by the way, if you can write the message using the RSYSLOG_DebugFormat it will
help us understand exactly what the state of the message is.
David Lang
On Tue, 2 Apr 2019, David Lang via rsyslog wrote:
Date: Tue, 2 Apr 2019 07:45:34 -0700 (PDT)
From: David Lang via rsyslog
To: Bruno Manzoni
On Tue, 2 Apr 2019, Marc Haber via rsyslog wrote:
Hi David,
On Mon, Mar 25, 2019 at 03:58:26AM -0700, David Lang wrote:
On Mon, 25 Mar 2019, Marc Haber via rsyslog wrote:
> On Thu, Feb 07, 2019 at 08:01:26AM +0800, 杨华杰 via rsyslog wrote:
> > Most of the tutorials I found on the internet are
On Tue, 2 Apr 2019, Marc Haber via rsyslog wrote:
On Tue, Apr 02, 2019 at 04:21:07PM +0200, Rainer Gerhards wrote:
It may make sense to document this on the doc as well. Up for a PR?
Yes, I'll try having something before the weekend. Unfortunately, in
current day-job I'm quite far away from
On Tue, 2 Apr 2019, Marc Haber via rsyslog wrote:
On Tue, Apr 02, 2019 at 03:08:15PM +0200, Rainer Gerhards via rsyslog wrote:
On Tue, 2 Apr 2019 at 14:54, Mauricio Tavares via rsyslog wrote:
> > Are the docs in a public git? Where can people ask for clarification
> > about things
in recent versions of rsyslog there is an option to make the field names case
sensitive (in the past they were all squashed to lower case internally as
referenced in rsyslog configs, but if they are created with a parser in
mixed/upper case you could not access them)
I believe you need to set
On Tue, 2 Apr 2019, John Chivian via rsyslog wrote:
Old:
kern.* /var/log/kern.log
New:
kern.* {
    action(
        type="omfile"
        name="kern"
        file="/var/log/kern.log"
    )
}
This is a case where we recommend continuing to use the old style, it's enough
there is no input defined in the config snippet you are showing us, this is why
we are asking for the full config
David Lang
On Tue, 2 Apr 2019, Gorman, Kevin via rsyslog wrote:
Date: Tue, 2 Apr 2019 19:28:37 +
From: "Gorman, Kevin via rsyslog"
To: rsyslog-users
Cc: "Gorman, Kevin"
>) are not parsed by
rsyslog, I think I cannot "manipulate" / "match" them with RainerScript
(I think only the fields (first fields in my output, mainly in upper case) be
manipulated as they were
parsed by the default parser. (5424)
If I did understand I cannot do what I want (ma
the new format looks like functions, the obsolete format sets things with lines
that start with $, legacy format is everything else.
If it takes more than one line to specify something, you are probably using the
obsolete format. It continues to work, but is not recommended as it has a much
in the latest version or two there are options to truncate overly long messages
imfile doesn't get the filename from the message, but when you send it over the
network the fallback parser is the old format (rfc3164) which tries really hard
to make _some_ sense out of even malformed logs, and so
look for dynafile templates
David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC
same as with the old format, some external tool (like logrotate) renames the
files and then sends a HUP to rsyslog to tell rsyslog to close the files (which
it continues writing to under their new names) and rsyslog will
re-open/re-create the file the next time it has a message to write to that
On Sun, 24 Mar 2019, Kanniganti Kalyani via rsyslog wrote:
Hi
How can we configure below ssh and auth in rsyslog.conf file.
# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(src);
On Mon, 25 Mar 2019, Marc Haber via rsyslog wrote:
Hi,
On Thu, Feb 07, 2019 at 08:01:26AM +0800, 杨华杰 via rsyslog wrote:
Most of the tutorials I found on the internet are out of date, and I have
found old syntax configuration are not supported anymore.
we've been pretty good about
On Wed, 3 Apr 2019, Gorman, Kevin via rsyslog wrote:
So I could get rid of the *.* and the ruleset= in the inputs as shown? That
would create a simpler config that works the same, meaning it forwards anything
configured, correct? I'm being pedantic I guess...
yes, you want either the call,
If you really want everything to be sent, you don't need to use a specific
ruleset at all, just have the action be in the main config and all logs, from
all inputs (or at least, all inputs that don't specify a specific ruleset) will
be processed by the main config.
you could put a queue on the
On Wed, 3 Apr 2019, Gorman, Kevin via rsyslog wrote:
The *.* call linux_forward was the key. Much cleaner. Thanks!
