Hi John,

> You'll get the hang of it.  Enjoy.
I don't think I'll get the hang of this.

I tried with a copy and paste of your example & had nothing.   So I tried 
modifying this to be, 
# Default RuleSet
*.info { action (type="omelasticsearch"
         server="el7"
         serverport="10514"
         searchIndex="unix"
         bulkmode="on"
         template="ElasticSearchTemplate")
        }
*.info { action (type="omelasticsearch"
         server="el8"
         serverport="10514"
         searchIndex="unix"
         bulkmode="on"
         template="ElasticSearchTemplate")
        }

template(name="dynaName" type="string" string="/soft/rsyslog/%hostname%.log")

*.debug {
   action (
     type="omfile"
     name="debugActionName"
     template="dynaName"
     dynafile="dynaName"
   )
}

*.warn {
   action (
     type="omfile"
     name="infoActionName"
     #template="templateName"
     file="/soft/rsyslog/everything.warn.log"
   )
}

And this wrote nothing to any file. 



> -----Original Message-----
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of John
> Chivian
> Sent: Tuesday, October 30, 2018 3:24 PM
> To: sophie.loewenthal--- via rsyslog
> Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and
> severity levels
> 
> template(name="dynaName" type="string"
> string="/soft/rsyslog/%hostname%.log")
> 
> *.debug {
>    action(
>      type="omfile"
>      name="debugActionName"
>      template="templateName"
>      dynafile="dynaName"
>    )
> }
> 
> *.info {
>    action(
>      type="omfile"
>      name="infoActionName"
>      template="templateName"
>      file="/soft/rsyslog/everything.warn.log"
>    )
> }
> 
> You'll get the hang of it.  Enjoy.
> 
> 
> 
> On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
> > Hi,
> >
> > I'm trying to change the rsyslog server to the new format, and decided to
> > use the config generator on the rsyslogd.com website.
> >
> > Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't see
> > DynaFile available in the config generator.
> > Also I had set up different severities to be sent to different files.  Can
> > this filtering be achieved with the new format?
> > e.g.
> > $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
> > *.debug ?DynaFile
> >
> > Also I had set up this but cannot see how to do this with the new format. I
> > tried with omfile, but this did not work.  What is the recommended way?
> > *.info /soft/rsyslog/everything.warn.log
> > *.debug /soft/rsyslog/everything.all.log
> >
> > Lastly, I don't think the bulk method for elasticsearch is correctly set:
> >      bulkmode="1"
> > Because of the message:   "error during parsing file /etc/rsyslog.conf, on
> > or before line 41: parameter 'bulkmode' must be "on" or "off" but is neither.
> > Results unpredictable."
> > Setting this to bulkmode="on" silenced the error message, but I don't know
> > if this is correct.
> >
> > My rsyslog version: # rsyslogd -v
> > rsyslogd 8.24.0/ x86_64-redhat-linux-gnu
> >
> > Help, like usual, greatly appreciated.
> >
> > Best wishes,
> > Sophie
> >
> >
> > -------------------------------------------------------
> > # This configuration has been generated by using the
> > # rsyslog Configuration Builder which can be found at:
> > # http://www.rsyslog.com/rsyslog-configuration-builder/
> > #
> > # Default Settings
> >
> > # Load Modules
> > module(load="imtcp")
> > module(load="imudp")
> > module(load="omelasticsearch")
> > module(load="imuxsock")
> >
> > # rsyslog Templates
> > template(name="ElasticSearchTemplate"
> > type="list"
> > option.json="on") {
> > constant(value="{")
> >   constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> >   constant(value="\",\"message\":\"")     property(name="msg")
> >   constant(value="\",\"host\":\"")        property(name="hostname")
> >   constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> >   constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> >   constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> > constant(value="\"}")
> > }
> > template(name="ElasticSearchTemplate"
> > type="list"
> > option.json="on") {
> > constant(value="{")
> >   constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
> >   constant(value="\",\"message\":\"")     property(name="msg")
> >   constant(value="\",\"host\":\"")        property(name="hostname")
> >   constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
> >   constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
> >   constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
> > constant(value="\"}")
> > }
> >
> > # rsyslog Input Modules
> > input(type="imtcp"
> >      port="")
> > input(type="imudp"
> >      port="")
> >
> > # rsyslog RuleSets
> > # Default RuleSet
> > action(type="omelasticsearch"
> >      server="el8 "
> >      serverport="10514"
> >      searchIndex="unix"
> >      bulkmode="1"
> >      template="ElasticSearchTemplate")
> > action(type="omelasticsearch"
> >      server="el7 "
> >      serverport="10514"
> >      searchIndex="unix"
> >      bulkmode="1"
> >      template="ElasticSearchTemplate")
> > action(type="omfile"
> >      File="/soft/rsyslog/%HOSTNAME%.log"
> >      template="RSYSLOG_ForwardFormat")
> >
> > # This configuration was generated on '2018-10-30 10:52:54'
> >
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
This message and any attachments (the "message") is
intended solely for the intended addressees and is confidential.
If you receive this message in error, or are not the intended recipient(s),
please delete it and any copies from your systems and immediately notify
the sender. Any unauthorized view, use that does not comply with its purpose,
dissemination or disclosure, either whole or partial, is prohibited. Since the
internet cannot guarantee the integrity of this message which may not be
reliable, BNP PARIBAS (and its subsidiaries) shall not be liable for the
message if modified, changed or falsified.
Do not print this message unless it is necessary, consider the environment.
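
The legacy lines from the original question, written in the new action() syntax. This is an added example, not part of the thread and not rsyslog project code. The template and action names are made up here, and the secpath-replace option and the file modes are additions the thread does not discuss.

```rsyslog
# Added example. Paths are the ones quoted in the thread; the names
# PerHostFile, per_host, everything_warn and everything_all are hypothetical.

# Legacy:  $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
# %HOSTNAME% is taken from the received message, so on a server that
# accepts imtcp/imudp input it is sender-controlled. secpath-replace turns
# any "/" in the value into "_" so it cannot change the target directory.
template(name="PerHostFile" type="string"
         string="/soft/rsyslog/%HOSTNAME:::secpath-replace%.log")

# Legacy:  *.debug ?DynaFile
# dynaFile= names the template that builds the file PATH.
# template= (left at its default here) would name the template that
# formats each LINE written to the file; the two are not interchangeable.
# *.debug selects debug and every more severe level, i.e. all messages.
*.debug action(type="omfile" name="per_host"
               dynaFile="PerHostFile"
               fileCreateMode="0640" dirCreateMode="0750")

# Legacy:  *.info /soft/rsyslog/everything.warn.log
# *.info selects info and every more severe level.
*.info  action(type="omfile" name="everything_warn"
               file="/soft/rsyslog/everything.warn.log"
               fileCreateMode="0640")

# Legacy:  *.debug /soft/rsyslog/everything.all.log
*.debug action(type="omfile" name="everything_all"
               file="/soft/rsyslog/everything.all.log"
               fileCreateMode="0640")
```

The configuration can be syntax-checked without restarting the daemon by running `rsyslogd -N1 -f` against the file.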
