Ok,
So I could get rid of the *.* and the ruleset= in the inputs as shown? That
would create a simpler config that works the same, meaning it forwards anything
configured, correct? I'm being pedantic I guess...
# cat rsyslog.all.conf
module(load="imfile" mode="inotify")
global (
parser.dropTrailingLFOnReception="on"
parser.escapeControlCharactersOnReceive="on"
workDirectory="/var/lib/rsyslog"
)
ruleset(
name="linux_forward"
queue.type="LinkedList"
queue.filename="FwdRule0"
queue.maxDiskSpace="1g"
queue.saveOnShutdown="on"
) {
action(
type="omfwd"
target="2001:4888:a00:3154:f0:ff2:0:b01" # logserver VIP
protocol="tcp"
port="5544"
action.resumeRetryCount="-1"
)
}
call linux_forward
cat rsyslog.linux.conf
input(
type="imfile"
# ruleset="linux_forward"
tag="ansible"
file="/var/log/ansible.log"
)
input(
type="imfile"
# ruleset="linux_forward"
tag="audit"
file="/var/log/audit/audit.log"
)
-----Original Message-----
From: David Lang [mailto:[email protected]]
Sent: Wednesday, April 03, 2019 2:34 PM
To: Gorman, Kevin via rsyslog
Cc: Gorman, Kevin
Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
On Wed, 3 Apr 2019, Gorman, Kevin via rsyslog wrote:
> The *.* call linux_forward was the key. Much cleaner. Thanks!
There was nothing in your old config to tell it to execute the ruleset, you
needed to either call the ruleset unconditionally (in which case you don't need
the *.*), or you needto add a ruleset="linux_forward" to each of the imfile
inputs.
putting a call in unconditionally will send all logs, not just the ones from
imfile, to the remote system.
it all depends on what you are trying to do.
> I also see the audit logs in the debug log and at the other end in tcpdump. I
> don't see the messages in the remote log system data, but that's another
> issue and product receiving the logs.
>
> I added addMetadata to the module load and a metadata entry to the input but
> get debug errors. I guess metadata isn't supported in this old version or am
> I missing something else?
>
> ...
> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.all.conf,
> on or before line 1: parameter 'addMetadata' not known -- typo in config
> file? [v8.24.0-34.el7 try
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_e_2207&d=DwIBAg&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=KmZ2o6OytdrJSRYlV7ukoXSDhbAGd-va7dY5DwHA4Us&s=uwoGMRPzHCxGkHFc_Vc-6dMRKey8VspWpXTBYgPnIrk&e=
> ] ...
> 1789.633979501:main thread : Called LogMsg, msg: error during parsing file
> /etc/rsyslog.d/rsyslog.linux.conf, on or before line 17: parameter 'metadata'
> not known -- typo in config file?
> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.linux.conf,
> on or before line 17: parameter 'metadata' not known -- typo in config file?
> [v8.24.0-34.el7 try
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_e_2207&d=DwIBAg&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=KmZ2o6OytdrJSRYlV7ukoXSDhbAGd-va7dY5DwHA4Us&s=uwoGMRPzHCxGkHFc_Vc-6dMRKey8VspWpXTBYgPnIrk&e=
> ] ...
I don't remember when addMetadata was added to imfile. we were at 8.40 when we
changed the naming scheme, 40-24 - 16 versions * 1.5 months/version = 2 years
between the version you are running and when we changed our naming scheme to
make it more obvious how old the version is. :-)
there were a lot of changes during that time, IIRC they included a complete
overhaul of imfile.
check the docs shipped with RedHat to see if they mention addMetadata (and do
they define it on the module() call or the input() call) or try upgrading to a
more current version.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