There was nothing in your old config to tell it to execute the ruleset, you
needed to either call the ruleset unconditionally (in which case you don't need
the *.*), or you
instead of using the $MainMsgQueueSaveOnShutdown parameter, you should set
queue parameters with the main_queue() call, be sure you set the filename as
well.
David Lang
On Wed, 3 Apr 2019, Jacobi, Daniel via rsyslog wrote:
Date: Wed, 3 Apr 2019 12:47:55 +
From: "Jacobi, Daniel via
please write a test log using the template RSYSLOG_DebugFormat, that will show
us exactly what rsyslog is seeing when you do this.
David Lang
On Sat, 6 Apr 2019, John Chivian via rsyslog wrote:
By new style syntax, what I personally mean is having all functionality
in specifically defined rulesets, and having each input explicitly
define which ruleset is applicable. In this way all traffic is
explicitly segregated, all queues have
can you clarify a bit more about what's not working?
I will point out that in the old syntax, only the first action has a queue, and
unless that queue is full, that action will always succeed, so the fallback
isn't going to work as expected.
David Lang
On Fri, 29 Mar 2019, Gorman, Kevin via
can we see the rest of your config?
do a rsyslogd -N 2 and show us the results.
David Lang
On Fri, 29 Mar 2019, Gorman, Kevin wrote:
Date: Fri, 29 Mar 2019 23:25:13 +
From: "Gorman, Kevin"
To: David Lang ,
"Gorman, Kevin via rsyslog"
Subject: RE: [E] Re: [rsyslog] Help with newer
how does mlogc collect the logs from ModSecurity? what mechanisms does
ModSecurity have to deliver logs to any destination?
If mlogc is just reading the files like imfile does, what benefit does it
provide?
If it's getting the logs in some other way, that would (probably) be what we
would
and the only thing mlogc can do is to transfer entire files via HTTP put?
Rsyslog does not have this capability, and I don't see it being a high priority
to add it (Adding the capability to fetch logs from AWS would be much higher on
the list for example), so I don't see this as something that
write a log using the template RSYSLOG_DebugFormat as that will show the rawmsg
(what arrived on the wire) and all the standard properties that it is parsed
into.
Then you can post a message that you think is not being parsed correctly and we
can help you understand what's happening.
Please
the first thing to do is to drop the thread counts down. having a lot of threads
can significantly slow down your processing.
I would consider bumping the batchsize up
but looking at the stats output, you are having problems writing to the ompipe
output (both from the failures on action 0 and
write the timestamp for example), while writing the entire
message to a file in parallel so you can check what's happening.
David Lang
On Sun, 7 Apr 2019, David Lang via
rsyslog wrote:
Date: Sun, 7 Apr 2019 22:34:18 -0700 (PDT)
From: David Lang via rsyslog
To: Derek DiFilippo via rsyslog
Cc
we would need to see your full config, but if rsyslog fills its queue (commonly
because you have it configured to send to a different machine via TCP and the
remote machine is down), it is unable to accept new messages, and the system
will stall.
This is part of the spec for the syslog
like most other applications, rsyslog does not know that two instances would be
writing to the same file, the result could be interleaved writes (which are not
always going to be full records)
you need to tell your HA software to make sure that rsyslog is stopped (and
possibly restarted with
note that with the action() style syntax, owner and group need to be specified
in the action() statement as per
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html
David Lang
On Tue, 19 Mar 2019, Flo Rance via rsyslog wrote:
Yes, take a look at $FileOwner and $FileGroup
On Fri, 15 Mar 2019, Joan Tomàs i Buliart wrote:
And how can we put a ‘fire-and-forget’ strategy in place? Using UDP will
work?
Yes, this is why I normally make my first hop be UDP, I'd rather lose logs than
run the risk of stalling the production systems. If you can have a relay on the
On Tue, 12 Mar 2019, Ani Sinha via rsyslog wrote:
Can someone please throw some light as to what changed between rsyslog 5.8 and
rsyslog 7.10 that the issue has been fixed. Are there other issues with
rsyslog7 which I should be aware of?
