I can't extract log message because there is sensible informations.
But this is our rsyslog configuration:
We use rsyslog 5.10 (compiled on redhat 5.9 x86_64), with module omrelp,
omoracle, impstats, gnutls
The
rsyslog 5.10 installation on redhat 5.9:
[root@toto libestr-0.1.9]# CC="gcc
${BUILD64}" ./configure --prefix=/usr --libdir=/usr/lib64
[root@toto libestr-0.1.9]# make &&
make install
[root@toto libee-0.4.1]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--prefix=/usr --libdir=/usr/lib64
[root@toto libee-0.4.1]# make && make
install
[root@toto liblogging-1.0.3]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--prefix=/usr --libdir=/usr/lib64 --disable-journal
[root@toto liblogging-1.0.3]# make &&
make install
[root@toto json-c]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--prefix=/usr --libdir=/usr/lib64
[root@toto json-c]# make && make
install
[root@toto gmp-6.0.0]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
[root@toto gmp-6.0.0]# make && make
install
[root@toto nettle-2.7]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--enable-shared --prefix=/usr --libdir=/usr/lib64
[root@toto nettle-2.7]# make install
[root@toto gnutls-3.2.9]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--prefix=/usr --libdir=/usr/lib64
[root@toto gnutls-3.2.9]# make && make
install
[root@toto librelp-1.2.3]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--prefix=/usr --libdir=/usr/lib64
[root@toto librelp-1.2.3]# make &&
make install
[root@toto rsyslog-5.10.0]# CC="gcc
${BUILD64}" PKG_CONFIG_PATH="${PKG_CONFIG_PATH64}" ./configure
--prefix=/usr --libdir=/usr/lib64 --enable-gnutls --enable-relp --enable-oracle
--enable-impstats --enable-cached-man-pages
[root@toto rsyslog-5.10.0]# make &&
make install
-rsyslog.conf:
#module(load="imuxsock") # provides support for local system logging (e.g. via
logger command)
$ModLoad imuxsock
#module(load="imklog") # provides kernel logging support (previously done by
rklogd)
$ModLoad imklog
##module(load"immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
$ModLoad imtcp
$InputTCPServerRun 514
$InputTCPFlowControl off
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$MaxMessageSize 1024k
$EscapeControlCharactersOnReceive off
$WorkDirectory /var/spool/rsyslog
$umask 0000
$DirGroup \dct_apl_syslog_admin
$FileGroup \dct_apl_syslog_admin
$DirCreateMode 0550
$FileCreateMode 0640
#$MaxOpenFiles 2048
# File syncing capability is disabled by default. This feature is usually not
required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
-templates.conf:
##################
#### TEMPLATES ###
##################
$MainMsgQueueFileName MainQueue
$MainMsgQueueType FixedArray
$MainMsgQueueType LinkedList
#$MainMsgQueueType Disk
$MainMsgQueueSize 2000000
$MainMsgQueueWorkerThreads 8
$MainMsgQueueSaveOnShutdown on
$MainMsgQueueMaxDiskSpace 7g # 7gb space limit (use as much as possible)
$MainMsgQueueDequeueSlowdown 50 # timeout in µs (1000 means --> max 1000
messages per second) [default 0 -> no delay]
$template DYNmessages,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/messages"
$template DYNsecure,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/secure"
$template DYNerror,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/error"
$template DYNmaillog,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/maillog"
$template DYNcron,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/cron"
$template DYNspooler,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/spooler"
$template DYNboot,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/boot.log"
$template DYNoracle,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/oracle.log"
$template DYNaudit,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/audit.log"
#$template DYNmmog_error,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/mmog_error.log"
#$template DYNmmog_debug,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/mmog_debug.log"
#$template DYNmmog_info,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/mmog_info.log"
#$template DYNmmog_access,"/syslog/%FROMHOST%/%$YEAR%.%$MONTH%/mmog_access.log"
#$RuleSet dctcentral
