On 4/11/2018 8:24 AM, Plof Jacht via rsyslog wrote:
Hello,
Hoping this is not too RTFM, I see messages like this and don't know where
to start solving:
action 'hostname' resumed (module 'omrelp') [v8.32.0 try
http://www.rsyslog.com/e/2359 ]
action 'hostname' suspended (module 'omrelp'), retry
2018-02-21 15:25:50Login.Intruder.IP 111.222.333.444 mouse123456
rule=:%datestamp:date-iso%%-:whitespace%%timestamp:time-24hr%%-:whitespace%%event:word%%-:whitespace%%ip:ipv4%%-:whitespace%%auth:word%
I tried using both v1 and v2 rules, all with no luck; evidently I'm
doing something wro
I started with the example here:
https://github.com/rsyslog/liblognorm-rulebases/blob/master/rules/v2/apache_common.rb
and attempted to modify it like so:
rule=login_intruder_ip:%[
{"type": "date-iso", "name": "datestamp"},
{"type": "whitespace"},
{"type": "time-24hr", "name": "timestamp"
On 3/19/2018 11:49 AM, Carsten Lange via rsyslog wrote:
Dear all,
currently I am facing an issue with empty LOG entries.
I have setup a rsyslog server with TLS receiving events via the internet from a
cloud provider.
The rsyslog server is behind a load balancer which is doing some NAT.
I do get
Setup:
* Latest stable rsyslog from Ubuntu PPA
* 50-60 clients, sending to central receiver via omrelp (JSON payloads)
* About 5 clients, sending to central receiver via omfwd/tcp (standard
syslog)
I use a standard "client" configuration for all nodes, including a
central receiver that feeds
On 3/13/2018 12:34 PM, LuKreme wrote:
On Mar 13, 2018, at 11:15, deoren
wrote:
Here is an untested solution using the "advanced" format:
Oh my, that is fascinating. I hadn't come across the advanced format yet, but
that does look like it's a lot more readable, at leas
is emerg
else if syslogseverity < 4 then {
action(type="omfile" file="/var/log/ftp-error.log")
}
# Drop all 'ftp' facility messages. By this point those messages
# should have already been logged in one of the previously
# specified fi
http://www.rsyslog.com/doc/v8-stable/configuration/templates.html#generating-json
Example from the docs:
template(name="outfmt" type="list" option.jsonf="on") {
property(outname="@timestamp" name="timereported"
dateFormat="rfc3339" format="jsonf")
property(outname="host" nam
On 3/9/2018 1:53 AM, deoren wrote:
On 3/9/2018 1:48 AM, Rainer Gerhards wrote:
2018-03-09 8:35 GMT+01:00 deoren
:
On 3/9/2018 1:24 AM, Rainer Gerhards wrote:
2018-03-09 8:21 GMT+01:00 deoren
:
On 3/9/2018 1:17 AM, Rainer Gerhards wrote:
2018-03-09 4:06 GMT+01:00 David Lang :
I would
On 3/10/2018 5:53 PM, David Lang wrote:
On Fri, 9 Mar 2018, Rainer Gerhards wrote:
1) switch forum to read-only
2) mention github as issue tracker (email integration is great)
3) try this e.g. for 3 month
If it works out - great. If not, move on to something else. New users
will probably not
On 3/9/2018 3:10 AM, Rainer Gerhards wrote:
So how about this?
- do not mention forum any longer
- say "github is for questions"
- say "SE is experimentally for questions, but less likely to draw
answers from team"
- keep "mailing list is great to ask questions"
update this in doc, site etc.
I
On 3/9/2018 1:53 AM, deoren wrote:
On 3/9/2018 1:48 AM, Rainer Gerhards wrote:
IMO it's not the right thing to send it to the list. Whoever is
interested in those questions can subscribe. Actually I am for quite a
while.