There are many years of development between the two.
On Tue, 5 Mar 2019, FONT Olivier via rsyslog wrote:
Hello everyone,
I just installed and configured my rsyslog client on a windows machine.
Logs are well sent to my log correlator but the taxonomy cannot be done because
the correlator logs expects a snare format.
I have found how to re-format
On Wed, 6 Mar 2019, Rainer Gerhards wrote:
Seems the same is valid for in-memory part of the queue. Does it make sense
or would it be possible to implement some special mode in which the message
will be "queued" before the variables/templates will be applied (in similar
way the main queue is
nobody else has reported it, can you post your config?
David Lang
your text didn't come through again.
David Lang
On Fri, 22 Mar 2019, Daniel Rubio wrote:
Date: Fri, 22 Mar 2019 12:30:42 +0100
From: Daniel Rubio
Reply-To: rsyslog-users
To: rsyslog-users
Subject: Re: [rsyslog] Failover config over NFS shared disk
config and debug log would help.
a core dump may end up being needed.
David Lang
On Tue, 5 Feb 2019, Amrut Shetty wrote:
Hi,
I'm observing segfaults with rsyslog version 8.22.
Segfault is observed at strlen function for passing NULL pointer, pRes pointer
is passed to strlen.
In the code I
I believe that with the old syntax, you have to set all the values before you
load the module, not after.
This is one of the reasons why you should really use the new syntax. It makes it
much clearer what you are doing.
David Lang
On Tue, 5 Feb 2019, Peter Viskup via rsyslog wrote:
The
take a look at the dyn_stats() capability, it lets you create your own stats
that get reported as part of the pstats output.
https://www.rsyslog.com/doc/master/configuration/dyn_stats.html
David Lang
On Fri, 12 Apr 2019, Rainer Gerhards wrote:
does that mean rsyslog now also needs to provide functionality to set
elasticsearch config params?
I don't think so, I see this as part of the job of setting up and configuring
elasticsearch. It's stuff that should be done once when the index is
to clarify, what elasticsearch and Splunk call an 'index' is not the same thing
that you know of as an index under any other systems.
An "Index" in Splunk or Elasticsearch is what Postgres/MySQL/Oracle/etc call a
database or table (it blurs the line a little bit).
When you connect to a
a google search for "elasticsearch set the number of shards" returned
https://discuss.elastic.co/t/how-change-default-number-of-shards/117985 as its
first hit.
apparently this needs to be set via the API, not the config files on current
versions of elasticsearch.
David Lang
if you write the logs with the template RSYSLOG_DebugFormat there is an entry
'rawmsg' that shows what you received on the wire, that will help you debug
this.
but the version you are running is > 5 years old, so if there is a bug in that
version, the answer will be to upgrade to a current
On Tue, 16 Apr 2019, Kelly McCubbin via rsyslog wrote:
I may have posed this before, but I haven't found a solution yet; so I'm
going to come at it from a different angle.
We're processing syslogs from Cisco nextgen firewalls (FTDs). The firewall
sends the logs with no time zone stamp, but the
rsyslog doesn't convert the timestamps that it receives.
a better bet would be to change the other system(s) to run in UTC. It's a good
idea anyway, if you run in local time you have crontab entries that can not be
run or run twice when time shifts, and if you write logs to files that have the
timestamp manipulation is an area that we just have the very beginnings of.
parse_time() and format_time() were only recently added, they open up a number
of possibilities, but work needs to be done to implement them, and there just
hasn't been enough priority for Adiscon to work on it, and
when machine A is configured to send logs to machine B via TCP, you are saying
that when machine B isn't processing logs fast enough, you want machine A to
pause sending the logs (note that you can still lose logs via tcp, you need to
use relp to avoid losing logs).
When the omfwd using tcp
I saw an issue that said that the version of gnutls shipped in RHEL6 has
serious problems. I'm not finding details easily, can someone give a brief
explanation of the problem?
David Lang
no, rsyslog does not support having conditional around startup-time parameters.
David Lang
On Mon, 27 May 2019, A via rsyslog wrote:
Date: Mon, 27 May 2019 13:14:47 -0400
From: A via rsyslog
To: rsyslog@lists.adiscon.com
Cc: arif+rsys...@bifb.org
Subject: [rsyslog] start listening only on
Every queue has one or more worker threads
each worker thread dequeues a batch of messages from the queue and then
processes all actions in the ruleset.
If any ruleset/action has a queue, the worker thread attempts to insert the
message into that queue. If it can't, it blocks like any other
at the time that rsyslog is started, there may not be a path defined (especially
if it's started by systemd)
I'm not sure how much value there is in adding anything to specifically enable
this (it may be that it would 'just work' as-is, but I wouldn't want to rely on
it)
David Lang
On Tue,
On Fri, 31 May 2019, Peter Viskup via rsyslog wrote:
Date: Fri, 31 May 2019 09:03:20 +0200
From: Peter Viskup via rsyslog
To: rsyslog-users
Cc: Peter Viskup
Subject: [rsyslog] call ruleset
From reading the call documentation [1] I understand the call ruleset can
be used to independent
rate limiting is defined at module load time, not at runtime. one of the reasons
to change to rainerscript is that it makes it clearer as to when things are
defined, you would need to change the module load command (using the old style
config, your $ rate limiting lines would need to be in the
There does appear to be some problem with 8.1905, so far we don't have enough
information to figure out what. If it's possible to get a debug log and/or
pstats output from a box that's not logging it would help (ideally a debug log
that includes when it stops, but that's harder to get)
one
thanks for the good report, one thing to note is that the timestamp you have in
the log is in the future, but since rsyslog is failing to parse it, it's using
the current time as the timestamp and is treating the timestamp as being part of
the text of the message
I think I've seen this before
On Wed, 29 May 2019, John Jasen wrote:
a) I'll note the simple reversion to 1904 restores functionality. I'll also
note 1905 works for about half an hour, then just ... stops.
b) impstats stopped when rsyslog stopped logging.
If you set it to log to a file, its logs will be independent of
do you have impstats configured? that would help identify what's going wrong.
Can you share your config? without that we don't have any place to start.
I have not seen other reports of problems, which isn't saying you didn't run
into something, just that it's not something common enough to
no, you can't have one action() statement direct to multiple sockets. you should
be able to have separate action() statements with filters as to what goes to
which action.
David Lang
On Fri, 14 Jun 2019, Doug Wussler via rsyslog wrote:
I have a way around this but wanted to know if I am
On Mon, 10 Jun 2019, Heaton, Tobias wrote:
I configured impstats, updated rsyslog, restarted and awaited the failure.
Tailing the busiest logs, behavior starts normal. Over the course of a few
minutes, the logs seems to arrive in chunks...or at least appear to write that
way to disk.
That
do you have impstats configured to reset its counters each time it outputs?
David Lang
On Mon, 10 Jun 2019, Heaton, Tobias wrote:
Date: Mon, 10 Jun 2019 19:37:31 +
From: "Heaton, Tobias"
To: David Lang
Cc: "Heaton, Tobias via rsyslog"
Subject: RE: [rsyslog] 8.1905.0 Logging Stops
by the way, looking at your evicted stats, you probably want to tweak your
dynafilecachesize on some of your outputs (performance issue, probably not
related to this issue)
data was still being processed by outputs through the 15:00:17 window. It didn't
stop until the 15:00:22 window.
If
On Mon, 10 Jun 2019, Heaton, Tobias wrote:
I do - should I not?
the stats are a little more inaccurate (there is a race condition between
the time that the stats are reported and when they are cleared that new events
can be lost) beyond that it's mostly preference, but the stats analysis
by default, a message longer than maxmessagesize will get split into multiple
messages, and that can cause the problem that you are seeing.
v8.24 is a couple years old, we got up to 8.40 before switching version numbers
to one that indicates dates.
upgrading will not solve your problem, but
on old versions like that, I thought the maxmessagesize was 2k.
check that you have it set to 8k on the receiving side.
David Lang
On Mon, 17 Jun 2019, Tomoaki_Hashizaki via rsyslog wrote:
Date: Mon, 17 Jun 2019 12:09:58 -0700 (MST)
From: Tomoaki_Hashizaki via rsyslog
To:
what repository are you installing this from?
David Lang
first off, try disabling rate limiting entirely
second, are you on a system that has systemd on it? if so you are running things
through journald and it has its own rate limiting.