if $programname == 'audispd' then ?DYNaudit
local6.warning ?DYNoracle
#Old rule before oracle migration
#if $programname == 'Oracle' then ?DYNoracle
#MMOG syslog
#if $programname == 'httpd' and $syslogfacility-text == 'local5' then
?DYNmmog_error
#if $programname == 'httpd' and $syslogfacility-text == 'local5.debug' then
?DYNmmog_debug
#if $programname == 'httpd' and $syslogfacility-text == 'local5.info' then
?DYNmmog_info
#if $programname == 'httpd' and $syslogfacility-text == 'local4' then
?DYNmmog_access
& ~
#Exclude syslog message from Oracle, audispd, httpd
:syslogtag, contains, "Oracle" ~
:syslogtag, contains, "audispd" ~
#:syslogtag, contains, "httpd" ~
kern.*,*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;mail.none;authpriv.none;cron.none
?DYNmessages
*.err ?DYNerror
authpriv.* ?DYNsecure
mail.* -?DYNmaillog
cron.* ?DYNcron
uucp,news.crit ?DYNspooler
local7.* ?DYNboot
-oracle.conf
$ModLoad omoracle
#$ActionQueueType Disk
$ActionQueueType FixedArray
$ActionQueueType LinkedList
$ActionQueueWorkerThreads 4
$ActionQueueSize 1000000
$ActionQueueFileName fwdRuleORACLE # set file name, also enables disk mode
$ActionQueueMaxDiskSpace 4g # 7gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionResumeRetryCount -1 # infinite retries if host is down
$ActionQueueDequeueSlowdown 50 # timeout in µs (5000 means --> max 200
messages per second)[[default0 -> no delay]
$OmoracleDBUser syslog
$OmoracleDBPassword syslog
$OmoracleDB rsyslog.gemalto.com
$OmoracleBatchSize 100
$OmoracleBatchItemSize 64000
$OmoracleStatementTemplate OmoracleStatement
$template OmoracleStatement, "insert into SystemEvents
(Message,FromHost,SysLogTag,Facility,Priority,ReceivedAt,DeviceReportedTime)
values
(:msg,:hostname,:syslogtag,:syslogfacility,:syslogpriority,to_date(:timegenerated,
'MON DD HH24:MI:SS'),to_date(:timereported, 'MON DD HH24:MI:SS'))"
$template
DCTTEMPLATESQL,"%msg:::space-cc%%hostname:::lowercase%%syslogtag%%syslogfacility%%syslogpriority%%timegenerated%%timereported%"
:fromhost,!contains, "gemalto.com" ~
#Inject all syslog messages in database
#*.* :omoracle:;DCTTEMPLATESQL
if $programname == 'audispd' then
:omoracle:;DCTTEMPLATESQL
if $programname == 'Oracle' then
:omoracle:;DCTTEMPLATESQL
if $programname == 'MSWinEventLog' then
:omoracle:;DCTTEMPLATESQL
#if $programname == 'httpd' and $syslogfacility-text == 'local4' then
:omoracle:;DCTTEMPLATESQL
#if $programname == 'httpd' and $syslogfacility-text == 'local5' then
:omoracle:;DCTTEMPLATESQL
-relp.conf:
#####################
#### RELP Client ####
#####################
$ModLoad omrelp # Provide RELP syslog emission
$ActionQueueType FixedArray # use asynchronous processing
$ActionQueueFileName fwdRuleRELP # set file name, also enables disk mode
$ActionQueueMaxDiskSpace 3g
$ActionResumeRetryCount 2 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
authpriv.*;user.info;auth.* :omrelp:
kern.debug;daemon.notice;mail.crit;*.err :omrelp:
mail.* :omrelp:
## send Windows/Auditd logs to central log server
user.* :omrelp:
THX in Advanced
> Date: Mon, 7 Apr 2014 20:10:31 +0200
> From: rgerha...@hq.adiscon.com
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] explications about this message: error -2033
> deserializing property name
>
> I think this can happen due to corrupt disk queue.
>
> Sent from phone, thus brief.
> Am 07.04.2014 19:05 schrieb "David Lang" <da...@lang.hm>:
>
> > we would need to see your config and possibly the data, but it sounds like
> > you probably have a typo in your config
> >
> > David Lang
> >
> > On Mon, 7 Apr 2014, gaelor couilleaux wrote:
> >
> > Date: Mon, 7 Apr 2014 11:46:01 +0200
> >> From: gaelor couilleaux <gae...@hotmail.fr>
> >> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> >> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> >> Subject: [rsyslog] explications about this message: error -2033
> >> deserializing
> >> property name
> >>
> >> Does anybody can give a good traduction of this error ?
> >>
> >> How to solve it ?
> >>
> >> THX in Advanced
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>
> >> _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
