Ok, I thought it would read the files in the conf file top-down. It doesn't look like lines are being intermingled, however the files are similar, just that the first file would end before it should, and the second one would start, and even then it doesn't seem to get the first few lines.
Admittedly, I don't know rsyslog that well, but I'm not sure what you mean by new config format. Are referring to how my config is using the legacy configuration? For the most part here, they've been using the legacy format so I am somewhat accustomed to using it. I'll try the new-age format once I get this to work :). It does look much cleaner than legacy The template I used is because they use something similar here for other log files. On the client, it is rsyslogd 3.22.1, they probably haven't patched it because it is a prod server and they were just using it with its default config. The server is rsyslogd 5.8.10. Thanks David -----Original Message----- From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang Sent: Friday, March 27, 2015 10:04 PM To: rsyslog-users Subject: Re: [rsyslog] Sending file to remote rsyslog server Rsyslog doesn't read one file entirely then read the other one. It watches both files at the same time and grabs new lines that show up in them. As a result, lines will be intermingled from both files Also, I just notices that you set the facility after you do the filerunmonitor, that means that the facility won't have an effect on that first section. you really should run something current enough to use the new config format. it will make it much clearer as to what's going on. I also don't know what you are trying to do with the templates. Again, using the new config format would make what is happening much clearer. What version are you running? David Lang On Fri, 27 Mar 2015, Bautista, Ramon wrote: > Date: Fri, 27 Mar 2015 20:42:44 +0000 > From: "Bautista, Ramon" <rbauti...@novantas.com> > Reply-To: rsyslog-users <rsyslog@lists.adiscon.com> > To: rsyslog-users <rsyslog@lists.adiscon.com> > Subject: Re: [rsyslog] Sending file to remote rsyslog server > > Hi David, I'm currently looking into that debugformat line. I'm going to add > it to my client server after this email. However, I figured out why I was > getting the duplicate lines. The " if $programname == 'AuditReport' then > @rsyslogserver01" was the culprit. Thanks for helping me figure that out. > That's all set now. Now I am trying to do more than one file at a time in > the same rsyslog.conf file, but it seems to stop the first file prematurely, > and start the second, but even then, it doesn't get the entire file. Not sure > if I should send a new email for that, but if you have any suggestions, I'm > all ears. I'm going to try to figure this one want before I go to the > forums/mailing list. This is my config now: > > > $InputFileName /home/user/weeklyReport.txt $InputFileTag AuditReport > $InputFileStateFile AuditReport-stat $InputFileSeverity info > #$InputFilePersistStateInterval 60 $InputRunFileMonitor > $InputFileFacility local5 > > $template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n" > > $InputFileName /home/user/weeklyReport2.txt $InputFileTag AuditReport2 > $InputFileStateFile AuditReport2-stat $InputFileSeverity info > #$InputFilePersistStateInterval 60 $InputRunFileMonitor > $InputFileFacility local6 > > > $template AuditReport2,"%timestamp:::date-rfc3164% %HOSTNAME%\n" > > -----Original Message----- > From: rsyslog-boun...@lists.adiscon.com > [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang > Sent: Friday, March 27, 2015 3:28 PM > To: rsyslog-users > Subject: Re: [rsyslog] Sending file to remote rsyslog server > > a couple of things to start with > > First, write logs using the RSYSLOG_DebugFormat so you can see > everything about the log message > > If you are getting logs showing up twice, you probably have two rules that > are matching the file. What file are the duplicate logs showing up in? > > It looks like you have two rules that send the logs out. If they are being > sent to the same destination, then the receiving system will see the log > arrive twice. > > Does this get you started? > > > On Fri, 27 Mar 2015, Bautista, Ramon wrote: > >> Date: Fri, 27 Mar 2015 17:27:35 +0000 >> From: "Bautista, Ramon" <rbauti...@novantas.com> >> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com> >> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com> >> Subject: [rsyslog] Sending file to remote rsyslog server >> >> Hello, I am having trouble sending a file that I created to my remote >> rsyslog server. The server is fine and is receiving logs from other clients >> on my network, so I am pretty sure it is my config that isn't working. I >> have a file that is generated weekly that I want sent to my remote server. >> When I restart my rsylsog, it sends the file to the remote server, but it >> duplicates every line on the server end. For example, here is a piece of the >> file called weeklyReport.txt: >> >> ######################################################## >> ####### Audit Report on : schema01 ################# >> ######################################################## >> >> DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST >> --------------- --------------- --------------- >> ------------------------------ ---------------------------- >> --------------- ------------------------------ >> 03142015:0000 schema_user schema_user mon_queue EXECUTE PROCEDURE >> oracle server01.domain.com >> 03142015:0000 schema_user schema_user mon_woker SELECT oracle >> server01.domain.com >> >> on the rsyslog server, it will show up as: >> >> Mar 23 17:32:51 server01 AuditReport >> ######################################################## >> Mar 23 17:32:51 server01 AuditReport >> ######################################################## >> Mar 23 17:32:51 server01 AuditReport ####### Audit Report on : >> schema01 ################# Mar 23 17:32:51 server01 AuditReport >> ####### Audit Report on : schema01 ################# Mar 23 17:32:51 >> server01 AuditReport >> ######################################################## >> Mar 23 17:32:51 server01 AuditReport >> ######################################################## >> Mar 23 17:32:51 server01 AuditReport DATE_TIME USERNAME OWNER >> OBJ_NAME ACTION_NAME OS_USERNAME USERHOST Mar 23 17:32:51 server01 >> AuditReport DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME >> USERHOST Mar >> 23 17:32:51 server01 AuditReport --------------- --------------- >> --------------- ------------------------------ ---------------------------- >> --------------- ------------------------------ Mar 23 17:32:51 server01 >> AuditReport --------------- --------------- --------------- >> ------------------------------ ---------------------------- --------------- >> ------------------------------ etc... >> >> This is my config on server01: >> >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> >> # Provides kernel logging support (previously done by rklogd) >> $ModLoad imklog # Provides support for local system logging (e.g. via >> logger >> command) $ModLoad imuxsock >> >> # Log all kernel messages to the console. >> # Logging much else clutters up the screen. >> #kern.* /dev/console >> >> # Log anything (except mail) of level info or higher. >> # Don't log private authentication messages! >> *.info;mail.none;authpriv.none;cron.none /var/log/messages >> >> # The authpriv file has restricted access. >> authpriv.* /var/log/secure >> >> # Log all the mail messages in one place. >> mail.* -/var/log/maillog >> >> # Log cron stuff >> cron.* /var/log/cron >> >> # Everybody gets emergency messages >> *.emerg * >> >> # Save news errors of level crit and higher in a special file. >> uucp,news.crit /var/log/spooler >> >> # Save boot messages also to boot.log >> local7.* /var/log/boot.log >> *.* @server01 >> >> $ModLoad imfile >> >> $InputFileName /home/user/weeklyReport.txt $InputFileTag AuditReport >> #$InputFileStateFile AuditReport $InputFileSeverity info >> #$InputFilePersistStateInterval 60 $InputRunFileMonitor >> $InputFileFacility local5 >> >> $template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n" >> if $programname == 'AuditReport' then @rsyslogserver01 if >> $programname == 'AuditReport' then ~ >> >> I'm not sure what am I missing or overlooking here. The restart of >> rsyslog looks fine and even outputs the file fine in /var/log/messages. >> >> The second thing is that I want to send out more than one file as >> well, but the rsyslog seems to cut off part of the second file, but i >> first would like to get the top resolved first. Many thanks in >> advance for your help or pointing me in the right direction. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This > is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our > control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. > > IMPORTANT NOTICE: The information contained within this message and any > attachment is intended only for the use of the individual or entity to whom > it is addressed and may contain information that is privileged, confidential > and exempt from disclosure under applicable law. If you have received this > communication in error, please notify the sender by reply e-mail and delete > the message and any attachments immediately. Statements or opinions in this > message and any attachment not related to the official business of Novantas > are those of the author, and are not necessarily agreed or endorsed by > Novantas, Inc. We reserve the right to monitor emails sent or received for > operational or business reasons as permitted by law. No representation is > made that this message or its attachments are without defect. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites > beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. IMPORTANT NOTICE: The information contained within this message and any attachment is intended only for the use of the individual or entity to whom it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please notify the sender by reply e-mail and delete the message and any attachments immediately. Statements or opinions in this message and any attachment not related to the official business of Novantas are those of the author, and are not necessarily agreed or endorsed by Novantas, Inc. We reserve the right to monitor emails sent or received for operational or business reasons as permitted by law. No representation is made that this message or its attachments are without defect. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
