The *.* call linux_forward was the key. Much cleaner. Thanks!
I also see the audit logs in the debug log and at the other end in tcpdump. I
don't see the messages in the remote log system data, but that's another issue
and product receiving the logs.
I added addMetadata to the module load and a metadata entry to the input but
get debug errors. I guess metadata isn't supported in this old version or am I
missing something else?
...
rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.all.conf, on or
before line 1: parameter 'addMetadata' not known -- typo in config file?
[v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
...
1789.633979501:main thread : Called LogMsg, msg: error during parsing file
/etc/rsyslog.d/rsyslog.linux.conf, on or before line 17: parameter 'metadata'
not known -- typo in config file?
rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.linux.conf, on or
before line 17: parameter 'metadata' not known -- typo in config file?
[v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
...
module(load="imfile" mode="inotify" addMetadata="on")
global (
parser.dropTrailingLFOnReception="on"
parser.escapeControlCharactersOnReceive="on"
workDirectory="/var/lib/rsyslog"
)
ruleset(
name="linux_forward"
queue.type="LinkedList"
queue.filename="FwdRule0"
queue.maxDiskSpace="1g"
queue.saveOnShutdown="on"
) {
action(
type="omfwd"
target="2001:4888:a00:3154:f0:ff2:0:b01" # logserver VIP
protocol="tcp"
port="5544"
action.resumeRetryCount="-1"
)
}
*.* call linux_forward
input(
type="imfile"
ruleset="linux_forward"
tag="audit"
file="/var/log/audit/audit.log"
metadata="filename"
)
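An added example, not part of this thread: a small Python parser for the unknown-parameter errors rsyslogd prints in a validation run (rsyslogd -N2), so a config check in a deployment pipeline can fail before the service is restarted and name the offending file, line and parameter. The sample output is constructed from the messages quoted above, and the message shapes the regexes match are assumptions taken from that quoted text.

```python
import re
from dataclasses import dataclass

# Shape of the error rsyslogd prints for an unknown object parameter, as seen
# in the validation output quoted above (file, line number, parameter name).
PARAM_ERR = re.compile(
    r"error during parsing file (?P<file>\S+), on or before line (?P<line>\d+): "
    r"parameter '(?P<param>[^']+)' not known"
)
# Version tag rsyslogd appends, e.g. "[v8.24.0-34.el7 try http://... ]".
VERSION_TAG = re.compile(r"\[v(?P<version>[^\s\]]+)")

@dataclass(frozen=True)
class ParseError:
    file: str
    line: int
    param: str
    version: str  # empty when no "[vX.Y.Z ...]" tag followed the message

def parse_validation_output(text: str) -> list:
    """One ParseError per unknown parameter reported by 'rsyslogd -N2'."""
    # Pasted output wraps lines, so flatten whitespace before matching.
    flat = " ".join(text.split())
    found = {}
    for m in PARAM_ERR.finditer(flat):
        key = (m.group("file"), int(m.group("line")), m.group("param"))
        # Only look for the version tag up to the next error message.
        tail = flat[m.end():]
        nxt = tail.find("error during parsing")
        if nxt != -1:
            tail = tail[:nxt]
        v = VERSION_TAG.search(tail)
        version = v.group("version") if v else ""
        # Debug mode logs each error twice; keep one entry, preferring a tagged copy.
        if key not in found or (version and not found[key].version):
            found[key] = ParseError(*key, version=version)
    return list(found.values())

# Constructed sample, modelled on the rsyslogd 8.24.0 output quoted above.
SAMPLE_OUTPUT = """\
rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.all.conf, on or
before line 1: parameter 'addMetadata' not known -- typo in config file?
[v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
1789.633979501:main thread : Called LogMsg, msg: error during parsing file
/etc/rsyslog.d/rsyslog.linux.conf, on or before line 17: parameter 'metadata'
not known -- typo in config file?
rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.linux.conf, on or
before line 17: parameter 'metadata' not known -- typo in config file?
[v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
"""
```

Run it against the stderr of `rsyslogd -N2 2>&1` before restarting the daemon; a non-empty result means the running package does not know a parameter the config uses.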
-----Original Message-----
From: Rainer Gerhards [mailto:[email protected]]
Sent: Wednesday, April 03, 2019 10:26 AM
To: Gorman, Kevin
Cc: rsyslog-users
Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
On Wed, 3 Apr 2019 at 17:13, Gorman, Kevin
(<[email protected]>) wrote:
I'm using any and all docs on
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rsyslog.com_doc_v8-2Dstable&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=l98nK1LGc7XvzQocBxz0C-beuBDTTA_0A-BxOzUwFG0&s=M4v2Mr09OpuPe6E_YDxsM_PPIOsvcPbnav9gu73kKaE&e=,
posts on the internet, etc. The thing is there are few actual configuration examples and info on how
to actually use the various syntax for rsyslog, but lots of references on what individual parts do,
which makes it difficult for someone not familiar with it to get anything done.
I asked because the parameters you gave simply did not exist, thus the syntax
error. The online doc is for the currently selected version.
With outdated versions like 8.24.0 you should probably stick to the OS provided
doc package. That just as info.
It is impossible to provide full config examples for everything - there are
more potential configs than atoms in the universe (really!).
It would be good if users would contribute their configs to the doc, but this
does not happen so far :-(
The version is 8.24 on RHEL 7.6 using the default rsyslog.conf. Here is the
complete config.
There is no problem collecting or forwarding log data defined in rsyslog.conf.
I simply want to define the address, port and protocol once and only once.
I am having trouble forwarding the other 2 sample log files, or rather
audit.log since ansible.log is always empty. Audit.log is not defined in
rsyslog.conf and is pretty busy, but I don't see data in tcpdump on the local
server or in the remote log server.
From the debug output below, everything looks ok to me.
Let me have a look. Warning: I don't remember what was at the time we had 8.24
(probably 2.5 yrs ago),
# cat rsyslog.all.conf
module(load="imfile" mode="inotify")
global (
parser.dropTrailingLFOnReception="on"
parser.escapeControlCharactersOnReceive="on"
workDirectory="/var/lib/rsyslog"
)
ruleset(name="linux_forward") {
action(
type="omfwd"
target="2001:4888:a00:3154:f0:ff2:0:b01" # logserver VIP
protocol="tcp"
port="5544"
)
stop
stop is unnecessary here, but causes no issue.
}
*.* action(
type="omfwd"
target="2001:4888:a00:3154:f0:ff2:0:b01"
port="5544"
protocol="tcp"
)
replace by
call linux_forward
# cat rsyslog.linux.conf
input(
type="imfile"
ruleset="linux_forward"
tag="ansible"
file="/var/log/ansible.log"
)
input(
type="imfile"
ruleset="linux_forward"
tag="audit"
file="/var/log/audit/audit.log"
)
looks good
# grep -v ^# /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
looks good
# rsyslogd -N2 2>&1
rsyslogd: version 8.24.0-34.el7, config validation run (level 2),
master config /etc/rsyslog.conf
2612.391124552:main thread : debug level 2 set via config file
2612.391137687:main thread : This is rsyslog version 8.24.0-34.el7
2612.391142024:main thread : config parser: reached end of file
/etc/rsyslog.d/rsyslog.debug.conf
at least one of the included files is missing - if others are missing they may
have problems...
[snip]
rsyslogd: End of config validation run. Bye.
except for the call, I don't see an issue.
As a test, do an upgrade to the currently supported version. If it works, you
have hit an already solved bug.
HTH
Rainer
-----Original Message-----
From: Rainer Gerhards [mailto:[email protected]]
Sent: Wednesday, April 03, 2019 2:04 AM
To: rsyslog-users
Cc: Gorman, Kevin
Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
*.* action(
type="omfwd"
ruleset="linux_forward"
tag="rsyslog"
name="rsyslog"
)
Which doc do you use as reference for this? Or, more general, which doc link do
you use to craft the configs?
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards