Re: [rsyslog] filters question

[David Lang]

the latest versions don't have the ordering bug.

David Lang

On Tue, 6 Dec 2016, Swartz, Patrick wrote:


Date: Tue, 6 Dec 2016 02:43:09 +
From: "Swartz, Patrick" 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

Hi David,
Success!! I made a few other clean-ups, and reordered the IP list.  Not sure 
which was my final fix, but, all matches are being made now.
Now to move on to omfwd and impstats features...

Again, thank you for your help!

Patrick H Swartz

-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, December 05, 2016 7:22 PM
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

try running a newer version

try re-ordering the following statement so that everything is in alpha order


if $fromhost-ip == ["100.31.20.101",
   "100.31.20.102",
   "100.200.20.231",
   "100.200.20.232"]
then {


to

if $fromhost-ip == ["100.200.20.231",
"100.200.20.232",
"100.31.20.101",
"100.31.20.102"]
then {

see if it makes any difference.

David Lang


On Tue, 6 Dec 2016, Swartz, Patrick wrote:


Date: Tue, 6 Dec 2016 00:46:39 +
From: "Swartz, Patrick" 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

Hi David,
I'm running rsyslog-8.4.0-8.3 on a SLES12sp1 server.
Okay... I'm learning, so your help has not been in vain, many thanks!
Each of the includes has a 'stop' statement at the end, like --
action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="ESXi_app") stop } And, my two $IncludeConfig parameters are listed in /etc/rsyslog.conf before the 
Unclassified filter, as that is my intent ... process through those includes then the last thing, go through the 
unclassified.  However, I'll put the Unclassified at the very bottom of the main config and see what happens.
And ... no ... some of the ESXi hosts still fell through to the Unclassified 
folder ... ugh...

Maybe I need to setup both "by host-ip" and an "if by-hostname".  If I double 
list everything, maybe then it will catch everything.

Thanks again,

Patrick H Swartz

-Original Message-
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, December 05, 2016 5:15 PM
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

On Mon, 5 Dec 2016, Swartz, Patrick wrote:


Date: Mon, 5 Dec 2016 14:29:30 +
From: "Swartz, Patrick" 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

Hi,
I've made the changes you recommended (turning off message reduction, removing 
the trailing /, and took out more comments.

Your comment, " remember, it doesn't stop processing the log at the first match, it 
keeps going in case there are other matches as well."
Really?  I thought the " stop }" at the end of a specific config was telling 
rsyslog to stop processing the message and/or looking for other matches?
If rsyslog is still looking for other matches then why doesn't every message end up in my 
"Unclassified" folder since I'm matching against "*.*" for my Unknowns filter?


you are correct that "stop" stops processing of the log message, but I do not 
see a stop between the first action and the first if clause, which could match the 
messages you are talking about.


Is there a right/better way to have unmatched messages be dealt with?
The next step in our chain is Splunk, and it is setup to monitor
specific folders for a given "source/source-type" I need some way to
guarantee that messages that match "fromhost-ip" or "startswith" only end up in 
a specific folder.
And all other messages that do not match either of those go into
another folder that I can monitor and build new filters for or modify
existing filters (example, adding another ESXi host to the list).


you need to either use stop appropriately, or setup if-then-else trees
to handle the messages you want to handle, but not the ones you aren't
prepared to handle

filters are applied in the order they are seen, so since you do the
includes first, they should be processed before anything in the main
file

In the main file, you are writing out to the unclassified template before you 
do anything else, so you will always write out to there (and if hostname has 
garbage it will create garbage directories), only after that do you start doing 
specific tests.

by the way, you don't need to put the filter *.* in the file, you can
just have the line start with action()

what version are you running again? there was a bug at one point where
the items in an array match needed to be alpha sorted, so 10.2*
entries would need to be before 10.3* entries. That was fixed a while
ago, but if you are running an old enough version, that could be why
it's not matching

David Lang


Here is my current rsyslog.conf, the e

Re: [rsyslog] filters question

[Swartz, Patrick]

Hi David,
Success!! I made a few other clean-ups, and reordered the IP list.  Not sure 
which was my final fix, but, all matches are being made now.  
Now to move on to omfwd and impstats features... 

Again, thank you for your help!

Patrick H Swartz

-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, December 05, 2016 7:22 PM
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

try running a newer version

try re-ordering the following statement so that everything is in alpha order

>> if $fromhost-ip == ["100.31.20.101",
>>"100.31.20.102",
>>"100.200.20.231",
>>"100.200.20.232"]
>> then {

to

if $fromhost-ip == ["100.200.20.231",
 "100.200.20.232",
 "100.31.20.101",
 "100.31.20.102"]
then {

see if it makes any difference.

David Lang


On Tue, 6 Dec 2016, Swartz, Patrick wrote:

> Date: Tue, 6 Dec 2016 00:46:39 +
> From: "Swartz, Patrick" 
> Reply-To: rsyslog-users 
> To: rsyslog-users 
> Subject: Re: [rsyslog] filters question
> 
> Hi David,
> I'm running rsyslog-8.4.0-8.3 on a SLES12sp1 server.
> Okay... I'm learning, so your help has not been in vain, many thanks!
> Each of the includes has a 'stop' statement at the end, like -- 
> action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
> dynaFile="ESXi_app") stop } And, my two $IncludeConfig parameters are listed 
> in /etc/rsyslog.conf before the Unclassified filter, as that is my intent ... 
> process through those includes then the last thing, go through the 
> unclassified.  However, I'll put the Unclassified at the very bottom of the 
> main config and see what happens.
> And ... no ... some of the ESXi hosts still fell through to the Unclassified 
> folder ... ugh...
>
> Maybe I need to setup both "by host-ip" and an "if by-hostname".  If I double 
> list everything, maybe then it will catch everything.
>
> Thanks again,
>
> Patrick H Swartz
>
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Monday, December 05, 2016 5:15 PM
> To: rsyslog-users 
> Subject: Re: [rsyslog] filters question
>
> On Mon, 5 Dec 2016, Swartz, Patrick wrote:
>
>> Date: Mon, 5 Dec 2016 14:29:30 +
>> From: "Swartz, Patrick" 
>> Reply-To: rsyslog-users 
>> To: rsyslog-users 
>> Subject: Re: [rsyslog] filters question
>>
>> Hi,
>> I've made the changes you recommended (turning off message reduction, 
>> removing the trailing /, and took out more comments.
>>
>> Your comment, " remember, it doesn't stop processing the log at the first 
>> match, it keeps going in case there are other matches as well."
>> Really?  I thought the " stop }" at the end of a specific config was telling 
>> rsyslog to stop processing the message and/or looking for other matches?
>> If rsyslog is still looking for other matches then why doesn't every message 
>> end up in my "Unclassified" folder since I'm matching against "*.*" for my 
>> Unknowns filter?
>
> you are correct that "stop" stops processing of the log message, but I do not 
> see a stop between the first action and the first if clause, which could 
> match the messages you are talking about.
>
>> Is there a right/better way to have unmatched messages be dealt with?
>> The next step in our chain is Splunk, and it is setup to monitor 
>> specific folders for a given "source/source-type" I need some way to 
>> guarantee that messages that match "fromhost-ip" or "startswith" only end up 
>> in a specific folder.
>> And all other messages that do not match either of those go into 
>> another folder that I can monitor and build new filters for or modify 
>> existing filters (example, adding another ESXi host to the list).
>
> you need to either use stop appropriately, or setup if-then-else trees 
> to handle the messages you want to handle, but not the ones you aren't 
> prepared to handle
>
> filters are applied in the order they are seen, so since you do the 
> includes first, they should be processed before anything in the main 
> file
>
> In the main file, you are writing out to the unclassified template before you 
> do anything else, so you will always write out to there (and if hostname has 
> garbage it will create garbage directories), only after that do you start 
> doing specific tests.
>
> by the way, you don't need to put the filter *.* in the file, you can 
> just have the line start with action()
>
> what version are you running again? there was a bug at one point where 
> the items in an array match needed to be alpha sorted, so 10.2* 
> entries would need to be before 10.3* entries. That was fixed a while 
> ago, but if you are running an old enough version, that could be why 
> it's not matching
>
> David Lang
>
>> Here is my current rsyslog.conf, the extra ESXi.conf, and an example ou

Re: [rsyslog] Rsyslog stops relaying messages

[David Lang]

On Tue, 6 Dec 2016, Arik Mitschang wrote:


Hi David,


the problem is probably not on the system that stops forwarding messages, but
rather on the system they are forwarding the messages to.

When the queues fill up, unles you have configured rsyslog to throw away
messages, it will stop accepting any new messages as it can't put them in the
queue. This is "working as designed" (one of these days I've got to sit down and
finish writing my "how to make your logs unreliable" article :-)


There are several reasons I do not think this is the case:

We have multiple relays downstream connected to upstream relays, and see
messages come through these other paths when this situation occurs.

Also, a frequent solution to the problem is to restart the stuck process
(and only that one), where we see the messages flush through upstream
relays when shutting down, implying they are not holding back messages.

Finally, we do have impstats enabled, it is going through he main queue
but this actually allows to probe the status of the queue. We have
nagios alert when there are no stats messages coming in a fixed time
window. Before getting stuck, messages in the queue are at maximum
(actually we see 700k in the main queue which is set at 1M), then we see
no more stats from only the stuck relays, others keep pushing stats and
reflect the reduction in message throughput in their main queue sizes.


do you have the stats messages configured to go through the main queue (like any 
other message)? or do you have them set to use a separate queue so that they 
will get through even if the main queue is blocked?


can you configure one to write to either a separate queue (i.e. ruleset with 
it's own queue) or to a file so that we can see what the stats look like when 
things break? On my system I created a 'high priority' ruleset with it's own 
queue for the stats to go through that bypassed my intermediate relays and 
delivered directly to my central servers so that if anything happened to the 
main queue, I would still get the stats data. I also had this write to the local 
disk and send stats to my monitoring system.


If the stats messages are queued and sent after the restart, what do they show 
during the time when you have trouble? do they show any of the actions being 
suspended?


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] dynamicly read configuration file

[David Lang]

On Tue, 6 Dec 2016, gao...@bdcom.com.cn wrote:


deal all！
who can tell me whether rsyslog can read configuration when rsyslog is
executing?


Rsyslog reads and optimizes it's config file at startup time. It does not access 
the config file after that.


David Lang___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

[rsyslog] dynamicly read configuration file

[gaohui]

deal all！
who can tell me whether rsyslog can read configuration when rsyslog is 
executing?
Thank you!

