Sorry, the log messages aren't being forwarded.

-----Original Message-----
From: David Lang [mailto:[email protected]]
Sent: Friday, March 29, 2019 6:12 PM
To: Gorman, Kevin via rsyslog
Cc: Gorman, Kevin
Subject: [E] Re: [rsyslog] Help with newer syntax a ruleset and forwarding

Can you clarify a bit more about what's not working?

I will point out that in the old syntax, only the first action has a queue, and unless that queue is full, that action will always succeed, so the fallback isn't going to work as expected.

David Lang

On Fri, 29 Mar 2019, Gorman, Kevin via rsyslog wrote:

> Date: Fri, 29 Mar 2019 23:05:54 +0000
> From: "Gorman, Kevin via rsyslog" <[email protected]>
> To: "[email protected]" <[email protected]>
> Cc: "Gorman, Kevin" <[email protected]>
> Subject: [rsyslog] Help with newer syntax a ruleset and forwarding
>
> I currently have log forwarding using the older syntax shown at the bottom of
> this message. App logs are forwarded with individual .conf files that repeat
> the addresses in each file. I'd like to move to the newer syntax and a
> ruleset as shown. This actually works on another system. The all file is read
> first due to the naming. Things get ugly if it isn't.
>
> My question is why is this not working? The debug output isn't showing
> anything I can see is incorrect.
>
> Also, any pointers to more info on the newer syntax would be helpful. I've
> spent hours poring over the docs w/ minimal success.
>
> Thanks!
>
> The ruleset and initial config
>
> # cat /etc/rsyslog.d/rsyslog.all.conf
>
> module(load="imfile" mode="inotify")
>
> global (
>     parser.dropTrailingLFOnReception="on"
>     parser.escapeControlCharactersOnReceive="on"
>     workDirectory="/var/lib/rsyslog"
> )
>
> ruleset(name="linux_forward") {
>     action(
>         type="omfwd"
>         target="2001:4888:a00:3154:f0:ff2:0:b01"
>         protocol="tcp"
>         port="5544"
>     )
>     stop
> }
>
> # cat /etc/rsyslog.d/rsyslog.linux.conf
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     file="*.*"
>     escapeLF="on"
>     tag="syslog"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="ansible"
>     file="/var/log/ansible.log"
>     escapeLF="on"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="audit"
>     file="/var/log/audit/audit.log"
>     escapeLF="on"
> )
>
> An example of forwarding an application file.
>
> # head rsyslog.app.conf
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="caapiconfigservice_events"
>     file="/var/log/mcs/caapi01/caapiconfigservice_events.log"
>     escapeLF="on"
> )
>
> The original and working log forwarding:
>
> # cat /root/nagioslogserver.conf
>
> $WorkDirectory /var/lib/rsyslog             # Where spool files will live
> $ActionQueueFileName nlsFwdRule0            # Unique name prefix for spool files
> $ActionQueueMaxDiskSpace 1g                 # 1GB space limit (use as much as possible)
> $ActionQueueSaveOnShutdown on               # Save messages to disk on shutdown
> $ActionQueueType LinkedList                 # Use asynchronous processing
> $ActionResumeRetryCount -1                  # Infinite retries if host is down
>
> *.* @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544  # *.*: send everything in rsyslog.conf, @@: use TCP
> $ActionExecOnlyWhenPreviousIsSuspended on   # If the 1st log server is down send to the next, etc.
> & @@[2001:4888:a00:3154:f0:ff2:0:b02]:5544
> & @@[2001:4888:a00:3154:f0:ff2:0:b03]:5544
> $ActionExecOnlyWhenPreviousIsSuspended off

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
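
Added example, not part of the original thread and not either poster's configuration: one way to write the old three-target failover in the newer syntax while taking David Lang's point about the queue into account. It assumes the disk-assisted queue is moved from the first action onto the ruleset, so each forwarding action runs without its own queue and a failed target is actually marked suspended; the spool prefix `linux_fwd` is a hypothetical name, and the targets and port are the ones quoted in the thread.

```conf
# Constructed example. Requires workDirectory to be set in global(), as in the
# rsyslog.all.conf quoted above, because queue.filename makes the queue disk-assisted.
#
# The queue parameters sit on the ruleset, not on an action: messages are buffered
# before the actions run, and the actions themselves stay in direct mode.
ruleset(
    name="linux_forward"
    queue.type="LinkedList"
    queue.filename="linux_fwd"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
) {
    # Primary target. No action queue here, so a refused or dropped TCP
    # connection suspends this action instead of being absorbed by a queue.
    # action.resumeRetryCount is left at its default so suspension can happen.
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"
        port="5544"
        protocol="tcp"
    )

    # First fallback: runs only while the action directly above is suspended.
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b02"
        port="5544"
        protocol="tcp"
        action.execOnlyWhenPreviousIsSuspended="on"
    )

    # Second fallback: runs only while the first fallback is suspended too.
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b03"
        port="5544"
        protocol="tcp"
        action.execOnlyWhenPreviousIsSuspended="on"
    )

    stop
}
```

Running `rsyslogd -N1` after editing checks that the combined configuration parses before the daemon is restarted.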

