Thank you so much Rainer... :) Indeed this seems to be missing in the ruleset documentation.
I wonder if there is no way to define this generally. My assumption was that if I defined this for the Default this Default is used as long it is not overwritten... regards Chris 2016-06-16 15:55 GMT+02:00 Rainer Gerhards <[email protected]>: > You need to specify them in the ruleset object, e.g. > > ruleset(name="remote" parser=["rsyslog.srcipinject","rsyslog.lastline", ... > ]); > > I think this is not well documented. > > Rainer > > 2016-06-16 15:28 GMT+02:00 Christopher Racky <[email protected]>: >> Hello, >> >> I have the issue, that with rulesets only the 2 default Parsers are >> used, but without rulesets the load parsers are applied. >> Is this a missconfiguration or understanding issue? >> Do you have some hints? >> >> regards >> Chris >> >> >> I have the following configuration: >> ------------------------------------rsyslog.conf------------------------------------ >> global ( >> net.enabledns="off" >> ) >> $modload pmsrcipinject >> $modload pmlastmsg >> $modload pmaixforwardedfrom >> $rulesetparser rsyslog.srcipinject >> $rulesetparser rsyslog.lastline >> $rulesetparser rsyslog.aixforwardedfrom >> $rulesetparser rsyslog.rfc5424 >> $rulesetparser rsyslog.rfc3164 >> module(load="imuxsock") # provides support for local system logging >> (e.g. via logger command) >> module(load="imklog") # provides kernel logging support (previously >> done by rklogd) >> module(load="imudp") >> input (type="imudp" port="514" ruleset="remote") >> #### GLOBAL DIRECTIVES #### >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> ruleset(name="remote"){ >> $rulesetparser rsyslog.srcipinject >> $rulesetparser rsyslog.lastline >> $rulesetparser rsyslog.aixforwardedfrom >> $rulesetparser rsyslog.rfc5424 >> $rulesetparser rsyslog.rfc3164 >> *.* /var/log/output.log;RSYSLOG_DebugFormat >> stop >> } >> ------------------------------------------------------------------------------------------------ >> >> When I do not use rulesets, the output.message is correctly processing >> the all 5 message-parsers. >> But when I use rulsets in debug I can see for the ruleset only the 2 >> Default Parsers are processed. >> >> See here: >> ------------------------------------------------------------------------------------------------ >> 9125.288246895:main thread : processinternalmessages: (unset) >> 9125.288268911:main thread : cnf:global:cfsysline: $modload pmsrcipinject >> 9125.288284929:main thread : Requested to load module 'pmsrcipinject' >> 9125.288289686:main thread : loading module >> '/lib64/rsyslog/pmsrcipinject.so' >> 9125.288343939:main thread : srcipinject parser init called, >> compiled with version 8.18.0 >> 9125.288350754:main thread : module pmsrcipinject of type 3 being >> loaded (keepType=0). >> 9125.288354029:main thread : entry point 'setModCnf' not present in module >> 9125.288356922:main thread : entry point 'getModCnfName' not >> present in module >> 9125.288359713:main thread : entry point 'beginCnfLoad' not present in >> module >> 9125.288362387:main thread : entry point 'parse2' not present in module >> 9125.288366220:main thread : DDDDD: added parser >> 'rsyslog.srcipinject' to list 0x7fb63f0899a8 >> 9125.288369035:main thread : Parser 'rsyslog.srcipinject' added to >> list of available parsers. >> 9125.288374739:main thread : cnf:global:cfsysline: $modload pmlastmsg >> 9125.288380281:main thread : Requested to load module 'pmlastmsg' >> 9125.288383695:main thread : loading module '/lib64/rsyslog/pmlastmsg.so' >> 9125.288438324:main thread : lastmsg parser init called, compiled >> with version 8.18.0 >> 9125.288545207:main thread : module pmlastmsg of type 3 being >> loaded (keepType=0). >> 9125.288551770:main thread : entry point 'setModCnf' not present in module >> 9125.288554637:main thread : entry point 'getModCnfName' not >> present in module >> 9125.288567701:main thread : entry point 'beginCnfLoad' not present in >> module >> 9125.288570612:main thread : entry point 'parse2' not present in module >> 9125.288581066:main thread : DDDDD: added parser 'rsyslog.lastline' >> to list 0x7fb63f0899a8 >> 9125.288584073:main thread : Parser 'rsyslog.lastline' added to >> list of available parsers. >> 9125.288590302:main thread : cnf:global:cfsysline: $modload >> pmaixforwardedfrom >> 9125.288596316:main thread : Requested to load module 'pmaixforwardedfrom' >> 9125.288600167:main thread : loading module >> '/lib64/rsyslog/pmaixforwardedfrom.so' >> 9125.288660648:main thread : aixforwardedfrom parser init called, >> compiled with version 8.18.0 >> 9125.288668453:main thread : module pmaixforwardedfrom of type 3 >> being loaded (keepType=0). >> 9125.288671692:main thread : entry point 'setModCnf' not present in module >> 9125.288674407:main thread : entry point 'getModCnfName' not >> present in module >> 9125.288677039:main thread : entry point 'beginCnfLoad' not present in >> module >> 9125.288679686:main thread : entry point 'parse2' not present in module >> 9125.288683583:main thread : DDDDD: added parser >> 'rsyslog.aixforwardedfrom' to list 0x7fb63f0899a8 >> 9125.288686410:main thread : Parser 'rsyslog.aixforwardedfrom' >> added to list of available parsers. >> >> ------------------------------------------------------------------------------------------------ >> ... >> 9125.292019118:main thread : All Rulesets: >> 9125.292021672:main thread : ruleset 0x7fb63f342170: rsyslog >> ruleset RSYSLOG_DefaultRuleset: >> 9125.292024628:main thread : ACTION 0 >> [builtin:omfile:/var/log/alllog;RSYSLOG_DebugFormat] >> 9125.292027170:main thread : ruleset 0x7fb63f342170: ruleset >> RSYSLOG_DefaultRuleset assigned parser list: >> 9125.292029861:main thread : parser: rsyslog.srcipinject >> 9125.292032346:main thread : parser: rsyslog.lastline >> 9125.292034806:main thread : parser: rsyslog.aixforwardedfrom >> 9125.292037228:main thread : parser: rsyslog.rfc5424 >> 9125.292039648:main thread : parser: rsyslog.rfc3164 >> 9125.292042021:main thread : parser: rsyslog.srcipinject >> 9125.292044382:main thread : parser: rsyslog.lastline >> 9125.292046759:main thread : parser: rsyslog.aixforwardedfrom >> 9125.292049162:main thread : parser: rsyslog.rfc5424 >> 9125.292051499:main thread : parser: rsyslog.rfc3164 >> 9125.292053896:main thread : ruleset 0x7fb63f355fb0: rsyslog ruleset >> remote: >> 9125.292056753:main thread : ACTION 1 >> [builtin:omfile:/var/log/remotetest.log;RSYSLOG_DebugFormat] >> 9125.292062732:main thread : STOP >> 9125.292065419:main thread : ruleset 0x7fb63f355fb0: ruleset remote >> assigned parser list: >> 9125.292068039:main thread : End of Rulesets. >> ------------------------------------------------------------------------------------------------ >> ... >> 9125.293007295:main thread : Modules used in this configuration: >> 9125.293009906:main thread : builtin:omfile >> 9125.293012352:main thread : builtin:ompipe >> 9125.293014779:main thread : builtin-shell >> 9125.293017235:main thread : builtin:omdiscard >> 9125.293019676:main thread : builtin:omfwd >> 9125.293022115:main thread : builtin:omusrmsg >> 9125.293024551:main thread : builtin:pmrfc5424 >> 9125.293026975:main thread : builtin:pmrfc3164 >> 9125.293029384:main thread : builtin:smfile >> 9125.293031817:main thread : builtin:smtradfile >> 9125.293034258:main thread : builtin:smfwd >> 9125.293036680:main thread : builtin:smtradfwd >> 9125.293039073:main thread : pmsrcipinject >> 9125.293041483:main thread : pmlastmsg >> 9125.293043963:main thread : pmaixforwardedfrom >> 9125.293046408:main thread : imuxsock >> 9125.293048853:main thread : imklog >> 9125.293051256:main thread : imudp >> ------------------------------------------------------------------------------------------------ >> ... >> The Message processing: >> ... >> 9132.357724175:imudp.c : imudp: recvmmsg returned 1 >> 9132.357735754:imudp.c : recv(5,106),acl:1,msg:<---message here---> >> 9132.357747524:imudp.c : msg parser: flags 70, from >> '~NOTRESOLVED~', msg '<---message here---> >> 9132.357751989:imudp.c : parse using parser list 0x7fb63f341990 >> (the default list). >> 9132.357757501:imudp.c : dropped LF at very end of message >> (DropTrailingLF is set) >> 9132.357761667:imudp.c : Parser 'rsyslog.rfc5424' returned -2160 >> 9132.357766965:imudp.c : Message will now be parsed by the >> legacy syslog parser (one size fits all... ;)). >> 9132.357772744:imudp.c : Parser 'rsyslog.rfc3164' returned 0 >> 9132.357788989:imudp.c : imudp: recvmmsg returned -1 >> 9132.357796825:imudp.c : main Q: qqueueAdd: entry added, size >> now log 1, phys 1 entries >> 9132.357807440:imudp.c : main Q: MultiEnqObj advised worker start >> 9132.357818105:main Q:Reg/w0 : wti 0x7fb63f357360: worker awoke from >> idle processing >> 9132.357826204:main Q:Reg/w0 : DeleteProcessedBatch: we deleted 0 >> objects and enqueued 0 objects >> 9132.357830151:main Q:Reg/w0 : doDeleteBatch: delete batch from >> store, new sizes: log 1, phys 1 >> 9132.357844320:main Q:Reg/w0 : processBATCH: batch of 1 elements must >> be processed >> >> >> --------------------- >> Thanks, Chris >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
