You need to specify them in the ruleset object, e.g. ruleset(name="remote" parser=["rsyslog.srcipinject","rsyslog.lastline", ... ]);
I think this is not well documented. Rainer 2016-06-16 15:28 GMT+02:00 Christopher Racky <[email protected]>: > Hello, > > I have the issue, that with rulesets only the 2 default Parsers are > used, but without rulesets the load parsers are applied. > Is this a missconfiguration or understanding issue? > Do you have some hints? > > regards > Chris > > > I have the following configuration: > ------------------------------------rsyslog.conf------------------------------------ > global ( > net.enabledns="off" > ) > $modload pmsrcipinject > $modload pmlastmsg > $modload pmaixforwardedfrom > $rulesetparser rsyslog.srcipinject > $rulesetparser rsyslog.lastline > $rulesetparser rsyslog.aixforwardedfrom > $rulesetparser rsyslog.rfc5424 > $rulesetparser rsyslog.rfc3164 > module(load="imuxsock") # provides support for local system logging > (e.g. via logger command) > module(load="imklog") # provides kernel logging support (previously > done by rklogd) > module(load="imudp") > input (type="imudp" port="514" ruleset="remote") > #### GLOBAL DIRECTIVES #### > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > ruleset(name="remote"){ > $rulesetparser rsyslog.srcipinject > $rulesetparser rsyslog.lastline > $rulesetparser rsyslog.aixforwardedfrom > $rulesetparser rsyslog.rfc5424 > $rulesetparser rsyslog.rfc3164 > *.* /var/log/output.log;RSYSLOG_DebugFormat > stop > } > ------------------------------------------------------------------------------------------------ > > When I do not use rulesets, the output.message is correctly processing > the all 5 message-parsers. > But when I use rulsets in debug I can see for the ruleset only the 2 > Default Parsers are processed. > > See here: > ------------------------------------------------------------------------------------------------ > 9125.288246895:main thread : processinternalmessages: (unset) > 9125.288268911:main thread : cnf:global:cfsysline: $modload pmsrcipinject > 9125.288284929:main thread : Requested to load module 'pmsrcipinject' > 9125.288289686:main thread : loading module > '/lib64/rsyslog/pmsrcipinject.so' > 9125.288343939:main thread : srcipinject parser init called, > compiled with version 8.18.0 > 9125.288350754:main thread : module pmsrcipinject of type 3 being > loaded (keepType=0). > 9125.288354029:main thread : entry point 'setModCnf' not present in module > 9125.288356922:main thread : entry point 'getModCnfName' not > present in module > 9125.288359713:main thread : entry point 'beginCnfLoad' not present in > module > 9125.288362387:main thread : entry point 'parse2' not present in module > 9125.288366220:main thread : DDDDD: added parser > 'rsyslog.srcipinject' to list 0x7fb63f0899a8 > 9125.288369035:main thread : Parser 'rsyslog.srcipinject' added to > list of available parsers. > 9125.288374739:main thread : cnf:global:cfsysline: $modload pmlastmsg > 9125.288380281:main thread : Requested to load module 'pmlastmsg' > 9125.288383695:main thread : loading module '/lib64/rsyslog/pmlastmsg.so' > 9125.288438324:main thread : lastmsg parser init called, compiled > with version 8.18.0 > 9125.288545207:main thread : module pmlastmsg of type 3 being > loaded (keepType=0). > 9125.288551770:main thread : entry point 'setModCnf' not present in module > 9125.288554637:main thread : entry point 'getModCnfName' not > present in module > 9125.288567701:main thread : entry point 'beginCnfLoad' not present in > module > 9125.288570612:main thread : entry point 'parse2' not present in module > 9125.288581066:main thread : DDDDD: added parser 'rsyslog.lastline' > to list 0x7fb63f0899a8 > 9125.288584073:main thread : Parser 'rsyslog.lastline' added to > list of available parsers. > 9125.288590302:main thread : cnf:global:cfsysline: $modload > pmaixforwardedfrom > 9125.288596316:main thread : Requested to load module 'pmaixforwardedfrom' > 9125.288600167:main thread : loading module > '/lib64/rsyslog/pmaixforwardedfrom.so' > 9125.288660648:main thread : aixforwardedfrom parser init called, > compiled with version 8.18.0 > 9125.288668453:main thread : module pmaixforwardedfrom of type 3 > being loaded (keepType=0). > 9125.288671692:main thread : entry point 'setModCnf' not