Ah OK, I'm glad to hear I'm wrong. I'll look into
On 3/9/2018 1:48 AM, Rainer Gerhards wrote:
2018-03-09 8:35 GMT+01:00 deoren
:
On 3/9/2018 1:24 AM, Rainer Gerhards wrote:
2018-03-09 8:21 GMT+01:00 deoren
:
On 3/9/2018 1:17 AM, Rainer Gerhards wrote:
2018-03-09 4:06 GMT+01:00 David Lang :
I would like to replace the existing forum
On 3/9/2018 1:24 AM, Rainer Gerhards wrote:
2018-03-09 8:21 GMT+01:00 deoren
:
On 3/9/2018 1:17 AM, Rainer Gerhards wrote:
2018-03-09 4:06 GMT+01:00 David Lang :
I would like to replace the existing forum with something that ties in to
the mailing lists (and/or retire the forum entirely
On 3/9/2018 1:17 AM, Rainer Gerhards wrote:
2018-03-09 4:06 GMT+01:00 David Lang :
I would like to replace the existing forum with something that ties in to
the mailing lists (and/or retire the forum entirely if setting something up
that can integrate is too much work)
But I'm not the PR guy
On 3/8/2018 12:58 AM, Rainer Gerhards wrote:
2018-03-08 7:24 GMT+01:00 deoren
:
On 2/6/2018 1:56 PM, David Lang wrote:
Resurrecting this thread.
Any further thoughts regarding retiring the forums? Are we at a point where
the rsyslog team would feel comfortable deprecating the forum and
On 2/6/2018 1:56 PM, David Lang wrote:
On Tue, 6 Feb 2018, Simon Lundström wrote:
My only negative experience of the rsyslog unpaid community support is
github issues where I've submitted and they weren't answered and/or
the responses stopped coming after a while. I know that the Github
inter
On 2/13/2018 1:04 PM, deoren wrote:
On 2/13/2018 1:13 AM, Rainer Gerhards wrote:
2018-02-13 5:12 GMT+01:00 deoren
:
Setup:
* Ubuntu 16.04
* ppa:adiscon/v8-devel PPA
I was applying patches to an Ubuntu 16.04 test box (which uses the ) and
just happened to spot check the /var/log/rsyslog.log
On 3/6/2018 2:53 AM, Rainer Gerhards wrote:
2018-03-06 9:04 GMT+01:00 deoren
:
On 3/6/2018 1:43 AM, Rainer Gerhards wrote:
2018-03-05 19:17 GMT+01:00 deoren
:
Hi,
When refactoring an older configuration I figured I would give global
variables a try.
I'm attempting to create a ge
On 3/6/2018 1:43 AM, Rainer Gerhards wrote:
2018-03-05 19:17 GMT+01:00 deoren
:
Hi,
When refactoring an older configuration I figured I would give global
variables a try.
I'm attempting to create a generic email notification ruleset that can be
called after setting values in a subtree o
On 3/5/2018 7:48 PM, David Lang wrote:
On Mon, 5 Mar 2018, deoren wrote:
if $.email-notification!sender == '' then {
$.email-notification!sender = $/default-email-notification!sender;
This needs to be set $.email-notification!sender =
$/default-email-notification!sender;
(
Hi,
When refactoring an older configuration I figured I would give global
variables a try.
I'm attempting to create a generic email notification ruleset that can
be called after setting values in a subtree of the $.email-notification
local variable.
Example (email templates and associated
On 3/5/2018 8:09 AM, sophie.loewenthal--- via rsyslog wrote:
Dear all,
This was a Monday morning moment. Syslog works. However a restart of the
daemon earlier caused IP to name resolution to change name so the log files
were different. This threw me initially.
Can you elaborate on that? I
On 2/27/2018 2:40 PM, Naftuli Kay via rsyslog wrote:
I am emitting JSON lines using a custom template and attempting to forward
them to TCP logs-logstash port 515:
https://gist.github.com/naftulikay/47e5f7708cd422f29d97747de0e82869
If I simply "cat blob.json | nc logs-logstash 515", I can get lo
On 2/27/2018 11:59 AM, Naftuli Kay via rsyslog wrote:
These don't seem to address what I am trying to do, but thanks for looking
in the right direction :)
Welcome.
My regular expressions work. I just need to find a way to decode a map into
a valid JSON map.
Gotcha. I'm afraid that is proba
On 2/27/2018 5:39 AM, putcha narayana via rsyslog wrote:
Hi
I am setting the variables and using them in filters. But the following are not
working as expected or not working at all.
Appreciate if you can share a working example or suggest what I am doing wrong.
Not Working:
set $!configuredseveri
On 2/27/2018 12:36 AM, David Lang wrote:
On Mon, 26 Feb 2018, deoren wrote:
you are better using mmnormalize, with your example you would have a
rule
rule=: %ip:ipv4% - %host:word% [%timestamp:char-to:]%]%-:rest%
this would create $!ip, $!host and $!timestamp (note I did this from
memory
On 2/26/2018 9:16 PM, Naftuli Kay via rsyslog wrote:
I am trying the following:
# RSYSLOG IS NOT PCRE COMPLIANT!!!
According to this site:
http://www.rsyslog.com/regex/
rsyslog uses POSIX ERE (and optionally BRE).