上海博达数据通信有限公司
交换机项目部   高辉 
Tel：021-50800666-3208
E-mail：gao...@bdcom.com.cn

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Rsyslog stops relaying messages

[Arik Mitschang]

Hi David,

> the problem is probably not on the system that stops forwarding messages, but 
> rather on the system they are forwarding the messages to.
> 
> When the queues fill up, unles you have configured rsyslog to throw away 
> messages, it will stop accepting any new messages as it can't put them in the 
> queue. This is "working as designed" (one of these days I've got to sit down 
> and 
> finish writing my "how to make your logs unreliable" article :-)

There are several reasons I do not think this is the case:

We have multiple relays downstream connected to upstream relays, and see
messages come through these other paths when this situation occurs.

Also, a frequent solution to the problem is to restart the stuck process
(and only that one), where we see the messages flush through upstream
relays when shutting down, implying they are not holding back messages.

Finally, we do have impstats enabled, it is going through he main queue
but this actually allows to probe the status of the queue. We have
nagios alert when there are no stats messages coming in a fixed time
window. Before getting stuck, messages in the queue are at maximum
(actually we see 700k in the main queue which is set at 1M), then we see
no more stats from only the stuck relays, others keep pushing stats and
reflect the reduction in message throughput in their main queue sizes.

> what version are you running, there have been some unicode related fixes in 
> the 
> last few versions.

We have a mix of systems but in general rsyslog is at least version
8.22, with a number of systems being 8.23.

> A couple things to do would be
> 
> 1. make sure you have impstats enabled, and since you are having problems 
> delivering messages, make sure it either uses a different ruleset (with a 
> queue) 
> or writes a file to disk so that you don't risk the pstats data getting stuck 
> as 
> well.

As above, we have it enabled, but it is going through the default
ruleset at the moment. I can look into getting it into a different
ruleset and both write maybe a days worth to disk as well as sending
upstream.

> 2. as a debugging tool, consider writing the logs to disk before forwarding 
> them. You don't need to keep a very long history of them, but seeing the 
> message 
> that rsyslog was trying to send could be very helpful

Will look into this as well, though I suspect it cannot be done anytime
real soon. It would be nice to see what message was being processed,
though it is possible the issue would prevent its writing to disk as
well, if it gets stuck in the main queue and not the omrelp action...

> 3. look at the systems receiving the messages to see if anything odd happens 
> there around the time that things start failing.

As above, I don't believe it is the receiving systems, but if anythings
still stands out let me know. Thanks for all your input.

Arik

P.S. I only got the digest, not the original response, so apologies if
this does not get properly inserted in the thread.

-- 
*This correspondence (including any attachments) is for the intended 
recipient(s) only. It may contain confidential or privileged information or 
both. No confidentiality or privilege is waived or lost by any 
mis-transmission. If you receive this correspondence by mistake, please 
contact the sender immediately, delete this correspondence (and all 
attachments) and destroy any hard copies. You must not use, disclose, copy, 
distribute or rely on any part of this correspondence (including any 
attachments) if you are not the intended 
recipient(s).本メッセージに記載および添付されている情報（以下、総称して「本情報」といいます。）は、本来の受信者による使用のみを意図しています。誤送信等により本情報を取得された場合でも、本情報に係る秘密、または法律上の秘匿特権が失われるものではありません。本電子メールを受取られた方が、本来の受信者ではない場合には、本情報及びそのコピーすべてを削除・破棄し、本電子メールが誤って届いた旨を発信者宛てにご通知下さいますようお願いします。本情報の閲覧、発信または本情報に基づくいかなる行為も明確に禁止されていることをご了承ください。*
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] filters question

[David Lang]

try running a newer version

try re-ordering the following statement so that everything is in alpha order


if $fromhost-ip == ["100.31.20.101",
   "100.31.20.102",
   "100.200.20.231",
   "100.200.20.232"]
then {


to

if $fromhost-ip == ["100.200.20.231",
"100.200.20.232",
"100.31.20.101",
"100.31.20.102"]
then {

see if it makes any difference.

David Lang


On Tue, 6 Dec 2016, Swartz, Patrick wrote:


Date: Tue, 6 Dec 2016 00:46:39 +
From: "Swartz, Patrick" 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

Hi David,
I'm running rsyslog-8.4.0-8.3 on a SLES12sp1 server.
Okay... I'm learning, so your help has not been in vain, many thanks!
Each of the includes has a 'stop' statement at the end, like -- action(type="omfile" 
dirCreateMode="0755" FileCreateMode="0644" dynaFile="ESXi_app") stop }
And, my two $IncludeConfig parameters are listed in /etc/rsyslog.conf before 
the Unclassified filter, as that is my intent ... process through those 
includes then the last thing, go through the unclassified.  However, I'll put 
the Unclassified at the very bottom of the main config and see what happens.
And ... no ... some of the ESXi hosts still fell through to the Unclassified 
folder ... ugh...

Maybe I need to setup both "by host-ip" and an "if by-hostname".  If I double 
list everything, maybe then it will catch everything.

Thanks again,

Patrick H Swartz

-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, December 05, 2016 5:15 PM
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

On Mon, 5 Dec 2016, Swartz, Patrick wrote:


Date: Mon, 5 Dec 2016 14:29:30 +
From: "Swartz, Patrick" 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

Hi,
I've made the changes you recommended (turning off message reduction, removing 
the trailing /, and took out more comments.

Your comment, " remember, it doesn't stop processing the log at the first match, it 
keeps going in case there are other matches as well."
Really?  I thought the " stop }" at the end of a specific config was telling 
rsyslog to stop processing the message and/or looking for other matches?
If rsyslog is still looking for other matches then why doesn't every message end up in my 
"Unclassified" folder since I'm matching against "*.*" for my Unknowns filter?


you are correct that "stop" stops processing of the log message, but I do not 
see a stop between the first action and the first if clause, which could match the 
messages you are talking about.


Is there a right/better way to have unmatched messages be dealt with?
The next step in our chain is Splunk, and it is setup to monitor
specific folders for a given "source/source-type" I need some way to
guarantee that messages that match "fromhost-ip" or "startswith" only end up in 
a specific folder.
And all other messages that do not match either of those go into
another folder that I can monitor and build new filters for or modify
existing filters (example, adding another ESXi host to the list).


you need to either use stop appropriately, or setup if-then-else trees to 
handle the messages you want to handle, but not the ones you aren't prepared to 
handle

filters are applied in the order they are seen, so since you do the includes 
first, they should be processed before anything in the main file

In the main file, you are writing out to the unclassified template before you 
do anything else, so you will always write out to there (and if hostname has 
garbage it will create garbage directories), only after that do you start doing 
specific tests.

by the way, you don't need to put the filter *.* in the file, you can just have 
the line start with action()

what version are you running again? there was a bug at one point where the 
items in an array match needed to be alpha sorted, so 10.2* entries would need 
to be before 10.3* entries. That was fixed a while ago, but if you are running 
an old enough version, that could be why it's not matching

David Lang


Here is my current rsyslog.conf, the extra ESXi.conf, and an example output 
from the msgdebug.log of a message that ended up in the Unclassified folder:
MAIN CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.conf $umask 

### for debug
*.* /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat

$ModLoad immark.so
$MarkMessagePeriod  3600
$ModLoad imuxsock.so
$RepeatedMsgReduction   off
$ModLoad imklog.so
$klogConsoleLogLevel1
$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.template

# Unknowns
$umask 
template(name="Unclassified" type="string"
string="/var/splunk-syslog/Unclassified/%HOSTNAME%/%FROMHOST%-%$NOW%.l
og")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="Unclassified")

if  

Re: [rsyslog] filters question

[Swartz, Patrick]

Hi David,
I'm running rsyslog-8.4.0-8.3 on a SLES12sp1 server.
Okay... I'm learning, so your help has not been in vain, many thanks!
Each of the includes has a 'stop' statement at the end, like -- 
action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="ESXi_app") stop }
And, my two $IncludeConfig parameters are listed in /etc/rsyslog.conf before 
the Unclassified filter, as that is my intent ... process through those 
includes then the last thing, go through the unclassified.  However, I'll put 
the Unclassified at the very bottom of the main config and see what happens.
And ... no ... some of the ESXi hosts still fell through to the Unclassified 
folder ... ugh... 

Maybe I need to setup both "by host-ip" and an "if by-hostname".  If I double 
list everything, maybe then it will catch everything.

Thanks again,

Patrick H Swartz

-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, December 05, 2016 5:15 PM
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

On Mon, 5 Dec 2016, Swartz, Patrick wrote:

> Date: Mon, 5 Dec 2016 14:29:30 +
> From: "Swartz, Patrick" 
> Reply-To: rsyslog-users 
> To: rsyslog-users 
> Subject: Re: [rsyslog] filters question
> 
> Hi,
> I've made the changes you recommended (turning off message reduction, 
> removing the trailing /, and took out more comments.
>
> Your comment, " remember, it doesn't stop processing the log at the first 
> match, it keeps going in case there are other matches as well."
> Really?  I thought the " stop }" at the end of a specific config was telling 
> rsyslog to stop processing the message and/or looking for other matches?
> If rsyslog is still looking for other matches then why doesn't every message 
> end up in my "Unclassified" folder since I'm matching against "*.*" for my 
> Unknowns filter?

you are correct that "stop" stops processing of the log message, but I do not 
see a stop between the first action and the first if clause, which could match 
the messages you are talking about.

