I currently have log forwarding using the older syntax shown at the bottom of
this message. App logs are forwarded with individual .conf files that repeat
the addresses in each file. I'd like to move to the newer syntax and a ruleset
as shown. This actually works on another system. The all file is read first due
to the naming. Things get ugly if it isn't.

My question is why is this not working? The debug output isn't showing anything
I can see is incorrect.

Also, any pointers to more info on the newer syntax would be helpful. I've
spent hours poring over the docs w/ minimal success.

Thanks!

The ruleset and initial config:
# cat /etc/rsyslog.d/rsyslog.all.conf
module(load="imfile" mode="inotify")
global (
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)
ruleset(name="linux_forward") {
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"
        protocol="tcp"
        port="5544"
    )
    stop
}

# cat /etc/rsyslog.d/rsyslog.linux.conf
input(
    type="imfile"
    ruleset="linux_forward"
    file="*.*"
    escapeLF="on"
    tag="syslog"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="ansible"
    file="/var/log/ansible.log"
    escapeLF="on"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit/audit.log"
    escapeLF="on"
)
An example of forwarding an application file.
# head rsyslog.app.conf
input(
    type="imfile"
    ruleset="linux_forward"
    tag="caapiconfigservice_events"
    file="/var/log/mcs/caapi01/caapiconfigservice_events.log"
    escapeLF="on"
)
The original and working log forwarding:
# cat /root/nagioslogserver.conf
$WorkDirectory /var/lib/rsyslog                 # Where spool files will live
$ActionQueueFileName nlsFwdRule0                # Unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g                     # 1GB space limit (use as much as possible)
$ActionQueueSaveOnShutdown on                   # Save messages to disk on shutdown
$ActionQueueType LinkedList                     # Use asynchronous processing
$ActionResumeRetryCount -1                      # Infinite retries if host is down
*.* @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544    # *.*: send everything in rsyslog.conf, @@: use TCP
$ActionExecOnlyWhenPreviousIsSuspended on       # If the 1st log server is down send to the next, etc.
& @@[2001:4888:a00:3154:f0:ff2:0:b02]:5544
& @@[2001:4888:a00:3154:f0:ff2:0:b03]:5544
$ActionExecOnlyWhenPreviousIsSuspended off
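
The ruleset in the post forwards to a single target and carries none of the spool queue or failover settings from the legacy file. The following added example (not part of the original post, and not offered as the cause of the reported problem) shows how those legacy directives map onto RainerScript action parameters, reusing the addresses, port, queue name and ruleset name from the post.

```rsyslog
# Added example: legacy $Action* directives expressed as action() parameters.
# Spool files land in the workDirectory already set in global().
ruleset(name="linux_forward") {
    # Primary target with the disk-assisted queue from the legacy config
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"
        port="5544"
        protocol="tcp"                     # legacy "@@"
        queue.type="LinkedList"            # $ActionQueueType
        queue.filename="nlsFwdRule0"       # $ActionQueueFileName
        queue.maxDiskSpace="1g"            # $ActionQueueMaxDiskSpace
        queue.saveOnShutdown="on"          # $ActionQueueSaveOnShutdown
        action.resumeRetryCount="-1"       # $ActionResumeRetryCount
    )
    # Failover targets: each runs only while the action before it is suspended,
    # the equivalent of "& @@..." under $ActionExecOnlyWhenPreviousIsSuspended on
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b02"
        port="5544"
        protocol="tcp"
        action.execOnlyWhenPreviousIsSuspended="on"
    )
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b03"
        port="5544"
        protocol="tcp"
        action.execOnlyWhenPreviousIsSuspended="on"
    )
    stop
}
```

Running `rsyslogd -N1` checks the combined configuration for syntax errors before the service is restarted.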
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog