Can we see the rest of your config?
Do a rsyslogd -N 2 and show us the results.
David Lang
On Fri, 29 Mar 2019, Gorman, Kevin wrote:
Date: Fri, 29 Mar 2019 23:25:13 +0000
From: "Gorman, Kevin" <[email protected]>
To: David Lang <[email protected]>,
"Gorman, Kevin via rsyslog" <[email protected]>
Subject: RE: [E] Re: [rsyslog] Help with newer syntax a ruleset and forwarding
Sorry,
The log messages aren't being forwarded.
-----Original Message-----
From: David Lang [mailto:[email protected]]
Sent: Friday, March 29, 2019 6:12 PM
To: Gorman, Kevin via rsyslog
Cc: Gorman, Kevin
Subject: [E] Re: [rsyslog] Help with newer syntax a ruleset and forwarding
Can you clarify a bit more about what's not working?
I will point out that in the old syntax, only the first action has a queue, and
unless that queue is full, that action will always succeed, so the fallback
isn't going to work as expected.
David Lang
On Fri, 29 Mar 2019, Gorman, Kevin via rsyslog wrote:
Date: Fri, 29 Mar 2019 23:05:54 +0000
From: "Gorman, Kevin via rsyslog" <[email protected]>
To: "[email protected]" <[email protected]>
Cc: "Gorman, Kevin" <[email protected]>
Subject: [rsyslog] Help with newer syntax a ruleset and forwarding
I currently have log forwarding using the older syntax shown at the bottom of
this message. App logs are forwarded with individual .conf files that repeat
the addresses in each file. I'd like to move to the newer syntax and a ruleset
as shown. This actually works on another system. The all file is read first due
to the naming. Things get ugly if it isn't.
My question is why is this not working? The debug output isn't showing anything
I can see is incorrect.
Also, any pointers to more info on the newer syntax would be helpful. I've
spent hours poring over the docs w/ minimal success.
Thanks!
The ruleset and initial config

# cat /etc/rsyslog.d/rsyslog.all.conf
module(load="imfile" mode="inotify")
global (
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)
ruleset(name="linux_forward") {
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"
        protocol="tcp"
        port="5544"
    )
    stop
}

# cat /etc/rsyslog.d/rsyslog.linux.conf
input(
    type="imfile"
    ruleset="linux_forward"
    file="*.*"
    escapeLF="on"
    tag="syslog"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="ansible"
    file="/var/log/ansible.log"
    escapeLF="on"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit/audit.log"
    escapeLF="on"
)

An example of forwarding an application file.

# head rsyslog.app.conf
input(
    type="imfile"
    ruleset="linux_forward"
    tag="caapiconfigservice_events"
    file="/var/log/mcs/caapi01/caapiconfigservice_events.log"
    escapeLF="on"
)
The original and working log forwarding:

# cat /root/nagioslogserver.conf
$WorkDirectory /var/lib/rsyslog                # Where spool files will live
$ActionQueueFileName nlsFwdRule0               # Unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g                    # 1GB space limit (use as much as possible)
$ActionQueueSaveOnShutdown on                  # Save messages to disk on shutdown
$ActionQueueType LinkedList                    # Use asynchronous processing
$ActionResumeRetryCount -1                     # Infinite retries if host is down
*.* @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544   # *.*: send everything in rsyslog.conf, @@: use TCP
$ActionExecOnlyWhenPreviousIsSuspended on      # If the 1st log server is down send to the next, etc.
& @@[2001:4888:a00:3154:f0:ff2:0:b02]:5544
& @@[2001:4888:a00:3154:f0:ff2:0:b03]:5544
$ActionExecOnlyWhenPreviousIsSuspended off
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
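
Added example, not part of the thread and not any participant's configuration: the legacy queue and failover directives from /root/nagioslogserver.conf expressed in the newer action()/ruleset() syntax. Addresses, port and spool prefix are copied from the legacy file; attaching the queue to the ruleset and leaving the actions unqueued is an assumption of this example, chosen so that a failed primary shows up as suspended, in line with the remark above about a queued first action always succeeding.

```conf
# Added example (assumed layout, not from the thread).
# Requires workDirectory to be set in global(), as in rsyslog.all.conf,
# so the disk-assisted queue has somewhere to spool.
ruleset(
    name="linux_forward"
    queue.type="LinkedList"          # was: $ActionQueueType LinkedList
    queue.filename="nlsFwdRule0"     # was: $ActionQueueFileName nlsFwdRule0
    queue.maxDiskSpace="1g"          # was: $ActionQueueMaxDiskSpace 1g
    queue.saveOnShutdown="on"        # was: $ActionQueueSaveOnShutdown on
) {
    # Primary log server. No action queue here, so a failed TCP
    # connection suspends the action instead of filling a queue.
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"
        port="5544"
        protocol="tcp"
    )
    # First fallback: runs only while the action before it is suspended.
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b02"
        port="5544"
        protocol="tcp"
        action.execOnlyWhenPreviousIsSuspended="on"
    )
    # Second fallback: retries without limit so messages wait in the
    # ruleset queue while every target is down
    # (was: $ActionResumeRetryCount -1).
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b03"
        port="5544"
        protocol="tcp"
        action.execOnlyWhenPreviousIsSuspended="on"
        action.resumeRetryCount="-1"
    )
    stop
}
```

Check the file with rsyslogd -N 1 before restarting, and confirm failover by stopping the primary receiver in a test environment.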