David Lang
On Thu, 20 Jun 2019, David Terwilliger via rsyslog wrote:
Date: Thu, 20 Jun 2019 11:35:09 -0400
right now we have limited info on this problem
do you have impstats setup? can you show us what it outputs when logging stops?
if you can manage to get debug output over the time that it stops, that would be
wonderful.
David Lang
On Mon, 10 Jun 2019, Heaton, Tobias via rsyslog wrote:
the poor error reporting is why openssl was added as an option, you may want to
try using that (IIRC it's something like driver="ossl")
David Lang
On Mon, 10 Jun 2019, Asif Iqbal via rsyslog wrote:
I fixed the SLM-Prod-Intermediary.pem and openssl can read it now. It was
missing BEGIN.
what I would do is to make sure that imfile includes the metadata for the file
and then use a table_lookup() map to map the file/path to the source IP that you
want to use for that file.
David Lang
On Thu, 9 May 2019, Drew West wrote:
Unfortunately I don't quite understand what you mean, lol
Is there a way I can just make logger spoof the source IP? like.. 'tail
-n0 -f | logger'
where do you get the IP in that case?
rsyslog is not magic, it only knows what you give it.
If you are
On Thu, 9 May 2019, Adam Chalkley via rsyslog wrote:
Does rsyslog support the use of a variable when configuring action parameters?
no
Thanks for confirming. Any rsyslog-based workarounds that you're aware of that
we can use (aside from replicating the block and just changing the
I think that multiple UDP listeners is undefined, I think I've seen some systems
where arriving packets alternated between listeners rather than 'last loaded
wins'
if you look at the imudp module, you will see the code and exactly what it does.
David Lang
On Fri, 17 May 2019, John Chivian via
On Thu, 9 May 2019, Drew West wrote:
Wow, thanks David. That was a pretty solid answer; I'm starting to see how
it works now.
good.
What if I name each file with the IP address of the corresponding server to
eliminate the need to access a data table?
that would help, but you still will
On Mon, 20 May 2019, moan22 via rsyslog wrote:
I have following as a template to be used by the remote server:
*$template tpl1,"%timegenerated:::date-rfc3339% %HOSTNAME% %msg%\n"
$ActionFileDefaultTemplate tpl1*
This is actually not a valid syslog message over the wire, you need to include
quick version:
There are two types of config statements
  startup statements
    module loads
    input definitions
    global definitions
  ruleset actions
    actions
    conditionals
    functions
input modules accept messages (source depends on the module) and add them to a
queue (main queue
On Thu, 16 May 2019, Rainer Gerhards wrote:
On Thu, 16 May 2019 at 7:46, David Lang via rsyslog wrote:
I saw an issue that said that the version of gnutls shipped in RHEL6 has
serious problems. I'm not finding details easily, can someone give a brief
explanation of the problem?
I
On Thu, 16 May 2019, Rainer Gerhards wrote:
On Thu, 16 May 2019 at 19:33, David Lang wrote:
On Thu, 16 May 2019, Rainer Gerhards wrote:
I believe that the right thing to do is to abort the connection, but it seems
that rsyslog is dying instead of just failing the connection (in
You already ask if there is an invalid escape sequence, possibly showing the
full string that you have parsed to the point of the error?? (unless it gets
too long I guess)
David Lang
On Thu, 16 May 2019, Rainer Gerhards via rsyslog wrote:
Great to hear! It's not that intuitive, I know. Any
On Thu, 16 May 2019, Rainer Gerhards wrote:
On Thu, 16 May 2019 at 9:09, David Lang wrote:
On Thu, 16 May 2019, Rainer Gerhards wrote:
On Thu, 16 May 2019 at 7:46, David Lang via rsyslog wrote:
I saw an issue that said that the version of gnutls shipped in RHEL6 has
ahh, the rsyslog output shows errors. I don't see any way of knowing that a
single \ is wrong.
I think this is a case where the config output will help as it would not see a
need to escape the . and would output the regex without the \
David Lang
On Thu, 16 May 2019, Rainer Gerhards wrote:
On Thu, 16 May 2019, Rainer Gerhards wrote:
I believe that the right thing to do is to abort the connection, but it seems
that rsyslog is dying instead of just failing the connection (in this case, it
seems to be an inbound connection)
I walked into this by seeing a discussion of how to
I'm not seeing anything obvious, but it would be clearer as to what's going on
if you were to use the new action() syntax (where you specify everything on the
action line, rather than there being side-effects from prior lines in the
config)
David Lang
On Wed, 8 May 2019, Andre via rsyslog wrote:
They both seem to work on messages using liblognorm rules, but one
(pmnormalize) seems to be targeting processing at input" while the other
(mmnormalize) as an action?
That is exactly the difference.
pmnormalize exists for cases where you don't
On Thu, 18 Apr 2019, Dave Caplinger via rsyslog wrote:
If the remote target goes down and stays down for a long time, the in-memory
queue will fill up to the
high-water mark (90% by default) and trigger writing to local disk-assist files
(1M each by default).
Eventually, the total size of
once you have received the logs (from whatever source), they are processed by
the same config lines, so if you look at /var/log/messages, you will see logs
from both systems
double check that you don't have iptables blocking port 514.
David Lang
On Wed, 26 Jun 2019, Andres Gacha Suarez via
you can also unset variables to make them disappear if you need them for part of
your actions, but not all of them.
This is also why the $. variables exist, so you can store data and not have it
be part of the $! variable set.
David Lang
Adiscon offers Professional Services contracts, but everyone else here are users
like you. In general, we are very willing to help teach you, but are less
willing to spend our free time to just do your configuration.
Please explain your problem a bit more clearly.
At minimum:
What is your
you would create a new parser with pmnormalize and then define a new parser
chain that would use the pmnormalize parser first, then the fallbacks that you
want.
most people use mmnormalize to parse the msg part later in the config, the
pmnormalize is normally used for situations where the log
On Wed, 24 Apr 2019, Gorman, Kevin wrote:
I'm trying to correlate on something currently not in the messages, or I'm not
seeing the tag, such as log filename.
you set tags as 'ansible' 'iptables' and 'firewalld' so you should see these as
the syslogtag in the messages you receive.
you can
On Wed, 24 Apr 2019, Gorman, Kevin via rsyslog wrote:
An earlier mail had a suggestion to add a name to the *.* action. That looks
easy enough since name is an action parameter.
by the way, with 8.x you can leave out the *.*, you could just do
call linux_forward
Unfortunately, my action
useless to try to fix it with that version.
Rainer
Sent from phone, thus brief.
rsyslog--- via rsyslog wrote on Wed, 10 Apr 2019, 20:38:
Update on this. Since we changed we removed PollingInterval to module(load="imfile"
mode="inotify").
To followup is the way we hav
you are meaning files read via imfile?
rsyslog will periodically check to see if they exist and read from them if they
appear, but will not be bothered otherwise.
David Lang
that won't bother rsyslog at all.
However, I will point out the inefficiency of writing to disk and reading from
disk as opposed to passing the message directly.
David Lang
you are asking about rsyslog reading files, those are the files I'm talking
about.
Instead of having your apps writing to files that rsyslog then reads, have them
write to syslog directly (a different logging mechanism)
David Lang
where in the documentation does it say a ruleset can have a parser?
parsing of the message happens in the input module, before any ruleset
(including the default ruleset)
David Lang
you can put things directly into glacier
what version are you looking at? I seem to remember that we had one key signing
vendor disappear on us, but that there was a new one that showed up.
This module was contributed, and so the rsyslog team only keeps it running as
the core changes.
what about transmit buffers?
David Lang
fix the dynafilecachesize, that is probably why you are losing your inbound
logs.
this should help keep you from losing your outbound logs
David Lang
On Fri, 2 Aug 2019, Singh, Radesh wrote:
Date: Fri, 2 Aug 2019 23:59:21 +
From: "Singh, Radesh"
To: David Lang
Cc: "Singh, Radesh via
so, one cycle of stats
2019-08-01T19:31:30.625929-04:00 lnx21648 rsyslogd-pstats: global:
origin=dynstats
2019-08-01T19:31:30.625943-04:00 lnx21648 rsyslogd-pstats: imuxsock:
origin=imuxsock submitted=0 ratelimit.discarded=0 ratelimit.numratelimiters=0
no stats from /dev/log
so this is indicating that you are unable to send messages as fast as you want
to, so rsyslog is periodically pausing (which causes more grief)
almost always this is going to be due to buffer space, not sockets. you only use
additional sockets for additional connections, so unless you are