I think I have pinpointed the problem where even though *.* @@172.16.16.1:2514 was placed before any rules, the discard &~ affected it.
I used to have *.* @@172.16.16.1:2514 right above $IncludeConfig (I also tried every ridiculous options like Modules section, the very bottom of the /etc/rsyslog.conf file -- all producing the same effect). Only when I created /etc/rsyslog.d/10-send-to-remote.conf which contains a single line "*.* @@172.16.16.1:2514" it started to work as I expected it too. So, my question to subscribers of this list now is if something like that is expected? If it is, it seems rather counterintuitive because if I place *.* @@172.16.16.1:2514 BEFORE $IncludeConfig I naturally assume that it will be treated as the first line preceding any rules contained in configuration include files. Ivan On Aug 13, 2014, at 11:17 PM, David Lang <[email protected]> wrote: > On Wed, 13 Aug 2014, Ivan Lezhnjov IV wrote: > >> I finally got around to this. >> >> So, in my configuration, which is rather simple and doesn't differ from a >> default one much I do this: >> >> :syslogtag, contains, "postgres" >> /var/log/postgresql.log >> &~ >> >> *.* >> /var/log/syslog >> >> *.* @@172.16.16.1:2514 >> >> I want PostgreSQL logs in a separate file (and only this one file), and to >> also send them to a remote server for further processing there. However, if >> i stop processing on the client with the discard command &~, they never get >> sent to the remote server. >> >> After reading documentation (a while ago), I somehow was under impression >> that rsyslog would process rules in the order of their appearance in a >> configuration file. > > they are. > >> So, I naturally tried to move the "*.* @@172.16.16.1:2514" line up and >> rearranged the order to the effect of this: >> >> >> *.* @@172.16.16.1:2514 >> >> :syslogtag, contains, "postgres" >> /var/log/postgresql.log >> &~ >> >> *.* >> /var/log/syslog >> >> But it still wouldn't work. i would see /var/log/postgresql.log being >> written to on the client, but nothing arriving to the remote server. >> >> If I do away with the &~, messages are logged to /var/log/postgresql.log, >> /var/log/syslog and are sent to the remote server. Regardless of where I >> place the "*.* @@172.16.16.1:2514" line, at the top or at the bottom of >> configuration file. > > something is very wrong if removing & ~ affects lines prior to where it > appears. > > Now, this isn't something to be chased down in v5 since it's so old, but if > you can duplicate that with v8 it will get attention real fast. > >> Unless there is some other way, it appears I need to use the an >> expressions-based filter. I have another question regarding this, however. >> How does one express the *.* in an expression like this: >> >> if $syslogfacility-text == '*.*' and not \ >> ($syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' \ >> or $syslogtag contains 'postgres') then /var/log/syslog >> >> ? >> >> That clearly doesn't work, the *.* part. > > correct, syslogfacility is the part before the . in *.* > > but with v8, if you want *.* you can just leave it out > > @@172.16.16.4:2514 > > David Lang > >> Ivan >> >> >> On Aug 8, 2014, at 2:38 AM, David Lang <[email protected]> wrote: >> >>> On Fri, 8 Aug 2014, Ivan Lezhnjov IV wrote: >>> >>>> Just to be clear, is this configuration syntax supported by the legacy v5? >>>> Because that's all I can use. >>> >>> that syntax is v8, you can do it in v5 but it would be a different syntax. >>> >>> David Lang >>> >>>> Ivan >>>> >>>> On Aug 7, 2014, at 10:19 PM, Eugene Istomin <[email protected]> wrote: >>>> >>>>> Hello, >>>>> >>>>> if by 'directly' you mean just not to write a local text log - >>>>> >>>>> >>>>> if $hostname == $$myhostname and $programname == [ ....] >>>>> then { >>>>> call send_log & stop >>>>> } >>>>> >>>>> } >>>>> >>>>> ruleset(name="send_log") >>>>> { >>>>> action(type="om*" .....) >>>>> } >>>>> >>>>> >>>>> Of course, this should be written/included before any omfile/other local >>>>> textlog actions. >>>>> --- >>>>> Best regards, >>>>> Eugene Istomin >>>>> >>>>> On Thursday, August 07, 2014 09:16:04 PM Ivan Lezhnjov IV wrote: >>>>>> Hello, >>>>>> >>>>>> I was wondering if it is possible to send messages that are coming in >>>>>> from >>>>>> text files monitored by imfile directly to a remote server. That is, >>>>>> these >>>>>> messages must never appear in any syslog log files on the client machine. >>>>>> >>>>>> The reason I'm looking for this sort of configuration is because it >>>>>> strikes >>>>>> me as redundant and utterly superfluous to duplicate other programs' log >>>>>> file in syslog. >>>>>> >>>>>> Ivan >>>>>> _______________________________________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com/professional-services/ >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>>>> of >>>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>>>>> LIKE THAT. >>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>> DON'T LIKE THAT. >>>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
