I'm using any and all docs on https://www.rsyslog.com/doc/v8-stable, posts on
the internet, etc. The thing is there are few actual configuration examples and
info on how to actually use the various syntax for rsyslog, but lots of
references on what individual parts do, which makes it difficult for someone
not familiar with it to get anything done.

The version is 8.24 on RHEL 7.6 using the default rsyslog.conf. Here is the
complete config.

There is no problem collecting or forwarding log data defined in rsyslog.conf.
I simply want to define the address, port and protocol once and only once.

I am having trouble forwarding the other 2 sample log files, or rather
audit.log since ansible.log is always empty. Audit.log is not defined in
rsyslog.conf and is pretty busy, but I don't see data in tcpdump on the local
server or in the remote log server.

From the debug output below, everything looks ok to me.

# cat rsyslog.all.conf
module(load="imfile" mode="inotify")
global (
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)
ruleset(name="linux_forward") {
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01" # logserver VIP
        protocol="tcp"
        port="5544"
    )
    stop
}
*.* action(
    type="omfwd"
    target="2001:4888:a00:3154:f0:ff2:0:b01"
    port="5544"
    protocol="tcp"
)

# cat rsyslog.linux.conf
input(
    type="imfile"
    ruleset="linux_forward"
    tag="ansible"
    file="/var/log/ansible.log"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit/audit.log"
)

# grep -v ^# /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# rsyslogd -N2 2>&1
rsyslogd: version 8.24.0-34.el7, config validation run (level 2), master config
/etc/rsyslog.conf
2612.391124552:main thread : debug level 2 set via config file
2612.391137687:main thread : This is rsyslog version 8.24.0-34.el7
2612.391142024:main thread : config parser: reached end of file
/etc/rsyslog.d/rsyslog.debug.conf
2612.391146245:main thread : config parser: resume parsing of file
/etc/rsyslog.d/rsyslog.linux.conf at line 1
2612.391154903:main thread : Decoding traditional PRI filter '*.*'
2612.391159063:main thread : symbolic name: * ==> 255
2612.391170453:main thread : cnf:global:script
2612.391176927:main thread : cnf:global:obj: obj: 'input'
2612.391183238:main thread : nvlst 0x560db7113bc0:
2612.391187084:main thread : name: 'file', value
'/var/log/ansible.log'
2612.391191163:main thread : name: 'tag', value 'ansible'
2612.391195088:main thread : name: 'ruleset', value 'linux_forward'
2612.391199275:main thread : name: 'type', value 'imfile'
2612.391204860:main thread : nvlstGetParam: name 'type', type 14,
valnode->bUsed 0
2612.391208413:main thread : input param blk after inputProcessCnf:
2612.391211869:main thread : type: 'imfile'
2612.391221168:main thread : newInpInst (imfile)
2612.391224994:main thread : nvlstGetParam: name 'file', type 14,
valnode->bUsed 0
2612.391228725:main thread : nvlstGetParam: name 'tag', type 14,
valnode->bUsed 0
2612.391232424:main thread : nvlstGetParam: name 'ruleset', type 14,
valnode->bUsed 0
2612.391237025:main thread : input param blk in imfile:
2612.391240208:main thread : file: '/var/log/ansible.log'
2612.391248365:main thread : tag: 'ansible'
2612.391256434:main thread : severity: (unset)
2612.391264148:main thread : facility: (unset)
2612.391272112:main thread : ruleset: 'linux_forward'
2612.391279796:main thread : readmode: (unset)
2612.391287307:main thread : startmsg.regex: (unset)
2612.391295630:main thread : escapelf: (unset)
2612.391303151:main thread : reopenontruncate: (unset)
2612.391310792:main thread : maxlinesatonce: (unset)
2612.391318320:main thread : trimlineoverbytes: (unset)
2612.391326421:main thread : maxsubmitatonce: (unset)
2612.391334036:main thread : removestateondelete: (unset)
2612.391341658:main thread : persiststateinterval: (unset)
2612.391349184:main thread : deletestateonfiledelete: (unset)
2612.391356688:main thread : addmetadata: (unset)
2612.391364063:main thread : addceetag: (unset)
2612.391371440:main thread : statefile: (unset)
2612.391378812:main thread : readtimeout: (unset)
2612.391386557:main thread : freshstarttail: (unset)
2612.391394141:main thread : filenotfounderror: (unset)
2612.391402788:main thread : imfile: adding file monitor for
'/var/log/ansible.log'
2612.391409410:main thread : cnf:global:obj: obj: 'input'
2612.391415255:main thread : nvlst 0x560db7113bc0:
2612.391418640:main thread : name: 'file', value
'/var/log/audit/audit.log'
2612.391422778:main thread : name: 'tag', value 'audit'
2612.391426629:main thread : name: 'ruleset', value 'linux_forward'
2612.391430354:main thread : name: 'type', value 'imfile'
2612.391434215:main thread : nvlstGetParam: name 'type', type 14,
valnode->bUsed 0
2612.391437515:main thread : input param blk after inputProcessCnf:
2612.391440594:main thread : type: 'imfile'
2612.391448503:main thread : newInpInst (imfile)
2612.391452229:main thread : nvlstGetParam: name 'file', type 14,
valnode->bUsed 0
2612.391455730:main thread : nvlstGetParam: name 'tag', type 14,
valnode->bUsed 0
2612.391459296:main thread : nvlstGetParam: name 'ruleset', type 14,
valnode->bUsed 0
2612.391463339:main thread : input param blk in imfile:
2612.391466399:main thread : file: '/var/log/audit/audit.log'
2612.391474415:main thread : tag: 'audit'
2612.391482343:main thread : severity: (unset)
2612.391490200:main thread : facility: (unset)
2612.391497757:main thread : ruleset: 'linux_forward'
2612.391505588:main thread : readmode: (unset)
2612.391513078:main thread : startmsg.regex: (unset)
2612.391520611:main thread : escapelf: (unset)
2612.391531572:main thread : reopenontruncate: (unset)
2612.391539048:main thread : maxlinesatonce: (unset)
2612.391546406:main thread : trimlineoverbytes: (unset)
2612.391568251:main thread : maxsubmitatonce: (unset)
2612.391577729:main thread : removestateondelete: (unset)
2612.391585306:main thread : persiststateinterval: (unset)
2612.391592844:main thread : deletestateonfiledelete: (unset)
2612.391600547:main thread : addmetadata: (unset)
2612.391608050:main thread : addceetag: (unset)
2612.391615543:main thread : statefile: (unset)
2612.391622911:main thread : readtimeout: (unset)
2612.391630669:main thread : freshstarttail: (unset)
2612.391638140:main thread : filenotfounderror: (unset)
2612.391646727:main thread : imfile: adding file monitor for
'/var/log/audit/audit.log'
2612.391651821:main thread : config parser: reached end of file
/etc/rsyslog.d/rsyslog.linux.conf
2612.391655692:main thread : config parser: resume parsing of file
/etc/rsyslog.conf at line 36
2612.391660704:main thread : cnf:global:cfsysline: $OmitLocalLogging on
2612.391667646:main thread : cnf:global:cfsysline: $IMJournalStateFile
imjournal.state
2612.391675125:main thread : doGetWord: get newval 'imjournal.state' (len
15), hdlr (nil)
2612.391684466:main thread : tried selector action for builtin:omfile: 0
2612.391688143:main thread : Module builtin:omfile processes this action.
2612.391692191:main thread : template: 'RSYSLOG_TraditionalFileFormat'
assigned
2612.391698000:main thread : action 2 queue: parameter dump:
2612.391701544:main thread : action 2 queue: queue.filename '[NONE]'
2612.391704997:main thread : action 2 queue: queue.size: 1000
2612.391708219:main thread : action 2 queue: queue.dequeuebatchsize: 16
2612.391711679:main thread : action 2 queue: queue.maxdiskspace: 0
2612.391715044:main thread : action 2 queue: queue.highwatermark: 800
2612.391718758:main thread : action 2 queue: queue.lowwatermark: 200
2612.391722103:main thread : action 2 queue: queue.fulldelaymark: -1
2612.391725266:main thread : action 2 queue: queue.lightdelaymark: -1
2612.391728391:main thread : action 2 queue: queue.discardmark: 980
2612.391745474:main thread : action 2 queue: queue.discardseverity: 8
2612.391749239:main thread : action 2 queue: queue.checkpointinterval: 0
2612.391752659:main thread : action 2 queue: queue.syncqueuefiles: 0
2612.391756003:main thread : action 2 queue: queue.type: 3 [Direct]
2612.391759199:main thread : action 2 queue: queue.workerthreads: 1
2612.391762362:main thread : action 2 queue: queue.timeoutshutdown: 0
2612.391766943:main thread : action 2 queue: queue.timeoutactioncompletion:
1000
2612.391770284:main thread : action 2 queue: queue.timeoutenqueue: 50
2612.391773487:main thread : action 2 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.391776657:main thread : action 2 queue:
queue.workerthreadminimummessages: -1
2612.391779925:main thread : action 2 queue: queue.maxfilesize: 1048576
2612.391783111:main thread : action 2 queue: queue.saveonshutdown: 1
2612.391786237:main thread : action 2 queue: queue.dequeueslowdown: 0
2612.391789424:main thread : action 2 queue: queue.dequeuetimebegin: 0
2612.391792662:main thread : action 2 queue: queue.dequeuetimeend: 25
2612.391796128:main thread : Action 0x560db7112df0: queue 0x560db7113160
created
2612.391801360:main thread : Decoding traditional PRI filter
'*.info;mail.none;authpriv.none;cron.none'
2612.391805034:main thread : symbolic name: info ==> 6
2612.391811611:main thread : symbolic name: none ==> 16
2612.391817311:main thread : symbolic name: mail ==> 16
2612.391822929:main thread : symbolic name: none ==> 16
2612.391828375:main thread : symbolic name: authpriv ==> 80
2612.391833922:main thread : symbolic name: none ==> 16
2612.391839287:main thread : symbolic name: cron ==> 72
2612.391844803:main thread : cnf:global:script
2612.391849842:main thread : tried selector action for builtin:omfile: 0
2612.391857380:main thread : Module builtin:omfile processes this action.
2612.391861270:main thread : template: 'RSYSLOG_TraditionalFileFormat'
assigned
2612.391866382:main thread : action 3 queue: parameter dump:
2612.391869685:main thread : action 3 queue: queue.filename '[NONE]'
2612.391872870:main thread : action 3 queue: queue.size: 1000
2612.391876080:main thread : action 3 queue: queue.dequeuebatchsize: 16
2612.391879301:main thread : action 3 queue: queue.maxdiskspace: 0
2612.391882477:main thread : action 3 queue: queue.highwatermark: 800
2612.391885705:main thread : action 3 queue: queue.lowwatermark: 200
2612.391888889:main thread : action 3 queue: queue.fulldelaymark: -1
2612.391891971:main thread : action 3 queue: queue.lightdelaymark: -1
2612.391895167:main thread : action 3 queue: queue.discardmark: 980
2612.391898665:main thread : action 3 queue: queue.discardseverity: 8
2612.391901815:main thread : action 3 queue: queue.checkpointinterval: 0
2612.391904982:main thread : action 3 queue: queue.syncqueuefiles: 0
2612.391908345:main thread : action 3 queue: queue.type: 3 [Direct]
2612.391911476:main thread : action 3 queue: queue.workerthreads: 1
2612.391914597:main thread : action 3 queue: queue.timeoutshutdown: 0
2612.391917900:main thread : action 3 queue: queue.timeoutactioncompletion:
1000
2612.391921062:main thread : action 3 queue: queue.timeoutenqueue: 50
2612.391924242:main thread : action 3 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.391927456:main thread : action 3 queue:
queue.workerthreadminimummessages: -1
2612.391930753:main thread : action 3 queue: queue.maxfilesize: 1048576
2612.391933939:main thread : action 3 queue: queue.saveonshutdown: 1
2612.391937071:main thread : action 3 queue: queue.dequeueslowdown: 0
2612.391940194:main thread : action 3 queue: queue.dequeuetimebegin: 0
2612.391943404:main thread : action 3 queue: queue.dequeuetimeend: 25
2612.391946694:main thread : Action 0x560db7113860: queue 0x560db7114150
created
2612.391951146:main thread : Decoding traditional PRI filter 'authpriv.*'
2612.391954509:main thread : symbolic name: * ==> 255
2612.391960404:main thread : symbolic name: authpriv ==> 80
2612.392035949:main thread : cnf:global:script
2612.392042833:main thread : tried selector action for builtin:omfile: 0
2612.392046205:main thread : Module builtin:omfile processes this action.
2612.392050343:main thread : template: 'RSYSLOG_TraditionalFileFormat'
assigned
2612.392055599:main thread : action 4 queue: parameter dump:
2612.392058858:main thread : action 4 queue: queue.filename '[NONE]'
2612.392062126:main thread : action 4 queue: queue.size: 1000
2612.392065352:main thread : action 4 queue: queue.dequeuebatchsize: 16
2612.392068536:main thread : action 4 queue: queue.maxdiskspace: 0
2612.392071810:main thread : action 4 queue: queue.highwatermark: 800
2612.392074988:main thread : action 4 queue: queue.lowwatermark: 200
2612.392078221:main thread : action 4 queue: queue.fulldelaymark: -1
2612.392081373:main thread : action 4 queue: queue.lightdelaymark: -1
2612.392084510:main thread : action 4 queue: queue.discardmark: 980
2612.392088532:main thread : action 4 queue: queue.discardseverity: 8
2612.392091905:main thread : action 4 queue: queue.checkpointinterval: 0
2612.392095045:main thread : action 4 queue: queue.syncqueuefiles: 0
2612.392099328:main thread : action 4 queue: queue.type: 3 [Direct]
2612.392102725:main thread : action 4 queue: queue.workerthreads: 1
2612.392105876:main thread : action 4 queue: queue.timeoutshutdown: 0
2612.392109011:main thread : action 4 queue: queue.timeoutactioncompletion:
1000
2612.392112231:main thread : action 4 queue: queue.timeoutenqueue: 50
2612.392115377:main thread : action 4 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.392118545:main thread : action 4 queue:
queue.workerthreadminimummessages: -1
2612.392121805:main thread : action 4 queue: queue.maxfilesize: 1048576
2612.392128724:main thread : action 4 queue: queue.saveonshutdown: 1
2612.392131959:main thread : action 4 queue: queue.dequeueslowdown: 0
2612.392135126:main thread : action 4 queue: queue.dequeuetimebegin: 0
2612.392138295:main thread : action 4 queue: queue.dequeuetimeend: 25
2612.392141607:main thread : Action 0x560db7114850: queue 0x560db7114ca0
created
2612.392146445:main thread : Decoding traditional PRI filter 'mail.*'
2612.392149861:main thread : symbolic name: * ==> 255
2612.392155756:main thread : symbolic name: mail ==> 16
2612.392161389:main thread : cnf:global:script
2612.392166082:main thread : tried selector action for builtin:omfile: 0
2612.392169345:main thread : Module builtin:omfile processes this action.
2612.392172922:main thread : template: 'RSYSLOG_TraditionalFileFormat'
assigned
2612.392177229:main thread : action 5 queue: parameter dump:
2612.392180387:main thread : action 5 queue: queue.filename '[NONE]'
2612.392183673:main thread : action 5 queue: queue.size: 1000
2612.392186868:main thread : action 5 queue: queue.dequeuebatchsize: 16
2612.392190051:main thread : action 5 queue: queue.maxdiskspace: 0
2612.392193204:main thread : action 5 queue: queue.highwatermark: 800
2612.392196342:main thread : action 5 queue: queue.lowwatermark: 200
2612.392199510:main thread : action 5 queue: queue.fulldelaymark: -1
2612.392202704:main thread : action 5 queue: queue.lightdelaymark: -1
2612.392205868:main thread : action 5 queue: queue.discardmark: 980
2612.392209072:main thread : action 5 queue: queue.discardseverity: 8
2612.392212259:main thread : action 5 queue: queue.checkpointinterval: 0
2612.392215396:main thread : action 5 queue: queue.syncqueuefiles: 0
2612.392218622:main thread : action 5 queue: queue.type: 3 [Direct]
2612.392221826:main thread : action 5 queue: queue.workerthreads: 1
2612.392224949:main thread : action 5 queue: queue.timeoutshutdown: 0
2612.392228134:main thread : action 5 queue: queue.timeoutactioncompletion:
1000
2612.392231440:main thread : action 5 queue: queue.timeoutenqueue: 50
2612.392234626:main thread : action 5 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.392237790:main thread : action 5 queue:
queue.workerthreadminimummessages: -1
2612.392241047:main thread : action 5 queue: queue.maxfilesize: 1048576
2612.392244213:main thread : action 5 queue: queue.saveonshutdown: 1
2612.392247309:main thread : action 5 queue: queue.dequeueslowdown: 0
2612.392250543:main thread : action 5 queue: queue.dequeuetimebegin: 0
2612.392253691:main thread : action 5 queue: queue.dequeuetimeend: 25
2612.392256944:main thread : Action 0x560db71153a0: queue 0x560db71157f0
created
2612.392261081:main thread : Decoding traditional PRI filter 'cron.*'
2612.392264239:main thread : symbolic name: * ==> 255
2612.392269775:main thread : symbolic name: cron ==> 72
2612.392275295:main thread : cnf:global:script
2612.392279571:main thread : tried selector action for builtin:omfile: -2001
2612.392283122:main thread : tried selector action for builtin:ompipe: -2001
2612.392286726:main thread : tried selector action for builtin-shell: -2001
2612.392290130:main thread : tried selector action for builtin:omdiscard:
-2001
2612.392293739:main thread : tried selector action for builtin:omfwd: -2001
2612.392297300:main thread : write-alltried selector action for
builtin:omusrmsg: 0
2612.392303288:main thread : Module builtin:omusrmsg processes this action.
2612.392307217:main thread : template: ' WallFmt' assigned
2612.392312237:main thread : action 6 queue: parameter dump:
2612.392315489:main thread : action 6 queue: queue.filename '[NONE]'
2612.392318624:main thread : action 6 queue: queue.size: 1000
2612.392321800:main thread : action 6 queue: queue.dequeuebatchsize: 16
2612.392324963:main thread : action 6 queue: queue.maxdiskspace: 0
2612.392328072:main thread : action 6 queue: queue.highwatermark: 800
2612.392334127:main thread : action 6 queue: queue.lowwatermark: 200
2612.392337371:main thread : action 6 queue: queue.fulldelaymark: -1
2612.392340837:main thread : action 6 queue: queue.lightdelaymark: -1
2612.392344000:main thread : action 6 queue: queue.discardmark: 980
2612.392347133:main thread : action 6 queue: queue.discardseverity: 8
2612.392350274:main thread : action 6 queue: queue.checkpointinterval: 0
2612.392353419:main thread : action 6 queue: queue.syncqueuefiles: 0
2612.392356643:main thread : action 6 queue: queue.type: 3 [Direct]
2612.392359855:main thread : action 6 queue: queue.workerthreads: 1
2612.392363027:main thread : action 6 queue: queue.timeoutshutdown: 0
2612.392366217:main thread : action 6 queue: queue.timeoutactioncompletion:
1000
2612.392369514:main thread : action 6 queue: queue.timeoutenqueue: 50
2612.392372702:main thread : action 6 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.392375865:main thread : action 6 queue:
queue.workerthreadminimummessages: -1
2612.392379145:main thread : action 6 queue: queue.maxfilesize: 1048576
2612.392382300:main thread : action 6 queue: queue.saveonshutdown: 1
2612.392385429:main thread : action 6 queue: queue.dequeueslowdown: 0
2612.392388509:main thread : action 6 queue: queue.dequeuetimebegin: 0
2612.392391758:main thread : action 6 queue: queue.dequeuetimeend: 25
2612.392395042:main thread : Action 0x560db7119b70: queue 0x560db7119f00
created
2612.392399674:main thread : Decoding traditional PRI filter '*.emerg'
2612.392403179:main thread : symbolic name: emerg ==> 0
2612.392409238:main thread : cnf:global:script
2612.392413744:main thread : tried selector action for builtin:omfile: 0
2612.392417063:main thread : Module builtin:omfile processes this action.
2612.392420619:main thread : template: 'RSYSLOG_TraditionalFileFormat'
assigned
2612.392425028:main thread : action 7 queue: parameter dump:
2612.392436440:main thread : action 7 queue: queue.filename '[NONE]'
2612.392439831:main thread : action 7 queue: queue.size: 1000
2612.392442979:main thread : action 7 queue: queue.dequeuebatchsize: 16
2612.392446168:main thread : action 7 queue: queue.maxdiskspace: 0
2612.392449260:main thread : action 7 queue: queue.highwatermark: 800
2612.392452354:main thread : action 7 queue: queue.lowwatermark: 200
2612.392460213:main thread : action 7 queue: queue.fulldelaymark: -1
2612.392463362:main thread : action 7 queue: queue.lightdelaymark: -1
2612.392466504:main thread : action 7 queue: queue.discardmark: 980
2612.392469640:main thread : action 7 queue: queue.discardseverity: 8
2612.392472752:main thread : action 7 queue: queue.checkpointinterval: 0
2612.392475903:main thread : action 7 queue: queue.syncqueuefiles: 0
2612.392479128:main thread : action 7 queue: queue.type: 3 [Direct]
2612.392482268:main thread : action 7 queue: queue.workerthreads: 1
2612.392485409:main thread : action 7 queue: queue.timeoutshutdown: 0
2612.392488553:main thread : action 7 queue: queue.timeoutactioncompletion:
1000
2612.392491705:main thread : action 7 queue: queue.timeoutenqueue: 50
2612.392494808:main thread : action 7 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.392497987:main thread : action 7 queue:
queue.workerthreadminimummessages: -1
2612.392501208:main thread : action 7 queue: queue.maxfilesize: 1048576
2612.392504300:main thread : action 7 queue: queue.saveonshutdown: 1
2612.392507377:main thread : action 7 queue: queue.dequeueslowdown: 0
2612.392510458:main thread : action 7 queue: queue.dequeuetimebegin: 0
2612.392513596:main thread : action 7 queue: queue.dequeuetimeend: 25
2612.392516843:main thread : Action 0x560db711a5e0: queue 0x560db711aa30
created
2612.392521564:main thread : Decoding traditional PRI filter 'uucp,news.crit'
2612.392524997:main thread : symbolic name: crit ==> 2
2612.392530633:main thread : symbolic name: uucp ==> 64
2612.392536400:main thread : symbolic name: news ==> 56
2612.392544955:main thread : cnf:global:script
2612.392552335:main thread : tried selector action for builtin:omfile: 0
2612.392569675:main thread : Module builtin:omfile processes this action.
2612.392573701:main thread : template: 'RSYSLOG_TraditionalFileFormat'
assigned
2612.392578538:main thread : action 8 queue: parameter dump:
2612.392581831:main thread : action 8 queue: queue.filename '[NONE]'
2612.392585003:main thread : action 8 queue: queue.size: 1000
2612.392588168:main thread : action 8 queue: queue.dequeuebatchsize: 16
2612.392591408:main thread : action 8 queue: queue.maxdiskspace: 0
2612.392594549:main thread : action 8 queue: queue.highwatermark: 800
2612.392597720:main thread : action 8 queue: queue.lowwatermark: 200
2612.392600838:main thread : action 8 queue: queue.fulldelaymark: -1
2612.392603924:main thread : action 8 queue: queue.lightdelaymark: -1
2612.392607112:main thread : action 8 queue: queue.discardmark: 980
2612.392610237:main thread : action 8 queue: queue.discardseverity: 8
2612.392613342:main thread : action 8 queue: queue.checkpointinterval: 0
2612.392616477:main thread : action 8 queue: queue.syncqueuefiles: 0
2612.392619701:main thread : action 8 queue: queue.type: 3 [Direct]
2612.392622811:main thread : action 8 queue: queue.workerthreads: 1
2612.392625955:main thread : action 8 queue: queue.timeoutshutdown: 0
2612.392629081:main thread : action 8 queue: queue.timeoutactioncompletion:
1000
2612.392632265:main thread : action 8 queue: queue.timeoutenqueue: 50
2612.392635400:main thread : action 8 queue:
queue.timeoutworkerthreadshutdown: 60000
2612.392638617:main thread : action 8 queue:
queue.workerthreadminimummessages: -1
2612.392641847:main thread : action 8 queue: queue.maxfilesize: 1048576
2612.392644962:main thread : action 8 queue: queue.saveonshutdown: 1
2612.392648058:main thread : action 8 queue: queue.dequeueslowdown: 0
2612.392651170:main thread : action 8 queue: queue.dequeuetimebegin: 0
2612.392654313:main thread : action 8 queue: queue.dequeuetimeend: 25
2612.392657571:main thread : Action 0x560db711b130: queue 0x560db711b580
created
2612.392667671:main thread : config parser: reached end of file
/etc/rsyslog.conf
2612.392671220:main thread : config parser: parsing completed
2612.392737367:main thread : Decoding traditional PRI filter 'local7.*'
2612.392741177:main thread : symbolic name: * ==> 255
2612.392747202:main thread : symbolic name: local7 ==> 184
2612.392753469:main thread : cnf:global:script
2612.392763166:main thread : Number of actions in this configuration: 9
2612.392767815:main thread : begin ruleset optimization phase
2612.392771277:main thread : ruleset 'RSYSLOG_DefaultRuleset' before
optimization:
2612.392776921:main thread : ruleset 0x560db70fcee0: rsyslog ruleset
RSYSLOG_DefaultRuleset:
2612.392780698:main thread : PRIFILT '*.*'
2612.392783772:main thread : pmask: FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF
2612.392848232:main thread : ACTION 1
[builtin:omfwd:action(type="builtin:omfwd" ...)]
2612.392854384:main thread : END PRIFILT
2612.392857761:main thread : PRIFILT
'*.info;mail.none;authpriv.none;cron.none'
2612.392860904:main thread : pmask: 7F 7F X 7F 7F 7F 7F 7F 7F X X 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2612.392925050:main thread : ACTION 2 [builtin:omfile:/var/log/messages]
2612.392930946:main thread : END PRIFILT
2612.392934217:main thread : PRIFILT 'authpriv.*'
2612.392937258:main thread : pmask: X X X X X X X X X X FF X X
X X X X X X X X X X X X X
2612.393000134:main thread : ACTION 3 [builtin:omfile:/var/log/secure]
2612.393005807:main thread : END PRIFILT
2612.393008948:main thread : PRIFILT 'mail.*'
2612.393011940:main thread : pmask: X X FF X X X X X X X X X X
X X X X X X X X X X X X X
2612.393074669:main thread : ACTION 4 [builtin:omfile:-/var/log/maillog]
2612.393084981:main thread : END PRIFILT
2612.393088442:main thread : PRIFILT 'cron.*'
2612.393091443:main thread : pmask: X X X X X X X X X FF X X X
X X X X X X X X X X X X X
2612.393155845:main thread : ACTION 5 [builtin:omfile:/var/log/cron]
2612.393161533:main thread : END PRIFILT
2612.393164649:main thread : PRIFILT '*.emerg'
2612.393167726:main thread : pmask: 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1
2612.393232913:main thread : ACTION 6 [builtin:omusrmsg::omusrmsg:*]
2612.393238565:main thread : END PRIFILT
2612.393241798:main thread : PRIFILT 'uucp,news.crit'
2612.393244926:main thread : pmask: X X X X X X X 7 7 X X X X
X X X X X X X X X X X X X
2612.393308231:main thread : ACTION 7 [builtin:omfile:/var/log/spooler]
2612.393313971:main thread : END PRIFILT
2612.393317119:main thread : PRIFILT 'local7.*'
2612.393320087:main thread : pmask: X X X X X X X X X X X X X
X X X X X X X X X X FF X X
2612.393383345:main thread : ACTION 8 [builtin:omfile:/var/log/boot.log]
2612.393389043:main thread : END PRIFILT
2612.393392279:main thread : ruleset 0x560db70fcee0: ruleset
RSYSLOG_DefaultRuleset assigned parser list:
2612.393396428:main thread : optimizer: removing always-true PRIFILT
0x560db71175b0
2612.393400326:main thread : ruleset 'RSYSLOG_DefaultRuleset' after
optimization:
2612.393403608:main thread : ruleset 0x560db70fcee0: rsyslog ruleset
RSYSLOG_DefaultRuleset:
2612.393407178:main thread : ACTION 1
[builtin:omfwd:action(type="builtin:omfwd" ...)]
2612.393410351:main thread : PRIFILT
'*.info;mail.none;authpriv.none;cron.none'
2612.393413422:main thread : pmask: 7F 7F X 7F 7F 7F 7F 7F 7F X X 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2612.393477900:main thread : ACTION 2 [builtin:omfile:/var/log/messages]
2612.393483667:main thread : END PRIFILT
2612.393486839:main thread : PRIFILT 'authpriv.*'
2612.393489879:main thread : pmask: X X X X X X X X X X FF X X
X X X X X X X X X X X X X
2612.393553093:main thread : ACTION 3 [builtin:omfile:/var/log/secure]
2612.393573940:main thread : END PRIFILT
2612.393577121:main thread : PRIFILT 'mail.*'
2612.393580060:main thread : pmask: X X FF X X X X X X X X X X
X X X X X X X X X X X X X
2612.393643291:main thread : ACTION 4 [builtin:omfile:-/var/log/maillog]
2612.393648941:main thread : END PRIFILT
2612.393651956:main thread : PRIFILT 'cron.*'
2612.393654901:main thread : pmask: X X X X X X X X X FF X X X
X X X X X X X X X X X X X
2612.393717844:main thread : ACTION 5 [builtin:omfile:/var/log/cron]
2612.393723371:main thread : END PRIFILT
2612.393726413:main thread : PRIFILT '*.emerg'
2612.393729374:main thread : pmask: 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1
2612.393793949:main thread : ACTION 6 [builtin:omusrmsg::omusrmsg:*]
2612.393799502:main thread : END PRIFILT
2612.393802627:main thread : PRIFILT 'uucp,news.crit'
2612.393805676:main thread : pmask: X X X X X X X 7 7 X X X X
X X X X X X X X X X X X X
2612.393868589:main thread : ACTION 7 [builtin:omfile:/var/log/spooler]
2612.393874260:main thread : END PRIFILT
2612.393877329:main thread : PRIFILT 'local7.*'
2612.393880263:main thread : pmask: X X X X X X X X X X X X X
X X X X X X X X X X FF X X
2612.393943052:main thread : ACTION 8 [builtin:omfile:/var/log/boot.log]
2612.393948648:main thread : END PRIFILT
2612.393951848:main thread : ruleset 0x560db70fcee0: ruleset
RSYSLOG_DefaultRuleset assigned parser list:
2612.393955312:main thread : ruleset 'linux_forward' before optimization:
2612.393959053:main thread : ruleset 0x560db7117500: rsyslog ruleset
linux_forward:
2612.393962529:main thread : ACTION 0
[builtin:omfwd:action(type="builtin:omfwd" ...)]
2612.393968838:main thread : STOP
2612.393972010:main thread : ruleset 0x560db7117500: ruleset linux_forward
assigned parser list:
2612.393975528:main thread : ruleset 'linux_forward' after optimization:
2612.393978722:main thread : ruleset 0x560db7117500: rsyslog ruleset
linux_forward:
2612.393982137:main thread : ACTION 0
[builtin:omfwd:action(type="builtin:omfwd" ...)]
2612.393985192:main thread : STOP
2612.393988182:main thread : ruleset 0x560db7117500: ruleset linux_forward
assigned parser list:
2612.393991616:main thread : ruleset optimization phase finished.
2612.393995114:main thread : telling rsyslog core that config load for
0x560db70f98b0 is done
2612.393999943:main thread : Timezone information table (0 entries):
2612.394007847:main thread : telling modules that config load for
0x560db70f98b0 is done
2612.394011612:main thread : beginCnfLoad(0x560db54fa130) for module
'builtin:omfile'
2612.394014883:main thread : calling endCnfLoad() for module 'builtin:omfile'
2612.394018326:main thread : beginCnfLoad(0x560db54fd150) for module
'builtin:ompipe'
2612.394021453:main thread : calling endCnfLoad() for module 'builtin:ompipe'
2612.394025075:main thread : beginCnfLoad((nil)) for module 'builtin-shell'
2612.394028488:main thread : beginCnfLoad((nil)) for module
'builtin:omdiscard'
2612.394031783:main thread : beginCnfLoad(0x560db54f72e0) for module
'builtin:omfwd'
2612.394034884:main thread : calling endCnfLoad() for module 'builtin:omfwd'
2612.394046689:main thread : beginCnfLoad((nil)) for module
'builtin:omusrmsg'
2612.394050150:main thread : beginCnfLoad((nil)) for module
'builtin:pmrfc5424'
2612.394053303:main thread : beginCnfLoad((nil)) for module
'builtin:pmrfc3164'
2612.394056467:main thread : beginCnfLoad((nil)) for module 'builtin:smfile'
2612.394059602:main thread : beginCnfLoad((nil)) for module
'builtin:smtradfile'
2612.394062781:main thread : beginCnfLoad((nil)) for module 'builtin:smfwd'
2612.394065911:main thread : beginCnfLoad((nil)) for module
'builtin:smtradfwd'
2612.394069228:main thread : beginCnfLoad(0x7f995e3ed050) for module
'imuxsock'
2612.394072383:main thread : calling endCnfLoad() for module 'imuxsock'
2612.394075896:main thread : beginCnfLoad(0x7f995e1e6160) for module
'imjournal'
2612.394078996:main thread : calling endCnfLoad() for module 'imjournal'
2612.394082302:main thread : beginCnfLoad(0x7f995c0c5b20) for module 'imfile'
2612.394093952:main thread : calling endCnfLoad() for module 'imfile'
2612.394097631:main thread : imfile: opmode is 1, polling interval is 10
2612.394100980:main thread : telling modules to check config 0x560db70f98b0
2612.394104500:main thread : module builtin:omfile tells us config can be
activated
2612.394107801:main thread : module builtin:ompipe tells us config can be
activated
2612.394111065:main thread : module builtin:omfwd tells us config can be
activated
2612.394114683:main thread : module imuxsock tells us config can be activated
2612.394117879:main thread : module imjournal tells us config can be
activated
2612.394123406:main thread : module imfile tells us config can be activated
2612.394126975:main thread : GenerateLocalHostName uses
'sandcaykhsc-v-sienags-01'
rsyslogd: End of config validation run. Bye.
-----Original Message-----
From: Rainer Gerhards [mailto:[email protected]]
Sent: Wednesday, April 03, 2019 2:04 AM
To: rsyslog-users
Cc: Gorman, Kevin
Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
> *.* action(
> type="omfwd"
> ruleset="linux_forward"
> tag="rsyslog"
> name="rsyslog"
> )
Which doc do you use as reference for this? Or, more general, which doc link do
you use to craft the configs?
Rainer
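
An added example, not written by either participant in this thread: one way to state the log server address, port and protocol exactly once is to keep the omfwd action only inside the `linux_forward` ruleset and have the default ruleset `call` it. The file names and target are taken from the post above; the queue and retry parameters are an assumption added here so that audit records are buffered rather than dropped while the log server is unreachable.

```conf
# /etc/rsyslog.d/rsyslog.all.conf  (added example, not the poster's file)
module(load="imfile" mode="inotify")

global(
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)

# The only place the log server address, port and protocol appear.
ruleset(name="linux_forward") {
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"   # logserver VIP, from the post
        port="5544"
        protocol="tcp"
        # Assumption, not in the post: a disk-assisted action queue plus
        # unlimited retries, so messages wait in workDirectory while the
        # TCP connection to the log server is down.
        queue.type="LinkedList"
        queue.filename="linux_forward_q"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
    # No "stop" in this ruleset: messages that arrive here through "call"
    # must continue on to the local file rules in /etc/rsyslog.conf.
}

# Replaces the second, duplicated '*.* action(type="omfwd" ...)' block.
# Everything that reaches the default ruleset (imuxsock, imjournal) is
# handed to the same forwarding action.
call linux_forward


# /etc/rsyslog.d/rsyslog.linux.conf  (unchanged from the post)
# Inputs bound to a ruleset are processed by that ruleset only, so these
# lines are forwarded but never written to /var/log/messages.
input(
    type="imfile"
    ruleset="linux_forward"
    tag="ansible"
    file="/var/log/ansible.log"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit/audit.log"
)
```

After editing, `rsyslogd -N2` (the validation run shown above) should list a single omfwd action, inside `linux_forward`, and a call to that ruleset in `RSYSLOG_DefaultRuleset`.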