feature to have imfile parse the lines from imfile
> as if they were sent as syslog messages. I say that I don't think '*' is
> allowed, because I think that it's forbidden by the RFC, so rsyslog has to
> guess what to do and I expect that it puts it in the msg field.
> >>
> >> you will see this when you log with debugformat.
> >>
> >> depending on how successful rsyslog is in parsing the log as a syslog
> message, it's possible that *queries* will be the very beginning of the msg
> field, which will make it very easy to detect and parse. If not, it's more
> work.
> >>
> >> mmnormalize is a different beast than regex extraction that grok does,
> but it is FAR more efficient, so worth the time to learn.
> >>
> >> If you can fix the thing that's writing these messages to not put
> illegal characters in them, it will be easier.
> >>
> >> David Lang
> >>
> >> On Wed, 1 Mar 2023, Tan Mientras via rsyslog wrote:
> >>
> >>> After testing what you said, it doesn't seem to exist a property which
> >>> returns "queries", and I'll be only able to parse it using something
> like
> >>> grok.
> >>> Did I understand right?
> >>>
> >>> On Wed, Mar 1, 2023 at 1:55 PM Mariusz Kruk via rsyslog <
> >>> rsyslog@lists.adiscon.com> wrote:
> >>>
>  As my colleague used to say - try and see. Define logging action with
>  RSYSLOG_DebugFormat template and see what your properties are.*
>  *
> 
>  On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
> > I'm not sure I understood properly.
> > imfile has a mandatory tag required. but apart from that, the line
>  contains
> > a "static" string "*queries*"
> >
> > Which *property* would be "*queries*" when processing the line...or
> is it
> > impossible?
> >
> > 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> > 30.0.30.142#59640
> > (e8333.g.akamaiedge.net): view internal-view: query:
>  e8333.g.akamaiedge.net IN
> > A +E(0)D (192.168.2.254)
> >
> > On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <
> > rsyslog@lists.adiscon.com> wrote:
> >
> >> You're explicitly telling your imfile to apply the *dns-query* tag.
> I'd
> >> say that this behaviour is expected. $programname is the "static"
> part
> >> of tag. The tag is *dns-query*. So...
> >>
> >> On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
> >>> Hi.
> >>>
> >>> Which *property* would be "*queries*" when processing the following
>  line?
> >>>
> >>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> >>> 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view:
> query:
> >>> e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >>>
> >>> AFAIK, *programname*, but with the following configuration it
> returns
> >>> *dns-query* :(
> >>>
> >>> module(load="imfile")
> >>> template(name="json" type="list" option.json="on") {
> >>> constant(value="{")
> >>> constant(value="\"@source_timestamp\":\"")
> >>> property(name="timereported" dateFormat="rfc3339")
> >>> constant(value="\",\"source_message\":\"")
> >>> property(name="msg")
> >>> constant(value="\",\"source_hostname\":\"")
> >>> property(name="hostname")
> >>> constant(value="\",\"source_severity\":\"")
> >>> property(name="syslogseverity-text")
> >>> constant(value="\",\"source_facility\":\"")
> >>> property(name="syslogfacility-text")
> >>> constant(value="\",\"source_tag\":\"")
> >>> property(name="syslogtag")
> >>> constant(value="\",\"source_app\":\"")
> >>> property(name="*programname*")
> >>> constant(value="\",\"source_filename\":\"")
> >>> property(name="$.filename")
> >>> constant(value="\"}\n")
> >>> }
> >>> input(type="imfile" file="/var/log/bind/DNSquery.log"
> addMetadata="on"
> >> tag="
> >>> *dns-query*" ruleset="syslog")
> >>> ruleset(name="syslog") {
> >>>   set $.filename = $!metadata!filename;
> >>>   action(type="omfwd" 

Re: [rsyslog] imrelp - no messages processed

2023-02-24 Thread Rainer Gerhards via rsyslog
also: do you send a proper RELP greeting via telnet? If not, this is
the reason the connection is closed.

Rainer

El vie, 24 feb 2023 a las 18:23, David Lang via rsyslog
() escribió:
>
> what is the rest of your config? what you have shown is the config to receive
> logs, but not any instructions to rsyslog to write logs out.
>
> David Lang
>
> On Fri, 24 Feb 2023, Jozef Zajac via rsyslog wrote:
>
> > Date: Fri, 24 Feb 2023 15:41:42 +0100
> > From: Jozef Zajac via rsyslog 
> > To: rsyslog@lists.adiscon.com
> > Cc: Jozef Zajac 
> > Subject: [rsyslog] imrelp - no messages processed
> >
> > Hi everyone,
> >
> >
> > I'm trying to put rsyslog into a docker container with the imrelp module.
> > Setup is quite easy:
> >
> >
> > rsyslog_docker_global/03-modules.conf:2:module(load="imrelp")
> > rsyslog_docker_lin/rsyslog.d/11-input-tcp.conf:1:input(type="imrelp"
> > port="2514" maxDataSize="10k" keepAlive="on")
> >
> >
> > Unfortunately, there are no logs, but service looks fine. Logger is working
> > with UDP (imudp module) but not in imrelp tcp. When I tried the ptcp module,
> > logging worked fine.
> >
> >
> > Setup:
> > Ubuntu - 22.04 LTS, 5.15.0-56-generic
> > docker version
> > Client: Docker Engine - Community
> >  Version:   23.0.1
> >  API version:   1.42
> >  Go version:go1.19.5
> >  Git commit:a5ee5b1
> >  Built: Thu Feb  9 19:47:01 2023
> >  OS/Arch:   linux/amd64
> >  Context:   default
> >
> >
> > Server: Docker Engine - Community
> >  Engine:
> >   Version:  23.0.1
> >   API version:  1.42 (minimum version 1.12)
> >   Go version:   go1.19.5
> >   Git commit:   bc3805a
> >   Built:Thu Feb  9 19:47:01 2023
> >   OS/Arch:  linux/amd64
> >   Experimental: false
> >  containerd:
> >   Version:  1.6.18
> >   GitCommit:2456e983eb9e37e47538f59ea18f2043c9a73640
> >  runc:
> >   Version:  1.1.4
> >   GitCommit:v1.1.4-0-g5fd4c4d
> >  docker-init:
> >   Version:  0.19.0
> >   GitCommit:de40ad0
> >
> >
> > rsyslog - 8.2302
> > rsyslog-relp - 8.2302
> > librelp0 - 1.11.0
> >
> >
> > When I try to connect to imrelp with telnet and close the session, I receive
> > this error:
> >
> > v8.2302 (docker)
> > syslog.err rsyslogd: imrelp[2514]: error 'server closed relp session, 
> > session
> > broken', object  'lstn 2514: conn to clt127.0.0.1/localhost' - input may not
> > work as intended [v8.2302.0 try https://www.rsyslog.com/e/2353 ]
> > v8.1901 (no docker)
> > syslog.err rsyslogd: imrelp[514]: error 'server closed relp session, session
> > broken', object  'lstn 514: conn to clt 127.0.0.1/localhost' - input may not
> > work as intended [v8.1901.0 try https://www.rsyslog.com/e/2353 ]
> > v8.2112 (no docker)
> > syslog.err syslogd: imrelp[514]: error 'server closed relp session, session
> > broken', object  'lstn 514: conn to clt 127.0.0.1/localhost' - input may not
> > work as intended [v8.2112.0 try https://www.rsyslog.com/e/2353 ]
> >
> >
> > When I ran rsyslog in debug mode, nothing unusual showed up.
> > (/usr/sbin/rsyslogd -i /var/run/syslog.pid -f /etc/rsyslog.conf -dn)
> >
> >
> >
> > Is there something that I'm missing on this basic setup ?
> >
> >
> > Thank you for any advice
> >
> >
> > Best regards,
> >
> >
> > Tomas Bekecs
> >

Re: [rsyslog] Non-message based looping

2023-02-17 Thread Rainer Gerhards via rsyslog
yes and yes - I suggest a simple script to run during the deployment process.

Rainer

El vie, 17 feb 2023 a las 16:13, Mariusz Kruk via rsyslog
() escribió:
>
> Just double-checking.
>
> Please confirm that I see it right and there is no way of "looping"
> outside of the message processing mechanism. I mean - if I have several
> dozens of lookup files I have to explicitly create those lookups one by
> one, I can't do a "loop" over some set of names to automatically create
> those lookups, right?
>
> And on a similar note - I can't dynamically create values for some
> configuration parts like - for example - input name. Use case - same
> config deployed over several hosts and I want to have inputs named
> differently so that when I capture stats I can easily distinguish
> between the nodes. I suppose provisioning tool like ansible/chef/puppet
> is needed here, right?
>
> Best regards and have a great weekend ;-)
>
> MK
>

[rsyslog] test - pls ignore

2023-01-23 Thread Rainer Gerhards via rsyslog
System test after some maintenance work. Please disregard.

Rainer


Re: [rsyslog] $SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname

2023-01-06 Thread Rainer Gerhards via rsyslog
The problem is that these are multi-line messages (#012 is LF). This
will most probably hurt you in later log processing and may give
problems in log forwarding. Thus they are escaped. Validly formed logs
usually have no LF. If and only if the other log sources behave well,
there would be no problem with enabling that globally.

Rainer

El vie, 6 ene 2023 a las 15:11, Morgan Cox via rsyslog
() escribió:
>
> Thanks for clarifying David.  I could see the if statement was otherwise
> working
>
> Here is an example debug line
>
> Debug line with all properties:
> FROMHOST: 'mcox-acs-test', fromhost-ip: '127.0.0.1', HOSTNAME:
> 'mcox-acs-test', PRI: 37,
> syslogtag 'aide[2987]:', programname: 'aide', APP-NAME: 'aide', PROCID:
> '2987', MSGID: '-',
> TIMESTAMP: 'Jan  6 14:06:02', STRUCTURED-DATA: '-',
> msg: '#012#012End timestamp: 2023-01-06 14:06:02 + (run time: 0m 0s)'
> escaped msg: '#012#012End timestamp: 2023-01-06 14:06:02 + (run
> time: 0m 0s)'
> inputname: imjournal rawmsg: '#012#012End timestamp: 2023-01-06 14:06:02
> + (run time: 0m 0s)'
> $!:{ "_TRANSPORT": "syslog", "_UID": "0", "_GID": "0", "_MACHINE_ID":
> "a64ab243d93144128694b0be9d05ae60", "_HOSTNAME": "mcox-acs-test",
> "PRIORITY": "5", "SYSLOG_IDENTIFIER": "aide", "_SELINUX_CONTEXT":
> "unconfined_u:unconfined_r:unconfi
> ned_t:s0-s0:c0.c1023", "SYSLOG_FACILITY": "4", "_BOOT_ID":
> "0a5c2493ccf347c19745d8eaf473e003", "_PID": "2987", "MESSAGE": "\n\nEnd
> timestamp: 2023-01-06 14:06:02 + (run time: 0m 0s)",
> "_SOURCE_REALTIME_TIMESTAMP": "1673013962145150"
> }
> $.:
> $/:
>
> This led to the #012 appearing in the remote server
>
> Jan  6 13:59:53 test aide[2953]: #012#012End timestamp: 2023-01-06
> 13:59:53 + (run time: 0m 0s)
>
> Is there another option to change the output but just for this
> application? (I'm worried about the effect on other logs if I enable
> SpaceLFOnReceive globally.)
>
>
> Thanks for your help so far - much appreciated
>
>
> On 05/01/2023 17:17, David Lang wrote:
> > No, that is a universal parser directive.
> >
> > One thing that's confusing about rsyslog configs is that there are two
> > types of things that are in the config
> >
> > 1. things processed at startup to configure rsyslog
> >
> > 2. things processed per message to manipulate that message
> >
> > it doesn't matter where in the config you put the startup items, they
> > all get processed at startup time.
> >
> > by the time you are processing the message, directives like this one
> > have or have not already had their effect (they are things that happen
> > as the message is being parsed, before you know anything about it)
> >
> > can you give us an example of a message that you are having problems
> > with? Ideally the rawmsg as shown by the RSYSLOG_DebugFormat template
> >
> > David Lang
> >
> > On Thu, 5 Jan 2023, Morgan Cox via rsyslog wrote:
> >
> >> Date: Thu, 5 Jan 2023 17:07:57 +
> >> From: Morgan Cox via rsyslog 
> >> To: rsyslog@lists.adiscon.com
> >> Cc: Morgan Cox 
> >> Subject: [rsyslog] $SpaceLFOnReceive - how to use in if statement for
> >> one
> >> $programname - issue is SpaceLFOnReceive applies regardless of
> >> $programname
> >>
> >> Hi.
> >>
> >> Wondering if anyone can help
> >>
> >> I forward all syslog messages (linux) using (syslog server ip has
> >> been removed.)
> >>
> >> if $fromhost-ip == '127.0.0.1' then @syslogserverip:514
> >>
> >> And this works.
> >>
> >> However, I am trying to send Aide check output via syslog using
> >> systemd-cat
> >>
> >> I have an issue with spacing, etc (i.e I see #012 all over the output
> >> on remote server)
> >>
> >> The solution is to use
> >>
> >> $SpaceLFOnReceive on
> >>
> >> This fixes the #012 issue.
> >>
> >> However I didn't want to set this globally so I have created if
> >> statements in rsyslog conf
> >>
> >>
> >> e.g
> >>
> >> if $fromhost-ip == '127.0.0.1' and $programname != 'aide' then {
> >>@syslogserverip:514
> >> }
> >>
> >> if $programname == 'aide' then {
> >>$SpaceLFOnReceive on
> >>@syslogserverip:514
> >> }
> >>
> >>
> >> The if statement works - apart from the $SpaceLFOnReceive on part
> >>
> >> e.g if I enable $SpaceLFOnReceive on  in the 2nd if statement it
> >> applies to anything
> >>
> >> i.e I have tested replacing $programname with sshd in both if
> >> statements but $SpaceLFOnReceive on is enabled if I use any service.
> >>
> >> If there a way to make $SpaceLFOnReceive apply to just a specified
> >> $programname ?
> >>
> >>
> >> Thanks
> >>
> >>
> >>
> --
> Sincerely yours,
> /Morgan Cox/
> /System Administrator/
> +44 115 753 0120
> m@compassplus.com 
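
The receive-time behaviour discussed in this thread, as an added example that is not rsyslog code and not from any poster: it models the default control-character escaping (LF becomes "#012", as seen on the remote server above) and the `$SpaceLFOnReceive` alternative, then counts how many records a line-oriented consumer would see for the same message. The treatment of control characters other than LF under `$SpaceLFOnReceive` is an assumption of the model; the aide message is taken from the debug output above, the second sample is constructed.

```python
"""What rsyslog does with LF in a received message (added example, not rsyslog code).

Models the two parser-level behaviours from the thread:
  * default: every control character is escaped as '#' plus three octal
    digits, so LF becomes "#012";
  * $SpaceLFOnReceive on: LF is turned into a space instead (other control
    characters are assumed to be escaped as in the default).
Both happen at parse time, before any if-statement sees the message, which is
why they cannot be switched on for a single $programname.
"""


def escape_control_chars(msg):
    """Default receive-time behaviour: control characters -> '#NNN' (octal)."""
    out = []
    for ch in msg:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append("#%03o" % code)
        else:
            out.append(ch)
    return "".join(out)


def space_lf_on_receive(msg):
    """$SpaceLFOnReceive on: LF -> space; other control characters still escaped (assumption)."""
    return escape_control_chars(msg.replace("\n", " "))


def as_received(msg, space_lf=False):
    """What the parser hands to the rule engine for one received message."""
    return space_lf_on_receive(msg) if space_lf else escape_control_chars(msg)


def syslog_line(tag, msg):
    """Traditional file/forwarding format with a fixed timestamp and host (constructed)."""
    return "Jan  6 13:59:53 test %s %s" % (tag, msg)


def records_seen(text):
    """Number of records a line-oriented consumer (grep, a SIEM file reader) finds in text."""
    return text.count("\n") + 1


# The aide message from the thread's debug output.
AIDE_MSG = "\n\nEnd timestamp: 2023-01-06 14:06:02 + (run time: 0m 0s)"
# Constructed: a message whose embedded newline is followed by text shaped
# like a second syslog record; unescaped, a consumer would count it as one.
EMBEDDED_RECORD = "login ok\nJan  6 13:59:53 test sshd[1]: session closed"

if __name__ == "__main__":
    for msg in (AIDE_MSG, EMBEDDED_RECORD):
        print("raw     :", records_seen(syslog_line("aide[2953]:", msg)), "record(s)")
        print("default :", syslog_line("aide[2953]:", as_received(msg)))
        print("spacelf :", syslog_line("aide[2953]:", as_received(msg, space_lf=True)))
```

Either policy leaves exactly one record per message; the raw form does not, which is the "hurt you in later log processing" point above and the reason escaping is the safer global default.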

Re: [rsyslog] Can't find uuid property information

2022-12-16 Thread Rainer Gerhards via rsyslog
I checked, it's contributed code that I just merged (via commit and
some fixes). It depends on libuuid. Patch is here:

https://github.com/rsyslog/rsyslog/commit/744d7c426da4aa3229771358a5da27b79e2edf52

If you have text for the doc, feel free to create a doc PR or at least
let me know some suggestions.

HTH
Rainer

El vie, 16 dic 2022 a las 9:26, Johan Ryberg via rsyslog
() escribió:
>
> Hi,
>
> I have a template with the following property
> property(outname="id" name="uuid" format="jsonf")
>
> It kind of works for our purpose but I always get a random string looking
> like this: A18F8D7067FE4DE793EC8B9CB95BDDB4
>
> The problem is that it's not really a "uuid" per definition?
>
> I can't find any information about this feature in the documentation and I
> wonder if it can be modified to a uuid version 4 with correct format?
>
> Where can I read about this property? I expected it to be here:
> https://www.rsyslog.com/doc/v8-stable/configuration/properties.html
>
> Best regards Johan
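
A check for the question raised in this thread, added as an example (not rsyslog code, not from either poster): it takes the 32-hex-digit value the `uuid` property produced, renders it in canonical 8-4-4-4-12 form and reads the version and variant bits directly from the bytes, cross-checking against Python's `uuid` module. Whether such a value is a UUID "per definition" is decided by those bits, not by the presence of dashes.

```python
"""Inspect the value rsyslog's uuid property produces (added example).

Not rsyslog code: decodes the version nibble (high nibble of byte 6) and the
variant bits (top bits of byte 8) of a 32-hex-digit value, so a value that
is merely printed without dashes can be told apart from one that is not an
RFC 4122 UUID at all.
"""
import re
import uuid

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def canonical_uuid(value):
    """Return the canonical lowercase 8-4-4-4-12 form of a 32-hex-digit value."""
    if not HEX32.match(value):
        raise ValueError("expected 32 hex digits, got %r" % value)
    return str(uuid.UUID(hex=value))


def version_and_variant(value):
    """Read version and variant straight from the bytes (RFC 4122 layout)."""
    raw = bytes.fromhex(value)
    version = raw[6] >> 4
    b8 = raw[8]
    if b8 >> 7 == 0b0:
        variant = "NCS"
    elif b8 >> 6 == 0b10:
        variant = "RFC 4122"
    elif b8 >> 5 == 0b110:
        variant = "Microsoft"
    else:
        variant = "reserved"
    return version, variant


def describe_uuid(value):
    """Canonical form plus what the bits say, with a cross-check against the uuid module."""
    version, variant = version_and_variant(value)
    u = uuid.UUID(hex=value)
    random_v4 = variant == "RFC 4122" and version == 4
    module_v4 = u.variant == uuid.RFC_4122 and u.version == 4
    return {
        "canonical": canonical_uuid(value),
        "version": version,
        "variant": variant,
        "random_v4": random_v4,
        "module_agrees": random_v4 == module_v4,
    }


if __name__ == "__main__":
    # The sample value quoted in the thread.
    print(describe_uuid("A18F8D7067FE4DE793EC8B9CB95BDDB4"))
```

For the value quoted above the version nibble is 4 and the variant bits are 10, i.e. it is a random (version 4) UUID printed without dashes; `canonical_uuid` gives the dashed form if a consumer insists on it.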

Re: [rsyslog] Rate-limit: Cannot configure higher limit

2022-12-14 Thread Rainer Gerhards via rsyslog
I ignore the database logging issue. When you have rate-limiting
issues again, please report, together with the description of what
happens.

If you think this is related to mysql, please address that issue first.

Rainer

El mié, 14 dic 2022 a las 17:48, helices
() escribió:
>
> REF: Rsyslogd/ommysql.so: Not writing to DB intermittently
>
> Rainer asked us to start a new post for the rate-limit issue.
>
>
> A few of many hundreds of rate-limit errors and lost messages:
>
> 2022-12-13T02:23:44.003241-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1792 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:23:50.001278-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1779 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:23:56.001273-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1835 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:24:02.005300-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1768 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
>
>
> # date; grep -v "^\(#\|\s*$\)" /etc/rsyslog.conf ;date
> Wed Dec 14 10:35:41 CST 2022
> $DebugFile /var/log/rsyslog.debug
> $DebugLevel 2
> module(load="imjournal" Ratelimit.Burst="3" Ratelimit.Interval="1000" 
> StateFile="imjournal.state")
> module(load="imklog")
> module(load="immark")
> module(load="impstats" interval="600" severity="7")
> syslog.=debug /var/log/rsyslog-stats
> module(load="imtcp")
> input(type="imtcp" port="514")
> module(load="imudp")
> input(type="imudp" port="514")
> module(load="ommysql.so")
> global(workDirectory="/var/lib/rsyslog")
> authpriv.none;cron.none;*.info;mail.none    /var/log/messages
> authpriv.*                                  /var/log/secure
> cron.*                                      /var/log/cron
> *.emerg                                     :omusrmsg:*
> ftp.*                                       /var/log/vsftpd.log
> local7.*                                    /var/log/boot.log
> mail.*                                      /var/log/maillog
> uucp,news.crit                              /var/log/spooler
> $ActionName Ftp
> $ActionQueueFileName dbFtpQueue   # Set file name, also enables disk mode
> $ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
> $ActionQueueType LinkedList   # Use asynchronous processing
> $ActionResumeRetryCount -1# Infinite retries on insert failure
> ftp.* 
> :ommysql:10.199.5.177,vsftplog,hermesvsftplog,_
> $ActionName Sftp
> $ActionQueueFileName dbSftpQueue   # Set file name, also enables disk mode
> $ActionQueueSaveOnShutdown on  # Save messages to disk on shutdown
> $ActionQueueType LinkedList# Use asynchronous processing
> $ActionResumeRetryCount -1 # Infinite retries on insert failure
> authpriv.* 
> :ommysql:10.199.5.177,sftplogDB,hermesvsftplog,_
> $ActionName Admin
> $ActionQueueFileName ZenossQueue  # Set file name, also enables disk mode
> $ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
> $ActionQueueType LinkedList   # Use asynchronous processing
> $ActionResumeRetryCount -1# Infinite retries on insert failure
> *.*   @@10.199.1.160
> Wed Dec 14 10:35:41 CST 2022
>
>
> Rainer asked us to setup a debug log, according to:
> https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>
> Initial startup here:
> https://pastebin.com/DUgwmPC
>
>
> No rate-limiting occurred since early yesterday (12/13) morning. This appears 
> to be associated with the errors and multi-line syslog entries mentioned in 
> the other post.
>
> The sole intent of the database logging is tracking all incoming remote file 
> transfer (SFTP) activities. There is a firewall between this host and the 
> internet. Only "whitelisted" IP addresses can get through, and are to be 
> inserted into the database.
>
> Apparently, at least one client connects in the early morning hours, and this 
> unusual SFTP activity results in multi-line syslog entries that come 
> in very large numbers. One problem is, the multiple line entries are not 
> written to /var/log/messages, are not inserted into the database, and 
> rate-limiting obscures all content. Hence, this support request is our 
> attempt to understand what is happening, after which we can act to correct 
> these problems.
>
> Interestingly, we are not aware of any missing files from this or any other 
> file transfer clients.

Re: [rsyslog] Rsyslogd/ommysql.so: Not writing to DB intermittently

2022-12-14 Thread Rainer Gerhards via rsyslog
It's a bad idea to try to handle two independent issues on a single
conversation. I do not have more advice for sql other than I gave.
But the debug log should also be helpful here. If you have issues with
rate limiting, pls open a new issue, ideally on github. But else use a
different subject.

Thx,
Rainer

El mié, 14 dic 2022 a las 15:38, helices
() escribió:
>
> Neither the errors nor rate-limiting occurred since early yesterday (12/13) 
> morning, examples of which I've already posted.
>
> The sole intent of the database logging is tracking all incoming remote file 
> transfer (SFTP) activities. There is a firewall between this host and the 
> internet. Only "whitelisted" IP addresses can get through, and are to be 
> inserted into the database.
>
> Apparently, at least one client connects in the early morning hours, and this 
> unusual SFTP activity results in multi-line syslog entries that come 
> in very large numbers. One problem is, the multiple line entries are not 
> written to /var/log/messages, are not inserted into the database, and 
> rate-limiting obscures all content. Hence, this support request is our 
> attempt to understand what is happening, after which we can act to correct 
> these problems.
>
> Interestingly, we are not aware of any missing files from this or any other 
> file transfer clients.
>
> On Wed, Dec 14, 2022 at 2:54 AM Rainer Gerhards  
> wrote:
>>
>> Thx - I do not see anything obviously wrong.
>>
>> Could it be that those messages arrive e.g. via imklog instead of imjournal?
>>
>> Can you check inside the debug log for occurrences of the ratelimited
>> message - and find where it actually is emitted. Alternatively, you
>> may want to post a full debug log which shows the problem (I guess
>> that's out of option, so an excerpt could do it, but would probably
>> require some turnaround to nail the actual info items needed).
>>
>> Rainer
>>
>> El mar, 13 dic 2022 a las 16:59, helices
>> () escribió:
>> >
>> > https://pastebin.com/DUgwmPCs
>> >
>> > On Tue, Dec 13, 2022 at 9:02 AM Rainer Gerhards  
>> > wrote:
>> >>
>> >> well, for the debug log to make sense to me, I need the whole thing at
>> >> least for the startup sequence. You can post it in a gist or something
>> >> like pastebin. I guess David would also be interested in it.
>> >>
>> >> Rainer
>> >>
>> >> El mar, 13 dic 2022 a las 15:57, helices
>> >> () escribió:
>> >> >
>> >> > I'm trying to understand what is really happening. Recently, it seems 
>> >> > one of our clients initiates many SFTP connections to this host in the 
>> >> > early morning hours. There are many, many rsyslog entries for this, and 
>> >> > they are also those - apparently - wrapping across multiple lines, 
>> >> > which fail insertion into our database.
>> >> >
>> >> > we have not yet identified a full entry that fails mysql insertion. So, 
>> >> > no, we did not "manually try the insert statement." Nor have we found 
>> >> > appropriate mysql error log entries.
>> >> >
>> >> > "Could you at least post the startup part of the debug log?" - How much?
>> >> >
>> >> > NOTE: 'ratelimit.interval' and 'ratelimit.burst' are set; but, 
>> >> > 'ratelimitinterval' and 'ratelimitburst' are BOTH UNSET. What is that 
>> >> > about?
>> >> >
>> >> > 0953.048546212:main thread: glbl.c: debug level 2 set via config 
>> >> > file
>> >> > 0953.048561879:main thread: glbl.c: This is rsyslog version 8.2212.0
>> >> > 0953.048577415:main thread: rsconf.c: cnf:global:obj: obj: 'module'
>> >> > 0953.048587780:main thread: rainerscript.c: nvlst 0x561102c16ca0:
>> >> > 0953.048592371:main thread: rainerscript.c: name: 
>> >> > 'StateFile', value 'imjournal.state'
>> >> > 0953.048596753:main thread: rainerscript.c: name: 
>> >> > 'Ratelimit.Interval', value '1000'
>> >> > 0953.048600958:main thread: rainerscript.c: name: 
>> >> > 'Ratelimit.Burst', value '3'
>> >> > 0953.048605071:main thread: rainerscript.c: name: 'load', 
>> >> > value 'imjournal'
>> >> > 0953.048636752:main thread: rainerscript.c: nvlstGetParam: name 
>> >> > 'load', type 13, valnode->bUsed 0
>> >> > 0953.048643952:main thread: modules.c: modulesProcessCnf params:
>> >> > 0953.048647990:main thread: rainerscript.c: load:  'imjournal'
>> >> > 0953.048666065:main thread: modules.c: Requested to load module 
>> >> > 'imjournal'
>> >> > 0953.048671930:main thread: modules.c: loading module 
>> >> > '/usr/lib64/rsyslog/imjournal.so'
>> >> > 0953.049450325:main thread: modules.c: module imjournal of type 0 
>> >> > being loaded (keepType=0).
>> >> > 0953.049461922:main thread: modules.c: module config name is 
>> >> > 'imjournal'
>> >> > 0953.049466285:main thread: modules.c: module imjournal supports 
>> >> > rsyslog v6 config interface
>> >> > 0953.049471442:main thread: imjournal.c: entry point 
>> >> > 'activateCnfPrePrivDrop' not present in module
>> >> > 0953.049476234:main thread: 

Re: [rsyslog] Rsyslogd/ommysql.so: Not writing to DB intermittently

2022-12-14 Thread Rainer Gerhards via rsyslog
Thx - I do not see anything obviously wrong.

Could it be that those messages arrive e.g. via imklog instead of imjournal?

Can you check inside the debug log for occurrences of the ratelimited
message - and find where it actually is emitted. Alternatively, you
may want to post a full debug log which shows the problem (I guess
that's out of option, so an excerpt could do it, but would probably
require some turnaround to nail the actual info items needed).

Rainer

El mar, 13 dic 2022 a las 16:59, helices
() escribió:
>
> https://pastebin.com/DUgwmPCs
>
> On Tue, Dec 13, 2022 at 9:02 AM Rainer Gerhards  
> wrote:
>>
>> well, for the debug log to make sense to me, I need the whole thing at
>> least for the startup sequence. You can post it in a gist or something
>> like pastebin. I guess David would also be interested in it.
>>
>> Rainer
>>
>> El mar, 13 dic 2022 a las 15:57, helices
>> () escribió:
>> >
>> > I'm trying to understand what is really happening. Recently, it seems one 
>> > of our clients initiates many SFTP connections to this host in the early 
>> > morning hours. There are many, many rsyslog entries for this, and they are 
>> > also those - apparently - wrapping across multiple lines, which fail 
>> > insertion into our database.
>> >
>> > we have not yet identified a full entry that fails mysql insertion. So, 
>> > no, we did not "manually try the insert statement." Nor have we found 
>> > appropriate mysql error log entries.
>> >
>> > "Could you at least post the startup part of the debug log?" - How much?
>> >
>> > NOTE: 'ratelimit.interval' and 'ratelimit.burst' are set; but, 
>> > 'ratelimitinterval' and 'ratelimitburst' are BOTH UNSET. What is that 
>> > about?
>> >
>> > 0953.048546212:main thread: glbl.c: debug level 2 set via config file
>> > 0953.048561879:main thread: glbl.c: This is rsyslog version 8.2212.0
>> > 0953.048577415:main thread: rsconf.c: cnf:global:obj: obj: 'module'
>> > 0953.048587780:main thread: rainerscript.c: nvlst 0x561102c16ca0:
>> > 0953.048592371:main thread: rainerscript.c: name: 'StateFile', 
>> > value 'imjournal.state'
>> > 0953.048596753:main thread: rainerscript.c: name: 
>> > 'Ratelimit.Interval', value '1000'
>> > 0953.048600958:main thread: rainerscript.c: name: 
>> > 'Ratelimit.Burst', value '3'
>> > 0953.048605071:main thread: rainerscript.c: name: 'load', 
>> > value 'imjournal'
>> > 0953.048636752:main thread: rainerscript.c: nvlstGetParam: name 
>> > 'load', type 13, valnode->bUsed 0
>> > 0953.048643952:main thread: modules.c: modulesProcessCnf params:
>> > 0953.048647990:main thread: rainerscript.c: load:  'imjournal'
>> > 0953.048666065:main thread: modules.c: Requested to load module 
>> > 'imjournal'
>> > 0953.048671930:main thread: modules.c: loading module 
>> > '/usr/lib64/rsyslog/imjournal.so'
>> > 0953.049450325:main thread: modules.c: module imjournal of type 0 
>> > being loaded (keepType=0).
>> > 0953.049461922:main thread: modules.c: module config name is 
>> > 'imjournal'
>> > 0953.049466285:main thread: modules.c: module imjournal supports 
>> > rsyslog v6 config interface
>> > 0953.049471442:main thread: imjournal.c: entry point 
>> > 'activateCnfPrePrivDrop' not present in module
>> > 0953.049476234:main thread: imjournal.c: entry point 'newInpInst' not 
>> > present in module
>> > 0953.049480495:main thread: imjournal.c: entry point 'doHUP' not 
>> > present in module
>> > 0953.049486505:main thread: rainerscript.c: nvlstGetParam: name 
>> > 'statefile', type 13, valnode->bUsed 0
>> > 0953.049491290:main thread: rainerscript.c: nvlstGetParam: name 
>> > 'ratelimit.interval', type 6, valnode->bUsed 0
>> > 0953.049497144:main thread: rainerscript.c: nvlstGetParam: name 
>> > 'ratelimit.burst', type 6, valnode->bUsed 0
>> > 0953.049502097:main thread: imjournal.c: module (global) param blk for 
>> > imjournal:
>> > 0953.049506011:main thread: rainerscript.c: statefile:  
>> > 'imjournal.state'
>> > 0953.049515590:main thread: rainerscript.c: ratelimit.interval: 1000
>> > 0953.049524703:main thread: rainerscript.c: ratelimit.burst: 3
>> > 0953.049533615:main thread: rainerscript.c: persiststateinterval: 
>> > (unset)
>> > 0953.049542575:main thread: rainerscript.c: ignorepreviousmessages: 
>> > (unset)
>> > 0953.049551231:main thread: rainerscript.c: ignorenonvalidstatefile: 
>> > (unset)
>> > 0953.049559845:main thread: rainerscript.c: defaultseverity: (unset)
>> > 0953.049568448:main thread: rainerscript.c: defaultfacility: (unset)
>> > 0953.049577070:main thread: rainerscript.c: usepidfromsystem: (unset)
>> > 0953.049585721:main thread: rainerscript.c: usepid: (unset)
>> > 0953.049594328:main thread: rainerscript.c: workaroundjournalbug: 
>> > (unset)
>> > 0953.049602947:main thread: rainerscript.c: fsync: (unset)
>> > 0953.049611537:main thread: 

Re: [rsyslog] Rsyslogd/ommysql.so: Not writing to DB intermittently

2022-12-13 Thread Rainer Gerhards via rsyslog
well, for the debug log to make sense to me, I need the whole thing at
least for the startup sequence. You can post it in a gist or something
like pastebin. I guess David would also be interested in it.

Rainer

El mar, 13 dic 2022 a las 15:57, helices
() escribió:
>
> I'm trying to understand what is really happening. Recently, it seems one of 
> our clients initiates many SFTP connections to this host in the early morning 
> hours. There are many, many rsyslog entries for this, and they are also those 
> - apparently - wrapping across multiple lines, which fail insertion into our 
> database.
>
> we have not yet identified a full entry that fails mysql insertion. So, no, 
> we did not "manually try the insert statement." Nor have we found appropriate 
> mysql error log entries.
>
> "Could you at least post the startup part of the debug log?" - How much?
>
> NOTE: 'ratelimit.interval' and 'ratelimit.burst' are set; but, 
> 'ratelimitinterval' and 'ratelimitburst' are BOTH UNSET. What is that about?
>
> 0953.048546212:main thread: glbl.c: debug level 2 set via config file
> 0953.048561879:main thread: glbl.c: This is rsyslog version 8.2212.0
> 0953.048577415:main thread: rsconf.c: cnf:global:obj: obj: 'module'
> 0953.048587780:main thread: rainerscript.c: nvlst 0x561102c16ca0:
> 0953.048592371:main thread: rainerscript.c: name: 'StateFile', 
> value 'imjournal.state'
> 0953.048596753:main thread: rainerscript.c: name: 
> 'Ratelimit.Interval', value '1000'
> 0953.048600958:main thread: rainerscript.c: name: 
> 'Ratelimit.Burst', value '3'
> 0953.048605071:main thread: rainerscript.c: name: 'load', value 
> 'imjournal'
> 0953.048636752:main thread: rainerscript.c: nvlstGetParam: name 'load', 
> type 13, valnode->bUsed 0
> 0953.048643952:main thread: modules.c: modulesProcessCnf params:
> 0953.048647990:main thread: rainerscript.c: load:  'imjournal'
> 0953.048666065:main thread: modules.c: Requested to load module 
> 'imjournal'
> 0953.048671930:main thread: modules.c: loading module 
> '/usr/lib64/rsyslog/imjournal.so'
> 0953.049450325:main thread: modules.c: module imjournal of type 0 being 
> loaded (keepType=0).
> 0953.049461922:main thread: modules.c: module config name is 'imjournal'
> 0953.049466285:main thread: modules.c: module imjournal supports rsyslog 
> v6 config interface
> 0953.049471442:main thread: imjournal.c: entry point 
> 'activateCnfPrePrivDrop' not present in module
> 0953.049476234:main thread: imjournal.c: entry point 'newInpInst' not 
> present in module
> 0953.049480495:main thread: imjournal.c: entry point 'doHUP' not present 
> in module
> 0953.049486505:main thread: rainerscript.c: nvlstGetParam: name 
> 'statefile', type 13, valnode->bUsed 0
> 0953.049491290:main thread: rainerscript.c: nvlstGetParam: name 
> 'ratelimit.interval', type 6, valnode->bUsed 0
> 0953.049497144:main thread: rainerscript.c: nvlstGetParam: name 
> 'ratelimit.burst', type 6, valnode->bUsed 0
> 0953.049502097:main thread: imjournal.c: module (global) param blk for 
> imjournal:
> 0953.049506011:main thread: rainerscript.c: statefile:  'imjournal.state'
> 0953.049515590:main thread: rainerscript.c: ratelimit.interval: 1000
> 0953.049524703:main thread: rainerscript.c: ratelimit.burst: 3
> 0953.049533615:main thread: rainerscript.c: persiststateinterval: (unset)
> 0953.049542575:main thread: rainerscript.c: ignorepreviousmessages: 
> (unset)
> 0953.049551231:main thread: rainerscript.c: ignorenonvalidstatefile: 
> (unset)
> 0953.049559845:main thread: rainerscript.c: defaultseverity: (unset)
> 0953.049568448:main thread: rainerscript.c: defaultfacility: (unset)
> 0953.049577070:main thread: rainerscript.c: usepidfromsystem: (unset)
> 0953.049585721:main thread: rainerscript.c: usepid: (unset)
> 0953.049594328:main thread: rainerscript.c: workaroundjournalbug: (unset)
> 0953.049602947:main thread: rainerscript.c: fsync: (unset)
> 0953.049611537:main thread: rainerscript.c: remote: (unset)
> 0953.049648880:main thread: rsconf.c: cnf:global:obj: obj: 'module'
> 0953.049656182:main thread: rainerscript.c: nvlst 0x561102c16cd0:
> 0953.049660452:main thread: rainerscript.c: name: 'load', value 
> 'imklog'
> 0953.049665572:main thread: rainerscript.c: nvlstGetParam: name 'load', 
> type 13, valnode->bUsed 0
> 0953.049669812:main thread: modules.c: modulesProcessCnf params:
> 0953.049673667:main thread: rainerscript.c: load:  'imklog'
> 0953.049683199:main thread: modules.c: Requested to load module 'imklog'
> 0953.049688342:main thread: modules.c: loading module 
> '/usr/lib64/rsyslog/imklog.so'
> 0953.050263553:main thread: modules.c: module imklog of type 0 being 
> loaded (keepType=0).
> 0953.050274236:main thread: imklog.c: entry point 
> 'isCompatibleWithFeature' not present in 

Re: [rsyslog] Rsyslogd/ommysql.so: Not writing to DB intermittently

2022-12-13 Thread Rainer Gerhards via rsyslog
I am a bit confused if/how this shall relate to the imjournal rate
limiter, but... well.. you may know - especially if it helped ;-)

As to troubleshooting the SQL issue: did you manually try the insert
statement? Did the sql server error log give you more information?

Could you at least post the startup part of the debug log? Be sure to
check for passwords etc. before doing so.

Rainer

El mar, 13 dic 2022 a las 15:21, helices
() escribió:
>
> Done.
>
> Apparently, this issue happens mostly in the very early morning hours.
>
> It seems to be associated with the original issue in my original post:
>
> 2022-12-13T02:23:44.392947-06:00 hermes rsyslogd[2539]: action 'Sftp' (module 
> 'ommysql.so') message lost, could not be processed. Check for additional 
> error messages before this one. [v8.2212.0 try https://www.rsyslog.com/e/2218 
> ]
> 2022-12-13T02:23:44.399259-06:00 hermes rsyslogd[2539]: ommysql: db error 
> (1172): Result consisted of more than one row  [v8.2212.0]
> 2022-12-13T02:23:44.399470-06:00 hermes rsyslogd[2539]: The error statement 
> was: insert into SystemEvents (Message, Facility, FromHost, Priority, 
> DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('Received 
> disconnect from 44.228.232.55 port 53606:11: disconnected by user 
> [postauth]', 10, 'hermes', 6, '20221213020903', '20221213020903', 1, 
> 'sshd[23880]:') [v8.2212.0 try https://www.rsyslog.com/e/2218 ]
>
> I remain unclear on how to get more details regarding this to a log file.
>
> Thank you for your assistance.
>
> ~ Mike
>
>
>
> On Tue, Dec 13, 2022 at 8:01 AM Rainer Gerhards  
> wrote:
>>
>> It would probably make sense to create a debug log, at least for
>> startup, to show what actually happened.
>>
>> Doc: https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>>
>> Rainer
>>
>> El mar, 13 dic 2022 a las 15:00, helices
>> () escribió:
>> >
>> > No, it still rate-limits. I verified that the restart restarted rsyslogd:
>> >
>> > # systemctl -l status rsyslog
>> > * rsyslog.service - System Logging Service
>> >Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; 
>> > vendor preset: enabled)
>> >Active: active (running) since Mon 2022-12-12 13:58:40 CST; 18h ago
>> >  Docs: man:rsyslogd(8)
>> >https://www.rsyslog.com/doc/
>> >  Main PID: 2539 (rsyslogd)
>> >CGroup: /system.slice/rsyslog.service
>> >`-2539 /usr/sbin/rsyslogd -n
>> >
>> > Dec 13 04:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 05:18:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 05:38:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 05:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 06:18:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 06:38:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 06:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 07:18:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 07:38:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> > Dec 13 07:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>> >
>> >
>> > Yet, it is still rate-limiting:
>> >
>> > 2022-12-13T02:23:38.001127-06:00 hermes rsyslogd[2539]: 
>> > rsyslogd[internal_messages]: 1808 messages lost due to rate-limiting (500 
>> > allowed within 5 seconds)
>> > 2022-12-13T02:23:44.003241-06:00 hermes rsyslogd[2539]: 
>> > rsyslogd[internal_messages]: 1792 messages lost due to rate-limiting (500 
>> > allowed within 5 seconds)
>> > 2022-12-13T02:23:50.001278-06:00 hermes rsyslogd[2539]: 
>> > rsyslogd[internal_messages]: 1779 messages lost due to rate-limiting (500 
>> > allowed within 5 seconds)
>> > 2022-12-13T02:23:56.001273-06:00 hermes rsyslogd[2539]: 
>> > rsyslogd[internal_messages]: 1835 messages lost due to rate-limiting (500 
>> > allowed within 5 seconds)
>> > 2022-12-13T02:24:02.005300-06:00 hermes rsyslogd[2539]: 
>> > rsyslogd[internal_messages]: 1768 messages lost due to rate-limiting (500 
>> > allowed within 5 seconds)
>> >
>> >
>> > Please, advise. Thank you.
>> >
>> >
>> > On Mon, Dec 12, 2022 at 2:03 PM helices  
>> > wrote:
>> >>
>> >> I just now restarted again, like this:
>> >>
>> >> # systemctl restart rsyslog
>> >>
>> >> We'll see overnight if that does the trick.
>> >>
>> >>
>> >> # date; grep -v "^\(#\|\s*$\)" /etc/rsyslog.conf ;date
>> >> Mon Dec 12 13:56:12 CST 2022
>> >> module(load="imjournal" Ratelimit.Burst="3" Ratelimit.Interval="1000" 
>> >> StateFile="imjournal.state")
>> >> module(load="imklog")
>> >> module(load="immark")
>> >> module(load="impstats" interval="600" severity="7")
>> >> syslog.=debug /var/log/rsyslog-stats
>> >> module(load="imtcp")
>> >> input(type="imtcp" port="514")
>> >> module(load="imudp")
>> >> input(type="imudp" port="514")
>> >> module(load="ommysql.so")
>> >> global(workDirectory="/var/lib/rsyslog")
>> authpriv.none;cron.none;*.info;mail.none    /var/log/messages
>> >> authpriv.*  

Re: [rsyslog] Rsyslogd/ommysql.so: Not writing to DB intermittently

2022-12-13 Thread Rainer Gerhards via rsyslog
It would probably make sense to create a debug log, at least for
startup, to show what actually happened.

Doc: https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html

Rainer

El mar, 13 dic 2022 a las 15:00, helices
() escribió:
>
> No, it still rate-limits. I verified that the restart restarted rsyslogd:
>
> # systemctl -l status rsyslog
> * rsyslog.service - System Logging Service
>Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor 
> preset: enabled)
>Active: active (running) since Mon 2022-12-12 13:58:40 CST; 18h ago
>  Docs: man:rsyslogd(8)
>https://www.rsyslog.com/doc/
>  Main PID: 2539 (rsyslogd)
>CGroup: /system.slice/rsyslog.service
>`-2539 /usr/sbin/rsyslogd -n
>
> Dec 13 04:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 05:18:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 05:38:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 05:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 06:18:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 06:38:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 06:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 07:18:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 07:38:43 hermes.provell.com rsyslogd[2539]: -- MARK --
> Dec 13 07:58:43 hermes.provell.com rsyslogd[2539]: -- MARK --
>
>
> Yet, it is still rate-limiting:
>
> 2022-12-13T02:23:38.001127-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1808 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:23:44.003241-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1792 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:23:50.001278-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1779 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:23:56.001273-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1835 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
> 2022-12-13T02:24:02.005300-06:00 hermes rsyslogd[2539]: 
> rsyslogd[internal_messages]: 1768 messages lost due to rate-limiting (500 
> allowed within 5 seconds)
>
>
> Please, advise. Thank you.
>
>
> On Mon, Dec 12, 2022 at 2:03 PM helices  wrote:
>>
>> I just now restarted again, like this:
>>
>> # systemctl restart rsyslog
>>
>> We'll see overnight if that does the trick.
>>
>>
>> # date; grep -v "^\(#\|\s*$\)" /etc/rsyslog.conf ;date
>> Mon Dec 12 13:56:12 CST 2022
>> module(load="imjournal" Ratelimit.Burst="3" Ratelimit.Interval="1000" 
>> StateFile="imjournal.state")
>> module(load="imklog")
>> module(load="immark")
>> module(load="impstats" interval="600" severity="7")
>> syslog.=debug /var/log/rsyslog-stats
>> module(load="imtcp")
>> input(type="imtcp" port="514")
>> module(load="imudp")
>> input(type="imudp" port="514")
>> module(load="ommysql.so")
>> global(workDirectory="/var/lib/rsyslog")
>> authpriv.none;cron.none;*.info;mail.none   /var/log/messages
>> authpriv.*  /var/log/secure
>> cron.*  /var/log/cron
>> *.emerg :omusrmsg:*
>> ftp.*   /var/log/vsftpd.log
>> local7.*   /var/log/boot.log
>> mail.*  /var/log/maillog
>> uucp,news.crit  /var/log/spooler
>> $ActionName Ftp
>> $ActionQueueFileName dbFtpQueue   # Set file name, also enables disk mode
>> $ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
>> $ActionQueueType LinkedList   # Use asynchronous processing
>> $ActionResumeRetryCount -1    # Infinite retries on insert failure
>> ftp.* 
>> :ommysql:10.199.5.177,vsftplog,hermesvsftplog,_
>> $ActionName Sftp
>> $ActionQueueFileName dbSftpQueue   # Set file name, also enables disk mode
>> $ActionQueueSaveOnShutdown on  # Save messages to disk on shutdown
>> $ActionQueueType LinkedList    # Use asynchronous processing
>> $ActionResumeRetryCount -1 # Infinite retries on insert failure
>> authpriv.* 
>> :ommysql:10.199.5.177,sftplogDB,hermesvsftplog,_
>> $ActionName Admin
>> $ActionQueueFileName ZenossQueue  # Set file name, also enables disk mode
>> $ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
>> $ActionQueueType LinkedList   # Use asynchronous processing
>> $ActionResumeRetryCount -1    # Infinite retries on insert failure
>> *.*   @@10.199.1.160
>> Mon Dec 12 13:56:12 CST 2022
>>
>> On Mon, Dec 12, 2022 at 1:34 PM David Lang  wrote:
>>>
>>> did you do a full restart after making the change? can you show the full 
>>> config?
>>>
>>> the messages you are showing are saying that the config line you show isn't
>>> being used.
>>>
>>> David Lang

Re: [rsyslog] Rsyslogd/ommysql.so: Not writing to DB intermittently

2022-12-09 Thread Rainer Gerhards via rsyslog
you set the interval, but not ratelimit.burst

doc: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imjournal.html

Rainer

On Tue, 6 Dec 2022 at 15:16, helices via rsyslog
() wrote:
>
> David,
>
> What am I doing wrong?
>
> module(load="imjournal" Ratelimit.Interval="1"
> StateFile="imjournal.state")
>
> 2022-12-06T07:19:26.004772-06:00 hermes rsyslogd[29735]:
> rsyslogd[internal_messages]: 1755 messages lost due to rate-limiting (500
> allowed within 5 seconds)
>
> Please, advise. Thank you.
>
> ~ Mike
>
>
>
> On Thu, Dec 1, 2022 at 3:12 PM David Lang  wrote:
>
> > On Thu, 1 Dec 2022, helices wrote:
> >
> > > [1] What is "action() syntax?" Which lines ought to be converted? How?
> >
> >
> > https://www.rsyslog.com/doc/master/configuration/basic_structure.html#statement-types
> >
> > instead of
> >
> > @@10.0.0.1
> >
> > you would do
> >
> > action(type="omfwd" target="10.0.0.1" port="514" protocol="tcp")
> >
> > for this trivial example, the earlier syntax makes more sense, but when
> > you have
> > more complex things (like the queues that you have), adding them all into
> > the
> > action makes it clearer exactly what is happening
> >
> >
> > so you currently have
> >
> > >>> $ActionName Admin
> > >>> $ActionQueueDequeueSlowdown 1000  # How long (in microseconds)
> > dequeueing
> > >>> should be delayed
> > >>> $ActionQueueFileName ZenossQueue  # Set file name, also enables disk
> > mode
> > >>> $ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
> > >>> $ActionQueueType LinkedList   # Use asynchronous processing
> > >>> $ActionResumeRetryCount -1    # Infinite retries on insert failure
> > >>> *.*   @@10.199.1.160
> >
> >
> > This would be
> >
> > action(name="Admin" type="omfwd" target="10.199.1.160" protocol="tcp"
> > queue.filename="ZenossQueue" queue.saveonshutdown="on"
> > queue.type="linkedlist"
> > resumeretrycount="-1" queue.dequeueslowdown="1000")
> >
> > this makes it very clear that all these parameters apply only to this
> > action
> > (which is what the old syntax does, but it's less obvious to people that
> > it only
> > applies to the next action)
> >
> > > [2] Where is the "pause" you mention? I don't recognize that.
> >
> > $ActionQueueDequeueSlowdown 1000  # How long (in microseconds) dequeueing
> >
> > This tells rsyslog to pause after each batch of messages before processing
> > the
> > next batch.
> >
> > > [3] impstats? Permanently? Only for this debugging?
> >
> > I like to have it on permanently, but especially for debugging it provides
> > a lot
> > of useful info
> >
> > > [4] How to modify imjournal rate limits?
> >
> > see
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imjournal.html
> >
> > > [5] RSYSLOG_DebugFormat? I found this:
> > > https://www.rsyslog.com/doc/v8-stable/configuration/templates.html - Is
> > > that example proper by itself? Where does this template go? How can I
> > > specify the file and location for debugging?
> >
> > as I said below
> >
> > >> ftp.* /var/log/ftp;RSYSLOG_DebugFormat (legacy format, add
> > template="RSYSLOG_DebugFormat" to that action() format)
> >
> > > If there are URLs to inform me, I appreciate your direction.
> >
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imjournal.html
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/ommysql.html
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
> > https://www.rsyslog.com/doc/master/configuration/actions.html
> > https://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html
> >
> > feel free to keep asking questions.
> >
> > David Lang
> >
> >
> > > ~ Mike
> > >
> > >
> > >
> > > On Thu, Dec 1, 2022 at 1:33 PM David Lang  wrote:
> > >
> > >> it would be useful to convert to the action() syntax as it makes it
> > >> clearer
> > >> what's happening.
> > >>
> > >> Why are you pausing between writing logs? (this could be why you are
> > >> dropping
> > >> logs)
> > >>
> > >> given the number of queues and actions, look at configuring impstats so
> > >> that you
> > >> can see the number of messages in the queues, number processed, etc.
> > >>
> > >> imjournal defaults to some fairly aggressive rate limiting, I find that
> > I
> > >> always
> > >> need to drastically increase the limits.
> > >>
> > >> writing logs using the RSYSLOG_DebugFormat is adding the template to the
> > >> file
> > >>
> > >> ftp.* /var/log/ftp;RSYSLOG_DebugFormat (legacy format, add
> > >> template="RSYSLOG_DebugFormat" to that action() format)
> > >>
> > >> the debug format is large, but you really need to see the message that's
> > >> failing
> > >> to figure out why it's failing. The MySQL logs may give you better info
> > on
> > >> that.
> > >>
> > >> David Lang
> > >>
> > >> On Thu, 1 Dec 2022, helices wrote:
> > >>
> > >>> Date: Thu, 1 Dec 2022 13:26:47 -0600
> > >>> From: helices 
> > 
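The rate-limit loss reports quoted throughout this thread, as an added example that is not part of the original posts and not rsyslog code: a Python parser for rsyslogd's "messages lost due to rate-limiting" lines that totals the losses per reporting tag, finds the busiest window, and checks whether a given burst/interval pair would have admitted it. The sample lines are constructed after the ones quoted above; treating "lost + allowed" as the number of messages offered in a window and scaling that count linearly to a different interval are this example's simplifying assumptions.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the rsyslogd internal messages quoted in this thread.
SAMPLE_LOG = """\
2022-12-13T02:23:38.001127-06:00 hermes rsyslogd[2539]: rsyslogd[internal_messages]: 1808 messages lost due to rate-limiting (500 allowed within 5 seconds)
2022-12-13T02:23:44.003241-06:00 hermes rsyslogd[2539]: rsyslogd[internal_messages]: 1792 messages lost due to rate-limiting (500 allowed within 5 seconds)
2022-12-13T02:23:50.001278-06:00 hermes rsyslogd[2539]: -- MARK --
2022-12-13T02:23:56.001273-06:00 hermes rsyslogd[2539]: rsyslogd[internal_messages]: 1779 messages lost due to rate-limiting (500 allowed within 5 seconds)
"""

# Shape of a loss report: "<tag>: N messages lost due to rate-limiting (B allowed within I seconds)"
RATELIMIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+rsyslogd\[\d+\]:\s+"
    r"(?P<tag>\S+):\s+(?P<lost>\d+) messages lost due to rate-limiting "
    r"\((?P<allowed>\d+) allowed within (?P<interval>\d+) seconds\)$"
)


@dataclass(frozen=True)
class RateLimitEvent:
    ts: str
    host: str
    tag: str        # text printed in front of the loss count (identifies the reporting limiter)
    lost: int
    allowed: int    # burst in effect when the loss happened
    interval: int   # interval (seconds) in effect when the loss happened

    @property
    def offered(self) -> int:
        """Messages that arrived in that window: the ones admitted plus the ones dropped (assumption)."""
        return self.lost + self.allowed


def parse_ratelimit_events(text: str) -> List[RateLimitEvent]:
    """Extract loss reports from raw log text; lines that are not loss reports are skipped."""
    events: List[RateLimitEvent] = []
    for line in text.splitlines():
        m = RATELIMIT_RE.match(line.strip())
        if m is None:
            continue
        events.append(RateLimitEvent(
            ts=m["ts"], host=m["host"], tag=m["tag"],
            lost=int(m["lost"]), allowed=int(m["allowed"]), interval=int(m["interval"]),
        ))
    return events


def total_lost(events: List[RateLimitEvent]) -> int:
    return sum(ev.lost for ev in events)


def lost_by_tag(events: List[RateLimitEvent]) -> Dict[str, int]:
    """Losses summed per reporting tag, so different limiters are not mixed up."""
    totals: Dict[str, int] = {}
    for ev in events:
        totals[ev.tag] = totals.get(ev.tag, 0) + ev.lost
    return totals


def peak_offered(events: List[RateLimitEvent]) -> int:
    return max((ev.offered for ev in events), default=0)


def burst_needed(events: List[RateLimitEvent], interval_seconds: int) -> int:
    """Smallest burst that would have admitted the busiest reported window with the given interval.
    Assumption: the arrival rate seen in that window holds across the whole new interval,
    so the count scales linearly with the interval length."""
    return max((math.ceil(ev.offered * interval_seconds / ev.interval) for ev in events), default=0)


def config_would_drop(events: List[RateLimitEvent], burst: int, interval_seconds: int) -> bool:
    """True if a limiter set to (burst, interval_seconds) would still have dropped messages."""
    return burst_needed(events, interval_seconds) > burst


if __name__ == "__main__":
    evs = parse_ratelimit_events(SAMPLE_LOG)
    print(f"{len(evs)} loss reports, {total_lost(evs)} messages lost, peak offered {peak_offered(evs)}")
    for tag, n in lost_by_tag(evs).items():
        print(f"  {tag}: {n} lost")
    # Settings that appear in this thread: 500 per 5 s as reported in the log, and the
    # Ratelimit.Burst="3" Ratelimit.Interval="1000" pair from the quoted config.
    for burst, interval in ((500, 5), (3, 1000), (2500, 5)):
        verdict = "would still drop" if config_would_drop(evs, burst, interval) else "would admit the peak"
        print(f"  burst={burst} interval={interval}s: {verdict}")
```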

Re: [rsyslog] Multiple TLS Certs and Ports

2022-11-23 Thread Rainer Gerhards via rsyslog
You do this at the input() level.

Rainer

Sent from phone, thus brief.

Robert Gabriel via rsyslog  wrote on Wed., 23 Nov. 2022, 18:55:

> Hi,
>
> Am I right in saying that multiple different TLS certs across multiple
> ports is unsupported?
>
> So, I cannot declare various configs with different Cases etc.:
>
> paidca.conf:
>
> ```
> DefaultNetstreamDriver="gtls"
> DefaultNetstreamDriverCAFile="/etc/pki/tls/certs/paidca.crt"
> DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/paidssl.crt"
> DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/paidssl.key"
> ```
>
> myca.conf:
>
> ```
> DefaultNetstreamDriver="gtls"
> DefaultNetstreamDriverCAFile="/etc/pki/tls/certs/myca.crt"
> DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/myssl.crt"
> DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/myssl.key"
> ```
>
> It’s either TCP only for the entire rSyslog instance or TLS TCP for the
> entire instance with one set of certs?
>
> Thank you.
>

Re: [rsyslog] Reducing selector effect in RainerScript

2022-11-18 Thread Rainer Gerhards via rsyslog
sorry, I didn't notice the follow-up question, just saw it when I came
back today for the actual doc bug fix. You can use the following
old-style selector to craft your desired behaviour:

*.*;local6.!=info;local6.!=notice;local6.!=warn

BTW, doc PRs are here:
https://github.com/rsyslog/rsyslog/pull/5028
https://github.com/rsyslog/rsyslog-doc/pull/994

Rainer

On Thu, 3 Nov 2022 at 16:43, Gordon Marler (BLOOMBERG/ 120 PARK)
via rsyslog () wrote:
>
> Perfectly fine with a doc fix; we're converting from syslog selectors that 
> predate the 2000s (probably from around 1984 or so).
>
> So I'm still left with the question of how best to convert a selector like 
> the following examples to something more modern, maintaining the old/original 
> intent of:
>
>  "capture everything at first, then whittle away priority ranges of 
> individual facilities"
>
> Example #1:
>
> *.debug;local6.err   
>
> Which translates to:
>
>
> *Start by logging all facilities, all priorities to 
> *Eliminate local6.{debug,info,notice,warn}
>
> Example #2:
>
> *.debug;mail.none;local2.none;lpr,local4,local6.err  
>
> Which translates to:
>
>
> *Start by logging all facilities, all priorities to 
> *Eliminate mail.*
> *Eliminate local2.*
> *Eliminate {lpr,local4,local6}.{debug,info,notice,warn}
>
>
> I'm going to look at using the if-then construct and see if it's an easy 
> conversion; it'd just be nice to know if it's possible to still craft the old 
> style selector to achieve the same end result.
>
> From: rsyslog@lists.adiscon.com At: 11/03/22 08:47:57 UTC-4:00To:  
> rsyslog@lists.adiscon.com
> Cc:  k...@epsilon.eu.org
> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
>
> +1 on the doc fix. It's not that it's a bug per se. And I suppose there
> might be installations "in the wild" relying on the filter specification
> mechanics so I don't think changing it is called for. It's just that the
> docs should probably more closely represent it.
>
> MK
>
> On 3.11.2022 13:05, Rainer Gerhards wrote:
> > It's complicated. This may be a bug. I tend to say it is, although some
> > may argue the man page text does not cover this specific case.
> >
> > Anyhow, this was not introduced into rsyslog, but into sysklogd. My
> > earliest commit is from 2004, with a little bit of non-git history
> > before. I can't find the original sysklogd source any longer, but I am
> > totally sure we did not touch this part of the code in the early
> > 2000's (we were focussed on database writing).
> >
> > Have a look at the original code, and head to line 2512. It's (minus
> > cosmetic utility function changes) the same code as it is today.
> >
> >
> https://github.com/rsyslog/rsyslog/commit/05f2f1839c2712ca77e86aa679dc909d051fc2
> 3b?diff=unified#diff-9d04cb1c9964eae767720b1cfc19111074b0fe23e22416d8594872c4973
> 7a304R2512
> >
> > Even more so, the man page text also stems directly back to sysklogd,
> > without any alteration in wording.
> >
> > How to go forward? Of course I can fix this "bug", but that would
> > probably cause a lot of grief with long-existing configs. So I
> > would tend to say it is a doc bug so let's fix the doc and be done.
> >
> > Any comments? David Lang maybe?
> >
> > Rainer
> >
> > On Thu, 3 Nov 2022 at 10:26, Rainer Gerhards
> > () wrote:
> >> In any case, if it is a bug, fixing it is hard for compatibility
> >> reasons. The code has not been touched for a very long time.
> >>
> >> https://github.com/rsyslog/rsyslog/blame/master/runtime/conf.c#L356
> >>
> >> Rainer
> >>
> >> On Thu, 3 Nov 2022 at 10:08, Rainer Gerhards
> >> () wrote:
> >>> maybe I have not fully understood the original question. Will try
> >>> later today ;-)
> >>>
> >>> However, that part of the code that parses the selectors is actually
> >>> still the same we inherited from syslogd ~20 years ago. Of course, I
> >>> can't rule out that we made some changes, but I honestly don't think so.
> >>>
> >>> Rainer
> >>>
> >>> On Thu, 3 Nov 2022 at 9:23, Mariusz Kruk via rsyslog
> >>> () wrote:
> >>>> I'm not saying that behaviour is wrong but I'd interpret the wording in
> >>>> the docs as Gordon intended.
> >>>>
> >>>> https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
> >>>>
> >>>> "Multiple selectors may be specified for a single action using the
> &g
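To make the selector mechanics discussed in this thread concrete, here is a small Python model, added here, not rsyslog's parser, of how each `;`-separated selector updates a per-facility priority bitmask. It follows my reading of the sysklogd-inherited rules the thread points at in conf.c (a plain priority ORs in that priority and everything more severe, `!=` clears one priority, `none` clears the facility), which is an assumption to check against the linked code; it shows why `*.debug;local6.err` still matches local6.info and how the `!=` form above whittles the priorities away.

```python
from typing import Dict, List

# Facility and priority tables as used by sysklogd-style selectors.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp", "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
ALL_PRI = (1 << len(PRIORITIES)) - 1   # bit i set <=> priority number i matches


def _priority_number(name: str) -> int:
    name = ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {name!r}")
    return PRIORITIES[name]


def selector_masks(selector: str) -> Dict[str, int]:
    """Apply each ';'-separated selector in order and return the per-facility priority bitmask.

    Rules modelled here (assumption: my reading of the sysklogd-inherited code):
      fac.pri    ORs in pri and every more severe priority; it never clears bits set earlier
      fac.=pri   ORs in exactly pri
      fac.!=pri  clears exactly pri
      fac.!pri   clears pri and every more severe priority
      fac.none   clears every priority for that facility
      fac.*      sets every priority (with '!', clears every priority)
    """
    masks = {fac: 0 for fac in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_spec, sep, pri_spec = part.rpartition(".")
        if not sep:
            raise ValueError(f"selector {part!r} has no priority")
        facilities = FACILITIES if fac_spec == "*" else [f.strip() for f in fac_spec.split(",")]
        for fac in facilities:
            if fac not in masks:
                raise ValueError(f"unknown facility {fac!r}")
        ignore = pri_spec.startswith("!")
        if ignore:
            pri_spec = pri_spec[1:]
        single = pri_spec.startswith("=")
        if single:
            pri_spec = pri_spec[1:]

        for fac in facilities:
            if pri_spec == "none":
                masks[fac] = 0
            elif pri_spec == "*":
                masks[fac] = 0 if ignore else ALL_PRI
            else:
                pri = _priority_number(pri_spec)
                # exactly this priority, or this priority and everything more severe (lower number)
                bits = (1 << pri) if single else (1 << (pri + 1)) - 1
                masks[fac] = (masks[fac] & ~bits) if ignore else (masks[fac] | bits)
    return masks


def matches(masks: Dict[str, int], facility: str, priority: str) -> bool:
    """Would a message with this facility/priority be selected?"""
    return bool(masks[facility] & (1 << _priority_number(priority)))


def excluded_priorities(masks: Dict[str, int], facility: str) -> List[str]:
    """Priority names of `facility` that the selector does NOT match, most severe first."""
    return [name for name, num in PRIORITIES.items() if not masks[facility] & (1 << num)]


if __name__ == "__main__":
    # Example #1 from the thread: the later local6.err cannot whittle down what *.debug enabled.
    m1 = selector_masks("*.debug;local6.err")
    print("*.debug;local6.err -> local6.info matches:", matches(m1, "local6", "info"))
    # The old-style answer above: clear the unwanted priorities one at a time with !=
    m2 = selector_masks("*.*;local6.!=info;local6.!=notice;local6.!=warn")
    print("excluded for local6:", excluded_priorities(m2, "local6"))
    # .none does clear a whole facility, so example #2's mail.none and local2.none work as intended,
    # while its lpr,local4,local6.err part does not reduce anything.
    m3 = selector_masks("*.debug;mail.none;local2.none;lpr,local4,local6.err")
    print("mail excluded:", excluded_priorities(m3, "mail"), "| lpr.info matches:", matches(m3, "lpr", "info"))
```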

Re: [rsyslog] rsyslog Performance Tuning - Dropped UDP Events

2022-11-16 Thread Rainer Gerhards via rsyslog
> >>> 5 drops at skb_release_data+12b (0x937f8cab)
> >>> 161 drops at udp_queue_rcv_one_skb+438 (0x938fd528)
> >>> 1 drops at nf_hook_slow+9d (0x938ae98d)
> >>>
> >>> Top -H
> >>> 1842 omsagent  20   0 1304664 251636   9828 R 52.2  1.5   0:18.48 
> >>> in_syslog.rb:1*
> >>> 1779 omsagent  20   0 1304664 251636   9828 S 41.9  1.5   0:13.58 
> >>> output.rb:140
> >>> 1453 root  20   0  589760  10560   5464 R 26.6  0.1   0:09.74 rs:main 
> >>> Q:Reg
> >>> 1838 omsagent  20   0 1304664 251636   9828 S 16.9  1.5   0:17.69 
> >>> in_syslog.rb:1*
> >>> 1447 root  20   0  589760  10560   5464 S  9.6  0.1   0:02.71 in:imudp
> >>> 1448 root  20   0  589760  10560   5464 S  1.7  0.1   0:01.66 in:imtcp
> >>>
> >>> /etc/sysctl.conf
> >>> net.core.rmem_default = 33554432
> >>> net.core.rmem_max = 268435456
> >>> net.core.wmem_default = 33554432
> >>> net.core.wmem_max = 268435456
> >>> net.ipv4.tcp_mem = 190611   254150  381222
> >>> net.ipv4.tcp_rmem = 4096 131072 6291456
> >>> net.ipv4.tcp_wmem = 4096 16384 4194304
> >>> net.ipv4.udp_mem = 762450   1524900 3049800
> >>> net.ipv4.udp_rmem_min = 33554432
> >>> net.ipv4.udp_wmem_min = 33554432
> >>>
> >>>
> >>> -Original Message-
> >>> From: David Lang 
> >>> Sent: Tuesday, November 15, 2022 2:30 PM
> >>> To: Redbourne,Michael 
> >>> Cc: rsyslog-users ; David Lang
> >>> 
> >>> Subject: RE: [rsyslog] rsyslog Performance Tuning - Dropped UDP
> >>> Events
> >>>
> >>> what does the pstats output look like when it's dropping messages?
> >>> (give a couple cycles please)
> >>>
> >>> did you try to eliminate the action queue for /var/log/secure?
> >>>
> >>> David Lang
> >>>
> >>> On Tue, 15 Nov 2022, Redbourne,Michael wrote:
> >>>
> >>>> Date: Tue, 15 Nov 2022 13:01:02 +
> >>>> From: "Redbourne,Michael" 
> >>>> To: rsyslog-users , David Lang
> >>>> 
> >>>> Subject: RE: [rsyslog] rsyslog Performance Tuning - Dropped UDP
> >>>> Events
> >>>>
> >>>> Building on this -
> >>>>
> >>>> When the drop count spikes, top is showing a spike in CPU usage among the 
> >>>> previously listed threads:
> >>>> in:imudp spikes to ~10%
> >>>> in_syslog.rb spikes to 90-100% usage; rs:main Q:Reg spikes to 25%
> >>>> usage.
> >>>>
> >>>> -Original Message-
> >>>> From: rsyslog  On Behalf Of
> >>>> Redbourne,Michael via rsyslog
> >>>> Sent: Tuesday, November 15, 2022 8:42 AM
> >>>> To: rsyslog-users ; David Lang
> >>>> 
> >>>> Cc: Redbourne,Michael 
> >>>> Subject: Re: [rsyslog] rsyslog Performance Tuning - Dropped UDP
> >>>> Events
> >>>>
> >>>> Concerning the /proc and pstats. There is /proc/net/netstat, which looks 
> >>>> something like this after a couple minutes of logs:
> >>>> Udp:
> >>>>5820820 packets received
> >>>>1504 packets to unknown port received.
> >>>>798900 packet receive errors
> >>>>3338814 packets sent
> >>>>798900 receive buffer errors
> >>>>0 send buffer errors
> >>>>
> >>>> I have doubled the values in net.ipv4.udp_mem.
> >>>>
> >>>> The intent behind the queue $ActionQueue* legacy directives was spawning 
> >>>> additional worker threads when the queue became abnormally large. I've 
> >>>> tried various settings assigned to it, high worker threads, low 
> >>>> messages, and vice versa. Would it be beneficial (and possible) to move 
> >>>> those legacy directives to 
> >>>> /etc/rsyslog.d/security-config-omsagent.conf? That is where most of the 
> >>>> load is going to be. (Though with less extreme settings).
> >>>>
> >>>> The ereregex filters are set to remove information from being forwarded 
> >>>> to Sentinel, in most cases, large swaths of IP subnet ranges that are 
> >>>> irrelevant for monitoring purpos

Re: [rsyslog] rsyslog Performance Tuning - Dropped UDP Events

2022-11-15 Thread Rainer Gerhards via rsyslog
Just wanted to make sure awareness of that option. Agree that it is
not often needed.

Rainer

On Tue, 15 Nov 2022 at 10:02, David Lang () wrote:
>
> I haven't needed to do that to handle 300k messages/sec on UDP input (usually 
> I
> run into bottlenecks in processing the messages long before I have problems
> accepting them)
>
> David Lang
>
> On Tue, 15 Nov 2022, Rainer Gerhards wrote:
>
> > let me add: look into setting imudp to realtime priority. Doc:
> >
> > https://www.rsyslog.com/doc/master/configuration/modules/imudp.html
> >
> > Rainer
> >
> > On Tue, 15 Nov 2022 at 5:04, David Lang via rsyslog
> > () wrote:
> >>
> >> Some additional comments on the config
> >>
> >>
> >>
> >> These action queue configs probably don't do what you intend them to do
> >>
> >> the first thing is that they only affect the next action, which is 
> >> authpriv.* to
> >> /var/log/secure and you configure 2000 threads to write these logs out. 
> >> That
> >> will create a HUGE amount of contention for the queue lock and under load 
> >> you
> >> should see it maxing out quite quickly
> >>
> >> what is it that you are attempting to do here?
> >>
> >>
> >>
> >> # Performance Tuning #
> >> $ActionQueueWorkerThreads 2000
> >> $ActionQueueWorkerThreadMinimumMessages 1000
> >> $ActionQueueSize 100
> >> $ActionQueueDiscardMark 80
> >> $ActionQueueHighWaterMark 60
> >>
> >>  RULES 
> >> # Log all kernel messages to the console.
> >> # Logging much else clutters up the screen.
> >> #kern.* /dev/console
> >>
> >> # Log anything (except mail authpriv, cron)
> >> # Dont log private authentication messages!
> >> #*.*;mail.none;authpriv.none;cron.none   ?RemoteIP
> >>
> >> # The authpriv file has restricted access.
> >> authpriv.*  /var/log/secure
> >>
> >>
> >> since the queue only applied to the next action with this config, 
> >> everything
> >> below this is operating from the main queue again as if there was no action
> >> queue configuration
> >>
> >>
> >>
> >>
> >> # Log all the mail messages in one place.
> >> mail.*  -/var/log/maillog
> >>
> >> # Log cron stuff
> >> cron.*  /var/log/cron
> >>
> >> # Everybody gets emergency messages
> >> *.emerg :omusrmsg:*
> >>
> >> # Save news errors of level crit and higher in a special file.
> >> uucp,news.crit  /var/log/spooler
> >>
> >> # Save boot messages also to boot.log
> >> # local7.*  
> >> /var/syslog/boot.log
> >>
> >>
> >>
> >> ereregex is a fairly expensive filter to apply, it's much better to figure 
> >> out a
> >> non-regex approach to filtering these. Can you post some examples of what 
> >> you
> >> are trying to filter? mmnormalize to parse the logs and then make 
> >> decisions on
> >> the parsed results is probably much faster.
> >>
> >>
> >> /etc/rsyslog.d/security-config-omsagent.conf
> >> # [Firewall Log Filtering] #
> >> :msg, ereregex, "(1.1.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.2.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.3.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.4.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.5.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.6.1[6-9].[0-9]+)" stop
> >> :msg, ereregex, "(1.7.2[0-3].[0-9]+)" stop
> >> :msg, ereregex, "(1.8.68.[0-9]+)" stop
> >> :msg, ereregex, "(1.9.69.[0-9]+)" stop
> >> :msg, ereregex, "(1.10.82.[0-9]+)" stop
> >> :msg, ereregex, "(IP multicast routing failed)" stop
> >> :msg, ereregex, "(TCP_7680)" stop
> >>
> >>
> >> check the messages to see where CEF: and ASA- are in the message, can you 
> >> filter
> >> on something smaller than rawmsg? (say syslogtag), and can you use 
> >> 'startswith'
> >> instead of 'contains'?, again mmnormalize may be much faster
> >>
> >> if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then 
> >> @@127.0.0.1:25226
> >> & stop
> >> if $rawmsg contains "infobloxgridmstr" then @127.0.0.1:25224
> >> & stop
> >>
> >>
> >> combining multiple filters into one action, or having the filters call a 
> >> ruleset
> >> can be far more efficient than all of them writing things out 
> >> independently.
> >>
> >> the if..then filter structure lets you easily combine filters
> >>
> >> local0.info @127.0.0.1:25224
> >> & stop
> >> local1.info @127.0.0.1:25224
> >> & stop
> >> local2.info @127.0.0.1:25224
> >> & stop
> >> local3.info @127.0.0.1:25224
> >> & stop
> >> local4.info @127.0.0.1:25224
> >> & stop
> >> local5.info @127.0.0.1:25224
> >> & stop
> >> local6.info @127.0.0.1:25224
> >> & stop
> >> local7.info @127.0.0.1:25224
> >> & stop
> >> auth.* @127.0.0.1:25224
> >> & stop
> >> authpriv.* @127.0.0.1:25224
> >> & stop
> >> daemon.info @127.0.0.1:25224
> >> & stop
> >> syslog.* @127.0.0.1:25224
> >> & stop
> >> 

Re: [rsyslog] rsyslog Performance Tuning - Dropped UDP Events

2022-11-15 Thread Rainer Gerhards via rsyslog
let me add: look into setting imudp to realtime priority. Doc:

https://www.rsyslog.com/doc/master/configuration/modules/imudp.html

Rainer

On Tue, 15 Nov 2022 at 5:04, David Lang via rsyslog
() wrote:
>
> Some additional comments on the config
>
>
>
> These action queue configs probably don't do what you intend them to do
>
> the first thing is that they only affect the next action, which is authpriv.* 
> to
> /var/log/secure and you configure 2000 threads to write these logs out. That
> will create a HUGE amount of contention for the queue lock and under load you
> should see it maxing out quite quickly
>
> what is it that you are attempting to do here?
>
>
>
> # Performance Tuning #
> $ActionQueueWorkerThreads 2000
> $ActionQueueWorkerThreadMinimumMessages 1000
> $ActionQueueSize 100
> $ActionQueueDiscardMark 80
> $ActionQueueHighWaterMark 60
>
>  RULES 
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
>
> # Log anything (except mail authpriv, cron)
> # Dont log private authentication messages!
> #*.*;mail.none;authpriv.none;cron.none   ?RemoteIP
>
> # The authpriv file has restricted access.
> authpriv.*  /var/log/secure
>
>
> since the queue only applied to the next action with this config, everything
> below this is operating from the main queue again as if there was no action
> queue configuration
>
>
>
>
> # Log all the mail messages in one place.
> mail.*  -/var/log/maillog
>
> # Log cron stuff
> cron.*  /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg :omusrmsg:*
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit  /var/log/spooler
>
> # Save boot messages also to boot.log
> # local7.*  /var/syslog/boot.log
>
>
>
> ereregex is a fairly expensive filter to apply, it's much better to figure 
> out a
> non-regex approach to filtering these. Can you post some examples of what you
> are trying to filter? mmnormalize to parse the logs and then make decisions on
> the parsed results is probably much faster.
>
>
> /etc/rsyslog.d/security-config-omsagent.conf
> # [Firewall Log Filtering] #
> :msg, ereregex, "(1.1.[0-9]+.[0-9]+)" stop
> :msg, ereregex, "(1.2.[0-9]+.[0-9]+)" stop
> :msg, ereregex, "(1.3.[0-9]+.[0-9]+)" stop
> :msg, ereregex, "(1.4.[0-9]+.[0-9]+)" stop
> :msg, ereregex, "(1.5.[0-9]+.[0-9]+)" stop
> :msg, ereregex, "(1.6.1[6-9].[0-9]+)" stop
> :msg, ereregex, "(1.7.2[0-3].[0-9]+)" stop
> :msg, ereregex, "(1.8.68.[0-9]+)" stop
> :msg, ereregex, "(1.9.69.[0-9]+)" stop
> :msg, ereregex, "(1.10.82.[0-9]+)" stop
> :msg, ereregex, "(IP multicast routing failed)" stop
> :msg, ereregex, "(TCP_7680)" stop
>
>
> check the messages to see where CEF: and ASA- are in the message, can you 
> filter
> on something smaller than rawmsg? (say syslogtag), and can you use 
> 'startswith'
> instead of 'contains'?, again mmnormalize may be much faster
>
> if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226
> & stop
> if $rawmsg contains "infobloxgridmstr" then @127.0.0.1:25224
> & stop
>
>
> combining multiple filters into one action, or having the filters call a 
> ruleset
> can be far more efficient than all of them writing things out independently.
>
> the if..then filter structure lets you easily combine filters
>
> local0.info @127.0.0.1:25224
> & stop
> local1.info @127.0.0.1:25224
> & stop
> local2.info @127.0.0.1:25224
> & stop
> local3.info @127.0.0.1:25224
> & stop
> local4.info @127.0.0.1:25224
> & stop
> local5.info @127.0.0.1:25224
> & stop
> local6.info @127.0.0.1:25224
> & stop
> local7.info @127.0.0.1:25224
> & stop
> auth.* @127.0.0.1:25224
> & stop
> authpriv.* @127.0.0.1:25224
> & stop
> daemon.info @127.0.0.1:25224
> & stop
> syslog.* @127.0.0.1:25224
> & stop
> ftp.* @127.0.0.1:25224
> & stop
> user.* @127.0.0.1:25224
> & stop

Re: [rsyslog] Reducing selector effect in RainerScript

2022-11-03 Thread Rainer Gerhards via rsyslog
It's complicated. This may be a bug. I tend to say it is, although some
may argue the man page text does not cover this specific case.

Anyhow, this was not introduced into rsyslog, but into sysklogd. My
earliest commit is from 2004, with a little bit of non-git history
before. I can't find the original sysklogd source any longer, but I am
totally sure we did not touch this part of the code in the early
2000's (we were focussed on database writing).

Have a look at the original code, and head to line 2512. It's (minus
cosmetic utility function changes) the same code as it is today.

https://github.com/rsyslog/rsyslog/commit/05f2f1839c2712ca77e86aa679dc909d051fc23b?diff=unified#diff-9d04cb1c9964eae767720b1cfc19111074b0fe23e22416d8594872c49737a304R2512

Even more so, the man page text also stems directly back to sysklogd,
without any alteration in wording.

How to go forward? Of course I can fix this "bug", but that would
probably cause a lot of grief with long-existing configs. So I
would tend to say it is a doc bug so let's fix the doc and be done.

Any comments? David Lang maybe?

Rainer

On Thu, 3 Nov 2022 at 10:26, Rainer Gerhards
() wrote:
>
> In any case, if it is a bug, fixing it is hard for compatibility
> reasons. The code has not been touched for a very long time.
>
> https://github.com/rsyslog/rsyslog/blame/master/runtime/conf.c#L356
>
> Rainer
>
> On Thu, 3 Nov 2022 at 10:08, Rainer Gerhards
> () wrote:
> >
> > maybe I have not fully understood the original question. Will try
> > later today ;-)
> >
> > However, that part of the code that parses the selectors is actually
> > still the same we inherited from syslogd ~20 years ago. Of course, I
> > can't rule out that we made some changes, but I honestly don't think so.
> >
> > Rainer
> >
> > On Thu, 3 Nov 2022 at 9:23, Mariusz Kruk via rsyslog
> > () wrote:
> > >
> > > I'm not saying that behaviour is wrong but I'd interpret the wording in
> > > the docs as Gordon intended.
> > >
> > > https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
> > >
> > > "Multiple selectors may be specified for a single action using the
> > > semicolon (“;’’) separator. Remember that each selector in the selector
> > > field is capable to overwrite the preceding ones. Using this behavior
> > > you can exclude some priorities from the pattern." (as a side note -
> > > "capable" connects with "of *ing", so should be rather used as "capable
> > > of overwriting" but that's not the point ;-)). I'd interpret that passage
> > > as "if you add multiple selectors with semicolons, the latter ones
> > > overwrite the former" so I'd expect it to work as Gordon did. It might
> > > need rewording if it works differently.
> > >
> > > MK
> > >
> > > On 2.11.2022 20:18, Rainer Gerhards via rsyslog wrote:
> > > > Info is higher severity than debug, so it validly matches.
> > > >
> > > > Sent from phone, thus brief.
> > > >
> > > > David Lang via rsyslog  wrote on Wed., 2 Nov. 2022, 20:10:
> > > >
> > > >> not that I expect this to fix it (this isn't something I've seen as a
> > > >> known
> > > >> bug), but could you please confirm that this still happens on the 
> > > >> current
> > > >> version of rsyslog?
> > > >>
> > > >> David Lang
> > > >>
> > > >> On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog 
> > > >> wrote:
> > > >>
> > > >>> Date: Wed, 2 Nov 2022 19:01:22 -
> > > >>> From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog"
> > > >>>  
> > > >>> Reply-To: Gordon Marler ,
> > > >>>  rsyslog-users 
> > > >>> To: rsyslog@lists.adiscon.com
> > > >>> Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" 
> > > >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> > > >>>
> > > >>> I've stripped down my config to just this rule, and tried with and
> > > >> without the stop directive - after restarting rsyslogd, of course - no
> > > >> change.
> > > >>> Also happens on the rsyslogd versions delivered with Solaris 11.4, 
> > > >>> RHEL
> > > >> 7.x and RHEL 8.x, which all hover around the 8.210x version
> > > >>> From: rsy

Re: [rsyslog] Managing log files permissions per file

2022-11-03 Thread Rainer Gerhards via rsyslog
For linux file permission system see e.g.
https://linuxize.com/post/understanding-linux-file-permissions/

you can set the owner of the file. But Linux permissions do not give
you the capability to grant permissions to specific users.

Rainer

On Thu, 3 Nov 2022 at 10:59, Alexander Birman
() wrote:
>
> Hi,
>
> thanks for answering so quickly.
> The link you gave me leads to the following example:
>
> action(type="omfile" dirCreateMode="0700" FileCreateMode="0644"
>File="/var/log/messages")
>
> This example doesn't show how I can give full permissions to a user named, 
> for example, "dohnjoe".
> If I can't give permissions to a specific user, global full permissions are 
> also good for me. Like chmod 777
> But I don't understand the numbers in rsyslog permissions system... In my 
> case, what numbers should I write in FileCreatorMode so all users get full 
> access?
>
> action(type="omfile" dirCreateMode="0700" FileCreateMode=""
>File="/home/pi/logs/hive_manager.log")
>
>
> Have a good day!
>
> Alexander Birman
> +972-54-7556432
>
>
> On Thu, Nov 3, 2022 at 11:05 AM Rainer Gerhards  
> wrote:
>>
>> specify the settings in the action() object. Doc:
>>
>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html
>>
>> side-note: I am not sure, but I think the legacy construct you quoted
>> just changes the setting for the next output action. But I am too lazy
>> to look this up, as it is not really relevant in this case. ;-)
>>
>> Rainer
>>
>> On Thu, 3 Nov 2022 at 9:39, Alexander Birman via rsyslog
>> () wrote:
>> >
>> > Hello,
>> >
>> > I want to set non-default permission to the log file created for my 
>> > service.
>> >
>> > - My service is started and named in
>> > */etc/systemd/system/hive_manager.service.*
>> > - Then, in */etc/rsyslog.d/hive_manager.conf* the name of the log is
>> > defined by the following condition:
>> >
>> > *if $programname == 'hive_manager' then /home/pi/logs/hive_manager.log*
>> >
>> > - Finally, in */etc/rsyslog.conf * I have the following definitions:
>> >
>> > *#*
>> > *# Set the default permissions for all log files.*
>> > *#*
>> > *$FileOwner root*
>> > *$FileGroup adm*
>> > *$FileCreateMode 0640*
>> > *$DirCreateMode 0755*
>> > *$Umask 0022*
>> >
>> > *# Include all config files in /etc/rsyslog.d/*
>> > *#*
>> > *$IncludeConfig /etc/rsyslog.d/*.conf*
>> >
>> >
>> > Currently, the */home/pi/logs/hive_manager.log* is created under the root
>> > permissions (the default). I need to configure its creation under different
>> > user permissions.
>> > How can I do it? I couldn't find any help with it in the relevant forums.
>> >
>> > Thanks a lot!
>> >
>> > Have a good day!
>> >
>> > Alexander Birman
>> > +972-54-7556432
>> > ___
>> > rsyslog mailing list
>> > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad 
>> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you 
>> > DON'T LIKE THAT.

Re: [rsyslog] Reducing selector effect in RainerScript

2022-11-03 Thread Rainer Gerhards via rsyslog
In any case, if it is a bug, fixing it is hard for compatibility
reasons. The code has not been touched for a very long time.

https://github.com/rsyslog/rsyslog/blame/master/runtime/conf.c#L356

Rainer

On Thu, 3 Nov 2022 at 10:08, Rainer Gerhards
() wrote:
>
> maybe I have not fully understood the original question. Will try
> later today ;-)
>
> However, that part of the code that parses the selectors is actually
> still the same we inherited from syslogd ~20 years ago. Of course, I
> can't rule out that we made some changes, but I honestly don't think so.
>
> Rainer
>
> On Thu, 3 Nov 2022 at 9:23, Mariusz Kruk via rsyslog
> () wrote:
> >
> > I'm not saying that behaviour is wrong but I'd interpret the wording in
> > the docs as Gordon intended.
> >
> > https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
> >
> > "Multiple selectors may be specified for a single action using the
> > semicolon (“;’’) separator. Remember that each selector in the selector
> > field is capable to overwrite the preceding ones. Using this behavior
> > you can exclude some priorities from the pattern." (as a side note -
> > "capable" connects with "of *ing", so should be rather used as "capable
> > of overwriting" but that's not the point ;-)). I'd interpret that passage
> > as "if you add multiple selectors with semicolons, the latter ones
> > overwrite the former" so I'd expect it to work as Gordon did. It might
> > need rewording if it works differently.
> >
> > MK
> >
> > On 2.11.2022 20:18, Rainer Gerhards via rsyslog wrote:
> > > Info is higher severity than debug, so it validly matches.
> > >
> > > Sent from phone, thus brief.
> > >
> > > David Lang via rsyslog  wrote on Wed., 2 Nov. 2022, 20:10:
> > >
> > >> not that I expect this to fix it (this isn't something I've seen as a
> > >> known
> > >> bug), but could you please confirm that this still happens on the current
> > >> version of rsyslog?
> > >>
> > >> David Lang
> > >>
> > >> On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog 
> > >> wrote:
> > >>
> > >>> Date: Wed, 2 Nov 2022 19:01:22 -
> > >>> From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog"
> > >>>  
> > >>> Reply-To: Gordon Marler ,
> > >>>  rsyslog-users 
> > >>> To: rsyslog@lists.adiscon.com
> > >>> Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" 
> > >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> > >>>
> > >>> I've stripped down my config to just this rule, and tried with and
> > >> without the stop directive - after restarting rsyslogd, of course - no
> > >> change.
> > >>> Also happens on the rsyslogd versions delivered with Solaris 11.4, RHEL
> > >> 7.x and RHEL 8.x, which all hover around the 8.210x version
> > >>> From: rsyslog@lists.adiscon.com At: 11/02/22 03:45:01 UTC-4:00To:
> > >> rsyslog@lists.adiscon.com
> > >>> Cc:  k...@epsilon.eu.org
> > >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> > >>>
> > >>> Generally, your config should work the way you intended. It's hard to
> > >>> say however if other entries in your config don't cause any side 
> > >>> effects.
> > >>>
> > >>> You could add a "stop" directive to make sure that events matching your
> > >>> selector won't be processed further. Like:
> > >>>
> > >>> *.debug;local6.err {
> > >>> action( type="omfile" file="/what/ever/file")
> > >>> stop
> > >>> }
> > >>>
> > >>> On 2.11.2022 01:26, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog
> > >> wrote:
> > >>>> I'm porting some configurations from syslog to rsyslog, and seeing some
> > >>> unexpected selector behavior in rsyslog 8.2104
> > >>>> After reading the selector examples from the configuration portion of
> > >> the
> > >>> rsyslog manual, I'm either misunderstanding how this is supposed to
> > >> work, or
> > >>> there's a long standing issue here.
> > >>>> So, the original selector looks like this:
> > >>>>
> > >>>> *.d

Re: [rsyslog] Reducing selector effect in RainerScript

2022-11-03 Thread Rainer Gerhards via rsyslog
maybe I have not fully understood the original question. Will try
later today ;-)

However, that part of the code that parses the selectors is actually
still the same we inherited from syslogd ~20 years ago. Of course, I
can't rule out that we made some changes, but I honestly don't think so.

Rainer

On Thu, 3 Nov 2022 at 9:23, Mariusz Kruk via rsyslog
() wrote:
>
> I'm not saying that behaviour is wrong but I'd interpret the wording in
> the docs as Gordon intended.
>
> https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
>
> "Multiple selectors may be specified for a single action using the
> semicolon (“;’’) separator. Remember that each selector in the selector
> field is capable to overwrite the preceding ones. Using this behavior
> you can exclude some priorities from the pattern." (as a side note -
> "capable" connects with "of *ing", so should be rather used as "capable
> of overwriting" but that's not the point ;-)). I'd interpret that passage
> as "if you add multiple selectors with semicolons, the latter ones
> overwrite the former" so I'd expect it to work as Gordon did. It might
> need rewording if it works differently.
>
> MK
>
> On 2.11.2022 20:18, Rainer Gerhards via rsyslog wrote:
> > Info is higher severity than debug, so it validly matches.
> >
> > Sent from phone, thus brief.
> >
> > David Lang via rsyslog  wrote on Wed., 2 Nov. 2022, 20:10:
> >
> >> not that I expect this to fix it (this isn't something I've seen as a
> >> known
> >> bug), but could you please confirm that this still happens on the current
> >> version of rsyslog?
> >>
> >> David Lang
> >>
> >> On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog wrote:
> >>
> >>> Date: Wed, 2 Nov 2022 19:01:22 -
> >>> From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog"
> >>>  
> >>> Reply-To: Gordon Marler ,
> >>>  rsyslog-users 
> >>> To: rsyslog@lists.adiscon.com
> >>> Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" 
> >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >>>
> >>> I've stripped down my config to just this rule, and tried with and
> >> without the stop directive - after restarting rsyslogd, of course - no
> >> change.
> >>> Also happens on the rsyslogd versions delivered with Solaris 11.4, RHEL
> >> 7.x and RHEL 8.x, which all hover around the 8.210x version
> >>> From: rsyslog@lists.adiscon.com At: 11/02/22 03:45:01 UTC-4:00To:
> >> rsyslog@lists.adiscon.com
> >>> Cc:  k...@epsilon.eu.org
> >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >>>
> >>> Generally, your config should work the way you intended. It's hard to
> >>> say however if other entries in your config don't cause any side effects.
> >>>
> >>> You could add a "stop" directive to make sure that events matching your
> >>> selector won't be processed further. Like:
> >>>
> >>> *.debug;local6.err {
> >>> action( type="omfile" file="/what/ever/file")
> >>> stop
> >>> }
> >>>
> >>> On 2.11.2022 01:26, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog
> >> wrote:
> >>>> I'm porting some configurations from syslog to rsyslog, and seeing some
> >>> unexpected selector behavior in rsyslog 8.2104
> >>>> After reading the selector examples from the configuration portion of
> >> the
> >>> rsyslog manual, I'm either misunderstanding how this is supposed to
> >> work, or
> >>> there's a long standing issue here.
> >>>> So, the original selector looks like this:
> >>>>
> >>>> *.debug;local6.err
> >>>>
> >>>> The intent is to log all facilities at debug or higher, except for
> >> local6,
> >>> which should only log at err or higher.  So I end up with a RainerScript
> >> block
> >>> like so:
> >>>> *.debug;local6.err {
> >>>>  action( type="omfile" file="/what/ever/file")
> >>>> }
> >>>>
> >>>> But, I start to see messages at local6.info show up in the file,
> >> surprisingly.
> >>>> To get the desired end effect, I end up having to craft the selector
> >> like so
> >>> (which only works becaus

Re: [rsyslog] Managing log files permissions per file

2022-11-03 Thread Rainer Gerhards via rsyslog
specify the settings in the action() object. Doc:

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html

side-note: I am not sure, but I think the legacy construct you quoted
just changes the setting for the next output action. But I am too lazy
to look this up, as it is not really relevant in this case. ;-)

Rainer

On Thu, 3 Nov 2022 at 9:39, Alexander Birman via rsyslog
() wrote:
>
> Hello,
>
> I want to set non-default permission to the log file created for my service.
>
> - My service is started and named in
> */etc/systemd/system/hive_manager.service.*
> - Then, in */etc/rsyslog.d/hive_manager.conf* the name of the log is
> defined by the following condition:
>
> *if $programname == 'hive_manager' then /home/pi/logs/hive_manager.log*
>
> - Finally, in */etc/rsyslog.conf * I have the following definitions:
>
> *#*
> *# Set the default permissions for all log files.*
> *#*
> *$FileOwner root*
> *$FileGroup adm*
> *$FileCreateMode 0640*
> *$DirCreateMode 0755*
> *$Umask 0022*
>
> *# Include all config files in /etc/rsyslog.d/*
> *#*
> *$IncludeConfig /etc/rsyslog.d/*.conf*
>
>
> Currently, the */home/pi/logs/hive_manager.log* is created under the root
> permissions (the default). I need to configure its creation under different
> user permissions.
> How can I do it? I couldn't find any help with it in the relevant forums.
>
> Thanks a lot!
>
> Have a good day!
>
> Alexander Birman
> +972-54-7556432

Re: [rsyslog] Reducing selector effect in RainerScript

2022-11-02 Thread Rainer Gerhards via rsyslog
If you want to match only debug in old Style, it is

*.=debug

See man page. It's odd, but it is this way since 40+ years...

Rainer

Sent from phone, thus brief.

John Chivian via rsyslog  wrote on Wed., 2 Nov. 2022, 20:46:

> I think what Rainer is saying is that *.debug matches all events of
> priority debug or higher from all facilities, and therefore it matches
> local6.info , but that seems odd to me.
>
> Either way it seems that you have the solution being…
>
> *.debug;local6.!=info
>
>
>
> > On Nov 2, 2022, at 14:27, Gordon Marler (BLOOMBERG/ 120 PARK) via
> rsyslog  wrote:
> >
> > So, what would be the correct way to start with *.debug, then reduce to
> priority .err and higher for particular facilities, like local6?
> >
> > From: rsyslog@lists.adiscon.com At: 11/02/22 15:18:21 UTC-4:00To:
> rsyslog@lists.adiscon.com
> > Cc:  rgerha...@hq.adiscon.com
> > Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >
> > Info is higher severity than debug, so it validly matches.
> >
> > Sent from phone, thus brief.
> >
> > David Lang via rsyslog  wrote on Wed., 2 Nov. 2022, 20:10:
> >
> >> not that I expect this to fix it (this isn't something I've seen as a
> >> known
> >> bug), but could you please confirm that this still happens on the
> current
> >> version of rsyslog?
> >>
> >> David Lang
> >>
> >> On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog
> wrote:
> >>
> >>> Date: Wed, 2 Nov 2022 19:01:22 -
> >>> From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog"
> >>>
> >>> Reply-To: Gordon Marler ,
> >>>rsyslog-users 
> >>> To: rsyslog@lists.adiscon.com
> >>> Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" 
> >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >>>
> >>> I've stripped down my config to just this rule, and tried with and
> >> without the stop directive - after restarting rsyslogd, of course - no
> >> change.
> >>>
> >>> Also happens on the rsyslogd versions delivered with Solaris 11.4, RHEL
> >> 7.x and RHEL 8.x, which all hover around the 8.210x version
> >>>
> >>> From: rsyslog@lists.adiscon.com At: 11/02/22 03:45:01 UTC-4:00To:
> >> rsyslog@lists.adiscon.com
> >>> Cc:  k...@epsilon.eu.org
> >>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >>>
> >>> Generally, your config should work the way you intended. It's hard to
> >>> say however if other entries in your config don't cause any side
> effects.
> >>>
> >>> You could add a "stop" directive to make sure that events matching your
> >>> selector won't be processed further. Like:
> >>>
> >>> *.debug;local6.err {
> >>>   action( type="omfile" file="/what/ever/file")
> >>>   stop
> >>> }
> >>>
> >>> On 2.11.2022 01:26, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog
> >> wrote:
>  I'm porting some configurations from syslog to rsyslog, and seeing
> some
> >>> unexpected selector behavior in rsyslog 8.2104
> 
>  After reading the selector examples from the configuration portion of
> >> the
> >>> rsyslog manual, I'm either misunderstanding how this is supposed to
> >> work, or
> >>> there's a long standing issue here.
> 
>  So, the original selector looks like this:
> 
>  *.debug;local6.err
> 
>  The intent is to log all facilities at debug or higher, except for
> >> local6,
> >>> which should only log at err or higher.  So I end up with a
> RainerScript
> >> block
> >>> like so:
> 
>  *.debug;local6.err {
> action( type="omfile" file="/what/ever/file")
>  }
> 
>  But, I start to see messages at local6.info show up in the file,
> >> surprisingly.
> 
>  To get the desired end effect, I end up having to craft the selector
> >> like so
> >>> (which only works because only local6.info is chatty, nothing higher
> >> than
> >>> that), which surprises me:
> 
>  *.debug;local6.err;local6.!=info
> 
>  So, am I simply doing this wrong/misunderstanding how selectors work,
> >> or is
> >>> there something odd going on?
> 
> 

Re: [rsyslog] Reducing selector effect in RainerScript

2022-11-02 Thread Rainer Gerhards via rsyslog
Info is higher severity than debug, so it validly matches.

Sent from phone, thus brief.

David Lang via rsyslog  wrote on Wed., 2 Nov. 2022, 20:10:

> not that I expect this to fix it (this isn't something I've seen as a
> known
> bug), but could you please confirm that this still happens on the current
> version of rsyslog?
>
> David Lang
>
> On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog wrote:
>
> > Date: Wed, 2 Nov 2022 19:01:22 -
> > From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog"
> > 
> > Reply-To: Gordon Marler ,
> > rsyslog-users 
> > To: rsyslog@lists.adiscon.com
> > Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" 
> > Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >
> > I've stripped down my config to just this rule, and tried with and
> without the stop directive - after restarting rsyslogd, of course - no
> change.
> >
> > Also happens on the rsyslogd versions delivered with Solaris 11.4, RHEL
> 7.x and RHEL 8.x, which all hover around the 8.210x version
> >
> > From: rsyslog@lists.adiscon.com At: 11/02/22 03:45:01 UTC-4:00To:
> rsyslog@lists.adiscon.com
> > Cc:  k...@epsilon.eu.org
> > Subject: Re: [rsyslog] Reducing selector effect in RainerScript
> >
> > Generally, your config should work the way you intended. It's hard to
> > say however if other entries in your config don't cause any side effects.
> >
> > You could add a "stop" directive to make sure that events matching your
> > selector won't be processed further. Like:
> >
> > *.debug;local6.err {
> >action( type="omfile" file="/what/ever/file")
> >stop
> > }
> >
> > On 2.11.2022 01:26, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog
> wrote:
> >> I'm porting some configurations from syslog to rsyslog, and seeing some
> > unexpected selector behavior in rsyslog 8.2104
> >>
> >> After reading the selector examples from the configuration portion of
> the
> > rsyslog manual, I'm either misunderstanding how this is supposed to
> work, or
> > there's a long standing issue here.
> >>
> >> So, the original selector looks like this:
> >>
> >> *.debug;local6.err
> >>
> >> The intent is to log all facilities at debug or higher, except for
> local6,
> > which should only log at err or higher.  So I end up with a RainerScript
> block
> > like so:
> >>
> >> *.debug;local6.err {
> >> action( type="omfile" file="/what/ever/file")
> >> }
> >>
> >> But, I start to see messages at local6.info show up in the file,
> surprisingly.
> >>
> >> To get the desired end effect, I end up having to craft the selector
> like so
> > (which only works because only local6.info is chatty, nothing higher
> than
> > that), which surprises me:
> >>
> >> *.debug;local6.err;local6.!=info
> >>
> >> So, am I simply doing this wrong/misunderstanding how selectors work,
> or is
> > there something odd going on?
> >>
> >>
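As an added example, not rsyslog's conf.c, here is a model of the classic syslogd selector rules that the thread says rsyslog inherited; it reproduces the local6.info surprise and goes one step beyond the thread by showing that, under those same rules, a "facility.none" reset followed by a plain selector narrows a single facility. The facility and priority tables are the standard syslog ones and are an assumption of this model.

```python
"""Model of classic syslogd selector parsing for "facility.priority" filters.

Added example, not rsyslog's conf.c.  It reproduces the sysklogd rule set:
  facility.pri    OR in pri and every more severe priority
  facility.=pri   OR in exactly pri
  facility.!pri   clear pri and every more severe priority
  facility.!=pri  clear exactly pri
  facility.none   clear every priority of that facility
Selectors are applied left to right, so a plain selector can only ADD
priorities; it never narrows what an earlier "*.debug" already enabled.
That is the behaviour Gordon observed.
"""
from __future__ import annotations

PRIORITIES = ["emerg", "alert", "crit", "err", "warning",
              "notice", "info", "debug"]          # index 0 = most severe
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"] + \
             [f"local{i}" for i in range(8)]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_selector(spec: str) -> dict[str, set[str]]:
    """Turn "*.debug;local6.err;local6.!=info" into {facility: {priorities}}."""
    table: dict[str, set[str]] = {f: set() for f in FACILITIES}
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_spec, pri_spec = part.rsplit(".", 1)
        negate = pri_spec.startswith("!")
        pri_spec = pri_spec.lstrip("!")
        single = pri_spec.startswith("=")
        pri_name = pri_spec.lstrip("=")
        pri_name = ALIASES.get(pri_name, pri_name)

        facilities = FACILITIES if fac_spec == "*" else \
            [f.strip() for f in fac_spec.split(",")]
        for fac in facilities:
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            if pri_name == "none":
                table[fac] = set(PRIORITIES) if negate else set()
                continue
            if pri_name == "*":
                chosen = set(PRIORITIES)
            elif single:
                chosen = {pri_name}
            else:
                # "err" means err and everything more severe (lower index)
                chosen = set(PRIORITIES[: PRIORITIES.index(pri_name) + 1])
            if negate:
                table[fac] -= chosen
            else:
                table[fac] |= chosen
    return table


def matches(spec: str, facility: str, priority: str) -> bool:
    """Would a message with this facility/priority pass the selector?"""
    return priority in parse_selector(spec)[facility]


if __name__ == "__main__":
    original = "*.debug;local6.err"
    print(matches(original, "local6", "info"))       # True: the surprise
    workaround = "*.debug;local6.err;local6.!=info"
    print(matches(workaround, "local6", "info"))     # False
    print(matches(workaround, "local6", "notice"))   # True: still gets through
    reset = "*.debug;local6.none;local6.err"
    print(matches(reset, "local6", "notice"))        # False
    print(matches(reset, "local6", "err"))           # True
```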


Re: [rsyslog] [ommongodb] how to pass content of %msg as raw insert not as a value

2022-10-06 Thread Rainer Gerhards via rsyslog
It's contributed code.

Albeit I have done some improvements, I need to familiarize myself
again with the module. IAW: it will take some time ;-)

Rainer

On Wed, 5 Oct 2022 at 16:04, Marcin Mirosław via rsyslog
() wrote:
>
> It would be easier to fix if it would be my misconfiguration :(
> Rainer, would you look into ommongodb module, please?
> Marcin
>
> On 2022-10-05 12:20, Mariusz Kruk via rsyslog wrote:
> > There is also some inconsistency within the documentation page (it
> > lists OMSR_TPL_AS_MSG as the default template whereas few lines later
> > it shows a definition of a template named BSON which is supposed to be
> > default).
> >
> > So I suspect that something wasn't quite finished here ;-)
> >
> > On 5.10.2022 12:03, Mariusz Kruk wrote:
> >> Out of sheer curiosity I looked into the ommongodb.c and found this:
> >>
> >> 557 if(pData->tplName == NULL) {
> >> 558 doc = getDefaultBSON(*(smsg_t**)pMsgData);
> >> 559 } else {
> >> 560 doc = BSONFromJSONObject(*(struct json_object
> >> **)pMsgData);
> >> 561 }
> >>
> >> I'm not that good in rsyslog internals but for me it seems as if the
> >> module does not use the specified template at all. If the template is
> >> not specified, it creates a BSON with pre-defined files. If the
> >> template is specified, it just dumps a bson object from the message
> >> data.
> >>
> >>
> >> On 5.10.2022 11:28, Marcin Mirosław via rsyslog wrote:
> >>> Hi!
> >>> If I use omfile then logs contains messages in my desired format but
> >>> not with ommongodb. tcpdump shows:
> >>>
> >>> ..msg.{"foo":"bar"}..
> >>>
> >>> Marcin
> >>>
> >>>
> >>> On 2022-10-05 08:05, Mariusz Kruk via rsyslog wrote:
>  Looks relatively normal.
> 
>  You can of course try writing to a file with your "i-json" template
>  to
>  make sure that's what you want to be sent to mongodb.
> 
>  But then, if your ommongodb action does contain the
>  template="i-json"
>  parameter, it simply should work.
> 
>  The only other thing you can do to make sure what's going on over
>  the
>  wire is of course the tcpdump (unless your traffic is encrypted).
> 
>  It simply looks like it should work - it should not need any more
>  "processing" as it is.
> 
>  On 4.10.2022 15:45, Marcin Mirosław wrote:
> > :)
> > I had to censor the log...
> >
> >
> > Debug line with all properties:
> > FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'linux',
> > PRI: 174,
> > syslogtag 'a1', programname: 'x1', APP-NAME: 'x1', PROCID: '-',
> > MSGID: '-',
> > TIMESTAMP: 'Oct  4 15:38:53', STRUCTURED-DATA: '[timeQuality
> > tzKnown="1" isSynced="1" syncAccuracy="415383"]',
> > msg: '{"foo":"bar","mode":750,"date":"2022-10-04T15:38:53"}'
> > escaped msg:
> > '{"foo":"bar","mode":750,"date":"2022-10-04T15:38:53"}'
> > inputname: imtcp rawmsg: '<174>1 2022-10-04T15:38:53.219052+02:00
> > linux a1 - - [timeQuality tzKnown="1" isSynced="1"
> > syncAccuracy="415383"] {"foo":"bar
> > ","mode":750,"date":"2022-10-04T15:38:53"}'
> > $!:
> > $.:
> > $/:
> >
> >
> >
> >
> > On 2022-10-04 09:18, Mariusz Kruk via rsyslog wrote:
> >> :-)
> >>
> >> OK, I understand that you did
> >>
> >> template(name="i-json" type="string" string="%msg%")
> >>
> >> action(type="ommongodb" server="..." [...] template="i-json")
> >>
> >> right?
> >>
> >> This way you should indeed be pushing the %msg% part of the
> >> incoming
> >> syslog message.
> >>
> >> Try adding
> >>
> >> action(type="omfile" file="/tmp/debug.log"
> >> template="RSYSLOG_DebugFormat")
> >>
> >> immediately before your ommongodb action to see what exactly your
> >> properties look like. That usually helps finding what's happening
> >> inside your processing pipeline.
> >>
> >> On 4.10.2022 09:03, Marcin Mirosław wrote:
> >>>
> >>> I did in the part about connection to mongodb ;)
> >>>
> >>> "It will be used automatically if no other template is specified
> >>> to be used"
> >>>
> >>> But I specified template: template(name="ui-json" type="string"
> >>> string="%msg%")
> >>>
> >>> so if I understand the quoted docs correctly, all about the default,
> >>> canned template doesn't apply to my case, am I right?
> >>>
> >>>
> >>> On 2022-10-04 08:27, Mariusz Kruk wrote:
> >>>
>  You didn't read the docs, did you? ;-)
> 
>  https://www.rsyslog.com/doc/v8-stable/configuration/modules/ommongodb.html
>  
>  "Note rsyslog contains a canned default template to write to the
>  MongoDB. It will be used automatically if no other template is
>  specified to be used. This 

Re: [rsyslog] unescaped %msg% in a template?

2022-10-06 Thread Rainer Gerhards via rsyslog
On Thu, 6 Oct 2022 at 14:54, Felipe Gasper via rsyslog
() wrote:
>
>
> > On Oct 6, 2022, at 03:41, Rainer Gerhards via rsyslog 
> >  wrote:
> >
> > On Thu, 6 Oct 2022 at 8:20, Mariusz Kruk via rsyslog
> > () wrote:
> >>
> >> Escaping is done on input so you can't disable it on output. You could
> >> try to "unescape" it but there's no way of knowing if - for example -
> >> #11 is a literal string or escaped tab character.
> >> I don't remember if you can disable escaping or single input or is it a
> >> global setting.
> >
> > It's global. We could not envision that someone would need to do that
> > on a per-input level.
> >
> > Bottom line: the control characters usually cause large issues inside
> > the analysis pipeline.
> >
> > One approach would be to disable escaping globally and escape via
> > template in those actions that need it.
>
> Making global changes is a bit more aggressive than I’d like to be, 
> especially since we don’t fully control the servers that run our software.
>
> Our application writes (directly) to its own log file. We’d like to extend 
> that application such that plugins can log to the original application’s log 
> file, but without asking the plugins to append directly to the same log file.
>
> We’d rather tell those plugins to use syslog, and configure rsyslog to append 
> to the log file. The original application, though, sometimes prints stack 
> traces in its log that are useful for debugging. Those stack traces from 
> plugins will be less legible if they have octal escapes rather than newlines 
> and tabs.

I would actually recommend having an option inside the application to
use the 2-char sequence "\n" rather than LF for "multi-line" messages.
This makes processing so much easier. And it is simple to convert it
to real multiline if needed.

Just my 2cts ;-)

Rainer

>
> It’s not a huge deal, but I thought I’d ask anyway.
>
> cheers,
> -Felipe Gasper
> Mississauga, Ontario
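The escaping discussion above, as an added example that is not rsyslog code: a model of receive-side "#ooo" control-character escaping, the reason it cannot be reliably undone later, and the two-character "\n" convention Rainer recommends on the application side. The stack-trace text is constructed.

```python
"""Why input-side control-character escaping cannot be undone safely,
and the application-side "\\n" convention suggested in the thread.

Added example, not rsyslog code.  escape_control() models the receive-side
escaping the thread discusses: each ASCII control character (including DEL)
is replaced by '#' followed by its three-digit octal code, e.g. tab becomes
'#011' and newline '#012'.  All log text below is constructed.
"""
from __future__ import annotations

import re

ESCAPE_RE = re.compile(r"#([0-7]{3})")


def escape_control(msg: str, prefix: str = "#") -> str:
    """Replace every control character with prefix + 3-digit octal code."""
    return "".join(f"{prefix}{ord(ch):03o}" if ord(ch) < 0x20 or ch == "\x7f"
                   else ch for ch in msg)


def unescape_control(msg: str) -> str:
    """Naive reverse: turn every '#ooo' back into the character.

    This is lossy: a literal '#011' written by the application is
    indistinguishable from an escaped tab, which is Mariusz's objection.
    """
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), msg)


def is_ambiguous(msg: str) -> bool:
    """True when escape + unescape does not give the original back, i.e.
    the message already contained text that looks like an escape."""
    return unescape_control(escape_control(msg)) != msg


def app_encode_multiline(text: str) -> str:
    """Application-side convention from the thread: emit backslash-n instead
    of a real LF (and backslash-t for tab), so the record stays one line and
    passes through rsyslog unchanged.  Backslashes are doubled first so the
    encoding is reversible."""
    return text.replace("\\", "\\\\").replace("\n", "\\n").replace("\t", "\\t")


def app_decode_multiline(line: str) -> str:
    """Reverse of app_encode_multiline, for a reader that wants real lines."""
    out, i = [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            nxt = line[i + 1]
            out.append({"n": "\n", "t": "\t", "\\": "\\"}.get(nxt, "\\" + nxt))
            i += 2
        else:
            out.append(line[i])
            i += 1
    return "".join(out)


def line_count(record: str) -> int:
    """Physical lines a stored record occupies; anything above 1 is what
    breaks line-oriented log analysis when control characters get through."""
    return record.count("\n") + 1


if __name__ == "__main__":
    trace = "Traceback:\n\tFile \"x.py\"\nValueError"   # constructed stack trace
    print(escape_control(trace))
    print(is_ambiguous(trace), is_ambiguous("literal #011 here"))
    print(app_decode_multiline(app_encode_multiline(trace)) == trace)
```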

Re: [rsyslog] unescaped %msg% in a template?

2022-10-06 Thread Rainer Gerhards via rsyslog
On Thu, 6 Oct 2022 at 8:20, Mariusz Kruk via rsyslog
() wrote:
>
> Escaping is done on input so you can't disable it on output. You could
> try to "unescape" it but there's no way of knowing if - for example -
> #11 is a literal string or escaped tab character.
> I don't remember if you can disable escaping or single input or is it a
> global setting.

It's global. We could not envision that someone would need to do that
on a per-input level.

Bottom line: the control characters usually cause large issues inside
the analysis pipeline.

One approach would be to disable escaping globally and escape via
template in those actions that need it.

Rainer

>
>
> On October 5, 2022 4:45:22 PM UTC, Felipe Gasper via rsyslog
>  wrote:
>
> Hello,
>
> I’d like to create a template that preserves newlines & tabs in the 
> original message (i.e., doesn’t octal-escape them). I’d also like, though, 
> not to alter rsyslog’s global configuration.
>
> Is it possible to disable rsyslog’s control-character escaping 
> locally?
>
> Thank you!
>
> cheers,
> -Felipe Gasper
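
The approach Rainer outlines above (escaping off globally, re-escaped per template where needed), together with the earlier point about keeping the application's own log readable, as an added configuration example. This is not configuration from the thread or from the rsyslog project; it assumes a stock rsyslog 8.x with local inputs delivering messages and omfile writing the files, and the file paths, template names and the "myapp" program name are illustrative:

```rsyslog
# Added example, not from the thread. Assumes rsyslog 8.x; paths, template
# names and the program name "myapp" are illustrative.

# 1. Turn off control-character escaping at reception. This is global: from
#    here on, LF and TAB arrive in %msg% unchanged for every input and every
#    action, so each output must decide for itself how to treat them.
global(parser.escapeControlCharactersOnReceive="off")

# 2. Files that other tools read line by line get the escaping back in the
#    template. controlcharacters="escape" re-applies the #<octal> form
#    (TAB -> #011, LF -> #012), so a message that contains "\n" cannot forge
#    a second, fake log record in /var/log/messages.
template(name="OneLinePerMessage" type="list") {
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" controlcharacters="escape")
    constant(value="\n")
}

# 3. The application's own log keeps %msg% raw so stack traces stay readable.
#    Only this file is exposed to newline injection, and only from "myapp".
template(name="RawMultiline" type="list") {
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg")
    constant(value="\n")
}

if $programname == "myapp" then {
    action(type="omfile" file="/var/log/myapp.log" template="RawMultiline")
    stop
}

action(type="omfile" file="/var/log/messages" template="OneLinePerMessage")
```

The point to keep in mind is that the global switch removes the protection for every action at once; any file written with a template that does not re-escape is then open to line forging by whatever can write to the local log socket. Re-escaping in the template of every line-oriented file, and leaving %msg% raw only for the one file whose readers are human, limits that exposure to the file that actually needs multi-line output.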

Re: [rsyslog] doc request

2022-10-04 Thread Rainer Gerhards via rsyslog
Hi David,

I was out of office last week. I'll check and update. Legacy should be
mentioned, albeit IMHO only brief info is needed, a la

Legacy is
$template ,
as  should be defined. This, together with 1 or 2 samples.

What do you think?

Rainer

On Wed, 28 Sept 2022 at 22:12, David Lang via rsyslog
() wrote:
>
> the template page has removed all references to the legacy format. For simple
> things, I still prefer it to the new formats, and for people needing to
> understand existing configs, the format should still be listed, even if it's
> with a note that it's not recommended
>
> could someone resurrect the old documentation and merge it with the current
> page?
>
> https://www.rsyslog.com/doc/master/configuration/templates.html
>
> David Lang
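
The "1 or 2 samples" Rainer proposes for the templates page, as an added example that is not from the thread or the rsyslog documentation: the same string template written once in the legacy `$template` directive and once in the current format, each bound to an omfile action. The file paths and template names are illustrative:

```rsyslog
# Added example, not from the thread or the rsyslog docs. Both templates
# produce identical output; file paths and template names are illustrative.

# Legacy format: $template <name>,"<template string>"[,<options>]
# The template must be defined before the action line that references it.
$template LegacyFmt,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
*.info  /var/log/legacy-style.log;LegacyFmt

# The same template and action in the current (RainerScript) format.
template(name="NewFmt" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")
*.info  action(type="omfile" file="/var/log/new-style.log" template="NewFmt")
```

Both forms can coexist in one configuration, which is why a reader maintaining an older file still needs the legacy syntax documented even though new configurations should use the second form.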
