On Mon, 30 Mar 2015, Bautista, Ramon wrote:

Ok, I thought it would read the files in the conf file top-down. It doesn't
look like lines are being intermingled, however the files are similar, just
that the first file would end before it should, and the second one would
start, and even then it doesn't seem to get the first few lines.

Admittedly, I don't know rsyslog that well, but I'm not sure what you mean by
new config format. Are you referring to how my config is using the legacy
configuration? For the most part here, they've been using the legacy format
so I am somewhat accustomed to using it. I'll try the new-age format once I
get this to work :). It does look much cleaner than legacy.

The template I used is because they use something similar here for other log
files. On the client, it is rsyslogd 3.22.1, they probably haven't patched it
because it is a prod server and they were just using it with its default
config. The server is rsyslogd 5.8.10. Thanks David

The new config format was introduced in rsyslog v6.

Rsyslog v3.22 was released almost a decade ago. Rsyslog 5.8.10 is still several
years old. The currently supported version is v8.9.

There have been so many changes and improvements between v3 and v8 that the
first thing that you should do is upgrade to a current version. Just about
anything you want to ask about has changed in this timeframe.

David Lang
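
The new config format mentioned in this reply, sketched for the two report files from the thread. This is an added example, not part of the original messages; it assumes a current v8 rsyslog on the client, and the ruleset name `auditForward` and the explicit port are assumptions.

```rsyslog
# Added example: new-format equivalent of the legacy imfile setup in this thread.
# Assumptions: v8 rsyslog on the client; the ruleset name "auditForward" is
# made up; UDP port 514 mirrors the single-@ forwarding used in the thread.

module(load="imfile")

# Dedicated ruleset: messages read from the report files pass through this
# ruleset only, so the default rules (including any "*.* @server" forward)
# never see them and each line leaves the client exactly once.
ruleset(name="auditForward") {
    action(type="omfwd" target="rsyslogserver01" port="514" protocol="udp")
}

# Each input() carries all of its own settings, so a facility can no longer
# end up after the statement that starts the monitor.
input(type="imfile"
      File="/home/user/weeklyReport.txt"
      Tag="AuditReport"
      Severity="info"
      Facility="local5"
      Ruleset="auditForward")

input(type="imfile"
      File="/home/user/weeklyReport2.txt"
      Tag="AuditReport2"
      Severity="info"
      Facility="local6"
      Ruleset="auditForward")
```

Running `rsyslogd -N1` checks the configuration for errors before the service is restarted.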
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Friday, March 27, 2015 10:04 PM
To: rsyslog-users
Subject: Re: [rsyslog] Sending file to remote rsyslog server
Rsyslog doesn't read one file entirely then read the other one. It watches both
files at the same time and grabs new lines that show up in them. As a result,
lines will be intermingled from both files.
Also, I just noticed that you set the facility after you do the filerunmonitor,
that means that the facility won't have an effect on that first section. You
really should run something current enough to use the new config format. It
will make it much clearer as to what's going on.
I also don't know what you are trying to do with the templates. Again, using
the new config format would make what is happening much clearer. What version
are you running?
David Lang
On Fri, 27 Mar 2015, Bautista, Ramon wrote:
Date: Fri, 27 Mar 2015 20:42:44 +0000
From: "Bautista, Ramon" <rbauti...@novantas.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Sending file to remote rsyslog server
Hi David, I'm currently looking into that debugformat line. I'm going to add it to my
client server after this email. However, I figured out why I was getting the duplicate
lines. The " if $programname == 'AuditReport' then @rsyslogserver01" was the
culprit. Thanks for helping me figure that out. That's all set now. Now I am trying to
do more than one file at a time in the same rsyslog.conf file, but it seems to stop the
first file prematurely, and start the second, but even then, it doesn't get the entire
file. Not sure if I should send a new email for that, but if you have any suggestions,
I'm all ears. I'm going to try to figure this one out before I go to the forums/mailing
list. This is my config now:
$InputFileName /home/user/weeklyReport.txt
$InputFileTag AuditReport
$InputFileStateFile AuditReport-stat
$InputFileSeverity info
#$InputFilePersistStateInterval 60
$InputRunFileMonitor
$InputFileFacility local5
$template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
$InputFileName /home/user/weeklyReport2.txt
$InputFileTag AuditReport2
$InputFileStateFile AuditReport2-stat
$InputFileSeverity info
#$InputFilePersistStateInterval 60
$InputRunFileMonitor
$InputFileFacility local6
$template AuditReport2,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Friday, March 27, 2015 3:28 PM
To: rsyslog-users
Subject: Re: [rsyslog] Sending file to remote rsyslog server
A couple of things to start with.
First, write logs using the RSYSLOG_DebugFormat so you can see
everything about the log message
If you are getting logs showing up twice, you probably have two rules that are
matching the file. What file are the duplicate logs showing up in?
It looks like you have two rules that send the logs out. If they are being sent
to the same destination, then the receiving system will see the log arrive
twice.
Does this get you started?
On Fri, 27 Mar 2015, Bautista, Ramon wrote:
Date: Fri, 27 Mar 2015 17:27:35 +0000
From: "Bautista, Ramon" <rbauti...@novantas.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
Subject: [rsyslog] Sending file to remote rsyslog server
Hello, I am having trouble sending a file that I created to my remote rsyslog
server. The server is fine and is receiving logs from other clients on my
network, so I am pretty sure it is my config that isn't working. I have a file
that is generated weekly that I want sent to my remote server. When I restart
my rsyslog, it sends the file to the remote server, but it duplicates every
line on the server end. For example, here is a piece of the file called
weeklyReport.txt:
########################################################
####### Audit Report on : schema01 #################
########################################################
DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
--------------- --------------- --------------- ------------------------------ ---------------------------- --------------- ------------------------------
03142015:0000 schema_user schema_user mon_queue EXECUTE PROCEDURE oracle server01.domain.com
03142015:0000 schema_user schema_user mon_woker SELECT oracle server01.domain.com
On the rsyslog server, it will show up as:
Mar 23 17:32:51 server01 AuditReport ########################################################
Mar 23 17:32:51 server01 AuditReport ########################################################
Mar 23 17:32:51 server01 AuditReport ####### Audit Report on : schema01 #################
Mar 23 17:32:51 server01 AuditReport ####### Audit Report on : schema01 #################
Mar 23 17:32:51 server01 AuditReport ########################################################
Mar 23 17:32:51 server01 AuditReport ########################################################
Mar 23 17:32:51 server01 AuditReport DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
Mar 23 17:32:51 server01 AuditReport DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
Mar 23 17:32:51 server01 AuditReport --------------- --------------- --------------- ------------------------------ ---------------------------- --------------- ------------------------------
Mar 23 17:32:51 server01 AuditReport --------------- --------------- --------------- ------------------------------ ---------------------------- --------------- ------------------------------
etc...
This is my config on server01:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
*.* @server01
$ModLoad imfile
$InputFileName /home/user/weeklyReport.txt
$InputFileTag AuditReport
#$InputFileStateFile AuditReport
$InputFileSeverity info
#$InputFilePersistStateInterval 60
$InputRunFileMonitor
$InputFileFacility local5
$template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
if $programname == 'AuditReport' then @rsyslogserver01
if $programname == 'AuditReport' then ~
I'm not sure what am I missing or overlooking here. The restart of
rsyslog looks fine and even outputs the file fine in /var/log/messages.
The second thing is that I want to send out more than one file as
well, but the rsyslog seems to cut off part of the second file, but I
first would like to get the top resolved first. Many thanks in
advance for your help or pointing me in the right direction.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
IMPORTANT NOTICE: The information contained within this message and any
attachment is intended only for the use of the individual or entity to whom it
is addressed and may contain information that is privileged, confidential and
exempt from disclosure under applicable law. If you have received this
communication in error, please notify the sender by reply e-mail and delete the
message and any attachments immediately. Statements or opinions in this message
and any attachment not related to the official business of Novantas are those
of the author, and are not necessarily agreed or endorsed by Novantas, Inc. We
reserve the right to monitor emails sent or received for operational or
business reasons as permitted by law. No representation is made that this
message or its attachments are without defect.