present in module > 9125.288674407:main thread : entry point 'getModCnfName' not > present in module > 9125.288677039:main thread : entry point 'beginCnfLoad' not present in > module > 9125.288679686:main thread : entry point 'parse2' not present in module > 9125.288683583:main thread : DDDDD: added parser > 'rsyslog.aixforwardedfrom' to list 0x7fb63f0899a8 > 9125.288686410:main thread : Parser 'rsyslog.aixforwardedfrom' > added to list of available parsers. > > ------------------------------------------------------------------------------------------------ > ... > 9125.292019118:main thread : All Rulesets: > 9125.292021672:main thread : ruleset 0x7fb63f342170: rsyslog > ruleset RSYSLOG_DefaultRuleset: > 9125.292024628:main thread : ACTION 0 > [builtin:omfile:/var/log/alllog;RSYSLOG_DebugFormat] > 9125.292027170:main thread : ruleset 0x7fb63f342170: ruleset > RSYSLOG_DefaultRuleset assigned parser list: > 9125.292029861:main thread : parser: rsyslog.srcipinject > 9125.292032346:main thread : parser: rsyslog.lastline > 9125.292034806:main thread : parser: rsyslog.aixforwardedfrom > 9125.292037228:main thread : parser: rsyslog.rfc5424 > 9125.292039648:main thread : parser: rsyslog.rfc3164 > 9125.292042021:main thread : parser: rsyslog.srcipinject > 9125.292044382:main thread : parser: rsyslog.lastline > 9125.292046759:main thread : parser: rsyslog.aixforwardedfrom > 9125.292049162:main thread : parser: rsyslog.rfc5424 > 9125.292051499:main thread : parser: rsyslog.rfc3164 > 9125.292053896:main thread : ruleset 0x7fb63f355fb0: rsyslog ruleset > remote: > 9125.292056753:main thread : ACTION 1 > [builtin:omfile:/var/log/remotetest.log;RSYSLOG_DebugFormat] > 9125.292062732:main thread : STOP > 9125.292065419:main thread : ruleset 0x7fb63f355fb0: ruleset remote > assigned parser list: > 9125.292068039:main thread : End of Rulesets. > ------------------------------------------------------------------------------------------------ > ... > 9125.293007295:main thread : Modules used in this configuration: > 9125.293009906:main thread : builtin:omfile > 9125.293012352:main thread : builtin:ompipe > 9125.293014779:main thread : builtin-shell > 9125.293017235:main thread : builtin:omdiscard > 9125.293019676:main thread : builtin:omfwd > 9125.293022115:main thread : builtin:omusrmsg > 9125.293024551:main thread : builtin:pmrfc5424 > 9125.293026975:main thread : builtin:pmrfc3164 > 9125.293029384:main thread : builtin:smfile > 9125.293031817:main thread : builtin:smtradfile > 9125.293034258:main thread : builtin:smfwd > 9125.293036680:main thread : builtin:smtradfwd > 9125.293039073:main thread : pmsrcipinject > 9125.293041483:main thread : pmlastmsg > 9125.293043963:main thread : pmaixforwardedfrom > 9125.293046408:main thread : imuxsock > 9125.293048853:main thread : imklog > 9125.293051256:main thread : imudp > ------------------------------------------------------------------------------------------------ > ... > The Message processing: > ... > 9132.357724175:imudp.c : imudp: recvmmsg returned 1 > 9132.357735754:imudp.c : recv(5,106),acl:1,msg:<---message here---> > 9132.357747524:imudp.c : msg parser: flags 70, from > '~NOTRESOLVED~', msg '<---message here---> > 9132.357751989:imudp.c : parse using parser list 0x7fb63f341990 > (the default list). > 9132.357757501:imudp.c : dropped LF at very end of message > (DropTrailingLF is set) > 9132.357761667:imudp.c : Parser 'rsyslog.rfc5424' returned -2160 > 9132.357766965:imudp.c : Message will now be parsed by the > legacy syslog parser (one size fits all... ;)). > 9132.357772744:imudp.c : Parser 'rsyslog.rfc3164' returned 0 > 9132.357788989:imudp.c : imudp: recvmmsg returned -1 > 9132.357796825:imudp.c : main Q: qqueueAdd: entry added, size > now log 1, phys 1 entries > 9132.357807440:imudp.c : main Q: MultiEnqObj advised worker start > 9132.357818105:main Q:Reg/w0 : wti 0x7fb63f357360: worker awoke from > idle processing > 9132.357826204:main Q:Reg/w0 : DeleteProcessedBatch: we deleted 0 > objects and enqueued 0 objects > 9132.357830151:main Q:Reg/w0 : doDeleteBatch: delete batch from > store, new sizes: log 1, phys 1 > 9132.357844320:main Q:Reg/w0 : processBATCH: batch of 1 elements must > be processed > > > --------------------- > Thanks, Chris > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
