Sent from phone, thus brief.

Gorman, Kevin via rsyslog <[email protected]> wrote on Wed, 3 Apr 2019, 21:57:
> I want everything to go through the ruleset to the remote system.
> As I understand it, the inputs are each forwarded by the ruleset= and
> everything in rsyslog.conf is forwarded as *.* in the call.
> Then there's the question of where the ruleset gets called (if it
> matters). It's defined in a file read before the file inputs, so I'd think
> rsyslog might not like that.
>
> -----Original Message-----
> From: David Lang [mailto:[email protected]]
> Sent: Wednesday, April 03, 2019 2:51 PM
> To: Gorman, Kevin via rsyslog
> Cc: Gorman, Kevin
> Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
>
> On Wed, 3 Apr 2019, Gorman, Kevin via rsyslog wrote:
>
> > So I could get rid of the *.* and the ruleset= in the inputs as shown?
> > That would create a simpler config that works the same, meaning it forwards
> > anything configured, correct? I'm being pedantic I guess...
>
> yes, you want either the call, or the ruleset=, not both. If you want all
> your locally generated logs (and any logs from any other inputs) forwarded,
> then you want the call. If you only want to send the logs from the imfile
> sources, then you want the ruleset= lines and not the call.
>

Going to the ruleset directly is actually quicker, especially if it has a queue defined. So I would not change the input definitions.

Rainer

>
> David Lang
>
> > # cat rsyslog.all.conf
> >
> > module(load="imfile" mode="inotify")
> >
> > global (
> >     parser.dropTrailingLFOnReception="on"
> >     parser.escapeControlCharactersOnReceive="on"
> >     workDirectory="/var/lib/rsyslog"
> > )
> >
> > ruleset(
> >     name="linux_forward"
> >     queue.type="LinkedList"
> >     queue.filename="FwdRule0"
> >     queue.maxDiskSpace="1g"
> >     queue.saveOnShutdown="on"
> > ) {
> >     action(
> >         type="omfwd"
> >         target="2001:4888:a00:3154:f0:ff2:0:b01" # logserver VIP
> >         protocol="tcp"
> >         port="5544"
> >         action.resumeRetryCount="-1"
> >     )
> > }
> >
> > call linux_forward
> >
> >
> > cat rsyslog.linux.conf
> >
> > input(
> >     type="imfile"
> >     # ruleset="linux_forward"
> >     tag="ansible"
> >     file="/var/log/ansible.log"
> > )
> >
> > input(
> >     type="imfile"
> >     # ruleset="linux_forward"
> >     tag="audit"
> >     file="/var/log/audit/audit.log"
> > )
> >
> > -----Original Message-----
> > From: David Lang [mailto:[email protected]]
> > Sent: Wednesday, April 03, 2019 2:34 PM
> > To: Gorman, Kevin via rsyslog
> > Cc: Gorman, Kevin
> > Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
> >
> > On Wed, 3 Apr 2019, Gorman, Kevin via rsyslog wrote:
> >
> >> The *.* call linux_forward was the key. Much cleaner. Thanks!
> >
> > There was nothing in your old config to tell it to execute the ruleset,
> > you needed to either call the ruleset unconditionally (in which case you
> > don't need the *.*), or you need to add a ruleset="linux_forward" to each of
> > the imfile inputs.
> >
> > putting a call in unconditionally will send all logs, not just the ones
> > from imfile, to the remote system.
> >
> > it all depends on what you are trying to do.
> >
> >> I also see the audit logs in the debug log and at the other end in
> >> tcpdump. I don't see the messages in the remote log system data, but that's
> >> another issue and product receiving the logs.
> >>
> >> I added addMetadata to the module load and a metadata entry to the
> >> input but get debug errors. I guess metadata isn't supported in this old
> >> version or am I missing something else?
> >>
> >> ...
> >> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.all.conf, on or before line 1: parameter 'addMetadata' not known -- typo in config file? [v8.24.0-34.el7 try https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_e_2207&d=DwIBAg&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=KmZ2o6OytdrJSRYlV7ukoXSDhbAGd-va7dY5DwHA4Us&s=uwoGMRPzHCxGkHFc_Vc-6dMRKey8VspWpXTBYgPnIrk&e= ] ...
> >> 1789.633979501:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/rsyslog.linux.conf, on or before line 17: parameter 'metadata' not known -- typo in config file?
> >> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog.linux.conf, on or before line 17: parameter 'metadata' not known -- typo in config file? [v8.24.0-34.el7 try https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_e_2207&d=DwIBAg&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=KmZ2o6OytdrJSRYlV7ukoXSDhbAGd-va7dY5DwHA4Us&s=uwoGMRPzHCxGkHFc_Vc-6dMRKey8VspWpXTBYgPnIrk&e= ] ...
> >
> > I don't remember when addMetadata was added to imfile. we were at 8.40
> > when we changed the naming scheme, 40-24 - 16 versions * 1.5
> > months/version = 2 years between the version you are running and when
> > we changed our naming scheme to make it more obvious how old the
> > version is. :-)
> >
> > there were a lot of changes during that time, IIRC they included a
> > complete overhaul of imfile.
> >
> > check the docs shipped with RedHat to see if they mention addMetadata
> > (and do they define it on the module() call or the input() call) or try
> > upgrading to a more current version.
> >
> > David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
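
The situation described in the thread, where a forwarding ruleset is defined but nothing binds an input to it or calls it, can be checked before deployment. The following is an added example, not part of the thread or of rsyslog itself: a simplified Python check whose function names are hypothetical and which only understands flat `input(...)` statements, top-level `call` statements (with or without a `*.*` prefix) and `#` comments; it does not follow calls made from other rulesets or from inside `if` blocks.

```python
import re

# Constructed sample: the thread's layout with the ruleset defined but
# neither a top-level call nor an active ruleset= binding on the inputs.
SAMPLE = '''
ruleset(name="linux_forward" queue.type="LinkedList" queue.filename="FwdRule0") {
    action(type="omfwd" target="2001:4888:a00:3154:f0:ff2:0:b01" # logserver VIP
           protocol="tcp" port="5544" action.resumeRetryCount="-1")
}
input(type="imfile" tag="ansible" file="/var/log/ansible.log")
input(
    type="imfile"
    # ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit/audit.log"
)
'''

def _strip_comments(conf):
    # Remove '#' comments but keep '#' characters inside quoted values.
    return re.sub(r'("[^"]*")|#[^\n]*', lambda m: m.group(1) or "", conf)

def _top_level(conf):
    # Text outside any {...} block, i.e. statements of the default ruleset.
    depth, out = 0, []
    for ch in conf:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def ruleset_reach(conf, ruleset):
    """Map each input's file (or type) to how its messages reach `ruleset`."""
    conf = _strip_comments(conf)
    called = ruleset in re.findall(r"\bcall\s+([\w.-]+)", _top_level(conf))
    report = {}
    for m in re.finditer(r"\binput\s*\(([^)]*)\)", conf):
        params = dict(re.findall(r'([\w.]+)\s*=\s*"([^"]*)"', m.group(1)))
        key = params.get("file", params.get("type", "?"))
        bound = params.get("ruleset")
        if bound == ruleset:
            report[key] = "bound"      # delivered straight to the ruleset
        elif bound is None and called:
            report[key] = "call"       # reaches it via the default ruleset
        else:
            report[key] = "unreached"  # nothing executes the ruleset for it
    return report
```

An `unreached` result for `/var/log/audit/audit.log` means the audit trail would stay on the host and never reach the log server.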