If dealing just with re_extract, I found I had to escape the backslash
wit
On 2/25/2018 5:37 PM, David Lang wrote:
On Fri, 23 Feb 2018, deoren wrote:
liblognorm is so fast you really have to use it to believe it. At
$lastjob I had a 1400 line ruleset handling >100K logs/sec without
the liblognorm effort being noticeable
Wow, that's pretty impressive. I
On 2/20/2018 6:58 PM, David Lang wrote:
On Tue, 20 Feb 2018, deoren wrote:
On 2/20/2018 6:39 PM, deoren wrote:
I've been attempting to use the re_extract() function quite a bit
lately to write some simple "filters" for notification purposes. I
struggled with the syntax for
On 2/23/2018 3:19 AM, putcha narayana via rsyslog wrote:
Hello Experts,
Any help on my query about regular expression in rsyslog. The code below is not
stripping off the .cpp from syslog.
if ( $syslogseverity-text != 'debug')
then
{
if re_match($msg, "[a-zA-Z0-9]+\\.cpp:[0-9]+")
On 2/23/2018 8:35 AM, Berend De Schouwer via rsyslog wrote:
Hi,
I've recently come across some machines that flooded rsyslog via
/proc/kmsg on Linux. This means that printk_ratelimit doesn't apply to
all kernel messages.
This resulted in >100 GB log in 24 hours, so I added ratelimit to
imklog.
On 2/22/2018 4:11 AM, putcha narayana wrote:
Hi,
The changes to the description are clear, no ambiguity now. It is also
in line with the text provided for Facility and Severity.
I vote for it.
Warm Regards
Lak.
Thanks for your feedback. The changes have been merged. They'll show up
on in t
On 2/21/2018 11:23 PM, matthew.gaetano wrote:
Liblognorm is love, Liblognorm is life
To echo Dave, $currentjob uses REK to provide services to various $client
at anywhere from 60-80k mps in realtime, plus spikes upwards of over 100k
mps. For redundancy (load balancing - waste not want not) we
On 2/21/2018 7:02 PM, David Lang wrote:
On Wed, 21 Feb 2018, deoren wrote:
On 2/20/2018 6:58 PM, David Lang wrote:
On 2/20/2018 6:39 PM, deoren wrote:
In this case, my specific goal is to look for log messages
containing "SPECIFIC_PATTERN_HERE" (as shown in sample log message)
On 2/20/2018 10:28 PM, Andrew Griffin via rsyslog wrote:
I’ll second David and say that mmnormalize is your better option. Though
whenever I get in a discussion about troubleshooting regex I always make a
point to recommend the Regex Rx app (if you’re a Mac user):
https://itunes.apple.com/us/
On 2/20/2018 6:58 PM, David Lang wrote:
On 2/20/2018 6:39 PM, deoren wrote:
>>
I've read that mmnormalize is recommended over regexes for performance
reasons, but I have little experience with liblognorm (other than
knowing it exists). Am I better off writing a few regex matche
On 2/20/2018 6:50 PM, David Lang wrote:
you really should look at using mmnormalize to extract fields from the
logs, it's FAR faster.
Will do. I was looking over the liblognorm doc last night and it makes a
little sense. The v2 options look to have expanded the support quite a
bit, at the cos
What do you think of these potential changes to the description?
https://github.com/rsyslog/rsyslog-doc/pull/584/files
Does that make the coverage any clearer, or worse?
On 2/21/2018 3:20 AM, putcha narayana via rsyslog wrote:
Thank you David Lang for a quick response.
Appreciate it.
Lak.
__
On 2/20/2018 6:39 PM, deoren wrote:
I've been attempting to use the re_extract() function quite a bit lately
to write some simple "filters" for notification purposes. I struggled
with the syntax for a while until I realized tha the and have been
struggling quite a bit with th
I've been attempting to use the re_extract() function quite a bit lately
to write some simple "filters" for notification purposes. I struggled
with the syntax for a while until I realized tha the and have been
struggling quite a bit with the regex support for the re_extract()
function. Accordi
On 2/19/2018 10:17 AM, sophie.loewenthal--- via rsyslog wrote:
Thank you Deoren for your thoughts.
Welcome. Hopefully others will chime in with more details.
I've seen some junk hostnames already appear in the logging directory. Thanks
for your explanation. I can create an IP to Hos
On 2/19/2018 9:26 AM, deoren wrote:
On 2/19/2018 8:52 AM, Graham Leggett via rsyslog wrote:
Hi all,
I have a number of java services that include support for logging to
syslog, but unfortunately they can only log by sending udp packets to
port 514.
This is not in itself a problem, however
On 2/19/2018 9:29 AM, sophie.loewenthal--- via rsyslog wrote:
Hi,
Does this configuration look ok before I let this configuration rip in
production?
A server running rsyslog 8.7.4 on Solaris 11 that receives TCP and UDP messages
from a mixture of syslog and rsyslog clients.
Each client has
On 2/16/2018 3:56 PM, John Ratliff wrote:
When my rsyslog server receives packets from our cisco switches, instead
of logging it with the hostname, it logs it with the IP address. How can
I get rsyslog to use the hostname instead?
See the "how do I override the hostname when forwarding log mes
On 2/19/2018 8:52 AM, Graham Leggett via rsyslog wrote:
Hi all,
I have a number of java services that include support for logging to syslog,
but unfortunately they can only log by sending udp packets to port 514.
This is not in itself a problem, however these services have no stable
predictab
On 2/16/2018 1:15 PM, deoren wrote:
Hi all,
Can someone familiar with re_extract point out what I'm doing wrong?
I have this message:
Server bk_postfix/relay5 is UP/READY (leaving forced maintenance).
that I'm attempting to match on like so:
set $.relayserver = re_extract($msg,
Hi all,
Can someone familiar with re_extract point out what I'm doing wrong?
I have this message:
Server bk_postfix/relay5 is UP/READY (leaving forced maintenance).
that I'm attempting to match on like so:
set $.relayserver = re_extract($msg,
"Server bk_postfix\\/([0-9A-Za-z]+)",
0, 1
On 2/13/2018 1:13 AM, Rainer Gerhards wrote:
2018-02-13 5:12 GMT+01:00 deoren
:
Setup:
* Ubuntu 16.04
* ppa:adiscon/v8-devel PPA
I was applying patches to an Ubuntu 16.04 test box (which uses the ) and
just happened to spot check the /var/log/rsyslog.log when I saw that error.
When I run a
Setup:
* Ubuntu 16.04
* ppa:adiscon/v8-devel PPA
I was applying patches to an Ubuntu 16.04 test box (which uses the ) and
just happened to spot check the /var/log/rsyslog.log when I saw that
error. When I run a validation check I get the following:
root@sawmill3:/var/log# rsyslogd -N2
rsyslo
On 2/5/2018 4:46 AM, Simon Lundström wrote:
That's great! I was trying to make a point, but failed apparently, that
the docs that the original poster thinks are unclear which creates
frequently asked questions should be updated, not a FAQ article. Though
some questions have no natural place oth
On 2/4/2018 10:46 PM, David Lang wrote:
* Forums are shut down and visitors are directed to Stack
Exchange/Overflow/whatever instead.
It would appear there is already solid participation there for questions
tagged with rsyslog:
https://stackoverflow.com/questions/tagged/rsyslog
This is intere
@Rainer
+1 for logo 1 out of the provided options (also voted using the provided
poll)
On 2/2/2018 1:27 AM, Ciprian Hacman wrote:
> Nice. Logo 1 from me also (voted). Seems the cleanest one.
>
> Ciprian
>
> --
> Performance Monitoring * Log Analytics * Search Analytics
> Solr & Elasticsearch Su
On 2/2/2018 5:41 AM, Simon Lundström wrote:
Thank you for your feedback!
> I like mailinglists and IRC but the most important for me is that the
> questions are answered, be it by employees or the community
I completely agree with this. Seeing how spread out the current
community is between t
On 2/1/2018 6:27 AM, Radu Gheorghe wrote:
Hi,
Today we just published what I hope to be a quite complete eBook about
centralizing logs with rsyslog. The destination I had in mind was
Elasticsearch, but I think it should apply to many other use-cases.
Here's the blog post with more details on wh
Hi,
##
Forum support requests
##
I'd like to kick start some discussion around ways that we may better
support users seeking help, not those who are reporting bugs (perceived
or genuine). In particular, I have noticed the level of inactivity on
the
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
deoren
Sent: Friday, January 26, 2018 4:36 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Can a single logfile be part of multiple imfile configs?
On 1/26/2018 3:29 PM, Scot Kreienkamp wrote:
Hi everyone,
My basic question: Can the same logfile
On 1/26/2018 3:29 PM, Scot Kreienkamp wrote:
Hi everyone,
My basic question: Can the same logfile be used in two imfile inputs?
There may be other ways of doing this, but this comes to mind:
1. A single input object which specifies the file you want to monitor.
2. Attach a single ruleset to
On 1/12/2018 2:43 PM, deoren wrote:
I'm looking through the docs and I haven't spotted it.
I think I answered my own question:
module(load="builtin:omfile" template="RSYSLOG_FileFormat")
or just:
module(load="builtin:omfile")
if I am fine with t
I'm looking through the docs and I haven't spotted it.
Thanks.
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WEL
On 1/8/2018 9:22 AM, deoren wrote:
On 1/8/2018 9:11 AM, Andrew Griffin via rsyslog wrote:
This looks great, I love it!
Can someone refresh my memory on the process for contributing to the
documentation? I’d like to chip in
Andrew Griffin
Thanks for the feedback. Do I understand your
On 1/8/2018 3:30 AM, Simon Lundström wrote:
On Sun, 2018-01-07 at 23:56:27 -0600, deoren wrote:
Hi all,
I'd like to get your feedback on some proposed formatting changes to the
imuxsock module doc. I mention my preference below, but the end goal is
to standardize the formatting and mak
contributions without a set of standards in place. Everything from
typos, to clarifications of content to adding missing coverage.
I'm still learning the ins/outs of everything (including Git), but I'd
be happy to answer any questions that I'm able to. Just mention me
(e.g., "
Hi all,
I'd like to get your feedback on some proposed formatting changes to the
imuxsock module doc. I mention my preference below, but the end goal is
to standardize the formatting and make the docs easier to work with, so
my personal preferences can take a backseat in the scheme of things. ;)
On 12/21/2017 1:10 PM, Andrew Akins via rsyslog wrote:
> I was wondering if anyone had seen this. I’m running rsyslog on Alpine Linux,
> deployed as a container. Rsyslog was built from source, and is version 8.31.0
>
> Basically, initialization of a omkafka message is failing:
>
> 2648.0276888
On 12/22/2017 9:52 AM, Luigi Tagliamonte via rsyslog wrote:
> Hi there!
> What are the tunable parameters for this module, like:
> - an option to increase the number of threads for kafka processing
> - number of messages to process per req.
> - etc..
> Regards
> L.
Module docs:
* http://www.rs
On 12/20/2017 4:24 AM, deoren wrote:
> On 12/14/2017 8:19 PM, Rory Toma wrote:
>> I have put in
>> $ModLoad imklog
>> $klogLocalIPIF eth0
>>
>> in my rsyslog.conf file (8.30.0) However,
>> rsyslogd: invalid or yet-unknown config file command 'klogL
On 12/14/2017 8:19 PM, Rory Toma wrote:
I have put in
$ModLoad imklog
$klogLocalIPIF eth0
in my rsyslog.conf file (8.30.0) However,
rsyslogd: invalid or yet-unknown config file command 'klogLocalIPIF' -
have you forgotten to load a module? [v8.30.0 try
http://www.rsyslog.com/e/3003 ]
appears
On 12/13/2017 8:55 AM, Lars Kellogg-Stedman via rsyslog wrote:
On Wed, Dec 6, 2017 at 7:22 PM, David Lang wrote:
On Wed, 6 Dec 2017, deoren wrote:
Is this something that the Rsyslog team manages or is it someone at the
Read the Docs team that manages the content?
It's someone on
Is this something that the Rsyslog team manages or is it someone at the
Read the Docs team that manages the content?
I ask because it appears that the version of the docs (stable, latest)
available there are outdated and I wanted to make sure to report the
issue to the correct place.
Thanks.
On 11/30/2017 5:28 PM, deoren wrote:
Is that parameter used to specify the replacement for /dev/log or is
that parameter used to specify another socket that is in addition to
/dev/log as an input source?
I assume that SysSock.Use defaults to /dev/log, but if SysSock.Name is
specified, does
Is that parameter used to specify the replacement for /dev/log or is
that parameter used to specify another socket that is in addition to
/dev/log as an input source?
I assume that SysSock.Use defaults to /dev/log, but if SysSock.Name is
specified, does SysSock.Use now refer to using that loca
On 11/17/2017 11:05 AM, Rainer Gerhards wrote:
2017-11-17 18:04 GMT+01:00 deoren
:
I noticed this commit focused on fixing the case in the source code for
comparison purposes:
https://github.com/rgerhards/rsyslog/commit/b9cda4602b26a4778fdfec4990a62b6faf2bc86b
which leads me to ask:
Are
I noticed this commit focused on fixing the case in the source code for
comparison purposes:
https://github.com/rgerhards/rsyslog/commit/b9cda4602b26a4778fdfec4990a62b6faf2bc86b
which leads me to ask:
Are configuration parameters case sensitive?
For example, are these all equivalent?
global
On November 14, 2017 10:49:06 PM CST, "Войнович Андрей Александрович via
rsyslog" wrote:
>Thank you, David
>
>We have upgraded our linux box to the latest available (Debian 9) and
>now rsyslog version is 8.24 (the newest from deb repo), but we still
>experience the same problems. Seems we are doi
On 11/10/2017 9:33 AM, dchappelle via rsyslog wrote:
Thanks for all of the info deoren. I do have the file you speak of installed
on my system:
dchappelle@L164:~$ cat /usr/lib/tmpfiles.d/00rsyslog.conf
# Override systemd's default tmpfiles.d/var.conf to make /var/log
writab
On November 9, 2017 10:21:04 PM CST, dchappelle via rsyslog
wrote:
>Apologies for not including the config. Here is
>/etc/rsyslog.d/10-example.conf:
>
>dchappelle@L164:/etc/rsyslog.d$ cat 10-example.conf
>local0.* /var/log/test.log
>& stop
>
>The actual is
On November 9, 2017 6:47:11 PM CST, dchappelle via rsyslog
wrote:
>I am running a vanilla install of Ubuntu 16 and my rsyslogd is not
>creating
>new log files for me. I added a new filter rule and restarted rsyslogd.
>After doing so and generating log messages for that rule, the target
>log
>fi
hich actually have set it to a couple of
MB (and occasionally use it).
Rainer
2017-11-09 17:25 GMT+01:00 deoren
:
On 11/9/2017 10:24 AM, Scot Kreienkamp wrote:
I have it set at 128k now... I thought I read in the list archives that
was the maximum value?
https://github.c
On 11/9/2017 10:24 AM, Scot Kreienkamp wrote:
I have it set at 128k now... I thought I read in the list archives that was the
maximum value?
https://github.com/rsyslog/rsyslog/issues/1741
Looks like it (for now).
On 11/9/2017 9:00 AM, Rainer Gerhards wrote:
2017-11-09 14:46 GMT+01:00 Scot Kreienkamp :
Hi David,
Any ideas on any way to get around this if there's no way to preserve the
metadata on an oversized message?
You need to increase the message size. It's a simple config parameter
[global(maxmess
On 11/9/2017 4:08 AM, Thomas Deutschmann via rsyslog wrote:
Hi,
no distribution will probably _require_ network for rsyslog per
default because in the default configuration distributions are
shipping, no network is required. Due to the fact that most init
systems nowadays support parallel invoca
On 11/7/2017 12:25 PM, deoren wrote:
On 11/7/2017 10:31 AM, matthew.gaetano wrote:
With the exception of the relation to storage, yes, for the most part. We
encountered the issue on a physical server using SCSI/SATA drives. Our
secondary tester were in vmware.
I initially emphasized the boot
On 11/7/2017 10:31 AM, matthew.gaetano wrote:
With the exception of the relation to storage, yes, for the most part. We
encountered the issue on a physical server using SCSI/SATA drives. Our
secondary tester were in vmware.
I initially emphasized the boot speed from running the Ubuntu 16.04 VM
https://github.com/rsyslog/rsyslog/issues/1656
See if that matches what you are fighting with.
On November 7, 2017 9:51:51 AM CST, "matthew.gaetano"
wrote:
>Queue's aside, regardless of the order rsyslog loads (before or after
>network) its retry function should not stall. As it currently stand
On 10/31/2017 4:05 PM, matthew.gaetano wrote:
Seems like you're on the right track. We changed the dns names in the conf to
the destination IPs and this somewhat resolved the issue.
