2015-07-13 15:18 GMT+02:00 Gerhardus Geldenhuis <[email protected]>: > Hi, > Thanks for the replies. I think the bulk of my problem was mixing old and > new config and I much further along to get something working. I have > discovered a few other niggles but will report back once I have something > working properly. As far as pull requests go, I would really consider doing > so but as always time is a factor.
yup - for everyone ;) And that is what it is like it currently is ;) > It does bug me so much that I must just > end up doing it for the documentation. I will give debug mode a go. > > Regards > > On 13 July 2015 at 13:17, Rainer Gerhards <[email protected]> wrote: > >> 2015-07-10 13:40 GMT+02:00 Gerhardus Geldenhuis >> <[email protected]>: >> > Hi >> > I am struggling a bit to get rsyslog to work as described. >> > >> > <rant> >> > Firstly the documentation is a struggle. There is some reference to old >> and >> > new style configuration but no clear differentiation between the two. >> What >> > makes it more confusing is that documents like >> > http://www.rsyslog.com/doc/queues.html then refers to what looks like >> the >> > old style of config and none of the examples contains new syntax >> examples. >> > >> > There was also an expectation that the new rsyslog package would install >> a >> > new style config but that turned out to be not the case. I deleted the >> > config file and did a yum reinstall just to be sure. >> > </rant> >> >> well, this is open source. Pull requests are always appreciated, >> anything else happens as time permits ;) >> >> > >> > OS: CentOS 7 >> > RSyslog: >> > rsyslog-8.11.0-1.el7.x86_64 >> > rsyslog-relp-8.11.0-1.el7.x86_64 >> > rsyslog-gnutls-8.11.0-1.el7.x86_64 >> > >> > So basically what I am trying to achieve is the following: >> > >> > - Log remotely to a rsyslog server >> > - Turn off the remote server ( via firewall ) >> > - Have logs be cached locally and saved to disk >> > - Restart client server >> > - Turn remote server back on >> > - See cached logs appear in the remote server >> > >> > It does not work... >> > >> > - So more specifically, if I turn the firewall off, log a few messages >> > and turn it back on then the caching works and I get the messages. >> > - If however I restart the client server, the logs never make it to >> the >> > remote sever, I can see the logs in the cached file but it does not >> get >> > send to the remote server. >> > >> > My config on the client: >> > #### MODULES #### >> > module(load="imuxsock") # provides support for local system logging (e.g. >> > via logger command) >> > module(load="imklog") # provides kernel logging support (previously >> done >> > by rklogd) >> > >> > #### GLOBAL DIRECTIVES #### >> > $IncludeConfig /etc/rsyslog.d/*.conf >> > >> > #### RULES #### >> > >> > *.info;mail.none;authpriv.none;cron.none /var/log/messages >> > authpriv.* /var/log/secure >> > mail.* /var/log/maillog >> > cron.* /var/log/cron >> > *.emerg :omusrmsg:* >> > uucp,news.crit /var/log/spooler >> > local7.* /var/log/boot.log >> > >> > # ### begin forwarding rule ### >> > $WorkDirectory /var/lib/rsyslog # where to place spool files >> > $MainMsgQueueFileName LocalCaching # unique name prefix for spool files >> > $MainMsgQueueSaveOnShutdown on # save messages to disk on shutdown >> > # $MainMsgQueueType LinkedList >> > $MainMsgQueueType Disk >> > $MainMsgResumeRetryCount -1 # infinite retries if host is down >> > >> > *.* @@192.168.8.253:514 >> > >> > # ### end of the forwarding rule ### >> > >> > My config on the remote server: >> > module(load="imuxsock") # provides support for local system logging (e.g. >> > via logger command) >> > module(load="imklog") # provides kernel logging support (previously >> done >> > by rklogd) >> > module(load="imtcp") # needs to be done just once >> > input(type="imtcp" port="514") >> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> > $IncludeConfig /etc/rsyslog.d/*.conf >> > *.info;mail.none;authpriv.none;cron.none /var/log/messages >> > authpriv.* /var/log/secure >> > mail.* /var/log/maillog >> > cron.* /var/log/cron >> > *.emerg :omusrmsg:* >> > uucp,news.crit /var/log/spooler >> > local7.* >> > >> > Any pointers would be appreciated. I am hoping I am missing something >> > obvious or misunderstanding what I am suppose to be doing. >> > >> >> You should run rsyslog in such a situation in debug mode.From the >> debug log, we can see why it thinks it can't deliver to the remote >> system (well, hopefully ;)). >> >> HTH >> Rainer >> >> > Regards >> > >> > -- >> > Gerhardus Geldenhuis >> > _______________________________________________ >> > rsyslog mailing list >> > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > http://www.rsyslog.com/professional-services/ >> > What's up with rsyslog? Follow https://twitter.com/rgerhards >> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> > > > > -- > Gerhardus Geldenhuis > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
