Re: [rsyslog] Sending file to remote rsyslog server

David Lang Fri, 27 Mar 2015 19:13:17 -0700

Rsyslog doesn't read one file entirely then read the other one. It watches bothfiles at the same time and grabs new lines that show up in them. As a result,lines will be intermingled from both files

Also, I just notices that you set the facility after you do the filerunmonitor,that means that the facility won't have an effect on that first section. youreally should run something current enough to use the new config format. it willmake it much clearer as to what's going on.

I also don't know what you are trying to do with the templates. Again, using thenew config format would make what is happening much clearer. What version areyou running?


David Lang

On Fri, 27 Mar 2015, Bautista, Ramon wrote:

Date: Fri, 27 Mar 2015 20:42:44 +0000
From: "Bautista, Ramon" <rbauti...@novantas.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Sending file to remote rsyslog server

Hi David, I'm currently looking into that debugformat line.  I'm going to add it to my 
client server after this email. However, I figured out why I was getting the duplicate 
lines.  The " if $programname == 'AuditReport' then @rsyslogserver01" was the 
culprit.  Thanks for helping me figure that out. That's all set now.  Now I am trying to 
do more than one file at a time in the same rsyslog.conf file, but it seems to stop the 
first file prematurely, and start the second, but even then, it doesn't get the entire 
file. Not sure if I should send a new email for that, but if you have any suggestions, 
I'm all ears.  I'm going to try to figure this one want before I go to the forums/mailing 
list.  This is my config now:

$InputFileName /home/user/weeklyReport.txt
$InputFileTag AuditReport
$InputFileStateFile AuditReport-stat
$InputFileSeverity info
#$InputFilePersistStateInterval 60
$InputRunFileMonitor
$InputFileFacility local5

$template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n"

$InputFileName /home/user/weeklyReport2.txt
$InputFileTag AuditReport2
$InputFileStateFile AuditReport2-stat
$InputFileSeverity info
#$InputFilePersistStateInterval 60
$InputRunFileMonitor
$InputFileFacility local6

$template AuditReport2,"%timestamp:::date-rfc3164% %HOSTNAME%\n"

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Friday, March 27, 2015 3:28 PM
To: rsyslog-users
Subject: Re: [rsyslog] Sending file to remote rsyslog server

a couple of things to start with

First, write logs using the RSYSLOG_DebugFormat so you can see everything about 
the log message

If you are getting logs showing up twice, you probably have two rules that are 
matching the file. What file are the duplicate logs showing up in?

It looks like you have two rules that send the logs out. If they are being sent 
to the same destination, then the receiving system will see the log arrive 
twice.

Does this get you started?

On Fri, 27 Mar 2015, Bautista, Ramon wrote:

Date: Fri, 27 Mar 2015 17:27:35 +0000
From: "Bautista, Ramon" <rbauti...@novantas.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
Subject: [rsyslog] Sending file to remote rsyslog server

Hello, I am having trouble sending a file that I created to my remote rsyslog 
server. The server is fine and is receiving logs from other clients on my 
network, so I am pretty sure it is my config that isn't working. I have a file 
that is generated weekly that I want sent to my remote server. When I restart 
my rsylsog, it sends the file to the remote server, but it duplicates every 
line on the server end. For example, here is a piece of the file called 
weeklyReport.txt:

########################################################
####### Audit Report on : schema01 #################
########################################################

DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
--------------- --------------- ---------------
------------------------------ ----------------------------
--------------- ------------------------------
03142015:0000 schema_user schema_user mon_queue EXECUTE PROCEDURE
oracle server01.domain.com
03142015:0000 schema_user schema_user mon_woker SELECT oracle
server01.domain.com

on the rsyslog server, it will show up as:

Mar 23 17:32:51 server01 AuditReport
########################################################
Mar 23 17:32:51 server01 AuditReport
########################################################
Mar 23 17:32:51 server01 AuditReport ####### Audit Report on :
schema01 ################# Mar 23 17:32:51 server01 AuditReport
####### Audit Report on : schema01 ################# Mar 23 17:32:51
server01 AuditReport
########################################################
Mar 23 17:32:51 server01 AuditReport
########################################################
Mar 23 17:32:51 server01 AuditReport DATE_TIME USERNAME OWNER OBJ_NAME
ACTION_NAME OS_USERNAME USERHOST Mar 23 17:32:51 server01 AuditReport
DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST Mar
23 17:32:51 server01 AuditReport --------------- ---------------
--------------- ------------------------------ ---------------------------- 
--------------- ------------------------------ Mar 23 17:32:51 server01 
AuditReport --------------- --------------- --------------- 
------------------------------ ---------------------------- --------------- 
------------------------------ etc...

This is my config on server01:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd) $ModLoad
imklog # Provides support for local system logging (e.g. via logger
command) $ModLoad imuxsock

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
*.* @server01

$ModLoad imfile

$InputFileName /home/user/weeklyReport.txt $InputFileTag AuditReport
#$InputFileStateFile AuditReport $InputFileSeverity info
#$InputFilePersistStateInterval 60 $InputRunFileMonitor
$InputFileFacility local5

$template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
if $programname == 'AuditReport' then @rsyslogserver01 if $programname
== 'AuditReport' then ~

I'm not sure what am I missing or overlooking here. The restart of
rsyslog looks fine and even outputs the file fine in /var/log/messages.

The second thing is that I want to send out more than one file as
well, but the rsyslog seems to cut off part of the second file, but i
first would like to get the top resolved first. Many thanks in advance
for your help or pointing me in the right direction.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is 
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our 
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

IMPORTANT NOTICE: The information contained within this message and any 
attachment is intended only for the use of the individual or entity to whom it 
is addressed and may contain information that is privileged, confidential and 
exempt from disclosure under applicable law. If you have received this 
communication in error, please notify the sender by reply e-mail and delete the 
message and any attachments immediately. Statements or opinions in this message 
and any attachment not related to the official business of Novantas are those 
of the author, and are not necessarily agreed or endorsed by Novantas, Inc. We 
reserve the right to monitor emails sent or received for operational or 
business reasons as permitted by law. No representation is made that this 
message or its attachments are without defect.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Sending file to remote rsyslog server

Reply via email to