I would need to get approval before updating the rsyslog for some of our prod 
servers. I may ask the guys to just add it to part of their monthly patching. I 
know a few emails ago you brought up the fact that rsyslog monitors multiple 
files in the rsyslog.conf at the same time. Could you expand on that a bit 
more?  I can't figure out why sometimes when I look to see if the file was sent 
to the log server, if you look at the following config, report01 would stop 
before the end of file, and report02 will start and also not even finish. In 
other words, report01 is 87mb big on the client server, but on the log server, 
it stops prematurely at 34mb. Report02 is 187mb on the client server, but only 
sends 81mb to the log server. Those files aren't being written to, so I don't 
think I need to poll them. Could it be a facility issue?  Probably an upgrade 
would fix it as well.  Thanks again.

...
$ModLoad imfile

$InputFileName /home/user/report01.txt
$InputFileTag report01
$InputFileStateFile report01-Audit
$InputFileFacility local3
$InputRunFileMonitor

$InputFileName /home/user/report02.txt
$InputFileTag report02
$InputFileStateFile report02-Audit
$InputFileFacility local4
$InputRunFileMonitor
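
Added example, not part of the thread and not rsyslog code: a small Python check for the ordering problem pointed out in the quoted 27 March reply, where a setting placed after `$InputRunFileMonitor` has no effect on the monitor that line started. The function name `audit_imfile` and the "late directive" heuristic are assumptions; the sample text is the 27 March config from this thread, reflowed to one directive per line.

```python
import re

DIRECTIVE = re.compile(r"^\$(Input\w+)\s*(.*)$")

def audit_imfile(conf_text):
    """Group legacy imfile directives by the $InputRunFileMonitor that commits them.

    Returns (monitors, late). `monitors` holds the settings that preceded each
    $InputRunFileMonitor. `late` lists (line, directive, file) for settings that
    follow a monitor start although that monitor never had them set (heuristic).
    """
    monitors, late, pending = [], [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(raw.strip())
        if not m:                      # blank lines, comments, non-imfile directives
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "InputRunFileMonitor":
            monitors.append(pending)   # monitor starts with what was set so far
            pending = {}
        elif (monitors and not pending and name != "InputFileName"
              and name not in monitors[-1]):
            # Set right after a monitor start, and that monitor lacked it.
            late.append((lineno, name, monitors[-1].get("InputFileName")))
        else:
            pending[name] = value
    return monitors, late

# Sample input: the thread's 27 March config, one directive per line.
SAMPLE = """\
$ModLoad imfile
$InputFileName /home/user/weeklyReport.txt
$InputFileTag AuditReport
$InputFileStateFile AuditReport-stat
$InputFileSeverity info
#$InputFilePersistStateInterval 60
$InputRunFileMonitor
$InputFileFacility local5
$InputFileName /home/user/weeklyReport2.txt
$InputFileTag AuditReport2
$InputFileStateFile AuditReport2-stat
$InputFileSeverity info
$InputRunFileMonitor
$InputFileFacility local6
"""

if __name__ == "__main__":
    for lineno, name, path in audit_imfile(SAMPLE)[1]:
        print(f"line {lineno}: ${name} comes after the monitor for {path} was started")
```

Run against the report01/report02 config above, where each `$InputFileFacility` precedes its `$InputRunFileMonitor`, the check reports nothing.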

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, March 30, 2015 2:21 PM
To: rsyslog-users
Subject: Re: [rsyslog] Sending file to remote rsyslog server

On Mon, 30 Mar 2015, Bautista, Ramon wrote:

> Ok, I thought it would read the files in the conf file top-down. It
> doesn't look like lines are being intermingled, however the files are
> similar, just that the first file would end before it should, and the
> second one would start, and even then it doesn't seem to get the first few 
> lines.
>
> Admittedly, I don't know rsyslog that well, but I'm not sure what you
> mean by new config format.  Are you referring to how my config is using
> the legacy configuration?  For the most part here, they've been using
> the legacy format so I am somewhat accustomed to using it.  I'll try
> the new-age format once I get this to work :).  It does look much
> cleaner than legacy
>
> The template I used is because they use something similar here for
> other log files.  On the client, it is rsyslogd 3.22.1, they probably
> haven't patched it because it is a prod server and they were just
> using it with its default config.  The server is rsyslogd 5.8.10.
> Thanks David

The new config format was introduced in rsyslog v6.

Rsyslog v3.22 was released almost a decade ago. Rsyslog 5.8.10 is still several 
years old. The currently supported version is v8.9.

There have been so many changes and improvements between v3 and v8 that the 
first thing that you should do is upgrade to a current version. Just about 
anything you want to ask about has changed in this timeframe.

David Lang

> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Friday, March 27, 2015 10:04 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Sending file to remote rsyslog server
>
> Rsyslog doesn't read one file entirely then read the other one. It
> watches both files at the same time and grabs new lines that show up
> in them. As a result, lines will be intermingled from both files
>
> Also, I just noticed that you set the facility after you do the 
> filerunmonitor, that means that the facility won't have an effect on that 
> first section. You really should run something current enough to use the new 
> config format. It will make it much clearer as to what's going on.
>
> I also don't know what you are trying to do with the templates. Again, using 
> the new config format would make what is happening much clearer. What version 
> are you running?
>
> David Lang
>
> On Fri, 27 Mar 2015, Bautista, Ramon wrote:
>
>> Date: Fri, 27 Mar 2015 20:42:44 +0000
>> From: "Bautista, Ramon" <rbauti...@novantas.com>
>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] Sending file to remote rsyslog server
>>
>> Hi David, I'm currently looking into that debugformat line.  I'm going to 
>> add it to my client server after this email. However, I figured out why I 
>> was getting the duplicate lines.  The " if $programname == 'AuditReport' 
>> then @rsyslogserver01" was the culprit.  Thanks for helping me figure that 
>> out. That's all set now.  Now I am trying to do more than one file at a time 
>> in the same rsyslog.conf file, but it seems to stop the first file 
>> prematurely, and start the second, but even then, it doesn't get the entire 
>> file. Not sure if I should send a new email for that, but if you have any 
>> suggestions, I'm all ears.  I'm going to try to figure this one out before 
>> I go to the forums/mailing list.  This is my config now:
>>
>>
>> $InputFileName /home/user/weeklyReport.txt
>> $InputFileTag AuditReport
>> $InputFileStateFile AuditReport-stat
>> $InputFileSeverity info
>> #$InputFilePersistStateInterval 60
>> $InputRunFileMonitor
>> $InputFileFacility local5
>>
>> $template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
>>
>> $InputFileName /home/user/weeklyReport2.txt
>> $InputFileTag AuditReport2
>> $InputFileStateFile AuditReport2-stat
>> $InputFileSeverity info
>> #$InputFilePersistStateInterval 60
>> $InputRunFileMonitor
>> $InputFileFacility local6
>>
>> $template AuditReport2,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
>>
>> -----Original Message-----
>> From: rsyslog-boun...@lists.adiscon.com
>> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
>> Sent: Friday, March 27, 2015 3:28 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Sending file to remote rsyslog server
>>
>> a couple of things to start with
>>
>> First, write logs using the RSYSLOG_DebugFormat so you can see
>> everything about the log message
>>
>> If you are getting logs showing up twice, you probably have two rules that 
>> are matching the file. What file are the duplicate logs showing up in?
>>
>> It looks like you have two rules that send the logs out. If they are being 
>> sent to the same destination, then the receiving system will see the log 
>> arrive twice.
>>
>> Does this get you started?
>>
>>
>> On Fri, 27 Mar 2015, Bautista, Ramon wrote:
>>
>>> Date: Fri, 27 Mar 2015 17:27:35 +0000
>>> From: "Bautista, Ramon" <rbauti...@novantas.com>
>>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>>> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
>>> Subject: [rsyslog] Sending file to remote rsyslog server
>>>
>>> Hello, I am having trouble sending a file that I created to my remote 
>>> rsyslog server. The server is fine and is receiving logs from other clients 
>>> on my network, so I am pretty sure it is my config that isn't working. I 
>>> have a file that is generated weekly that I want sent to my remote server. 
>>> When I restart my rsyslog, it sends the file to the remote server, but it 
>>> duplicates every line on the server end. For example, here is a piece of 
>>> the file called weeklyReport.txt:
>>>
>>> ########################################################
>>> ####### Audit Report on : schema01 #################
>>> ########################################################
>>>
>>> DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
>>> --------------- --------------- --------------- ------------------------------ ---------------------------- --------------- ------------------------------
>>> 03142015:0000 schema_user schema_user mon_queue EXECUTE PROCEDURE oracle server01.domain.com
>>> 03142015:0000 schema_user schema_user mon_woker SELECT oracle server01.domain.com
>>>
>>> on the rsyslog server, it will show up as:
>>>
>>> Mar 23 17:32:51 server01 AuditReport ########################################################
>>> Mar 23 17:32:51 server01 AuditReport ########################################################
>>> Mar 23 17:32:51 server01 AuditReport ####### Audit Report on : schema01 #################
>>> Mar 23 17:32:51 server01 AuditReport ####### Audit Report on : schema01 #################
>>> Mar 23 17:32:51 server01 AuditReport ########################################################
>>> Mar 23 17:32:51 server01 AuditReport ########################################################
>>> Mar 23 17:32:51 server01 AuditReport DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
>>> Mar 23 17:32:51 server01 AuditReport DATE_TIME USERNAME OWNER OBJ_NAME ACTION_NAME OS_USERNAME USERHOST
>>> Mar 23 17:32:51 server01 AuditReport --------------- --------------- --------------- ------------------------------ ---------------------------- --------------- ------------------------------
>>> Mar 23 17:32:51 server01 AuditReport --------------- --------------- --------------- ------------------------------ ---------------------------- --------------- ------------------------------
>>> etc...
>>>
>>> This is my config on server01:
>>>
>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>
>>> # Provides kernel logging support (previously done by rklogd)
>>> $ModLoad imklog
>>> # Provides support for local system logging (e.g. via logger command)
>>> $ModLoad imuxsock
>>>
>>> # Log all kernel messages to the console.
>>> # Logging much else clutters up the screen.
>>> #kern.*                                                 /dev/console
>>>
>>> # Log anything (except mail) of level info or higher.
>>> # Don't log private authentication messages!
>>> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>>>
>>> # The authpriv file has restricted access.
>>> authpriv.*                                              /var/log/secure
>>>
>>> # Log all the mail messages in one place.
>>> mail.*                                                  -/var/log/maillog
>>>
>>> # Log cron stuff
>>> cron.*                                                  /var/log/cron
>>>
>>> # Everybody gets emergency messages
>>> *.emerg                                                 *
>>>
>>> # Save news errors of level crit and higher in a special file.
>>> uucp,news.crit                                          /var/log/spooler
>>>
>>> # Save boot messages also to boot.log
>>> local7.*                                                /var/log/boot.log
>>> *.* @server01
>>>
>>> $ModLoad imfile
>>>
>>> $InputFileName /home/user/weeklyReport.txt
>>> $InputFileTag AuditReport
>>> #$InputFileStateFile AuditReport
>>> $InputFileSeverity info
>>> #$InputFilePersistStateInterval 60
>>> $InputRunFileMonitor
>>> $InputFileFacility local5
>>>
>>> $template AuditReport,"%timestamp:::date-rfc3164% %HOSTNAME%\n"
>>> if $programname == 'AuditReport' then @rsyslogserver01
>>> if $programname == 'AuditReport' then ~
>>>
>>> I'm not sure what I am missing or overlooking here. The restart of
>>> rsyslog looks fine and even outputs the file fine in /var/log/messages.
>>>
>>> The second thing is that I want to send out more than one file as
>>> well, but the rsyslog seems to cut off part of the second file, but
>>> I first would like to get the top resolved first. Many thanks in
>>> advance for your help or pointing me in the right direction.
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This 
>> is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our 
>> control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>>
>> IMPORTANT NOTICE: The information contained within this message and any 
>> attachment is intended only for the use of the individual or entity to whom 
>> it is addressed and may contain information that is privileged, confidential 
>> and exempt from disclosure under applicable law. If you have received this 
>> communication in error, please notify the sender by reply e-mail and delete 
>> the message and any attachments immediately. Statements or opinions in this 
>> message and any attachment not related to the official business of Novantas 
>> are those of the author, and are not necessarily agreed or endorsed by 
>> Novantas, Inc. We reserve the right to monitor emails sent or received for 
>> operational or business reasons as permitted by law. No representation is 
>> made that this message or its attachments are without defect.