I use a similar config to forward from my servers.
ruleset(name="linux_forward" queue.type="LinkedList"
        queue.filename="nlsFwdRule0" queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    action(type="omfwd" target="2001:4888:a00:3154:f0:ff2:0:b01"
           protocol="udp" port="5544" resumeRetryCount="-1")
}
and it's called like that:
if (....) then {
    call linux_forward
    stop
}
Flo
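
A static check for configs like the ones in this thread, added here as an example (it is not code from the thread or from the rsyslog project): it verifies that every ruleset named by an input() or a call statement is defined, that imfile file= values are absolute paths (unlike the file="*.*" in the quoted config), and notes omfwd actions that send over UDP. The regex-based reader, the function names, the sample address and the sample filter condition are assumptions of this example, not rsyslog's own grammar or values from the thread.

```python
import re

# Constructed sample, modelled on the configs quoted in this thread.
# The target address, the "linux_fwd" typo and the if-condition are made up.
SAMPLE_CONF = r'''
module(load="imfile" mode="inotify")

ruleset(name="linux_forward" queue.type="LinkedList"
        queue.filename="nlsFwdRule0" queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    action(type="omfwd" target="2001:db8::10"   # constructed address
           protocol="udp" port="5544" resumeRetryCount="-1")
}

input(type="imfile" ruleset="linux_forward" file="*.*" tag="syslog")
input(type="imfile" ruleset="linux_forward" file="/var/log/audit/audit.log" tag="audit")
input(type="imfile" ruleset="linux_fwd" file="/var/log/ansible.log" tag="ansible")

if ($programname == "sshd") then {
    call linux_forward
    stop
}
'''

_STRING = r'"(?:[^"\\]|\\.)*"'
_STR_OR_COMMENT = re.compile(_STRING + r'|#[^\n]*')
# An object is name( ... ) where the body holds quoted strings and no bare parens.
_OBJ = re.compile(r'\b(input|ruleset|action)\s*\(((?:' + _STRING + r'|[^()"])*)\)')
_PARAM = re.compile(r'([\w.]+)\s*=\s*"((?:[^"\\]|\\.)*)"')
_CALL = re.compile(r'\bcall\s+([\w.\-]+)')


def strip_comments(text):
    """Drop '#' comments, leaving '#' characters inside quoted values alone."""
    return _STR_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else '', text)


def parse_objects(text):
    """Return [(kind, {param: value})]; parameter names are lower-cased."""
    return [(m.group(1), {k.lower(): v for k, v in _PARAM.findall(m.group(2))})
            for m in _OBJ.finditer(text)]


def lint(conf_text):
    """Return a list of (finding_code, detail) tuples for one config text."""
    text = strip_comments(conf_text)
    objs = parse_objects(text)
    defined = {p["name"] for kind, p in objs if kind == "ruleset" and "name" in p}
    findings = []
    for kind, p in objs:
        if kind == "input":
            rs = p.get("ruleset")
            if rs and rs not in defined:
                findings.append(("undefined-ruleset", "input tag=%r -> %r" % (p.get("tag"), rs)))
            # imfile's documentation asks for an absolute file name.
            if p.get("type") == "imfile" and not p.get("file", "").startswith("/"):
                findings.append(("relative-imfile-path", "file=%r" % p.get("file")))
        elif kind == "action" and p.get("type") == "omfwd":
            # omfwd defaults to UDP when protocol is not given.
            if p.get("protocol", "udp").lower() == "udp":
                findings.append(("udp-forward",
                                 "target=%r: UDP gives no delivery confirmation" % p.get("target")))
    # Look for call statements outside quoted strings only.
    for name in _CALL.findall(re.sub(_STRING, '""', text)):
        if name not in defined:
            findings.append(("undefined-ruleset", "call %s" % name))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONF):
        print("%-22s %s" % (code, detail))
```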
On Mon, Apr 1, 2019 at 9:27 PM Gorman, Kevin via rsyslog <
[email protected]> wrote:
> For the moment, I've removed the app part of the configuration. Redhat
> suggested changing action to the config that's below. Still, nothing is
> forwarded, which is the sole purpose of the configuration. I'm trying to
> use the rule to avoid repeating the IP address over and over as well as to
> not use lots of files.
>
> I imagine I could use the earlier format and combine the files, so that's
> not really a big issue. If it's better I'm not against just using the
> earlier format.
>
> # cat rsyslog.all.conf
> module(load="imfile" mode="inotify")
>
> global (
> parser.dropTrailingLFOnReception="on"
> parser.escapeControlCharactersOnReceive="on"
> workDirectory="/var/lib/rsyslog"
> )
>
> ruleset(
> name="linux_forward"
> queue.type="LinkedList"
> queue.filename="nlsFwdRule0"
> queue.maxDiskSpace="1g"
> queue.saveOnShutdown="on"
> ) {
> action(
> type="omfwd"
> target="2001:4888:a00:3154:f0:ff2:0:b01" # VIP address of logserver
> protocol="udp"
> port="5544"
> #resumeRetryCount="-1"
> )
> stop
> }
>
> # cat rsyslog.linux.conf
>
> input(
> type="imfile"
> ruleset="linux_forward"
> file="*.*"
> escapeLF="on"
> tag="syslog"
> )
>
> input(
> type="imfile"
> ruleset="linux_forward"
> tag="ansible"
> file="/var/log/ansible.log"
> escapeLF="on"
> )
>
> input(
> type="imfile"
> ruleset="linux_forward"
> tag="audit"
> file="/var/log/audit/audit.log"
> escapeLF="on"
> )
>
> ]# rsyslogd -N2
> rsyslogd: version 8.24.0-34.el7, config validation run (level 2), master
> config /etc/rsyslog.conf
>
> 'builtin:smfwd'
> 6396.166592891:main thread : beginCnfLoad((nil)) for module
> 'builtin:smtradfwd'
> 6396.166596125:main thread : beginCnfLoad(0x7efca273d050) for module
> 'imuxsock'
> 6396.166602210:main thread : calling endCnfLoad() for module 'imuxsock'
> 6396.166605773:main thread : beginCnfLoad(0x7efca2536160) for module
> 'imjournal'
> 6396.166608896:main thread : calling endCnfLoad() for module 'imjournal'
> 6396.166612164:main thread : beginCnfLoad(0x7efca0415b20) for module
> 'imfile'
> 6396.166615281:main thread : calling endCnfLoad() for module 'imfile'
> 6396.166618594:main thread : imfile: opmode is 1, polling interval is 10
> 6396.166621772:main thread : telling modules to check config
> 0x562f390508b0
> 6396.166625251:main thread : module builtin:omfile tells us config can
> be activated
> 6396.166628629:main thread : module builtin:ompipe tells us config can
> be activated
> 6396.166631908:main thread : module builtin:omfwd tells us config can
> be activated
> 6396.166635379:main thread : module imuxsock tells us config can be
> activated
> 6396.166638588:main thread : module imjournal tells us config can be
> activated
> 6396.166646653:main thread : module imfile tells us config can be
> activated
> 6396.166650564:main thread : GenerateLocalHostName uses
> 'sandcaykhsc-v-sienags-01'
> rsyslogd: End of config validation run. Bye.
>
>
> -----Original Message-----
> From: David Lang [mailto:[email protected]]
> Sent: Friday, March 29, 2019 6:29 PM
> To: Gorman, Kevin
> Cc: David Lang; Gorman, Kevin via rsyslog
> Subject: RE: [E] Re: [rsyslog] Help with newer syntax a ruleset and
> forwarding
>
> can we see the rest of your config?
>
> do a rsyslogd -N 2 and show us the results.
>
> David Lang
>
> On Fri, 29 Mar 2019, Gorman, Kevin wrote:
>
> > Date: Fri, 29 Mar 2019 23:25:13 +0000
> > From: "Gorman, Kevin" <[email protected]>
> > To: David Lang <[email protected]>,
> > "Gorman, Kevin via rsyslog" <[email protected]>
> > Subject: RE: [E] Re: [rsyslog] Help with newer syntax a ruleset and
> > forwarding
> >
> > Sorry,
> > The log messages aren't being forwarded.
> >
> > -----Original Message-----
> > From: David Lang [mailto:[email protected]]
> > Sent: Friday, March 29, 2019 6:12 PM
> > To: Gorman, Kevin via rsyslog
> > Cc: Gorman, Kevin
> > Subject: [E] Re: [rsyslog] Help with newer syntax a ruleset and
> > forwarding
> >
> > can you clarify a bit more about what's not working?
> >
> > I will point out that in the old syntax, only the first action has a
> > queue, and unless that queue is full, that action will always succeed, so
> > the fallback isn't going to work as expected.
> >
> > David Lang
> >
> > On Fri, 29 Mar 2019, Gorman, Kevin via rsyslog wrote:
> >
> >> Date: Fri, 29 Mar 2019 23:05:54 +0000
> >> From: "Gorman, Kevin via rsyslog" <[email protected]>
> >> To: "[email protected]" <[email protected]>
> >> Cc: "Gorman, Kevin" <[email protected]>
> >> Subject: [rsyslog] Help with newer syntax a ruleset and forwarding
> >>
> >> I currently have log forwarding using the older syntax shown at the
> >> bottom of this message. App logs are forwarded with individual .conf files
> >> that repeat the addresses in each file. I'd like to move to the newer
> >> syntax and a ruleset as shown. This actually works on another system. The
> >> all file is read first due to the naming. Things get ugly if it isn't.
> >>
> >> My question is why is this not working? The debug output isn't showing
> >> anything I can see is incorrect.
> >>
> >> Also, any pointers to more info on the newer syntax would be helpful.
> >> I've spent hours poring over the docs w/ minimal success.
> >>
> >> Thanks!
> >>
> >> The ruleset and initial config
> >>
> >> # cat /etc/rsyslog.d/rsyslog.all.conf
> >>
> >> module(load="imfile" mode="inotify")
> >>
> >> global (
> >> parser.dropTrailingLFOnReception="on"
> >> parser.escapeControlCharactersOnReceive="on"
> >> workDirectory="/var/lib/rsyslog"
> >> )
> >>
> >> ruleset(name="linux_forward") {
> >> action(
> >> type="omfwd"
> >> target="2001:4888:a00:3154:f0:ff2:0:b01"
> >> protocol="tcp"
> >> port="5544"
> >> )
> >> stop
> >> }
> >>
> >> # cat /etc/rsyslog.d/rsyslog.linux.conf
> >>
> >> input(
> >> type="imfile"
> >> ruleset="linux_forward"
> >> file="*.*"
> >> escapeLF="on"
> >> tag="syslog"
> >> )
> >>
> >> input(
> >> type="imfile"
> >> ruleset="linux_forward"
> >> tag="ansible"
> >> file="/var/log/ansible.log"
> >> escapeLF="on"
> >> )
> >>
> >> input(
> >> type="imfile"
> >> ruleset="linux_forward"
> >> tag="audit"
> >> file="/var/log/audit/audit.log"
> >> escapeLF="on"
> >> )
> >>
> >> An example of forwarding an application file.
> >>
> >> # head rsyslog.app.conf
> >>
> >> input(
> >> type="imfile"
> >> ruleset="linux_forward"
> >> tag="caapiconfigservice_events"
> >> file="/var/log/mcs/caapi01/caapiconfigservice_events.log"
> >> escapeLF="on"
> >> )
> >>
> >> The original and working log forwarding:
> >>
> >> # cat /root/nagioslogserver.conf
> >>
> >> $WorkDirectory /var/lib/rsyslog  # Where spool files will live
> >> $ActionQueueFileName nlsFwdRule0  # Unique name prefix for spool files
> >> $ActionQueueMaxDiskSpace 1g  # 1GB space limit (use as much as possible)
> >> $ActionQueueSaveOnShutdown on  # Save messages to disk on shutdown
> >> $ActionQueueType LinkedList  # Use asynchronous processing
> >> $ActionResumeRetryCount -1  # Infinite retries if host is down
> >>
> >> *.* @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544  # *.*: send everything in rsyslog.conf, @@: use TCP
> >> $ActionExecOnlyWhenPreviousIsSuspended on  # If the 1st log server is down send to the next, etc.
> >> & @@[2001:4888:a00:3154:f0:ff2:0:b02]:5544
> >> & @@[2001:4888:a00:3154:f0:ff2:0:b03]:5544
> >> $ActionExecOnlyWhenPreviousIsSuspended off
> >>
> >>
> >
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
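
The legacy failover file quoted in this thread, rendered in the newer syntax as an added illustration (not any poster's configuration): it reflects the two points raised above, the queue/fallback interaction and calling the ruleset. Addresses, port, queue name and file path are copied from the thread; putting the queue on the ruleset rather than on the first action is this example's choice, and the legacy retry setting is not carried over.

```rsyslog
# Added example; not taken from a poster's system.
module(load="imfile" mode="inotify")
global(workDirectory="/var/lib/rsyslog")   # where the disk-assisted queue spools

# The queue belongs to the ruleset, so the actions inside it run without a
# queue of their own and a failed primary is seen as suspended by the next one.
ruleset(name="linux_forward"
        queue.type="LinkedList"
        queue.filename="nlsFwdRule0"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    # Primary log server.
    action(type="omfwd" protocol="tcp" port="5544"
           target="2001:4888:a00:3154:f0:ff2:0:b01")
    # Each fallback runs only while the action before it is suspended.
    action(type="omfwd" protocol="tcp" port="5544"
           target="2001:4888:a00:3154:f0:ff2:0:b02"
           action.execOnlyWhenPreviousIsSuspended="on")
    action(type="omfwd" protocol="tcp" port="5544"
           target="2001:4888:a00:3154:f0:ff2:0:b03"
           action.execOnlyWhenPreviousIsSuspended="on")
}

# File inputs bound with ruleset= deliver straight into linux_forward.
input(type="imfile" ruleset="linux_forward" tag="ansible"
      file="/var/log/ansible.log" escapeLF="on")

# Inputs with no ruleset= parameter (imuxsock, imjournal) feed the default
# ruleset, so their messages are forwarded only if the default ruleset calls
# linux_forward. This line takes the place of the legacy "*.* @@..." selector.
call linux_forward
```

Validate with `rsyslogd -N2` as earlier in the thread; the ruleset dump should then list three omfwd actions under linux_forward.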