> Is there a right/better way to have unmatched messages be dealt with?  
> The next step in our chain is Splunk, and it is setup to monitor 
> specific folders for a given "source/source-type" I need some way to 
> guarantee that messages that match "fromhost-ip" or "startswith" only end up 
> in a specific folder.
> And all other messages that do not match either of those go into 
> another folder that I can monitor and build new filters for or modify 
> existing filters (example, adding another ESXi host to the list).

you need to either use stop appropriately, or setup if-then-else trees to 
handle the messages you want to handle, but not the ones you aren't prepared to 
handle

filters are applied in the order they are seen, so since you do the includes 
first, they should be processed before anything in the main file

In the main file, you are writing out to the unclassified template before you 
do anything else, so you will always write out to there (and if hostname has 
garbage it will create garbage directories), only after that do you start doing 
specific tests.

by the way, you don't need to put the filter *.* in the file, you can just have 
the line start with action()

what version are you running again? there was a bug at one point where the 
items in an array match needed to be alpha sorted, so 10.2* entries would need 
to be before 10.3* entries. That was fixed a while ago, but if you are running 
an old enough version, that could be why it's not matching

David Lang

> Here is my current rsyslog.conf, the extra ESXi.conf, and an example output 
> from the msgdebug.log of a message that ended up in the Unclassified folder:
> MAIN CONFIG FILE:
> root@whqlrsyslog02 # cat /etc/rsyslog.conf $umask 
>
> ### for debug
> *.* /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat
>
> $ModLoad immark.so
> $MarkMessagePeriod  3600
> $ModLoad imuxsock.so
> $RepeatedMsgReduction   off
> $ModLoad imklog.so
> $klogConsoleLogLevel1
> $IncludeConfig /etc/rsyslog.d/*.conf
> $IncludeConfig /etc/rsyslog.d/*.template
>
> # Unknowns
> $umask 
> template(name="Unclassified" type="string" 
> string="/var/splunk-syslog/Unclassified/%HOSTNAME%/%FROMHOST%-%$NOW%.l
> og")
> *.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
> dynaFile="Unclassified")
>
> if  (
>($syslogfacility-text == 'kern')  and
>($syslogseverity <= 4 ) and not
>($msg contains 'IN=' and $msg contains 'OUT=')
>) or (
>($syslogseverity <= 3 ) and not
>($syslogfacility-text == 'authpriv')
>)
> then {
>/dev/tty10
>|/dev/xconsole
> }
>
> *.emerg  :omusrmsg:*
>
> if  ($syslogfacility-text == 'kern') and
>($msg contains 'IN=' and $msg contains 'OUT=') then {
>/var/log/firewall
>stop
> }
>
> if 

Re: [rsyslog] liblognorm vs grok

[David Lang]

On Mon, 5 Dec 2016, mosto...@gmail.com wrote:


I forgot:

With provided rule file...why I'm getting a bunch of this errors when 
using /usr/lib/lognorm/lognormalizer?


{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:15:31 +0100] \"GET 
\/redacted\/page HTTP\/1.1\" 200 1234", "unparsed-data": "" }


when troubleshooting things like this, create a rule file that is as minimal as 
you can get and parse with the -v option, it will show you what it's doing as it 
walks through the line.


In this case, I seem to remember that number is defined as being followed by a 
space, so you can't use it if the number is followed by a newline.


David Lang



El 05/12/16 a las 15:41, mosto...@gmail.com escribió:

Hi


Coming back to liblognorm, I have a few questions I'll love an expert 
reply.  0:D


*- Documentation [1] states how to define a type, but not how to use 
it. Are we properly using defined type "apache" in the configuration 
below?*


- Apache access log seem to have 2 formats: common and combined [2]
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326
127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326 "referrer" "useragent"

*How should we define our rulesets to have /optional/ fields?

- Our current workaround is to have a defined type and use it as part 
of a longer rule. Is that ok?*


*- How could we define logic to set a filed to "0" when content is 
"-"? (bytes field)*


type=@apache:%[
{"type":"ipv4", "name":"ip"},
{"type":"literal", "text":" "},
{"type":"word", "name":"ident"},
{"type":"literal", "text":" "},
{"type":"word", "name":"user"},
{"type":"literal", "text":" ["},
{"type":"char-to", "name":"date", "extradata":"]"},
{"type":"literal", "text":"] \""},
{"type":"word", "name":"method"},
{"type":"literal", "text":" "},
{"type":"char-to", "name":"request", "extradata":" "},
{"type":"literal", "text":" HTTP/"},
{"type":"float", "name":"httpversion"},
{"type":"literal", "text":"\" "},
{"type":"number", "name":"response"},
{"type":"literal", "text":" "},
{"type":"number", "name":"bytes"}
]%

rule=access:%[
{"type":"@apache"},
{"type":"literal", "text":"\""},
{"type":"char-to", "name":"referrer", "extradata":"\""},
{"type":"literal", "text":"\""},
{"type":"char-to", "name":"useragent", "extradata":"\""}
]%
rule=access:%@apache%

[1] http://www.liblognorm.com/files/manual/configuration.html
[2] https://httpd.apache.org/docs/2.4/logs.html#accesslog


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
LIKE THAT.___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] liblognorm vs grok

[David Lang]

On Mon, 5 Dec 2016, mosto...@gmail.com wrote:


Hi


Coming back to liblognorm, I have a few questions I'll love an expert reply. 
0:D


*- Documentation [1] states how to define a type, but not how to use it. Are 
we properly using defined type "apache" in the configuration below?*


almost, %@apache% makes no more sense than %word%, you need to give the match a 
name


so %log:@apache% would work, or if you want to move everything up a later 
(rather than having $!apache!ip) you could do %.:@apache%



- Apache access log seem to have 2 formats: common and combined [2]
   127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326
   127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 
200 2326 "referrer" "useragent"

*How should we define our rulesets to have /optional/ fields?


there is the alturnative capability in the v2 language, or define multiple rules

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] filters question

[David Lang]

On Mon, 5 Dec 2016, Swartz, Patrick wrote:


This is what I was looking for when I composed my email below and just found again 
concerning the " stop } "--

From: http://www.rsyslog.com/filter-optimization-with-arrays/
"The second action is represented by stop. Please note that this is case sensitive. 
Basically, stop means to stop the message processing. No further processing of the 
message will take place."

Is there a way to prioritize/process filters? Something like; process all 
filters/configs in /etc/rsyslog.d/, before the filters in /etc/rsyslog.conf, 
for example?


the prioity is the order that rsyslog sees the filters, which is the order that 
they appear in the file. If you use includes, it's as if you pasted the file 
contents in the file at that point (in an older version, rsyslog included files 
in reverse alpha order, now it includes them in alpha order)


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] filters question

[David Lang]

On Mon, 5 Dec 2016, Swartz, Patrick wrote:


Date: Mon, 5 Dec 2016 14:29:30 +
From: "Swartz, Patrick" 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] filters question

Hi,
I've made the changes you recommended (turning off message reduction, removing 
the trailing /, and took out more comments.

Your comment, " remember, it doesn't stop processing the log at the first match, it 
keeps going in case there are other matches as well."
Really?  I thought the " stop }" at the end of a specific config was telling 
rsyslog to stop processing the message and/or looking for other matches?
If rsyslog is still looking for other matches then why doesn't every message end up in my 
"Unclassified" folder since I'm matching against "*.*" for my Unknowns filter?


you are correct that "stop" stops processing of the log message, but I do not 
see a stop between the first action and the first if clause, which could match 
the messages you are talking about.


Is there a right/better way to have unmatched messages be dealt with?  The 
next step in our chain is Splunk, and it is setup to monitor specific folders 
for a given "source/source-type" I need some way to guarantee that messages 
that match "fromhost-ip" or "startswith" only end up in a specific folder. 
And all other messages that do not match either of those go into another 
folder that I can monitor and build new filters for or modify existing filters 
(example, adding another ESXi host to the list).


you need to either use stop appropriately, or setup if-then-else trees to handle 
the messages you want to handle, but not the ones you aren't prepared to handle


filters are applied in the order they are seen, so since you do the includes 
first, they should be processed before anything in the main file


In the main file, you are writing out to the unclassified template before you do 
anything else, so you will always write out to there (and if hostname has 
garbage it will create garbage directories), only after that do you start doing 
specific tests.


by the way, you don't need to put the filter *.* in the file, you can just have 
the line start with action()


what version are you running again? there was a bug at one point where the items 
in an array match needed to be alpha sorted, so 10.2* entries would need to be 
before 10.3* entries. That was fixed a while ago, but if you are running an old 
enough version, that could be why it's not matching


David Lang


Here is my current rsyslog.conf, the extra ESXi.conf, and an example output 
from the msgdebug.log of a message that ended up in the Unclassified folder:
MAIN CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.conf
$umask 

### for debug
*.* /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat

$ModLoad immark.so
$MarkMessagePeriod  3600
$ModLoad imuxsock.so
$RepeatedMsgReduction   off
$ModLoad imklog.so
$klogConsoleLogLevel1
$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.template

# Unknowns
$umask 
template(name="Unclassified" type="string" 
string="/var/splunk-syslog/Unclassified/%HOSTNAME%/%FROMHOST%-%$NOW%.log")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="Unclassified")

if  (
   ($syslogfacility-text == 'kern')  and
   ($syslogseverity <= 4 ) and not
   ($msg contains 'IN=' and $msg contains 'OUT=')
   ) or (
   ($syslogseverity <= 3 ) and not
   ($syslogfacility-text == 'authpriv')
   )
then {
   /dev/tty10
   |/dev/xconsole
}

*.emerg  :omusrmsg:*

if  ($syslogfacility-text == 'kern') and
   ($msg contains 'IN=' and $msg contains 'OUT=')
then {
   /var/log/firewall
   stop
}

if  ($programname == 'acpid' or $syslogtag == '[acpid]:') and
   ($syslogseverity <= 5 )
then {
   /var/log/acpid
   stop
}

if  ($programname == 'NetworkManager') or
   ($programname startswith 'nm-')
then {
   /var/log/NetworkManager
   stop
}

mail.*  /var/log/mail
mail.info   /var/log/mail.info
mail.warning/var/log/mail.warn
mail.err/var/log/mail.err

news.crit   /var/log/news/news.crit
news.err/var/log/news/news.err
news.notice /var/log/news/news.notice

*.=warning;*.=err   /var/log/warn
*.crit  /var/log/warn

*.*;mail.none;news.none /var/log/messages

local0.*;local1.*   /var/log/localmessages
local2.*;local3.*   /var/log/localmessages
local4.*;local5.*   /var/log/localmessages
local6.*;local7.*   /var/log/localmessages
###

FROM EXTRA CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.d/ESXi.conf
template(name="ESXi_ap

Re: [rsyslog] filters question

[Swartz, Patrick]

This is what I was looking for when I composed my email below and just found 
again concerning the " stop } "-- 

From: http://www.rsyslog.com/filter-optimization-with-arrays/ 
"The second action is represented by stop. Please note that this is case 
sensitive. Basically, stop means to stop the message processing. No further 
processing of the message will take place."

Is there a way to prioritize/process filters? Something like; process all 
filters/configs in /etc/rsyslog.d/, before the filters in /etc/rsyslog.conf, 
for example? 

Patrick H Swartz


-Original Message-
From: Swartz, Patrick 
Sent: Monday, December 05, 2016 8:30 AM
To: rsyslog-users 
Subject: RE: [rsyslog] filters question

Hi,
I've made the changes you recommended (turning off message reduction, removing 
the trailing /, and took out more comments.  

Your comment, " remember, it doesn't stop processing the log at the first 
match, it keeps going in case there are other matches as well."
Really?  I thought the " stop }" at the end of a specific config was telling 
rsyslog to stop processing the message and/or looking for other matches?
If rsyslog is still looking for other matches then why doesn't every message 
end up in my "Unclassified" folder since I'm matching against "*.*" for my 
Unknowns filter? 

Is there a right/better way to have unmatched messages be dealt with?  The next 
step in our chain is Splunk, and it is setup to monitor specific folders for a 
given "source/source-type" I need some way to guarantee that messages that 
match "fromhost-ip" or "startswith" only end up in a specific folder.  And all 
other messages that do not match either of those go into another folder that I 
can monitor and build new filters for or modify existing filters (example, 
adding another ESXi host to the list).
 
Here is my current rsyslog.conf, the extra ESXi.conf, and an example output 
from the msgdebug.log of a message that ended up in the Unclassified folder:
MAIN CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.conf $umask 

### for debug
*.* /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat

$ModLoad immark.so
$MarkMessagePeriod  3600
$ModLoad imuxsock.so
$RepeatedMsgReduction   off
$ModLoad imklog.so
$klogConsoleLogLevel1
$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.template

# Unknowns
$umask 
template(name="Unclassified" type="string" 
string="/var/splunk-syslog/Unclassified/%HOSTNAME%/%FROMHOST%-%$NOW%.log")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="Unclassified")

if  (
($syslogfacility-text == 'kern')  and
($syslogseverity <= 4 ) and not
($msg contains 'IN=' and $msg contains 'OUT=')
) or (
($syslogseverity <= 3 ) and not
($syslogfacility-text == 'authpriv')
)
then {
/dev/tty10
|/dev/xconsole
}

*.emerg  :omusrmsg:*

if  ($syslogfacility-text == 'kern') and
($msg contains 'IN=' and $msg contains 'OUT=') then {
/var/log/firewall
stop
}

if  ($programname == 'acpid' or $syslogtag == '[acpid]:') and
($syslogseverity <= 5 )
then {
/var/log/acpid
stop
}

if  ($programname == 'NetworkManager') or
($programname startswith 'nm-')
then {
/var/log/NetworkManager
stop
}

mail.*  /var/log/mail
mail.info   /var/log/mail.info
mail.warning/var/log/mail.warn
mail.err/var/log/mail.err

news.crit   /var/log/news/news.crit
news.err/var/log/news/news.err
news.notice /var/log/news/news.notice

*.=warning;*.=err   /var/log/warn
*.crit  /var/log/warn

*.*;mail.none;news.none /var/log/messages

local0.*;local1.*   /var/log/localmessages
local2.*;local3.*   /var/log/localmessages
local4.*;local5.*   /var/log/localmessages
local6.*;local7.*   /var/log/localmessages
###

FROM EXTRA CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.d/ESXi.conf template(name="ESXi_app" 
type="string" string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log")
if $fromhost-ip == ["100.31.20.101",
"100.31.20.102",
"100.200.20.231",
"100.200.20.232"]
then {
 action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="ESXi_app") stop }

FROM THE DEBUG FILE:
Debug line with all properties:
FROMHOST: 'sdcurpe02.mycompany.com', fromhost-ip: '100.200.20.232', HOSTNAME: 
'sdcurpe02.mycompany.com', PRI: 14, syslogtag 'storageRM:', programname: 
'storageRM', APP-NAME: 'storageRM', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Dec  5 13:50:52',

Re: [rsyslog] HUP causes delay in message forwarding

[Woodruff, Dan]

Thank you for the tips. I increased impstats to 5 seconds (had it at 30
seconds previously) and saw that the main queue was building up while the
counters on the outputs queues were not incrementing. Your comment about one
of the outputs blocking made me think about our antivirus, which was
installed a couple months ago. I disabled it and the delay in output closing
went away. I'll be pursuing AV exclusions for the paths where logs are being
written on the system, which I expect will solve the delay.

Thank you,
Dan 

-Original Message-
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Tuesday, November 29, 2016 12:47 PM
To: rsyslog-users 
Subject: Re: [rsyslog] HUP causes delay in message forwarding


we would need to see more stats and probably more config to know what's
happening here.

All that the HUP does is to close all outputs, if you have logs to deliver,
they should get re-opened immediately.

so make sure you enable impstats, have it write out to a file (so that the
delays you are seeing in log processing can't affect it) and given that you
are seeing delays in the 5-60 sec range, set it for something small like 5
seconds. 
Then start things up and send it a HUP, let it recover, and repeat a couple
times. Then send us the pstats output.


There are two things to be looking at here.

1. if there are no incoming messages during this time and the main queue is
empty, how are you getting logs? if it's through imjournal, that could point
at a systemd issue.

2. if you have messages in the main queue during this time, then one of your
outputs (not neccessarily the one going to the SIEM) is blocking and taking
a bunch of time to restart. we should see this in the pstats output.

David Lang
___
rsyslog mailing list
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.adiscon.net_mailma
n_listinfo_rsyslog&d=CwICAg&c=kbmfwr1Yojg42sGEpaQh5ofMHBeTl9EI2eaqQZhHbOU&r=
0S5vJ8-FmQy6Qk5D6_T4U9EYbkCcMc4ijDuyUem89Lk&m=1Am6_BpWpyt-iCBCbfMNAKGF8GVhy5
Nw80WBbMmzXmo&s=itSOhS_kwlpw_xXDIBFi79vKMWn4qQX8UkHs1ozI6Xw&e=
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professi
onal-2Dservices_&d=CwICAg&c=kbmfwr1Yojg42sGEpaQh5ofMHBeTl9EI2eaqQZhHbOU&r=0S
5vJ8-FmQy6Qk5D6_T4U9EYbkCcMc4ijDuyUem89Lk&m=1Am6_BpWpyt-iCBCbfMNAKGF8GVhy5Nw
80WBbMmzXmo&s=ur1fnqP1jZyCNLUYJFW6aM9yftoD47CYu-mUu07aYuk&e=
What's up with rsyslog? Follow
https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d
=CwICAg&c=kbmfwr1Yojg42sGEpaQh5ofMHBeTl9EI2eaqQZhHbOU&r=0S5vJ8-FmQy6Qk5D6_T4
U9EYbkCcMc4ijDuyUem89Lk&m=1Am6_BpWpyt-iCBCbfMNAKGF8GVhy5Nw80WBbMmzXmo&s=wpm9
OJ_fXodtPZxxX0MpDQhDTop0_87PfgUzXdg19nw&e=
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.


smime.p7s
Description: S/MIME cryptographic signature
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] liblognorm vs grok

[mosto...@gmail.com]

I forgot:

With provided rule file...why I'm getting a bunch of this errors when 
using /usr/lib/lognorm/lognormalizer?


{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:15:31 +0100] \"GET 
\/redacted\/page HTTP\/1.1\" 200 1234", "unparsed-data": "" }



El 05/12/16 a las 15:41, mosto...@gmail.com escribió:

Hi


Coming back to liblognorm, I have a few questions I'll love an expert 
reply.  0:D


*- Documentation [1] states how to define a type, but not how to use 
it. Are we properly using defined type "apache" in the configuration 
below?*


- Apache access log seem to have 2 formats: common and combined [2]
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326
127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326 "referrer" "useragent"

*How should we define our rulesets to have /optional/ fields?

- Our current workaround is to have a defined type and use it as part 
of a longer rule. Is that ok?*


*- How could we define logic to set a filed to "0" when content is 
"-"? (bytes field)*


type=@apache:%[
{"type":"ipv4", "name":"ip"},
{"type":"literal", "text":" "},
{"type":"word", "name":"ident"},
{"type":"literal", "text":" "},
{"type":"word", "name":"user"},
{"type":"literal", "text":" ["},
{"type":"char-to", "name":"date", "extradata":"]"},
{"type":"literal", "text":"] \""},
{"type":"word", "name":"method"},
{"type":"literal", "text":" "},
{"type":"char-to", "name":"request", "extradata":" "},
{"type":"literal", "text":" HTTP/"},
{"type":"float", "name":"httpversion"},
{"type":"literal", "text":"\" "},
{"type":"number", "name":"response"},
{"type":"literal", "text":" "},
{"type":"number", "name":"bytes"}
]%

rule=access:%[
{"type":"@apache"},
{"type":"literal", "text":"\""},
{"type":"char-to", "name":"referrer", "extradata":"\""},
{"type":"literal", "text":"\""},
{"type":"char-to", "name":"useragent", "extradata":"\""}
]%
rule=access:%@apache%

[1] http://www.liblognorm.com/files/manual/configuration.html
[2] https://httpd.apache.org/docs/2.4/logs.html#accesslog


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] liblognorm vs grok

[mosto...@gmail.com]

Hi


Coming back to liblognorm, I have a few questions I'll love an expert 
reply.  0:D


*- Documentation [1] states how to define a type, but not how to use it. 
Are we properly using defined type "apache" in the configuration below?*


- Apache access log seem to have 2 formats: common and combined [2]
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326
127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif 
HTTP/1.0" 200 2326 "referrer" "useragent"

*How should we define our rulesets to have /optional/ fields?

- Our current workaround is to have a defined type and use it as part of 
a longer rule. Is that ok?*


*- How could we define logic to set a filed to "0" when content is "-"? 
(bytes field)*


type=@apache:%[
{"type":"ipv4", "name":"ip"},
{"type":"literal", "text":" "},
{"type":"word", "name":"ident"},
{"type":"literal", "text":" "},
{"type":"word", "name":"user"},
{"type":"literal", "text":" ["},
{"type":"char-to", "name":"date", "extradata":"]"},
{"type":"literal", "text":"] \""},
{"type":"word", "name":"method"},
{"type":"literal", "text":" "},
{"type":"char-to", "name":"request", "extradata":" "},
{"type":"literal", "text":" HTTP/"},
{"type":"float", "name":"httpversion"},
{"type":"literal", "text":"\" "},
{"type":"number", "name":"response"},
{"type":"literal", "text":" "},
{"type":"number", "name":"bytes"}
]%

rule=access:%[
{"type":"@apache"},
{"type":"literal", "text":"\""},
{"type":"char-to", "name":"referrer", "extradata":"\""},
{"type":"literal", "text":"\""},
{"type":"char-to", "name":"useragent", "extradata":"\""}
]%
rule=access:%@apache%

[1] http://www.liblognorm.com/files/manual/configuration.html
[2] https://httpd.apache.org/docs/2.4/logs.html#accesslog
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] filters question

[Swartz, Patrick]

Hi,
I've made the changes you recommended (turning off message reduction, removing 
the trailing /, and took out more comments.  

Your comment, " remember, it doesn't stop processing the log at the first 
match, it keeps going in case there are other matches as well."
Really?  I thought the " stop }" at the end of a specific config was telling 
rsyslog to stop processing the message and/or looking for other matches?
If rsyslog is still looking for other matches then why doesn't every message 
end up in my "Unclassified" folder since I'm matching against "*.*" for my 
Unknowns filter? 

Is there a right/better way to have unmatched messages be dealt with?  The next 
step in our chain is Splunk, and it is setup to monitor specific folders for a 
given "source/source-type" I need some way to guarantee that messages that 
match "fromhost-ip" or "startswith" only end up in a specific folder.  And all 
other messages that do not match either of those go into another folder that I 
can monitor and build new filters for or modify existing filters (example, 
adding another ESXi host to the list).
 
Here is my current rsyslog.conf, the extra ESXi.conf, and an example output 
from the msgdebug.log of a message that ended up in the Unclassified folder:
MAIN CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.conf
$umask 

### for debug
*.* /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat

$ModLoad immark.so
$MarkMessagePeriod  3600
$ModLoad imuxsock.so
$RepeatedMsgReduction   off
$ModLoad imklog.so
$klogConsoleLogLevel1
$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.template

# Unknowns
$umask 
template(name="Unclassified" type="string" 
string="/var/splunk-syslog/Unclassified/%HOSTNAME%/%FROMHOST%-%$NOW%.log")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="Unclassified")

if  (
($syslogfacility-text == 'kern')  and
($syslogseverity <= 4 ) and not
($msg contains 'IN=' and $msg contains 'OUT=')
) or (
($syslogseverity <= 3 ) and not
($syslogfacility-text == 'authpriv')
)
then {
/dev/tty10
|/dev/xconsole
}

*.emerg  :omusrmsg:*

if  ($syslogfacility-text == 'kern') and
($msg contains 'IN=' and $msg contains 'OUT=')
then {
/var/log/firewall
stop
}

if  ($programname == 'acpid' or $syslogtag == '[acpid]:') and
($syslogseverity <= 5 )
then {
/var/log/acpid
stop
}

if  ($programname == 'NetworkManager') or
($programname startswith 'nm-')
then {
/var/log/NetworkManager
stop
}

mail.*  /var/log/mail
mail.info   /var/log/mail.info
mail.warning/var/log/mail.warn
mail.err/var/log/mail.err

news.crit   /var/log/news/news.crit
news.err/var/log/news/news.err
news.notice /var/log/news/news.notice

*.=warning;*.=err   /var/log/warn
*.crit  /var/log/warn

*.*;mail.none;news.none /var/log/messages

local0.*;local1.*   /var/log/localmessages
local2.*;local3.*   /var/log/localmessages
local4.*;local5.*   /var/log/localmessages
local6.*;local7.*   /var/log/localmessages
###

FROM EXTRA CONFIG FILE:
root@whqlrsyslog02 # cat /etc/rsyslog.d/ESXi.conf
template(name="ESXi_app" type="string" 
string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log")
if $fromhost-ip == ["100.31.20.101",
"100.31.20.102",
"100.200.20.231",
"100.200.20.232"]
then {
 action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" 
dynaFile="ESXi_app")
stop }

FROM THE DEBUG FILE:
Debug line with all properties:
FROMHOST: 'sdcurpe02.mycompany.com', fromhost-ip: '100.200.20.232', HOSTNAME: 
'sdcurpe02.mycompany.com', PRI: 14,
syslogtag 'storageRM:', programname: 'storageRM', APP-NAME: 'storageRM', 
PROCID: '-', MSGID: '-',
TIMESTAMP: 'Dec  5 13:50:52', STRUCTURED-DATA: '-',
msg: '   Some host is down, need to reset the slot allocation'
escaped msg: '   Some host is down, need to reset the slot 
allocation'
inputname: imtcp rawmsg: '<14>2016-12-05T13:50:52.367Z sdcurpe02.mycompany.com 
storageRM:   Some host is down, need to reset the slot 
allocation'

Debug line with all properties:
FROMHOST: 'sdcurpe01.mycompany.com', fromhost-ip: '100.200.20.231', HOSTNAME: 
'sdcurpe01.mycompany.com', PRI: 14,
syslogtag 'storageRM:', programname: 'storageRM', APP-NAME: 'storageRM', 
PROCID: '-', MSGID: '-',
TIMESTAMP: 'Dec  5 13:42:37', STRUCTURED-DATA: '-',
msg: '   Number of hosts has changed to 6'
escaped msg: '   Number of hosts has changed to 6'
inputname: 

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[David Lang]

On Mon, 5 Dec 2016, Bob Gregory wrote:


action(type="omriemann" metric="1") will send {host:$hostname, time:
$timereported,   service: $programname}


One point of clarification, rsyslog doesn't currently have a config parameter 
type that allows for a parameter to sometimes be a constant and sometimes be a 
variable name.


so either you would need to do

set $.mymetric="1";
action(type="omriemann" metric="$.mymetric")

or you would need to introduce the capability to have a parameter that can be 
either a constant or a variable.


allowing a parameter to be something more complex (a function, or includ math) 
is a step even further.


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[Bob Gregory]

So internally, Riemann just creates a clojure hashmap for each event {host:
blah, metric: foo, ttl: 60, ... }.

It holds a snapshot of recent events in memory, and it indexes certain
fields - host, service etc.

You can add whatever additional attributes you like, because riemann will
just add them to the map. They operate a little slower than the built-in
fields, but you can work with them in the same way:
http://riemann.io/howto.html#custom-event-attributes

On Mon, 5 Dec 2016 at 12:29 David Lang  wrote:

> I still have a question about what the attributes are. They weren't
> mentioned
> in the video you posted.
>
> David Lang
>
> On Mon, 5 Dec 2016, Bob Gregory wrote:
>
> > Date: Mon, 05 Dec 2016 12:26:17 +
> > From: Bob Gregory 
> > Reply-To: rsyslog-users 
> > To: rsyslog-users 
> > Subject: Re: [rsyslog] omriemann configuration (was musing on ERK stack)
> >
> >> what about status? is it normally/commonly left blank?
> >
> > It depends on the use case, for something like cpu usage, the state would
> > be blank; likewise for rsyslog message throughput. I would expect to see
> a
> > state for something like monitoring redis operations, or HTTP calls,
> where
> > the metric represents the latency of an operation, and the state is "ok"
> if
> > the operation succeeded, otherwise "error".
> >
> > This is really my point, that most of the fields are left empty in most
> > cases - you're right that there's a lot of flexibility in how to
> represent
> > an event, and it's really down to an end-user to understand how they want
> > to format their data.
> >
> >> as long as the syntax checker for the module can report a config error
> if
> > you
> >> don't have at least one
> >
> > Works for me.
> >
> > -- Bob.
> >
> >
> > On Mon, 5 Dec 2016 at 12:20 David Lang  wrote:
> >
> >> On Mon, 5 Dec 2016, Bob Gregory wrote:
> >>
> >>> Yo yo, David.
> >>>
> >>> I think you're convincing me, at least on the service/programname. That
> >>> means we can default all of the required host, service, timestamp
> >> fields. I
> >>> also like the simpler approach of using the fractional part to decide
> >> which
> >>> kind of metric we're sending. That's a better user-experience.
> >>>
> >>> I still feel reasonably strongly that we oughtn't to default the other
> >>> fields, since the usual case of riemann is for them to be absent.
> >>>
> >>> Are you satisfied with the host, service, timestamp fields having
> >> defaults?
> >>> That means that the following
> >>>
> >>> action(type="omriemann" metric="1") will send {host:$hostname, time:
> >>> $timereported,   service: $programname}
> >>>
> >>> While it's not going to be very useful, it's at least something you can
> >>> dump to console on the Riemann host and see that data are flowing.
> >>
> >> what about status? is it normally/commonly left blank?
> >>
> >> as long as the syntax checker for the module can report a config error
> if
> >> you
> >> don't have at least one of description, metric, status defined in an
> >> action()
> >> call (with an error message that will make it obvious to the admin why
> >> they are
> >> getting the error)
> >>
> >> David Lang
> >>
> >>>
> >>>
> >>> On Mon, 5 Dec 2016 at 11:39 David Lang  wrote:
> >>>
> >>> On Mon, 5 Dec 2016, Bob Gregory wrote:
> >>>
>  @ David Lang, moving omriemann discussion back over here.
> 
> > we need to try and come up with a reasonable default value for
> >>> parameters.
> 
>  I think I disagree with that. Most of the fields aren't required, and
> we
>  shouldn't send them unless configured otherwise. The intention isn't
> >> that
>  all logs will go to riemann, but only a small subset of logs, after
> >> being
>  substantially transformed.
> >>>
> >>> the biggest thing we need to do is make sure that whatever the user
> >>> attempts to
> >>> send should not stall the feed, so it will either need to be discarded
> >>> (IMHO a
> >>> bad idea) or 'fixed up' if it's not valid.
> >>>
>  * Description is an unusual field to include - I definitely wouldn't
>  include the entire log message as a default.
>  * The programname makes little sense as a service. IF I see that
> "nginx"
> >>> or
>  "rsyslog" is oscillating between 20 and 57 on a graph, what does that
> >> tell
>  me?
> >>>
> >>> the number of lines of rsyslog data you are getting if nothing else
> >> (which
> >>> may be something you want to monitor :-)
> >>>
> >>> again, I'm trying to make the defaults do something sane if nothing is
> >>> configured. It's better to have someone do a trivial configuration and
> >> get
> >>> flooded with data than to have them have to get a lot of things right
> >> before
> >>> anything shows up.
> >>>
>  * TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
>  actually sure what happens with a TTL of 0, I'd guess the event
> >>> immediately
>  expires, which would be problematic for many cases.
> >>>
> >>> Ok, as long as Riemann is designed to survi

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[David Lang]

I still have a question about what the attributes are. They weren't mentioned 
in the video you posted.


David Lang

On Mon, 5 Dec 2016, Bob Gregory wrote:


Date: Mon, 05 Dec 2016 12:26:17 +
From: Bob Gregory 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: Re: [rsyslog] omriemann configuration (was musing on ERK stack)


what about status? is it normally/commonly left blank?


It depends on the use case, for something like cpu usage, the state would
be blank; likewise for rsyslog message throughput. I would expect to see a
state for something like monitoring redis operations, or HTTP calls, where
the metric represents the latency of an operation, and the state is "ok" if
the operation succeeded, otherwise "error".

This is really my point, that most of the fields are left empty in most
cases - you're right that there's a lot of flexibility in how to represent
an event, and it's really down to an end-user to understand how they want
to format their data.


as long as the syntax checker for the module can report a config error  if

you

don't have at least one


Works for me.

-- Bob.


On Mon, 5 Dec 2016 at 12:20 David Lang  wrote:


On Mon, 5 Dec 2016, Bob Gregory wrote:


Yo yo, David.

I think you're convincing me, at least on the service/programname. That
means we can default all of the required host, service, timestamp

fields. I

also like the simpler approach of using the fractional part to decide

which

kind of metric we're sending. That's a better user-experience.

I still feel reasonably strongly that we oughtn't to default the other
fields, since the usual case of riemann is for them to be absent.

Are you satisfied with the host, service, timestamp fields having

defaults?

That means that the following

action(type="omriemann" metric="1") will send {host:$hostname, time:
$timereported,   service: $programname}

While it's not going to be very useful, it's at least something you can
dump to console on the Riemann host and see that data are flowing.


what about status? is it normally/commonly left blank?

as long as the syntax checker for the module can report a config error if
you
don't have at least one of description, metric, status defined in an
action()
call (with an error message that will make it obvious to the admin why
they are
getting the error)

David Lang




On Mon, 5 Dec 2016 at 11:39 David Lang  wrote:

On Mon, 5 Dec 2016, Bob Gregory wrote:


@ David Lang, moving omriemann discussion back over here.


we need to try and come up with a reasonable default value for

parameters.


I think I disagree with that. Most of the fields aren't required, and we
shouldn't send them unless configured otherwise. The intention isn't

that

all logs will go to riemann, but only a small subset of logs, after

being

substantially transformed.


the biggest thing we need to do is make sure that whatever the user
attempts to
send should not stall the feed, so it will either need to be discarded
(IMHO a
bad idea) or 'fixed up' if it's not valid.


* Description is an unusual field to include - I definitely wouldn't
include the entire log message as a default.
* The programname makes little sense as a service. IF I see that "nginx"

or

"rsyslog" is oscillating between 20 and 57 on a graph, what does that

tell

me?


the number of lines of rsyslog data you are getting if nothing else

(which

may be something you want to monitor :-)

again, I'm trying to make the defaults do something sane if nothing is
configured. It's better to have someone do a trivial configuration and

get

flooded with data than to have them have to get a lot of things right

before

anything shows up.


* TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
actually sure what happens with a TTL of 0, I'd guess the event

immediately

expires, which would be problematic for many cases.


Ok, as long as Riemann is designed to survive when no TTL is provided.


* The tags as used by rsyslog are unlikely to map meaningfully to the

tags

used by riemann because they have very different use cases. I  mostly

use

tags in rsyslog to tell me whether my logs are json, or HTTP access

logs,

or PHP exceptions etc so that I know how to handle the output of

mmnormalize

- that's not useful data in my monitoring stack.


again, I'm looking to set a default that has a chance of working, if you

are

always setting the tag, the default doesn't matter.

I set the tags to contain a lot more info, is this a connection or
disconnection, is this a login or failed login, etc.


It turns out, on a re-reading, that the metric isn't required either -

it's

absolutely valid to send the event {host: localhost, service: "openvpn",
status: "up | down" } for example.


ok, makes sense.


Given that we can't make reasonable guesses about what the user

intends, I

think the sensible approach is to _not send_ any field for which we

don't

have

a value specified, with the exception of the source host and the

timestamp

which 

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[Bob Gregory]

> what about status? is it normally/commonly left blank?

It depends on the use case, for something like cpu usage, the state would
be blank; likewise for rsyslog message throughput. I would expect to see a
state for something like monitoring redis operations, or HTTP calls, where
the metric represents the latency of an operation, and the state is "ok" if
the operation succeeded, otherwise "error".

This is really my point, that most of the fields are left empty in most
cases - you're right that there's a lot of flexibility in how to represent
an event, and it's really down to an end-user to understand how they want
to format their data.

> as long as the syntax checker for the module can report a config error  if
you
> don't have at least one

Works for me.

 -- Bob.


On Mon, 5 Dec 2016 at 12:20 David Lang  wrote:

> On Mon, 5 Dec 2016, Bob Gregory wrote:
>
> > Yo yo, David.
> >
> > I think you're convincing me, at least on the service/programname. That
> > means we can default all of the required host, service, timestamp
> fields. I
> > also like the simpler approach of using the fractional part to decide
> which
> > kind of metric we're sending. That's a better user-experience.
> >
> > I still feel reasonably strongly that we oughtn't to default the other
> > fields, since the usual case of riemann is for them to be absent.
> >
> > Are you satisfied with the host, service, timestamp fields having
> defaults?
> > That means that the following
> >
> > action(type="omriemann" metric="1") will send {host:$hostname, time:
> > $timereported,   service: $programname}
> >
> > While it's not going to be very useful, it's at least something you can
> > dump to console on the Riemann host and see that data are flowing.
>
> what about status? is it normally/commonly left blank?
>
> as long as the syntax checker for the module can report a config error if
> you
> don't have at least one of description, metric, status defined in an
> action()
> call (with an error message that will make it obvious to the admin why
> they are
> getting the error)
>
> David Lang
>
> >
> >
> > On Mon, 5 Dec 2016 at 11:39 David Lang  wrote:
> >
> > On Mon, 5 Dec 2016, Bob Gregory wrote:
> >
> >> @ David Lang, moving omriemann discussion back over here.
> >>
> >>> we need to try and come up with a reasonable default value for
> > parameters.
> >>
> >> I think I disagree with that. Most of the fields aren't required, and we
> >> shouldn't send them unless configured otherwise. The intention isn't
> that
> >> all logs will go to riemann, but only a small subset of logs, after
> being
> >> substantially transformed.
> >
> > the biggest thing we need to do is make sure that whatever the user
> > attempts to
> > send should not stall the feed, so it will either need to be discarded
> > (IMHO a
> > bad idea) or 'fixed up' if it's not valid.
> >
> >> * Description is an unusual field to include - I definitely wouldn't
> >> include the entire log message as a default.
> >> * The programname makes little sense as a service. IF I see that "nginx"
> > or
> >> "rsyslog" is oscillating between 20 and 57 on a graph, what does that
> tell
> >> me?
> >
> > the number of lines of rsyslog data you are getting if nothing else
> (which
> > may be something you want to monitor :-)
> >
> > again, I'm trying to make the defaults do something sane if nothing is
> > configured. It's better to have someone do a trivial configuration and
> get
> > flooded with data than to have them have to get a lot of things right
> before
> > anything shows up.
> >
> >> * TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
> >> actually sure what happens with a TTL of 0, I'd guess the event
> > immediately
> >> expires, which would be problematic for many cases.
> >
> > Ok, as long as Riemann is designed to survive when no TTL is provided.
> >
> >> * The tags as used by rsyslog are unlikely to map meaningfully to the
> tags
> >> used by riemann because they have very different use cases. I  mostly
> use
> >> tags in rsyslog to tell me whether my logs are json, or HTTP access
> logs,
> >> or PHP exceptions etc so that I know how to handle the output of
> > mmnormalize
> >> - that's not useful data in my monitoring stack.
> >
> > again, I'm looking to set a default that has a chance of working, if you
> are
> > always setting the tag, the default doesn't matter.
> >
> > I set the tags to contain a lot more info, is this a connection or
> > disconnection, is this a login or failed login, etc.
> >
> >> It turns out, on a re-reading, that the metric isn't required either -
> > it's
> >> absolutely valid to send the event {host: localhost, service: "openvpn",
> >> status: "up | down" } for example.
> >
> > ok, makes sense.
> >
> >> Given that we can't make reasonable guesses about what the user
> intends, I
> >> think the sensible approach is to _not send_ any field for which we
> don't
> > have
> >> a value specified, with the exception of the source host and the
> ti

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[David Lang]

On Mon, 5 Dec 2016, Bob Gregory wrote:


Yo yo, David.

I think you're convincing me, at least on the service/programname. That
means we can default all of the required host, service, timestamp fields. I
also like the simpler approach of using the fractional part to decide which
kind of metric we're sending. That's a better user-experience.

I still feel reasonably strongly that we oughtn't to default the other
fields, since the usual case of riemann is for them to be absent.

Are you satisfied with the host, service, timestamp fields having defaults?
That means that the following

action(type="omriemann" metric="1") will send {host:$hostname, time:
$timereported,   service: $programname}

While it's not going to be very useful, it's at least something you can
dump to console on the Riemann host and see that data are flowing.


what about status? is it normally/commonly left blank?

as long as the syntax checker for the module can report a config error if you 
don't have at least one of description, metric, status defined in an action() 
call (with an error message that will make it obvious to the admin why they are 
getting the error)


David Lang




On Mon, 5 Dec 2016 at 11:39 David Lang  wrote:

On Mon, 5 Dec 2016, Bob Gregory wrote:


@ David Lang, moving omriemann discussion back over here.


we need to try and come up with a reasonable default value for

parameters.


I think I disagree with that. Most of the fields aren't required, and we
shouldn't send them unless configured otherwise. The intention isn't that
all logs will go to riemann, but only a small subset of logs, after being
substantially transformed.


the biggest thing we need to do is make sure that whatever the user
attempts to
send should not stall the feed, so it will either need to be discarded
(IMHO a
bad idea) or 'fixed up' if it's not valid.


* Description is an unusual field to include - I definitely wouldn't
include the entire log message as a default.
* The programname makes little sense as a service. IF I see that "nginx"

or

"rsyslog" is oscillating between 20 and 57 on a graph, what does that tell
me?


the number of lines of rsyslog data you are getting if nothing else (which
may be something you want to monitor :-)

again, I'm trying to make the defaults do something sane if nothing is
configured. It's better to have someone do a trivial configuration and get
flooded with data than to have them have to get a lot of things right before
anything shows up.


* TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
actually sure what happens with a TTL of 0, I'd guess the event

immediately

expires, which would be problematic for many cases.


Ok, as long as Riemann is designed to survive when no TTL is provided.


* The tags as used by rsyslog are unlikely to map meaningfully to the tags
used by riemann because they have very different use cases. I  mostly use
tags in rsyslog to tell me whether my logs are json, or HTTP access logs,
or PHP exceptions etc so that I know how to handle the output of

mmnormalize

- that's not useful data in my monitoring stack.


again, I'm looking to set a default that has a chance of working, if you are
always setting the tag, the default doesn't matter.

I set the tags to contain a lot more info, is this a connection or
disconnection, is this a login or failed login, etc.


It turns out, on a re-reading, that the metric isn't required either -

it's

absolutely valid to send the event {host: localhost, service: "openvpn",
status: "up | down" } for example.


ok, makes sense.


Given that we can't make reasonable guesses about what the user intends, I
think the sensible approach is to _not send_ any field for which we don't

have

a value specified, with the exception of the source host and the timestamp
which have obviously sane defaults.


Here I disagree, not sending anything is likely to generate support
requests of
"I configured omriemann and got a bunch of blank events, what's wrong". I'd
rather send extra data by default so that the people experimenting can at
least
see stuff show up. It's much easier to then tinker with what's showing up
than
to have to figure out what things you have to put in to get anything to
show up.


Other than that, I think we're in agreement. I particularly like the idea
of allowing metric to be a json object, that definitely simplifies the
impstats case.


how do you signal metric types?


I don't - that's down to upstream collectors. Riemann doesn't care what

the

metric represents, it's just a number. It has no concept of the type of a
metric, it just cares about the service name and host and allows you to do
interesting things with the data stream. We use Collectd at Made, and that
sends metrics with gauge/counter/derive in the service name.


ok, that's interesting. Every other montioring tool I've used wants it
specified
as it's passed in. In many cases, this can be configured to different
things on
different servers for the same metric

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[Bob Gregory]

Yo yo, David.

I think you're convincing me, at least on the service/programname. That
means we can default all of the required host, service, timestamp fields. I
also like the simpler approach of using the fractional part to decide which
kind of metric we're sending. That's a better user-experience.

I still feel reasonably strongly that we oughtn't to default the other
fields, since the usual case of riemann is for them to be absent.

Are you satisfied with the host, service, timestamp fields having defaults?
That means that the following

action(type="omriemann" metric="1") will send {host:$hostname, time:
$timereported,   service: $programname}

While it's not going to be very useful, it's at least something you can
dump to console on the Riemann host and see that data are flowing.



On Mon, 5 Dec 2016 at 11:39 David Lang  wrote:

On Mon, 5 Dec 2016, Bob Gregory wrote:

> @ David Lang, moving omriemann discussion back over here.
>
>> we need to try and come up with a reasonable default value for
parameters.
>
> I think I disagree with that. Most of the fields aren't required, and we
> shouldn't send them unless configured otherwise. The intention isn't that
> all logs will go to riemann, but only a small subset of logs, after being
> substantially transformed.

the biggest thing we need to do is make sure that whatever the user
attempts to
send should not stall the feed, so it will either need to be discarded
(IMHO a
bad idea) or 'fixed up' if it's not valid.

> * Description is an unusual field to include - I definitely wouldn't
> include the entire log message as a default.
> * The programname makes little sense as a service. IF I see that "nginx"
or
> "rsyslog" is oscillating between 20 and 57 on a graph, what does that tell
> me?

the number of lines of rsyslog data you are getting if nothing else (which
may be something you want to monitor :-)

again, I'm trying to make the defaults do something sane if nothing is
configured. It's better to have someone do a trivial configuration and get
flooded with data than to have them have to get a lot of things right before
anything shows up.

> * TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
> actually sure what happens with a TTL of 0, I'd guess the event
immediately
> expires, which would be problematic for many cases.

Ok, as long as Riemann is designed to survive when no TTL is provided.

> * The tags as used by rsyslog are unlikely to map meaningfully to the tags
> used by riemann because they have very different use cases. I  mostly use
> tags in rsyslog to tell me whether my logs are json, or HTTP access logs,
> or PHP exceptions etc so that I know how to handle the output of
mmnormalize
> - that's not useful data in my monitoring stack.

again, I'm looking to set a default that has a chance of working, if you are
always setting the tag, the default doesn't matter.

I set the tags to contain a lot more info, is this a connection or
disconnection, is this a login or failed login, etc.

> It turns out, on a re-reading, that the metric isn't required either -
it's
> absolutely valid to send the event {host: localhost, service: "openvpn",
> status: "up | down" } for example.

ok, makes sense.

> Given that we can't make reasonable guesses about what the user intends, I
> think the sensible approach is to _not send_ any field for which we don't
have
> a value specified, with the exception of the source host and the timestamp
> which have obviously sane defaults.

Here I disagree, not sending anything is likely to generate support
requests of
"I configured omriemann and got a bunch of blank events, what's wrong". I'd
rather send extra data by default so that the people experimenting can at
least
see stuff show up. It's much easier to then tinker with what's showing up
than
to have to figure out what things you have to put in to get anything to
show up.

> Other than that, I think we're in agreement. I particularly like the idea
> of allowing metric to be a json object, that definitely simplifies the
> impstats case.
>
>> how do you signal metric types?
>
> I don't - that's down to upstream collectors. Riemann doesn't care what
the
> metric represents, it's just a number. It has no concept of the type of a
> metric, it just cares about the service name and host and allows you to do
> interesting things with the data stream. We use Collectd at Made, and that
> sends metrics with gauge/counter/derive in the service name.

ok, that's interesting. Every other montioring tool I've used wants it
specified
as it's passed in. In many cases, this can be configured to different
things on
different servers for the same metric.

> There is an expectation that you would only use a single field from
metric,
> metric_f, metric_s64 etc. I've never actually tried sending more than one
> metric to riemann in a message, because clients tend to explicitly forbid
> it. Internally, all those protobuf fields map down to the same metric
> field, so I'm unsure

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[David Lang]

On Mon, 5 Dec 2016, Bob Gregory wrote:


@ David Lang, moving omriemann discussion back over here.


we need to try and come up with a reasonable default value for parameters.


I think I disagree with that. Most of the fields aren't required, and we
shouldn't send them unless configured otherwise. The intention isn't that
all logs will go to riemann, but only a small subset of logs, after being
substantially transformed.


the biggest thing we need to do is make sure that whatever the user attempts to 
send should not stall the feed, so it will either need to be discarded (IMHO a 
bad idea) or 'fixed up' if it's not valid.



* Description is an unusual field to include - I definitely wouldn't
include the entire log message as a default.
* The programname makes little sense as a service. IF I see that "nginx" or
"rsyslog" is oscillating between 20 and 57 on a graph, what does that tell
me?


the number of lines of rsyslog data you are getting if nothing else (which 
may be something you want to monitor :-)


again, I'm trying to make the defaults do something sane if nothing is 
configured. It's better to have someone do a trivial configuration and get 
flooded with data than to have them have to get a lot of things right before 
anything shows up.



* TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
actually sure what happens with a TTL of 0, I'd guess the event immediately
expires, which would be problematic for many cases.


Ok, as long as Riemann is designed to survive when no TTL is provided.


* The tags as used by rsyslog are unlikely to map meaningfully to the tags
used by riemann because they have very different use cases. I  mostly use
tags in rsyslog to tell me whether my logs are json, or HTTP access logs,
or PHP exceptions etc so that I know how to handle the output of mmnormalize
- that's not useful data in my monitoring stack.


again, I'm looking to set a default that has a chance of working, if you are 
always setting the tag, the default doesn't matter.


I set the tags to contain a lot more info, is this a connection or 
disconnection, is this a login or failed login, etc.



It turns out, on a re-reading, that the metric isn't required either - it's
absolutely valid to send the event {host: localhost, service: "openvpn",
status: "up | down" } for example.


ok, makes sense.

Given that we can't make reasonable guesses about what the user intends, I 
think the sensible approach is to _not send_ any field for which we don't have 
a value specified, with the exception of the source host and the timestamp 
which have obviously sane defaults.


Here I disagree, not sending anything is likely to generate support requests of 
"I configured omriemann and got a bunch of blank events, what's wrong". I'd 
rather send extra data by default so that the people experimenting can at least 
see stuff show up. It's much easier to then tinker with what's showing up than 
to have to figure out what things you have to put in to get anything to show up.



Other than that, I think we're in agreement. I particularly like the idea
of allowing metric to be a json object, that definitely simplifies the
impstats case.


how do you signal metric types?


I don't - that's down to upstream collectors. Riemann doesn't care what the
metric represents, it's just a number. It has no concept of the type of a
metric, it just cares about the service name and host and allows you to do
interesting things with the data stream. We use Collectd at Made, and that
sends metrics with gauge/counter/derive in the service name.


ok, that's interesting. Every other montioring tool I've used wants it specified 
as it's passed in. In many cases, this can be configured to different things on 
different servers for the same metric.



There is an expectation that you would only use a single field from metric,
metric_f, metric_s64 etc. I've never actually tried sending more than one
metric to riemann in a message, because clients tend to explicitly forbid
it. Internally, all those protobuf fields map down to the same metric
field, so I'm unsure whether riemann will reject the message or select one
of the fields in an unspecified precedence. Deciding which of those protobuf
fields to send is a open problem. Any thoughts on that?


we don't want the user to have to specify the specific type, that's too likely 
to lead to someone picking the wrong type. Everything is a string in rsyslog to 
start with, so I'd say that the metric should use the s64 if there is no 
fractinal portion and double if there is.



I have no idea what we would do if some anarchist sent us the json object {
"metrics": { "service": "trololol", "metric_f": 0.2, "metric_int": 27 }}.
We can either reject the message and log an error, or specify some
precedence order. I don't have a strong feeling either way; it's probably
ok if we reformat your integer as a double, but I generally like software
to fail fast instead of limping along doing something un

Re: [rsyslog] omriemann configuration (was musing on ERK stack)

[Bob Gregory]

@ David Lang, moving omriemann discussion back over here.

> we need to try and come up with a reasonable default value for parameters.

I think I disagree with that. Most of the fields aren't required, and we
shouldn't send them unless configured otherwise. The intention isn't that
all logs will go to riemann, but only a small subset of logs, after being
substantially transformed.

* Description is an unusual field to include - I definitely wouldn't
include the entire log message as a default.
* The programname makes little sense as a service. IF I see that "nginx" or
"rsyslog" is oscillating between 20 and 57 on a graph, what does that tell
me?
* TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
actually sure what happens with a TTL of 0, I'd guess the event immediately
expires, which would be problematic for many cases.
* The tags as used by rsyslog are unlikely to map meaningfully to the tags
used by riemann because they have very different use cases. I  mostly use
tags in rsyslog to tell me whether my logs are json, or HTTP access logs,
or PHP exceptions etc so that I know how to handle the output of mmnormalize
 - that's not useful data in my monitoring stack.

It turns out, on a re-reading, that the metric isn't required either - it's
absolutely valid to send the event {host: localhost, service: "openvpn",
status: "up | down" } for example. Given that we can't make reasonable
guesses about what the user intends, I think the sensible approach is to
_not send_ any field for which we don't have a value specified, with the
exception of the source host and the timestamp which have obviously sane
defaults.

Other than that, I think we're in agreement. I particularly like the idea
of allowing metric to be a json object, that definitely simplifies the
impstats case.

> there is only one set of metrics per event (sint64 metric_sint64, double
> metric_d, float metric_f), which do you use (or do you use multiple of
them?).
> Is there an expectation that you only use one?

> how do you signal metric types?

I don't - that's down to upstream collectors. Riemann doesn't care what the
metric represents, it's just a number. It has no concept of the type of a
metric, it just cares about the service name and host and allows you to do
interesting things with the data stream. We use Collectd at Made, and that
sends metrics with gauge/counter/derive in the service name.

There is an expectation that you would only use a single field from metric,
metric_f, metric_s64 etc. I've never actually tried sending more than one
metric to riemann in a message, because clients tend to explicitly forbid
it. Internally, all those protobuf fields map down to the same metric
field, so I'm unsure whether riemann will reject the message or select one
of the fields in an unspecified precedence. Deciding which of those protobuf
 fields to send is a open problem. Any thoughts on that?

Presumably we'll need to allow the user to specify "metric_f",
"metric_sint64" etc in their config, which means we need to be able to
select the one that was actually set to a valid value in the incoming
message. That implies that it is not an error to send an empty value to the
module where a metric was expected, eg.

action(type="omriemann"
  serverhost="riemann.internal"
  serverport=""
  host="$hostname"
  metric_sint64="$!metrics!metric_int"
  state="$!metrics!state"
  metric_f="$!metrics!metric_float"
  service="$!metrics!service")

would behave like this:

{ "metrics": {"service": "my-service", "metric_int": 1}} -> {time: 123,
host: localhost, metric_sint64: 1, service: my-service}
{ "metrics": {"service": "my-service", "metric_float": 98.7}} -> {time:
123, host: localhost, metric_f: 98.7, service: my-service}
{ "metrics": {"service": "my-service", "state": "red"}} -> {time: 123,
host: localhost, state: red, service: my-service}
{ "metrics": { "metric_int": {  "service-a": 1}, "metric_float": {
"service-b", 3.2 } }} -> [ { time: 123, host: localhost, metric_sint64: 1,
service: service-a},   {time:123, host:localhost, service: service-b,
metric_f: 3.2}]

which I guess is okay.

I have no idea what we would do if some anarchist sent us the json object {
"metrics": { "service": "trololol", "metric_f": 0.2, "metric_int": 27 }}.
We can either reject the message and log an error, or specify some
precedence order. I don't have a strong feeling either way; it's probably
ok if we reformat your integer as a double, but I generally like software
to fail fast instead of limping along doing something unexpected.

On Mon, 5 Dec 2016 at 07:32 Bob Gregory  wrote:

Will do, thanks!

I suspect the next step will be an open pull request, and I'll invite
people to have a play with it and tell me what needs to happen next.

 -- B

On Sun, 4 Dec 2016 at 23:10 Dave Cottlehuber  wrote:

Hi Bob,

I'm a riemann user and this sounds very interesting. I am behind on list
reading atm but if you want any f

Re: [rsyslog] liblognorm vs grok

[mosto...@gmail.com]

Is that documentation stored on a github like rsyslog's?

http://www.liblognorm.com/files/manual/index.html


El 05/12/16 a las 11:15, David Lang escribió:

On Mon, 5 Dec 2016, mosto...@gmail.com wrote:


Hi.

Is there an online liblognorm tester to check the rules we are writing?

Otherwise, could you provide a testing guide 
(http://www.liblognorm.com/files/manual/installation.html#testing) to 
build lognormalizer to test?


the liblognorm package includes lognormalizer, but it doesn't put it 
in a place where it's picked up by the default path


/usr/lib/lognorm/lognormalizer




El 04/10/16 a las 19:27, mosto...@gmail.com escribió:

Hi Radu


After reading 
http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html 
and considering several years have passed, I would like to get some 
feedback of your experience, to help me choose between raw 
forwarding messages+logstash or split before forwarding with 
mmnormalize.


If this decision should've been made today, what you would've choosen?

Of course, everybody is welcome to join the thread.



___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a 
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT 
POST if you DON'T LIKE THAT.



___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] liblognorm vs grok

[David Lang]

On Mon, 5 Dec 2016, mosto...@gmail.com wrote:


Hi.

Is there an online liblognorm tester to check the rules we are writing?

Otherwise, could you provide a testing guide 
(http://www.liblognorm.com/files/manual/installation.html#testing) to 
build lognormalizer to test?


the liblognorm package includes lognormalizer, but it doesn't put it in a place 
where it's picked up by the default path


/usr/lib/lognorm/lognormalizer




El 04/10/16 a las 19:27, mosto...@gmail.com escribió:

Hi Radu


After reading 
http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html 
and considering several years have passed, I would like to get some 
feedback of your experience, to help me choose between raw forwarding 
messages+logstash or split before forwarding with mmnormalize.


If this decision should've been made today, what you would've choosen?

Of course, everybody is welcome to join the thread.



___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
LIKE THAT.___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] liblognorm vs grok

[mosto...@gmail.com]

Hi.

Is there an online liblognorm tester to check the rules we are writing?

Otherwise, could you provide a testing guide 
(http://www.liblognorm.com/files/manual/installation.html#testing) to 
build lognormalizer to test?



El 04/10/16 a las 19:27, mosto...@gmail.com escribió:

Hi Radu


After reading 
http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html 
and considering several years have passed, I would like to get some 
feedback of your experience, to help me choose between raw forwarding 
messages+logstash or split before forwarding with mmnormalize.


If this decision should've been made today, what you would've choosen?

Of course, everybody is welcome to join the thread.



___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] omriemann Re: Are we building an ERK stack?

[David Lang]

On Mon, 5 Dec 2016, Bob Gregory wrote:


Hi David,

It's probably best if you _don't_ try to map syslog fields into
riemann fields because the two technologies are accomplishing different
things. Riemann is for processing metrics - numerical data about the state
of our systems, while syslog is about logs - narrative textual data about
our systems.

Service, tags, etc will need to be configured by the end-user; we shouldn't
be guessing what they might be based on our understanding of the log
message.


we need to try and come up with a reasonable default value for parameters.


The reason I would need a Riemann output is that I have three use cases
where I forward data in logs to Riemann from logstash -

1) Logstash's heartbeat (so I can measure latency on my processing pipeline)
2) ERROR and CRITICAL logs so I can alert on them
3) Metrics encoded into json logs by applications.

Service is the "Thing under measurement". The closest analogue would be
programname, but one program might have many services. For example: "http
response time ms", "Bytes read", "Active users", "messages received". Each
of the keys in the key/value messages raised by impstats is a single
service.

Tags are used to aggregate and filter services, they're arbitrary bits of
data; eg. "Message type", "User account type", "ec2 instance type", "site
map area". Our biggest use case for them is in asynchronous processing
pipelines, where we use them to tag the messages we're processing so that
we can see overall throughput and latency, but drill down when we have to.

The metric is the actual measurement, it's a number.


there is only one set of metrics per event (sint64 metric_sint64, double 
metric_d, float metric_f), which do you use (or do you use multiple of them?). 
Is there an expectation that you only use one?


how do you signal metric types?

i.e.:

  values that are counters (running total of messages processed)
  vaues that are gauges (the number of messages in a queue)

what are attributes? they are name-value pairs of strings, and you can have an 
arbitrary number per event.



The closest analogue to severity is the "state", which is an arbitrary
string. Usually people use the statuses "ok", "warning", "error" etc. but
it's entirely arbitrary. They're mostly used to trigger state changes in
Riemann.

Description is a narrative description of an event. We only use these in a
single use-case, which is that we forward all logs of ERROR level and
higher to riemann so that it can count them, and send us roll-up emails
every hour, or trigger pagerduty. In this use-case, we set the description
to the incoming log message.

Lastly, the TTL is used to control how long a message should be held
in-memory by Riemann. It can be used to keep a snapshot of current state.
We use it for heartbeats - when an event's TTL expires, if we haven't
received another of the same event, we can raise an alert.

Hope that makes more sense - if you're interested in learning more about
Riemann, there's a great introductory video on the site. http://riemann.io/

The only fields that are required are the host, the service, and the metric.


so as I am understanding you, I would look at something along the lines of

host

  default to $hostname, point at a variable

time is a 64 bit number

  default to $timestamp, point at a either a timestamp variable (to be converted 
to unix time) or a strong variable that should be convertable to a number


service is a string

  default to programname, point at a variable

description is a string

  default to $!msg if it exists, otherwise $msg, point at a variable

state is a strong

  default to severity, point at a variable

tags are an array of one or more strings

  default to $!event.tags, point at a json object that contains objects and/or 
arrays, include only the values of those objects/arrays


TTL is a number

  default to 0 if not defined, point at json string variable that should be 
convertable to a number


metric is a number

  no default,
  point at a variable:

if the variable is a single json object, convert the value from a string to 
a number

if the variable contains multiple objects, flatten them and append the 
object name to the service and convert the value from a string to a number and 
send each item separately


so if you have service = "a ", the json object {"foo": {"bar":"1", "baz":"2.5"}} 
and pass $!foo as the metric, it will send two messages to riemann:


  1) service 'a bar' metric 1
  2) service 'a baz' metric 2.5

attributes are name-value pairs of items

  no default
  point at a json object that contains objects, flatten sub-objects and send as 
name-value pairs



This would not require any different formats for impstats, you could take the 
json output and feed it directly to this module.


you could also do some tweaking of the data before it's sent (using dyn-stats 
names as part of the service)


the statsd module would be very similar, it should have the option to