I need to translate rsyslogd-8.24.0-57, used on RHEL7 servers to be
effectively adapted for RHEL8 servers running rsyslogd-8.2102.0-15.
I have tried to do this on my own, with Python developers (who wrote
Ansible playbooks, etc.) that were in the same environment and for some
reason assumed that the RHEL7/rsyslogd-8.24.0-57 rsyslog.conf file could
be used on a RHEL8 server.
I found issues, I addressed them in the rsyslog.conf in our Dev Lab and
got things working to my expectations.
However, leaning into the Production environment, I made the assumptions
that I could take my own syntax adaptations and simply drop them into the
factory-fresh (newly installed) rsyslog.conf running on the RHEL8 server we
have in our Production environments.
*This did not work in our Prod environment as expected, like it did in our
Dev Lab.*
I am hoping that someone can help me, as I attempt to help you help me by
posting details in "sections," such as listeners, modules, templates, and
conditionals (that help parse incoming data into separate log files).
What I had for RHEL7 rsyslog.conf config changes were the following (which
I got help on this List before to fine tune them):
*Listeners*
I had the following for listeners before:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$TCPServerRun 514
I need to have a UDP and a TCP listener because not all of our devices
transmit over TCP, and we need the syslog-data records to be recorded.
So, what I tried as an adaptation was:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514" address="172.20.46.101")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514" address="172.20.46.101")
I get listeners up on both protocols (udp & tcp), so I believe that I am
fine here. If you have comments for improvements, please tell me.
*Modules*
In the RHEL7 rsyslog-8.24.0-57 config file, rsyslog.conf, I used the
following syntax, to ensure that logfiles were created and set to specific
custom ownerships, modes, etc.
Module(load="builtin:omfile")
$CreateDirs on
$DirCreateMode 0700
$FileCreateMode 0600
$FileGroupNum 1037 <-- This is what I got
help with last time I reached out to the List; the use/being made aware of
this directive (FileGroupNum).
So with respect to rsyslog-8.2102.0-15, I adapted the syntax to this
(again, please provide suggestions/corrections if necessary):
module(load="builtin:omfile" dirCreateMode="0700" fileCreateMode="0600"
fileGroupNum="1037")
action(type="omfile" createDirs="on")
Does this make sense?
*Templates*
I used templates that also employ Rsyslog properties, specifically I use
%HOSTNAME% so that I can get log files generated on the fly and not have to
hard-code the hostnames.
This is how I addressed the task/configuration in RHEL7 rsyslog-8.24.0-57
config file, rsyslog.conf:
$template CATC,"/var/log/remote/%HOSTNAME%.log"
$template SECU,"/var/log/remote/%HOSTNAME%/secure"
$template MESG,"/var/log/remote/%HOSTNAME%/messages"
This is how I *attempted to* address the configuration with the
rsyslog-8.2102.0-15 config file, rsyslog.conf:
template(name="CATC" type="string" string="/var/log/remote/%HOSTNAME%.log")
template(name="SECU" type="string"
string="/var/log/remote/%HOSTNAME%/secure")
template(name="MESG" type="string"
string="/var/log/remote/%HOSTNAME%/messages")
I start getting lost right around this point, because I see references to
actions for rsyslog-8.2102.0-15 and am not sure what to do.
I honestly do not know, if:
1. I need to use the template syntax still or not; or is it deprecated
by the action(syntax)?
2. I also do not know if I can still use the %HOSTNAME% Rsyslog
property or not.
I definitely need help, inputs, corrections, adjustments that help me
understand the details immediately above.
*Conditionals*
Finally, I have this syntax for parsing incoming data from various sources,
then depositing it into a logfile using the aforementioned templates (using
%HOSTNAME%) with rsyslog-8.24.0-57:
if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains
'172.20.245.101') then {
authpriv.* -?SECU
*.info;mail.none;authpriv.none;cron.none -?MESG
& stop
} else if ( $fromhost contains 'i42tskvm' ) then {
*.* -?MESG
stop
} else {
*.* /var/log/messages
stop
}
This syntax works perfectly for me on the older Rsyslog servers. I am
really confused on what to do on RHEL8 rsyslog-8.2102.0-15.
I am not sure what to do with the action(syntax) in combination with the
template(syntax) to make this all come together.
Thank you for any guidance and suggestions.
--------------------------
Warron French
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
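For readers of the archive: the legacy listener, omfile, template and conditional pieces above, rewritten as one RainerScript configuration for rsyslog 8.2102. This is an added example, not the poster's file or anything from the rsyslog project; it assumes the same addresses, hostnames, paths, group id and modes the post gives.

```rsyslog
# Added example (not from the original post). Listeners: same as the post.
module(load="imudp")
input(type="imudp" port="514" address="172.20.46.101")
module(load="imtcp")
input(type="imtcp" port="514" address="172.20.46.101")

# Module-level defaults for every omfile action: the v8 form of
# $DirCreateMode / $FileCreateMode / $FileGroupNum.
module(load="builtin:omfile" dirCreateMode="0700" fileCreateMode="0600"
       fileGroupNum="1037")

# template() is not deprecated by action(); action() only references a
# template. %HOSTNAME% is still a valid property in the string template.
template(name="SECU" type="string" string="/var/log/remote/%HOSTNAME%/secure")
template(name="MESG" type="string" string="/var/log/remote/%HOSTNAME%/messages")

# dynaFile="NAME" replaces the legacy "-?NAME" action. The leading "-"
# (do not sync after each write) is already the v8 default (sync="off").
# prifilt() applies the classic facility.priority selector inside a block.
if ($fromhost-ip startswith '172.20.245.5'
    or $fromhost-ip contains '172.20.245.101') then {
    # caveat: startswith is a prefix test, so '172.20.245.5' also matches
    # 172.20.245.50 through 172.20.245.59; use == for an exact address.
    if prifilt("authpriv.*") then {
        action(type="omfile" dynaFile="SECU" createDirs="on")
    }
    if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        action(type="omfile" dynaFile="MESG" createDirs="on")
        stop   # same scope as the legacy "& stop": only these messages stop
    }
} else if ($fromhost contains 'i42tskvm') then {
    action(type="omfile" dynaFile="MESG" createDirs="on")
    stop
} else {
    action(type="omfile" file="/var/log/messages")
    stop
}
```

Checking the result with `rsyslogd -N1 -f /path/to/rsyslog.conf` parses the file without starting the daemon, which is the quickest way to catch a syntax difference between the lab and production files.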