Rsyslog would still suspend the two destination actions however once the
system settled the actions were resumed. Si
On 10/31/2017 12:42 PM, matthew.gaetano wrote:
Hello,
I'm not sure this is an issue considering Legacy format shouldn't really be
used in version 8, however it seems that when using legacy forwarding (as
described in the default rsyslog.conf file) rsyslog suspends the actions and
never retries.
parameter messages that were previously "stuck", flow once more.
On 10/29/2017 1:22 PM, Rainer Gerhards wrote:
quick answer: I guess you ran into this
https://github.com/rsyslog/rsyslog/issues/1741
Let me know if more info is needed.
Rainer
2017-10-29 19:15 GMT+01:00 deoren
:
I origi
I originally sent this as part of another thread, but I think this got
buried and lost among the noise the rest of my notes generated. Posting
a cleaner version here in case others know the answer.
I'm trying to avoid using legacy configuration options where I can, but
just in case the order
On 10/23/2017 7:55 PM, deoren wrote:
On 10/23/2017 7:51 PM, deoren wrote:
On 10/23/2017 7:38 PM, deoren wrote:
On 10/23/2017 7:11 PM, David Lang wrote:
do you have a tcpdump or info from Qualys saying what it sends as
part of the scan?
David Lang
Thankfully (for troubleshooting purposes
On 10/27/2017 5:19 PM, Naftuli Kay via rsyslog wrote:
Can anyone shed any light on how to set global variables? Environment
variables won't change over the lifetime of the process so it would make
sense to not have to allocate for every log message.
Thanks,
- Naftuli Kay
I've not used them y
On 10/25/2017 4:18 PM, Naftuli Kay via rsyslog wrote:
So would I do "set $deploy_env = getenv('DEPLOY_ENV')"? How would I then
reference this variable? I'm still trying to learn more about rsyslog
variables and how to use them in templates.
I'm still learning myself, so I completely understand.
On 10/25/2017 3:48 PM, Naftuli Kay via rsyslog wrote:
I have a few environment variables that I'd like to include in my log
messages that I'm formatting in JSON format. I have a service that runs on
boot which generates /etc/sysconfig/ec2 which contains variables like
EC2_INSTANCE_ID, EC2_AMI_ID,
On 10/19/2017 6:58 PM, deoren wrote:
On 10/19/2017 3:12 PM, Rainer Gerhards wrote:
Am 19.10.2017 21:55 schrieb "David Lang" :
RELP has its place, but most of the time I'm willing to lose some logs
under rare failure conditions and so haven't bothered to use it.
larg
On 10/23/2017 7:51 PM, deoren wrote:
On 10/23/2017 7:38 PM, deoren wrote:
On 10/23/2017 7:11 PM, David Lang wrote:
do you have a tcpdump or info from Qualys saying what it sends as
part of the scan?
David Lang
Thankfully (for troubleshooting purposes), the problem isn't specific
t
On 10/23/2017 7:38 PM, deoren wrote:
On 10/23/2017 7:11 PM, David Lang wrote:
do you have a tcpdump or info from Qualys saying what it sends as part
of the scan?
David Lang
Thankfully (for troubleshooting purposes), the problem isn't specific to
the Qualys scan. I later learned
On 10/23/2017 7:11 PM, David Lang wrote:
do you have a tcpdump or info from Qualys saying what it sends as part
of the scan?
David Lang
Thankfully (for troubleshooting purposes), the problem isn't specific to
the Qualys scan. I later learned that messages coming from our ESXi
hosts trigge
On 10/7/2017 10:44 AM, deoren wrote:
On 10/7/2017 5:25 AM, Rainer Gerhards wrote:
2017-10-07 7:57 GMT+02:00 deoren
:
As I dig more into this, I'm beginning to think the only thing the
Qualys
scan did was aggravate an existing problem and cause rsyslog to tip over
more quickly.
Wh
This is a tangent of another issue I was dealing with a few weeks back, but it
appears that problem was related to checking whether a non-existent $!variable
was empty.
Is the expected behavior for that check to fail?
This is with v8.29.0 and I have not tested with 8.30.0 yet, but I am more
i
On 10/19/2017 3:12 PM, Rainer Gerhards wrote:
Am 19.10.2017 21:55 schrieb "David Lang" :
RELP has its place, but most of the time I'm willing to lose some logs
under rare failure conditions and so haven't bothered to use it.
large maxmessagesize leads to wasted memory in rsyslog, but nothing