Re: [rsyslog] Problem with filtering by IP address

2024-11-03 Thread David Lang via rsyslog
normally the logs would appear in the main /var/log/messages as well as other 
files (unless you have a stop command somewhere in your configs)


we would need to see your full combined config; you can generate this by 
starting rsyslog with -o /path/to/file


the other thing to do is to log the messages with the template 
RSYSLOG_DebugFormat so you can see exactly how the log is being parsed in case 
it's showing something different than you expect


also note that a Feb 2021 release is getting pretty old at this point. But your 
problem is unlikely to be a code bug and instead is probably a config bug


David Lang

On Sun, 3 Nov 2024, Chris Jenkins via rsyslog wrote:


Date: Sun, 3 Nov 2024 11:17:20 +
From: Chris Jenkins via rsyslog 
To: Rsyslog mailing list 
Cc: Chris Jenkins 
Subject: [rsyslog] Problem with filtering by IP address

I'm having some problems filtering syslog messages based on the originating IP 
address. I've read the docs and tried the troubleshooting but everything 
appears to be fine other than it not working!

I'm running Oracle Linux 8 which includes rsyslogd 8.2102.0-15.el8 (aka 
2021.02). I have some WiFi APs that send their syslog records to this system 
and I want to filter out all messages from each AP to a separate log file.

Other than the system default configuration, I have only the following 
additional directives in /etc/rsyslog.d/wifi.conf.

:fromhost-ip,isequal,"10.0.200.12"   /nfssyslog/wifi7u/wifi7u.log
:fromhost-ip,isequal,"10.0.200.13"   /nfssyslog/wifi7dl/wifi7dl.log
:fromhost-ip,isequal,"10.0.200.14"   /nfssyslog/wifi7db/wifi7db.log

These are included (by the default directive) before any other filters etc. 
Debugging shows that this file is being picked up and the directives processed. 
SELinux is disabled and root is able to read and write to the target locations.

However, messages from the APs are appearing in the main /var/log/messages file 
instead of the separate files. Here is an example of one such message.

Nov  3 10:57:27 10.0.200.12 [1730631444.907409388] AP MAC=20:36:26:d0:93:80 MAC 
SRC=74:42:18:5f:a5:0f#015#012[1730631445.463578180] AP MAC=20:36:26:d0:93:80 
MAC SRC=74:42:18:5f:a5:0f#015#012[1730631446.585732055] AP 
MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.585792680] 
AP MAC=20:36:26:d0:93:80 MAC 
SRC=10:00:20:5b:4e:86#015#012[1730631446.590326139] AP MAC=20:36:26:d0:93:80 
MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.596077389] AP 
MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.109761180] 
AP MAC=20:36:26:d0:93:80 MAC 
SRC=10:00:20:5b:4e:86#015#012[1730631447.214155306] AP MAC=20:36:26:d0:93:80 
MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.465093264] AP 
MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.467123889] 
AP MAC=20:36:26:d0:93:80 MAC 
SRC=10:00:20:5b:4e:86#015#012[1730631447.634071972] AP MAC=20:36:26:d0:93:80 
MAC SRC=10:00:20:5b:4e:86#015

I'd appreciate any suggestions as to what the problem might be, or how to debug 
this further.

Thanks,

Chris

___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


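The three legacy property filters from the post, rewritten in RainerScript together with the RSYSLOG_DebugFormat dump that the reply suggests for seeing how rsyslog actually parsed each message. This is an added example, not configuration from the thread; the AP addresses and target files are the ones in the post, while the debug file /var/log/wifi-debug.log is an assumed path.

```rsyslog
# Added example (not from the thread).  Intended for /etc/rsyslog.d/wifi.conf,
# which the default include loads before the catch-all rules.

# Temporary, while debugging: RSYSLOG_DebugFormat writes one line per parsed
# property (fromhost-ip, hostname, timereported, syslogtag, msg, rawmsg ...)
# for every message whose sending address is one of the APs.  Remove it once
# the filters below are confirmed to match.
if $fromhost-ip == ["10.0.200.12", "10.0.200.13", "10.0.200.14"] then {
    action(type="omfile" file="/var/log/wifi-debug.log"
           template="RSYSLOG_DebugFormat")
}

# One file per AP.  "stop" ends processing of a matched message, so it is not
# also written to /var/log/messages by the later catch-all rule; leave "stop"
# out if a copy in the main log is wanted as well.
if $fromhost-ip == "10.0.200.12" then {
    action(type="omfile" file="/nfssyslog/wifi7u/wifi7u.log")
    stop
}
if $fromhost-ip == "10.0.200.13" then {
    action(type="omfile" file="/nfssyslog/wifi7dl/wifi7dl.log")
    stop
}
if $fromhost-ip == "10.0.200.14" then {
    action(type="omfile" file="/nfssyslog/wifi7db/wifi7db.log")
    stop
}
```

Two checks worth doing with this in place: start the daemon once with `rsyslogd -o /path/to/file`, as the reply suggests, and confirm that these rules appear in the combined config before the rule that writes /var/log/messages; and compare the `fromhost-ip` line in the debug output with the filter values. `fromhost-ip` is the address of the immediate sender, so if the APs reach the collector through a relay or NAT the value will be the relay's address rather than the AP's, and an equality test against the AP address will never match.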


Re: [rsyslog] rsyslog + MariaDB + Fortigate

2024-10-07 Thread David Lang via rsyslog

are there any errors in the MariaDB logs?

David Lang

On Mon, 7 Oct 2024, João Carlos Garcia via rsyslog wrote:


Date: Mon, 7 Oct 2024 23:16:28 +
From: João Carlos Garcia via rsyslog 
To: rsyslog-users 
Cc: João Carlos Garcia 
Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate

Brendan

This isn't a production environment, but I did the changes:

if $fromhost-ip == '172.16.0.12' then
{
action(type="ommysql" server="localhost" db="fortigate_logs" 
uid="rsyslog" pwd="x")
}

But no data is logged to the database; it is logged to /var/log/syslog. Don't know!

Tks,

João Carlos Garcia

-Original Message-
From: rsyslog  On Behalf Of Brendan Kearney 
via rsyslog
Sent: Monday, October 7, 2024 9:18 AM
To: rsyslog@lists.adiscon.com
Cc: Brendan Kearney 
Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate

On 10/6/24 7:28 PM, João Carlos Garcia via rsyslog wrote:

Hi everyone .. No firewall installed

root@usyslog:~# ufw status
Status: inactive

root@usyslog:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

root@usyslog:~# sestatus
Command 'sestatus' not found, but can be installed with:
apt install policycoreutils

root@usyslog:~# setenforce 0
Command 'setenforce' not found, but can be installed with:
apt install selinux-utils

Any other clue?

Tks
João Garcia


-Original Message-
From: rsyslog  On Behalf Of
Mauricio Tavares via rsyslog
Sent: Saturday, October 5, 2024 1:47 PM
To: rsyslog-users 
Cc: Mauricio Tavares 
Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate

On Sat, Oct 5, 2024 at 8:47 AM João Carlos Garcia via rsyslog 
 wrote:

Brendan,

Thanks for your help, I see the packets now have length > 0, but the data is 
not written to the database.

Is this correct?

$AllowedSender TCP, 172.16.0.12/24

if $fromhost-ip == '172.16.0.12' then {
  action(type="ommysql" server="localhost" db="fortigate_logs"
uid="root" pwd="password") }

Thanks,

João Carlos Garcia


Do you have a firewall running in this host?


i would check your DB rights/permissions.  it's bad practice to use root as an 
identity for DB access.  try to access the DB using the creds you provide to 
the rsyslog daemon and validate that there are no issues.  i create a specific 
user for rsyslog to access the log DB that i have, and don't use system IDs like 
root. you might need to create a user and provide that user the necessary 
permissions to the appropriate DB. check out this article...

https://mariadb.com/kb/en/mariadb-authorization-and-permissions-for-sql-server-users/

HTH,

brendan

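The ommysql action from the thread, reworked along the lines of Brendan's advice: a dedicated least-privilege database user instead of root, and settings that make an insert failure visible in rsyslog's own log rather than silent. This is an added example, not configuration from the thread. It assumes the fortigate_logs database already contains the SystemEvents table that the createDB.sql script shipped with the ommysql package creates (the default ommysql template inserts into that table), and that the database user is named rsyslog; the password is a placeholder.

```rsyslog
# Added example (not from the thread).
#
# MariaDB side, run once by a database administrator.  The default ommysql
# template only ever inserts, so INSERT is the only privilege the user needs:
#   CREATE USER 'rsyslog'@'localhost' IDENTIFIED BY '<placeholder-password>';
#   GRANT INSERT ON fortigate_logs.* TO 'rsyslog'@'localhost';
# Then validate the exact credentials the daemon will use before blaming rsyslog:
#   mysql -u rsyslog -p fortigate_logs -e 'SELECT 1'

module(load="ommysql")

# Dedicated in-memory queue (queue.type/queue.size): a slow or unreachable
# database stalls only this action, not the /var/log/syslog file writes.
# action.resumeRetryCount="-1" keeps retrying instead of discarding the
# action after a handful of failures; action.reportSuspension makes rsyslog
# emit a message through its own logging channel (it ends up in
# /var/log/syslog) each time the action is suspended, so a failing insert
# shows up where the thread is already looking.
if $fromhost-ip == "172.16.0.12" then {
    action(type="ommysql"
           server="localhost"
           db="fortigate_logs"
           uid="rsyslog"
           pwd="<placeholder-password>"
           queue.type="LinkedList"
           queue.size="10000"
           action.resumeRetryCount="-1"
           action.resumeInterval="10"
           action.reportSuspension="on"
           action.reportSuspensionContinuation="on")
}
```

With this in place, the first thing to check when rows do not appear is /var/log/syslog itself: ommysql reports connection and insert errors there as rsyslogd messages, which also answers David's question about whether the database side logged anything.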

Re: [rsyslog] Problem with custom rsyslog docker image

2024-10-02 Thread David Lang via rsyslog
you list two very different rsyslog.conf files, and with line wrapping, it's not 
clear where line 17 is in either of them (it could be in the included files 
which you don't clearly list here)


please start rsyslog with the option -o /path/to/file and send us the resulting 
file, that will show the combination of all of the config as rsyslog sees it.


your problem may be the capitalization of options (tag vs Tag for example)

David Lang

On Wed, 2 Oct 2024, Amey via rsyslog wrote:


Date: Wed, 2 Oct 2024 17:23:44 +0200
From: Amey via rsyslog 
To: rsyslog-users 
Cc: Amey 
Subject: [rsyslog] Problem with custom rsyslog docker image

Hello,

I am trying to build a custom rsyslog server docker image as follows =

1) Dockerfile

# Use an official Ubuntu as a parent image
FROM ubuntu:latest

# Update the package repository and install rsyslog
RUN apt-get update && \
apt-get install -y rsyslog

# Copy your custom rsyslog configuration file into the container
# Make sure to replace 'your_rsyslog.conf' with your actual configuration file
COPY rsyslog.conf /etc/rsyslog.d/

# Expose the port Rsyslog will listen on (e.g., 514 for syslog)
EXPOSE 514

# Start Rsyslog in the foreground
CMD ["rsyslogd", "-n"]


2) rsyslog.conf

# Load necessary modules
module(load="imuxsock") # Provides support for local system logging
module(load="imklog") # Provides kernel logging support
module(load="imtcp") # Provides TCP syslog reception


# Enable TCP syslog reception
input(type="imtcp" port="514")

# Set global directives
global(workDirectory="/var/spool/rsyslog") # Set the working directory for state files

# Define a template for log formatting (optional)
template(name="RemoteLogFormat" type="string" string="%timegenerated% %HOSTNAME% %syslogtag%%msg%\n")

# Define actions: where to save logs
# Store logs from remote hosts in separate files based on hostname
action(type="omfile"
file="/var/log/remote/%HOSTNAME%.log"
template="RemoteLogFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf")

3) rsyslog-server-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rsyslog
  namespace: poc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rsyslog
  template:
    metadata:
      labels:
        app: rsyslog
    spec:
      containers:
      - name: rsyslog
        image: myrepo/image1
        volumeMounts:
        - name: config-volume
          mountPath: /etc/rsyslog.conf
          subPath: rsyslog.conf
        - name: log-volume
          mountPath: /var/log
      volumes:
      - name: config-volume
        configMap:
          name: rsyslog-config
      - name: log-volume
        emptyDir: {}

4) configmap

apiVersion: v1
kind: ConfigMap
metadata:
  name: rsyslog-config
  namespace: gcs-logging-poc
data:
  rsyslog.conf: |
    # Rsyslog configuration
    module(load="imuxsock") # For listening to the system log socket
    module(load="imklog") # For kernel logging
    module(load="imtcp") # For TCP reception
    module(load="imudp") # For UDP reception
    module(load="imfile" PollingInterval="10") # Module to read log files

    *.* action(type="omfile" file="/var/log/containers/*.log")

    input(type="imtcp" port="514")

    input(type="imfile"
          File="/var/log/containers/*.log"
          Tag="dynamic-log"
          StateFile="dynamic-state"
          Severity="info"
          Facility="local0")

    input(type="imfile"
          File="/var/log/containers/*.log" # Watch all container logs
    )

5) service.yaml

apiVersion: v1
kind: Service
metadata:
  name: rsyslog
  namespace: poc
spec:
  selector:
    app: rsyslog
  ports:
  - protocol: TCP
    port: 514
    targetPort: 514


Errors after deploying in k8s =

rsyslogd 8.2312.0: running as pid 1, enabling container-specific defaults, press ctl-c to terminate rsyslog
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 17: parameter 'statefile' deprecated but accepted, consider removing or replacing it [v8.2312.0
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 23: parameter 'tag' required but not specified - fix config [v8.2312.0 try https://www.rsyslog.c
rsyslogd: imudp: module loaded, but no listeners defined - no input will be gathered [v8.2312.0 try https://www.rsyslog.com/e/2212 ]
rsyslogd: imfile: no working or state file directory set, imfile will create state files in the current working directory (probably the root dir). Use global(workDirecto
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.2312.0 try https://www.rsyslog.com/e/2145 ]

Any thoughts on how to fix this issue? Thanks.

Regards,
Amey.

Re: [rsyslog] How to write a dynamic input query in rsyslog.conf?

2024-10-02 Thread David Lang via rsyslog

Amey via rsyslog wrote:


I have a requirement to write an input query which will fetch the
nginx log file but the file name keeps changing every week as it's in
k8s and after every maintenance on weekend, the pod gets allocated to
a new node.

my current input query in ConfigMap for rsyslog server =
-
input(type="imtcp" port="514")
input(type="imfile"
File="/var/log/containers/*.log"
Tag="dynamic-log"
StateFile="dynamic-state"
Severity="info"
Facility="local0")
-

I want to make following log format dynamic in above query =
nginx-proxy-pool-cloud-poc-2-wjaabcdvnm_kube-system_nginx-proxy-a270593024771d7ce65245f540c775c9bf330c6538696f2c87b204c5a96e7443.log

Few parts remain constant in the above log.
I tried with nginx-proxy-*.log but that isn't writing log properly and
showing errors for a couple of modules.


tell us more, that seems like it should work. what is the error you are getting?

David Lang
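One container rsyslog.conf that serves both of Amey's threads: it resolves each of the startup errors quoted in the docker-image thread (deprecated statefile, missing tag, imudp without a listener, no work directory, imklog failing on /proc/kmsg) and reads the nginx container log through the imfile wildcard asked about in the dynamic-input thread. This is an added example, not configuration from either thread. It assumes rsyslog runs as pid 1 in a container with no access to /proc/kmsg, that the kubelet's /var/log/containers directory is mounted into the pod (its entries are symlinks into /var/log/pods, so that directory must be mounted too), and that output goes to /var/log/remote, chosen deliberately outside the directory being watched.

```rsyslog
# Added example (not from the threads).

module(load="imuxsock")
module(load="imtcp")
module(load="imfile")
# imklog is intentionally not loaded: /proc/kmsg is not readable inside the
# container ("Operation not permitted"), so the module cannot activate.
# imudp is not loaded either: loading it without an input() only produces
# the "no listeners defined" warning.

# imfile keeps its per-file read offsets (state files) under workDirectory;
# without it they are written to the daemon's current directory.
global(workDirectory="/var/spool/rsyslog")

input(type="imtcp" port="514" ruleset="remote")

# The kubelet names the file nginx-proxy-<pod>_<namespace>_<container>-<id>.log
# and the pod part changes after every reschedule, so match on the constant
# prefix.  "tag" is mandatory.  The deprecated "statefile" parameter is left
# out: state file names are derived from the matched file name.
# addMetadata exposes the real file name as $!metadata!filename.
input(type="imfile"
      file="/var/log/containers/nginx-proxy-*.log"
      tag="nginx-proxy"
      severity="info"
      facility="local0"
      addMetadata="on"
      ruleset="files")

# Per-source output files come from templates, not from a wildcard in file=:
# omfile with file="/var/log/containers/*.log" creates a file literally named
# "*.log", inside the very directory imfile is reading.  secpath-replace
# rewrites path separators, so a remote sender that puts "/" or "../" into its
# hostname cannot steer the write outside /var/log/remote.
template(name="remote-by-host" type="string"
         string="/var/log/remote/%hostname:::secpath-replace%.log")
template(name="file-by-tag" type="string"
         string="/var/log/remote/%syslogtag:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="remote-by-host")
}

ruleset(name="files") {
    action(type="omfile" dynaFile="file-by-tag")
}

# Messages from the local socket (imuxsock) end up here.
*.* action(type="omfile" file="/var/log/remote/local.log")
```

Because the Deployment mounts the ConfigMap at /etc/rsyslog.conf while the Dockerfile also copies a rsyslog.conf into /etc/rsyslog.d/, a running pod sees both files; `rsyslogd -o /path/to/file`, as the reply suggests, shows the merged result and which file a given line number belongs to.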


Re: [rsyslog] StateFile???

2024-09-20 Thread David Lang via rsyslog

Randolph.Satchell wrote:


In the AWS Offering found in their Marketplace where would I find the path to 
the StateFile as in the example:

module(load="imjournal" PersistStateInterval="100" StateFile="/path/to/file") 
#load imjournal module


I'm not sure what your question is, but the statefile keeps track of what has 
been retrieved from journald so that when you start, it can get all messages 
since the last time rsyslog shutdown rather than just messages starting at that 
point in time.


David Lang


Re: [rsyslog] Modify timestamp in omjournal.

2024-09-16 Thread David Lang via rsyslog

Leif X. Sorman wrote:


Hello.
I’m receiving syslog messages via UDP and write it to omjournal.
Is it possible to replace the timestamp timegenerated with timereported?
I haven’t found a way to do this when using omjournal as output.
BR Leif.


normally this would be as simple as changing the template that you use

but per https://www.rsyslog.com/doc/configuration/modules/omjournal.html

it looks like omjournal doesn't use a very extensive template, I don't know if 
you could change the timestamp via the template or not.


David Lang

Re: [rsyslog] Remote logging and systemd shutdown

2024-09-10 Thread David Lang via rsyslog
I would look at playing around with setting up a separate queue for the network 
connection (probably a good idea anyway) and configure it not to be saved on 
shutdown


you may also need to play around with timeouts and retries to shorten the 
shutdown time when the network is down.


David Lang

 On Tue, 10 Sep 2024, Andy Smith via rsyslog wrote:


Date: Tue, 10 Sep 2024 23:26:03 +
From: Andy Smith via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Andy Smith 
Subject: [rsyslog] Remote logging and systemd shutdown

Hi,

I have some Debian servers that are configured to log both locally
and remotely, basically with:

*.* @@loghost:10514

at the end of a usual Debian /etc/rsyslog.conf file.

When rebooting or shutting down ("reboot" or "shutdown -h now") I
get as far as:

[  OK  ] Stopped target Network.
Stopping Raise network interfaces...
[  OK  ] Stopped Raise network interfaces.

and then it hangs for 90 seconds on "Stopping System Logging
Service.", I can only assume because rsyslog was in the middle of
remotely logging something when the network interfaces were shut
down. After the 90 second systemd timeout, shutdown/reboot does
progress normally.

I tried overriding the rsyslog.service unit with:

[Unit]
After=networking.service

That works, in that it brings rsyslog.service up after the network
has started and stops it before stopping the network.

It's not quite ideal however because the *local* log files are then
missing entries from the entire time the network is down, which can
be quite significant. For example here is the final line before
shutdown and first line after next boot on a simple reboot:

2024-09-10T22:53:31.059980+00:00 hib systemd[1]: Stopped target Multi-User 
System.
2024-09-10T22:57:03.345006+00:00 hib systemd[1]: systemd-fsckd.service: 
Succeeded.

Are there any better ways to handle this that can preserve local
logging and not hold up the shutdown process?

Thanks,
Andy
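The `*.* @@loghost:10514` line replaced by an omfwd action with its own queue, set up along the lines David suggests: the queue is not saved on shutdown and timeouts and retries are short, so an unreachable loghost cannot hold the daemon, and with it systemd's stop job, for 90 seconds while local logging keeps working. This is an added example, not configuration from the thread; host and port are from the post, the queue size and timeout values are assumptions to tune, and queue.filename assumes a workDirectory is set (Debian's stock rsyslog.conf sets /var/spool/rsyslog).

```rsyslog
# Added example (not from the thread).

# Local files first: omfile actions do not depend on the network and keep
# writing until the daemon exits, so nothing is lost locally.
*.* action(type="omfile" file="/var/log/syslog")

# Network hop on a dedicated queue:
#  queue.type / queue.size        bounded in-memory linked-list queue
#  queue.filename                 lets the queue spill to disk under
#                                 workDirectory while loghost is slow ...
#  queue.saveOnShutdown="off"     ... but whatever is still in memory at
#                                 shutdown is discarded rather than spooled
#  queue.timeoutShutdown          milliseconds allowed for draining the queue
#                                 at shutdown
#  queue.timeoutActionCompletion  milliseconds allowed for an in-flight send
#                                 to finish
#  action.resumeRetryCount /      a few quick retries, then the action gives
#  action.resumeInterval          up; the local copy above survives either way
*.* action(type="omfwd" target="loghost" port="10514" protocol="tcp"
           queue.type="LinkedList"
           queue.size="20000"
           queue.filename="fwd-loghost"
           queue.saveOnShutdown="off"
           queue.timeoutShutdown="1000"
           queue.timeoutActionCompletion="500"
           action.resumeRetryCount="3"
           action.resumeInterval="2")
```

The trade-off is explicit: messages generated after the network goes down and before rsyslog stops are never delivered to loghost, but they are in the local file, which is the behaviour the post asks for. The `After=networking.service` override becomes unnecessary once rsyslog no longer blocks on the network at stop time.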


Re: [rsyslog] rsyslog trying to read /run/systemd/sessions/*

2024-08-20 Thread David Lang via rsyslog
I would guess that it's trying to get info on the process connecting to it to 
get full metadata. But I wouldn't expect that if you are using imjournal.


full rsyslog config please?

David Lang

On Tue, 20 Aug 2024, Andreas Hasenack via rsyslog wrote:


Date: Tue, 20 Aug 2024 11:58:24 -0300
From: Andreas Hasenack via rsyslog 
To: rsyslog-users 
Cc: Andreas Hasenack 
Subject: [rsyslog] rsyslog trying to read /run/systemd/sessions/*

Hi,

I use an apparmor profile for rsyslogd, and recently became aware that
when an event like one triggered by this logger command:

 logger -p user.emerg --tag check-journal EMERGENCY_MESSAGE

will have rsyslogd (possibly via libsystemd?) try to read
/run/systemd/sessions/ and files therein.

Even though that read is denied by apparmor, I see the log message in
my terminal, and in the logs on disk as expected.

Does anybody know why it's reading those session files? Maybe to get a
list of TTYs in use in the system?


Re: [rsyslog] Formatting CEF to log.

2024-08-13 Thread David Lang via rsyslog

On Tue, 13 Aug 2024, David Lang wrote:

by default, ethernet packets are limited to 1500 bytes, most OSs will 
fragment UDP messages >1500 bytes across multiple packets. As I noted before, 
this means that if one of the packets of a message gets lost, the entire 
message is lost


Rsyslog supports this, but it sounds like something else in your environment 
is not allowing it.


the fact that you are seeing the messages via tcpdump still confuses me. But 
I'm glad you got things working


going back and looking at the tcpdump you provided, that's the 1st 1500 byte 
packet of the message, if the 2nd fragment is getting dropped by the OS 
(possible, fragment assembly is a common way to bypass firewall filters, so 
blocking additional packets that claim to be fragments of a message you already 
received is a valid security thing to do if you don't need longer UDP messages) 
and as such, rsyslog would never see them


note that you can increase the MTU to up to 9000 bytes (search for jumbo 
packets) if everything on your network supports it, and you will handle larger 
messages and in general your network will be more efficient.


David Lang


David Lang

On Tue, 13 Aug 2024, Drumm, Daniel wrote:


Date: Tue, 13 Aug 2024 23:19:42 +
From: "Drumm, Daniel" 
To: David Lang 
Cc: rsyslog-users 
Subject: RE: [rsyslog] Formatting CEF to log.

David -

After experimenting and speaking with a Microsoft engineer, the underlying 
issue is known to Microsoft. Rsyslog will truncate or drop long messages in 
CEF format unless TCP is used. UDP cannot be used. This was in a side note 
in their documentation I missed, early docs made it appear as they were 
agnostic about the syslog transport, but this is not the case.


Once I did this, and altered rsyslog.conf to listen with tcp:

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#
 MODULES 
#
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # load TCP listener
input(type="imtcp" port="514") # start TCP listener on port 514
$ModLoad imuxsock # needs to be done just once

# $AllowedSender - specifies which remote systems are allowed to send 
syslog messages to rsyslogd

# --
$AllowedSender TCP, UDP, 127.0.0.1, 10.40.0.0/16, 10.30.0.0/23

$SystemLogSocketFlowControl on # enable flow control (use if needed)
$ActionFileEnableSync off

... and so on...

Then, I would see the entirety of the CEF message when that format was sent 
in the log files. TCP had to be used.



2024-08-13 23:14:38 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo Alto 
Networks|PAN-OS|11.2.0|end|TRAFFIC|1|rt=Aug 13 2024 23:14:43 GMT 
deviceExternalId=007959000479054 src=178.128.104.233 dst=10.40.1.97 
sourceTranslatedAddress=178.128.104.233 
destinationTranslatedAddress=10.50.0.166 cs1Label=Rule cs1=Inbound to 
Untrust NAT Mapping suser= duser= app=web-browsing cs3Label=Virtual System 
cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone 
cs5=Trust deviceInboundInterface=ethernet1/2 
deviceOutboundInterface=ethernet1/1 cs6Label=LogProfile cs6=OCI Syslog 
Server Profile cn1Label=SessionID cn1=129748 cnt=1 spt=52452 dpt=443 
sourceTranslatedPort=52452 destinationTranslatedPort=443 
flexString1Label=Flags flexString1=0x1400010 proto=tcp act=allow 
flexNumber1Label=Total bytes flexNumber1=4857 in=997 out=3860 
cn2Label=Packets cn2=14 PanOSPacketsReceived=5 PanOSPacketsSent=9 start=Aug 
13 2024 23:14:43 GMT cn3Label=Elapsed time in seconds cn3=1 cs2Label=URL 
Category cs2=any externalId
=7392297676068849671 reason=threat PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 
PanOSDGl4=0 PanOSVsysName= dvchost=DOB-FW-HA-1 cat=from-policy 
PanOSActionFlags=0x0 PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 
PanOSMonitorTag= PanOSParentSessionID=0 PanOSParentStartTime= 
PanOSTunnelType=N/A PanOSSCTPAssocID=0 PanOSSCTPChunks=0 PanOSSCTPChunkSent=0 
PanOSSCTPChunksRcv=0 PanOSRuleUUID=940d959b-9f14-4032-acc5-5a59fa146d4b 
PanOSHTTP2Con=0 PanLinkChange=0 PanPolicyID= PanLinkDetail= PanSDWANCluster= 
PanSDWANDevice= PanSDWANClustype= PanSDWANSite= PanDynamicUsrgrp= PanXFFIP= 
PanSrcDeviceCat= PanSrcDeviceProf= PanSrcDeviceModel= PanSrcDeviceVendor= 
PanSrcDeviceOS= PanSrcDeviceOSv= PanSrcHostname= PanSrcMac= PanDstDeviceCat= 
PanDstDeviceProf= PanDstDeviceModel= PanDstDeviceVendor= PanDstDeviceOS= 
PanDstDeviceOSv= PanDstHostname= PanDstMac= PanContainerName= 
PanPODNamespace= PanPODName= PanSrcEDL= PanDstEDL= PanGPHostID= PanEPSerial= 
PanSrcDAG= PanDstDAG= PanHASessionOwner= PanTimeHighRes=2024-08-13T18:

14:44.446-05:00 PanASServiceType= PanASServiceDiff=


-Original Message-
From: David Lang 
Sent: Tuesday, August 13, 2024 3:43 PM
To: David Lan
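The receiver configuration the thread converges on, in RainerScript: TCP only, a raised message size limit, the sender restriction from the post, and an output that writes the CEF line exactly as it arrived, since rsyslog does not parse CEF key=value pairs and templates affect output only. This is an added example, not configuration from the thread; the address ranges are the ones from the post, /var/log/pan-cef.log and /var/log/pan-cef-oversize.log are assumed paths, and the 65536-byte limit is an assumption sized to the sample message.

```rsyslog
# Added example (not from the thread).

module(load="imuxsock")
module(load="imtcp")

# A PAN-OS CEF traffic record runs to several kilobytes.  Anything past this
# limit is truncated (or split into a second, malformed message, depending on
# config), so raise it from the 8 KiB default before the listener starts.
global(maxMessageSize="65536")

# Legacy directive, still the way to restrict senders; it must come before
# the input it applies to.
$AllowedSender TCP, 127.0.0.1, 10.40.0.0/16, 10.30.0.0/23

# TCP only.  A syslog line larger than the 1500-byte MTU is just part of one
# TCP stream; over UDP it is a set of IP fragments, any one of which a host
# or firewall that rejects fragments can drop, losing the whole message.
input(type="imtcp" port="514")

# Everything after the syslog tag is %msg%; %rawmsg% is the line as received.
# Write the latter so no field is lost to reformatting.
template(name="cef-raw" type="string" string="%rawmsg%\n")

if $msg contains "CEF:0|" then {
    action(type="omfile" file="/var/log/pan-cef.log" template="cef-raw")
    # A message whose length sits at the limit was almost certainly cut:
    # record it separately so an undersized maxMessageSize is noticed.
    if strlen($rawmsg) >= 65000 then {
        action(type="omfile" file="/var/log/pan-cef-oversize.log"
               template="cef-raw")
    }
    stop
}

*.* action(type="omfile" file="/var/log/syslog")
```

The oversize file is the check David's note implies: a CEF record that ends mid-field with exactly the configured maximum length was truncated by the receiver, not mangled by the sender, and the fix is a larger `maxMessageSize`, not a different template.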

Re: [rsyslog] Formatting CEF to log.

2024-08-13 Thread David Lang via rsyslog
by default, ethernet packets are limited to 1500 bytes, most OSs will fragment 
UDP messages >1500 bytes across multiple packets. As I noted before, this means 
that if one of the packets of a message gets lost, the entire message is lost


Rsyslog supports this, but it sounds like something else in your environment is 
not allowing it.


the fact that you are seeing the messages via tcpdump still confuses me. But I'm 
glad you got things working


David Lang

On Tue, 13 Aug 2024, Drumm, Daniel wrote:


Date: Tue, 13 Aug 2024 23:19:42 +
From: "Drumm, Daniel" 
To: David Lang 
Cc: rsyslog-users 
Subject: RE: [rsyslog] Formatting CEF to log.

David -

After experimenting and speaking with a Microsoft engineer, the underlying 
issue is known to Microsoft. Rsyslog will truncate or drop long messages in CEF 
format unless TCP is used. UDP cannot be used. This was in a side note in their 
documentation I missed, early docs made it appear as they were agnostic about 
the syslog transport, but this is not the case.

Once I did this, and altered rsyslog.conf to listen with tcp:

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#
 MODULES 
#
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # load TCP listener
input(type="imtcp" port="514") # start TCP listener on port 514
$ModLoad imuxsock # needs to be done just once

# $AllowedSender - specifies which remote systems are allowed to send syslog 
messages to rsyslogd
# --
$AllowedSender TCP, UDP, 127.0.0.1, 10.40.0.0/16, 10.30.0.0/23

$SystemLogSocketFlowControl on # enable flow control (use if needed)
$ActionFileEnableSync off

... and so on...

Then, I would see the entirety of the CEF message when that format was sent in 
the log files. TCP had to be used.


2024-08-13 23:14:38 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo Alto 
Networks|PAN-OS|11.2.0|end|TRAFFIC|1|rt=Aug 13 2024 23:14:43 GMT 
deviceExternalId=007959000479054 src=178.128.104.233 dst=10.40.1.97 
sourceTranslatedAddress=178.128.104.233 
destinationTranslatedAddress=10.50.0.166 cs1Label=Rule cs1=Inbound to Untrust 
NAT Mapping suser= duser= app=web-browsing cs3Label=Virtual System cs3=vsys1 
cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust 
deviceInboundInterface=ethernet1/2 deviceOutboundInterface=ethernet1/1 
cs6Label=LogProfile cs6=OCI Syslog Server Profile cn1Label=SessionID cn1=129748 
cnt=1 spt=52452 dpt=443 sourceTranslatedPort=52452 
destinationTranslatedPort=443 flexString1Label=Flags flexString1=0x1400010 
proto=tcp act=allow flexNumber1Label=Total bytes flexNumber1=4857 in=997 
out=3860 cn2Label=Packets cn2=14 PanOSPacketsReceived=5 PanOSPacketsSent=9 
start=Aug 13 2024 23:14:43 GMT cn3Label=Elapsed time in seconds cn3=1 
cs2Label=URL Category cs2=any externalId

=7392297676068849671 reason=threat PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 
PanOSDGl4=0 PanOSVsysName= dvchost=DOB-FW-HA-1 cat=from-policy 
PanOSActionFlags=0x0 PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 
PanOSMonitorTag= PanOSParentSessionID=0 PanOSParentStartTime= 
PanOSTunnelType=N/A PanOSSCTPAssocID=0 PanOSSCTPChunks=0 PanOSSCTPChunkSent=0 
PanOSSCTPChunksRcv=0 PanOSRuleUUID=940d959b-9f14-4032-acc5-5a59fa146d4b 
PanOSHTTP2Con=0 PanLinkChange=0 PanPolicyID= PanLinkDetail= PanSDWANCluster= 
PanSDWANDevice= PanSDWANClustype= PanSDWANSite= PanDynamicUsrgrp= PanXFFIP= 
PanSrcDeviceCat= PanSrcDeviceProf= PanSrcDeviceModel= PanSrcDeviceVendor= 
PanSrcDeviceOS= PanSrcDeviceOSv= PanSrcHostname= PanSrcMac= PanDstDeviceCat= 
PanDstDeviceProf= PanDstDeviceModel= PanDstDeviceVendor= PanDstDeviceOS= 
PanDstDeviceOSv= PanDstHostname= PanDstMac= PanContainerName= PanPODNamespace= 
PanPODName= PanSrcEDL= PanDstEDL= PanGPHostID= PanEPSerial= PanSrcDAG= 
PanDstDAG= PanHASessionOwner= PanTimeHighRes=2024-08-13T18:
14:44.446-05:00 PanASServiceType= PanASServiceDiff=


-Original Message-
From: David Lang 
Sent: Tuesday, August 13, 2024 3:43 PM
To: David Lang 
Cc: Drumm, Daniel ; rsyslog-users 

Subject: RE: [rsyslog] Formatting CEF to log.

I will also point out that templates in rsyslog are for output only, they have 
no effect at all on parsing input.

David Lang

On Tue, 13 Aug 2024, David Lang wrote:


Date: Tue, 13 Aug 2024 13:42:38 -0700 (PDT)
From: David Lang 
To: "Drumm, Daniel" 
Cc: David Lang , rsyslog-users

Subject: RE: [rsyslog] Formatting CEF to log.

Drumm, Daniel wrote:


David -

If you want me to instance a brand-new Ubuntu 22.04 VM in the cloud,
get rsyslog on it, and move the 514/udp Palo flow to it, I can do that.

Conversely, if you have access to a PAN-OS instance or old physical
firewall, page 8-10 of this guide will set the CEF

Re: [rsyslog] Formatting CEF to log.

2024-08-13 Thread David Lang via rsyslog
I will also point out that templates in rsyslog are for output only, they have 
no effect at all on parsing input.


David Lang

On Tue, 13 Aug 2024, David Lang wrote:


Date: Tue, 13 Aug 2024 13:42:38 -0700 (PDT)
From: David Lang 
To: "Drumm, Daniel" 
Cc: David Lang , rsyslog-users 
Subject: RE: [rsyslog] Formatting CEF to log.

Drumm, Daniel wrote:


David -

If you want me to instance a brand-new Ubuntu 22.04 VM in the cloud, get 
rsyslog on it, and move the 514/udp Palo flow to it, I can do that.


Conversely, if you have access to a PAN-OS instance or old physical 
firewall, page 8-10 of this guide will set the CEF parameters and, if I am 
guessing correctly, will cause rsyslogd not to log the messages anywhere 
even with a *.* directive.

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf

If, as you state, the behavior of rsyslog is best effort to write to log 
even if the fields are misaligned, then I cannot explain the behavior I 
see. Per the discussion on tcpdump, I do not believe these UDP packets to 
be corrupt or excessively fragmented beyond the MSS. I cannot explain why 
the basic *.* is not logging the messages when the CEF formatting is 
applied to the firewall. Again, looking at the packets using tcpdump -v, I 
know they are arriving, and are about 50% longer than the base log 
messages.


it's beyond that, rsyslog does not parse the fields out of the log as it 
receives them.


I don't have a pan firewall handy, so please run this test and show the 
results.


David Lang



Daniel Drumm, CISSP
Information Security Officer
Texas Department of Banking
512-475-1328
daniel.dr...@dob.texas.gov


-Original Message-----
From: David Lang 
Sent: Tuesday, August 13, 2024 2:20 PM
To: Drumm, Daniel 
Cc: David Lang ; rsyslog-users 
Subject: RE: [rsyslog] Formatting CEF to log.

Drumm, Daniel wrote:


Is there a rsyslog Template that exists to take the data in this
format and log it? As you state, when rsyslogd gets a malformed
message, or one with fields additional to that it understands or
knows, it will not log it at all, will not write it to disk at all, not 
even a partial malformed log.


No, that is the opposite of what I stated.

When Rsyslog receives a message, it attempts to parse the timestamp, 
fromhost, and syslog tag out of it, and everything else is the string 
'msg'. If the log is not properly formatted, it may put the wrong things in 
these fields, but it will put SOMETHING there (best effort). It also 
populates the field 'rawmsg' with whatever arrived.


it does not care if the msg field is CEF:whatever or 'the quick brown 
fox...'


you can then parse fields out of the message if you care to, but the msg 
and rawmsg fields will be there no matter what.


If the message is longer than your configured maxmessagelength, you will 
get a log message that is truncated at that length (and then, depending on 
the config, either throw away the rest of the message, or split it at that 
point into a second, malformed message containing the next maxmessagelength 
characters that are sent)


but it will not just throw them away because it doesn't understand them.

I have seen the OS IP stack throw away UDP messages when they are extremely 
long and get fragmented into multiple packets and some of the packets never 
arrive due to congestion problems on the network, but that is an 
intermittent problem, you would have some get through and others not (and 
it's been a long time since I saw this because networks are now much faster 
than they used to be, so it's far less common for a network to be that 
congested, but is still possible)


but the fact that you are seeing them via tcpdump would make it unlikely 
that this is the problem.


Can you set up a test where the Palo Alto is only sending the traffic 
messages to a test machine and set up a very trivial rsyslog config just 
writing it to a file? We may end up wanting to get a debug log if it still 
fails there.


David Lang





___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Formatting CEF to log.

2024-08-13 Thread David Lang via rsyslog

Drumm, Daniel wrote:


David -

If you want me to instance a brand-new Ubuntu 22.04 VM in the cloud, get 
rsyslog on it, and move the 514/udp Palo flow to it, I can do that.

Conversely, if you have access to a PAN-OS instance or old physical firewall, 
page 8-10 of this guide will set the CEF parameters and, if I am guessing 
correctly, will cause rsyslogd not to log the messages anywhere even with a *.* 
directive.
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf

If, as you state, the behavior of rsyslog is best effort to write to log even 
if the fields are misaligned, then I cannot explain the behavior I see. Per 
the discussion on tcpdump, I do not believe these UDP packets to be corrupt or 
excessively fragmented beyond the MSS. I cannot explain why the basic *.* is 
not logging the messages when the CEF formatting is applied to the firewall. 
Again, looking at the packets using tcpdump -v, I know they are arriving, and 
are about 50% longer than the base log messages.


it's beyond that, rsyslog does not parse the fields out of the log as it 
receives them.


I don't have a pan firewall handy, so please run this test and show the results.

David Lang



Daniel Drumm, CISSP
Information Security Officer
Texas Department of Banking
512-475-1328
daniel.dr...@dob.texas.gov


-Original Message-----
From: David Lang 
Sent: Tuesday, August 13, 2024 2:20 PM
To: Drumm, Daniel 
Cc: David Lang ; rsyslog-users 
Subject: RE: [rsyslog] Formatting CEF to log.

Drumm, Daniel wrote:


Is there a rsyslog Template that exists to take the data in this
format and log it? As you state, when rsyslogd gets a malformed
message, or one with fields additional to that it understands or
knows, it will not log it at all, will not write it to disk at all, not even a 
partial malformed log.


No, that is the opposite of what I stated.

When Rsyslog receives a message, it attempts to parse the timestamp, fromhost, 
and syslog tag out of it, and everything else is the string 'msg'. If the log 
is not properly formatted, it may put the wrong things in these fields, but it 
will put SOMETHING there (best effort). It also populates the field 'rawmsg' 
with whatever arrived.

it does not care if the msg field is CEF:whatever or 'the quick brown fox...'

you can then parse fields out of the message if you care to, but the msg and 
rawmsg fields will be there no matter what.

If the message is longer than your configured maxmessagelength, you will get a 
log message that is truncated at that length (and then, depending on the 
config, either throw away the rest of the message, or split it at that point 
into a second, malformed message containing the next maxmessagelength 
characters that are sent)

but it will not just throw them away because it doesn't understand them.

I have seen the OS IP stack throw away UDP messages when they are extremely 
long and get fragmented into multiple packets and some of the packets never 
arrive due to congestion problems on the network, but that is an intermittent 
problem, you would have some get through and others not (and it's been a long 
time since I saw this because networks are now much faster than they used to 
be, so it's far less common for a network to be that congested, but is still 
possible)

but the fact that you are seeing them via tcpdump would make it unlikely that 
this is the problem.

Can you set up a test where the Palo Alto is only sending the traffic messages 
to a test machine and set up a very trivial rsyslog config just writing it to a 
file? We may end up wanting to get a debug log if it still fails there.

David Lang





Re: [rsyslog] Formatting CEF to log.

2024-08-13 Thread David Lang via rsyslog

Drumm, Daniel wrote:

Is there a rsyslog Template that exists to take the data in this format and 
log it? As you state, when rsyslogd gets a malformed message, or one with 
fields additional to that it understands or knows, it will not log it at all, 
will not write it to disk at all, not even a partial malformed log.


No, that is the opposite of what I stated.

When Rsyslog receives a message, it attempts to parse the timestamp, fromhost, 
and syslog tag out of it, and everything else is the string 'msg'. If the log is 
not properly formatted, it may put the wrong things in these fields, but it will 
put SOMETHING there (best effort). It also populates the field 'rawmsg' with 
whatever arrived.


it does not care if the msg field is CEF:whatever or 'the quick brown fox...'

you can then parse fields out of the message if you care to, but the msg and 
rawmsg fields will be there no matter what.


If the message is longer than your configured maxmessagelength, you will get a 
log message that is truncated at that length (and then, depending on the config, 
either throw away the rest of the message, or split it at that point into a 
second, malformed message containing the next maxmessagelength characters that 
are sent)


but it will not just throw them away because it doesn't understand them.

I have seen the OS IP stack throw away UDP messages when they are extremely long 
and get fragmented into multiple packets and some of the packets never arrive 
due to congestion problems on the network, but that is an intermittent problem, 
you would have some get through and others not (and it's been a long time since 
I saw this because networks are now much faster than they used to be, so it's 
far less common for a network to be that congested, but is still possible)


but the fact that you are seeing them via tcpdump would make it unlikely that 
this is the problem.


Can you set up a test where the Palo Alto is only sending the traffic messages to 
a test machine and set up a very trivial rsyslog config just writing it to a 
file? We may end up wanting to get a debug log if it still fails there.


David Lang
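The trivial test receiver asked for above, written here as an added example for this thread and not taken from any post in it: a dedicated UDP input bound to its own ruleset, writing everything from the firewall with the built-in RSYSLOG_DebugFormat template so the parsed fields and the untouched rawmsg are both visible. The address 10.40.0.210 and the /var/log/rsyslog directory come from the thread; the port 5514, the ruleset name and the output file names are assumptions.

```conf
# Added example: minimal rsyslog test receiver for the firewall feed.
# Assumed values: port 5514, ruleset name "cef-debug", output file names.

# Messages longer than this are truncated (or split, depending on config) rather
# than dropped. The default is 8k, well above the ~1500-byte CEF TRAFFIC records
# seen in tcpdump; it is set explicitly here so the limit is visible in the test.
global(maxMessageSize="64k")

module(load="imudp")

# A separate port bound to its own ruleset: no rule in /etc/rsyslog.d (and no
# earlier 'stop') can consume these messages before this ruleset writes them.
input(type="imudp" port="5514" ruleset="cef-debug")

ruleset(name="cef-debug") {
    # Every message from the firewall, whatever its body looks like, in debug
    # format: PRI, TIMESTAMP, HOSTNAME, syslogtag, msg and the raw datagram.
    if $fromhost-ip == '10.40.0.210' then {
        action(type="omfile" file="/var/log/rsyslog/cef-debug.log"
               template="RSYSLOG_DebugFormat")
    } else {
        # Anything else reaching the test port is kept too, so nothing is lost.
        action(type="omfile" file="/var/log/rsyslog/cef-debug-other.log")
    }
}
```

With a TRAFFIC record in cef-debug.log, the rawmsg line shows exactly what arrived on the wire and the msg line shows where the RFC 3164 parser split the tag from the body.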


Re: [rsyslog] Formatting CEF to log.

2024-08-13 Thread David Lang via rsyslog

Drumm, Daniel wrote:


David -

That appears to be it. Rsyslogd is not understanding the CEF formatting being 
passed in and dropping it. When I go into the Palo and revert to the Default 
syslog format, I start seeing the TRAFFIC messages logging into the catch-all 
rule file.


this is why I was having you write with the RSYSLOG_DebugFormat, it will show 
everything, including exactly what is received (the rawmsg field)


when rsyslog receives things, it doesn't reject anything based on the 
formatting, it parses what it can out of the message, making a best-effort 
result out of malformed messages. The body of the message is just a text string.


If the message is too long (see maxmessagelength) it will truncate/split the 
message. This could make it so that your database is not parsing the message 
correctly, but rsyslog would still receive it and write it to a local file.


try sending it to a copy of rsyslog that is not sending it to a database, just 
to a file; if your database is not accepting the message, that could be blocking 
other processing of the message (I don't expect this to be the case, but trying 
to work through the various possibilities)


David Lang


So now the issue is, what must be done configuration wise to rsyslog template 
to allow the CEF based fields to log? I can't pass to the Azure agent the 
syslog in this format, it is expecting CEF.

root@syslog-server-vnic-primary:/var/log/rsyslog# tail -f all-the-stuff.log
FROMHOST: '10.40.0.210', fromhost-ip: '10.40.0.210', HOSTNAME: 
'DOB-FW-HA-1.OCI', PRI: 134,
syslogtag 'Ashburn', programname: 'Ashburn', APP-NAME: 'Ashburn', PROCID: '-', 
MSGID: '-',
TIMESTAMP: 'Aug 13 10:14:41', STRUCTURED-DATA: '-',
msg: ' FD1 1,2024/08/13 10:14:39,007959000479054,TRAFFIC,drop,2818,2024/08/13 
10:14:39,184.168.122.26,10.40.1.98,0.0.0.0,0.0.0.0,Inbound Drop Logging 
Rule,,,not-applicable,vsys1,Untrust,Trust,ethernet1/2,,OCI Syslog Server 
Profile,2024/08/13 
10:14:41,0,1,55585,3389,0,0,0x0,tcp,drop,56,56,0,1,2024/08/13 
10:14:39,0,any,,7392297676068843279,0x0,Singapore,10.0.0.0-10.255.255.255,,1,0,policy-deny,0,0,0,0,,DOB-FW-HA-1,from-policy,,,0,,0,,N/A,0,0,0,0,d6ca6ff0-71e9-4f09-8e8d-2204deb98205,0,0,,,2024-08-13T10:14:41.917-05:00,,,unknown,unknown,unknown,1,,,not-applicable,no,no,0,NonProxyTraffic,'
escaped msg: ' FD1 1,2024/08/13 
10:14:39,007959000479054,TRAFFIC,drop,2818,2024/08/13 
10:14:39,184.168.122.26,10.40.1.98,0.0.0.0,0.0.0.0,Inbound Drop Logging 
Rule,,,not-applicable,vsys1,Untrust,Trust,ethernet1/2,,OCI Syslog Server 
Profile,2024/08/13 
10:14:41,0,1,55585,3389,0,0,0x0,tcp,drop,56,56,0,1,2024/08/13 
10:14:39,0,any,,7392297676068843279,0x0,Singapore,10.0.0.0-10.255.255.255,,1,0,policy-deny,0,0,0,0,,DOB-FW-HA-1,from-policy,,,0,,0,,N/A,0,0,0,0,d6ca6ff0-71e9-4f09-8e8d-2204deb98205,0,0,,,2024-08-13T10:14:41.917-05:00,,,unknown,unknown,unknown,1,,,not-applicable,no,no,0,NonProxyTraffic,'
inputname: imudp rawmsg: '<134>Aug 13 10:14:41 DOB-FW-HA-1.OCI Ashburn FD1 
1,2024/08/13 10:14:39,007959000479054,TRAFFIC,drop,2818,2024/08/13 
10:14:39,184.168.122.26,10.40.1.98,0.0.0.0,0.0.0.0,Inbound Drop Logging 
Rule,,,not-applicable,vsys1,Untrust,Trust,ethernet1/2,,OCI Syslog Server 
Profile,2024/08/13 10:14:41,0,1,55585,3389,0,0,0x0,tcp,drop,56,56,0,1,2024/08/13 
10:14:39,0,any,,7392297676068843279,0x0,Singapore,10.0.0.0-10.255.255.255,,1,0,policy-deny,0,0,0,0,,DOB-FW-HA-1,from-policy,,,0,,0,,N/A,0,0,0,0,d6ca6ff0-71e9-4f09-8e8d-2204deb98205,0,0,,,2024-08-13T10:14:41.917-05:00,,,unknown,unknown,unknown,1,,,not-applicable,no,no,0,NonProxyTraffic,'
$!:
$.:
$/:


-Original Message-
From: rsyslog  On Behalf Of Drumm, Daniel 
via rsyslog
Sent: Tuesday, August 13, 2024 9:51 AM
To: David Lang 
Cc: Drumm, Daniel ; Drumm, Daniel via rsyslog 

Subject: Re: [rsyslog] Formatting CEF to log.

David -

Here is tcpdump -v, showing that I get both the SYSTEM and TRAFFIC messages 
from the Palo Alto. What you see is that the TRAFFIC messages have been set to 
pass in all the variables that conform to CEF specification.

CEF Specification: (Page 8) calls for a number of extended variables getting 
passed, and this is what Palo Alto recommends:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf

So you can see that a SYSTEM message is parsed by rsyslog, but a TRAFFIC 
message is not. Is this perhaps because the rsyslogd does not know how, or 
requires some additional configuration, to pass in CEF messages? None of the 
guides I have read that speak about this say this. The goal here is to use 
rsyslog to pass these messages up to Azure Sentinel.

To that end, I have installed Microsoft's Azure Forwarder:
root@syslog-server-vnic-primary:/home/ubuntu# su

Re: [rsyslog] Formatting CEF to log.

2024-08-12 Thread David Lang via rsyslog

On Mon, 12 Aug 2024, Drumm, Daniel wrote:


Messages roll into the rsyslog.debug file from SYSTEM without issue and are 
processed:

Debug line with all properties:
FROMHOST: '10.40.0.210', fromhost-ip: '10.40.0.210', HOSTNAME: 
'DOB-FW-HA-1.OCI', PRI: 131,
syslogtag 'Ashburn', programname: 'Ashburn', APP-NAME: 'Ashburn', PROCID: '-', 
MSGID: '-',
TIMESTAMP: 'Aug 12 18:23:59', STRUCTURED-DATA: '-',
msg: ' FD1 CEF:0|Palo Alto#012Networks|PAN-OS|11.2.0|userid|SYSTEM|4|rt=Aug 12 2024 
23:23:58 GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="gRPC connection to 
identity.services-edge.paloaltonetworks.com:443 is broken, error: rpc error: code = 
Unknown desc = [UploadCUID] [007959000479054] tenantId is empty time: 2024-08-12 
18:23:59" externalId=7392297676068400080 cat=cuid-conn PanOSDGl1=0#012PanOSDGl2=0 
PanOSDGl3=0 PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T18:23:59.046-05:00'
escaped msg: ' FD1 CEF:0|Palo Alto#012Networks|PAN-OS|11.2.0|userid|SYSTEM|4|rt=Aug 12 
2024 23:23:58 GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="gRPC connection to 
identity.services-edge.paloaltonetworks.com:443 is broken, error: rpc error: code = 
Unknown desc = [UploadCUID] [007959000479054] tenantId is empty time: 2024-08-12 
18:23:59" externalId=7392297676068400080 cat=cuid-conn PanOSDGl1=0#012PanOSDGl2=0 
PanOSDGl3=0 PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T18:23:59.046-05:00'
inputname: imudp rawmsg: '<131>Aug 12 18:23:59 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo 
Alto#012Networks|PAN-OS|11.2.0|userid|SYSTEM|4|rt=Aug 12 2024 23:23:58 
GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="gRPC connection to 
identity.services-edge.paloaltonetworks.com:443 is broken, error: rpc error: code = Unknown 
desc = [UploadCUID] [007959000479054] tenantId is empty time: 2024-08-12 18:23:59" 
externalId=7392297676068400080 cat=cuid-conn PanOSDGl1=0#012PanOSDGl2=0 PanOSDGl3=0 
PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T18:23:59.046-05:00'
$!:
$.:
$/:

TRAFFIC messages are not processed despite hitting the VNIC.


did you get this by logging *.* to a file? or by logging things from 
10.40.0.210, or ??


can you show a tcpdump of a message getting through from the device vs the 
traffic messages that are failing?


David Lang



-Original Message-
From: David Lang 
Sent: Monday, August 12, 2024 6:15 PM
To: Drumm, Daniel 
Cc: David Lang ; Drumm, Daniel via rsyslog 

Subject: RE: [rsyslog] Formatting CEF to log.

try logging all traffic with the template RSYSLOG_DebugFormat for a short time 
(long enough that it should have some of these TRAFFIC messages) and find the 
messages in there; it could be that the messages are not showing up as you would 
expect

David Lang

On Mon, 12 Aug 2024, Drumm, Daniel wrote:


Date: Mon, 12 Aug 2024 23:11:15 +
From: "Drumm, Daniel" 
To: David Lang 
Cc: "Drumm, Daniel via rsyslog" 
Subject: RE: [rsyslog] Formatting CEF to log.

I removed the 'stop' from every single directive, as this is confusing the 
matter.

It looks as such, and yet the TRAFFIC messages do not log anywhere.

--

root@syslog-server-vnic-primary:/etc/rsyslog.d# more 11-paloalto-cef.conf
# Use the template for logs coming from your Palo Alto firewall
if $fromhost-ip == '10.40.0.210' then {
   *.* /var/log/rsyslog/palo-alto-cef.log
}
root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-paloalto-traffic.conf
# Define a template for Palo Alto TRAFFIC logs
$template PaloAltoTraffic,"/var/log/rsyslog/paloalto/traffic.log"

# Filter and direct TRAFFIC logs to the specified file
if $fromhost-ip == '10.40.0.210' and $msg contains 'TRAFFIC' then {
   action(type="omfile" dynaFile="PaloAltoTraffic")
}
root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-
10-azuremonitoragent-omfwd.conf  10-paloalto-traffic.conf
root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-azuremonitoragent-omfwd.conf
# Azure Monitor Agent configuration: forward logs to azuremonitoragent

template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")
# queue.workerThreads sets the maximum worker threads, it will scale back to 0 if there is no activity
# Forwarding all events through TCP port
*.* action(type="omfwd"
tem

Re: [rsyslog] Formatting CEF to log.

2024-08-12 Thread David Lang via rsyslog
try logging all traffic with the template RSYSLOG_DebugFormat for a short time 
(long enough that it should have some of these TRAFFIC messages) and find the 
messages in there; it could be that the messages are not showing up as you would 
expect


David Lang

On Mon, 12 Aug 2024, Drumm, Daniel wrote:


Date: Mon, 12 Aug 2024 23:11:15 +
From: "Drumm, Daniel" 
To: David Lang 
Cc: "Drumm, Daniel via rsyslog" 
Subject: RE: [rsyslog] Formatting CEF to log.

I removed the 'stop' from every single directive, as this is confusing the 
matter.

It looks as such, and yet the TRAFFIC messages do not log anywhere.

--

root@syslog-server-vnic-primary:/etc/rsyslog.d# more 11-paloalto-cef.conf
# Use the template for logs coming from your Palo Alto firewall
if $fromhost-ip == '10.40.0.210' then {
   *.* /var/log/rsyslog/palo-alto-cef.log
}
root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-paloalto-traffic.conf
# Define a template for Palo Alto TRAFFIC logs
$template PaloAltoTraffic,"/var/log/rsyslog/paloalto/traffic.log"

# Filter and direct TRAFFIC logs to the specified file
if $fromhost-ip == '10.40.0.210' and $msg contains 'TRAFFIC' then {
   action(type="omfile" dynaFile="PaloAltoTraffic")
}
root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-
10-azuremonitoragent-omfwd.conf  10-paloalto-traffic.conf
root@syslog-server-vnic-primary:/etc/rsyslog.d# more 
10-azuremonitoragent-omfwd.conf
# Azure Monitor Agent configuration: forward logs to azuremonitoragent

template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")
# queue.workerThreads sets the maximum worker threads, it will scale back to 0 
if there is no activity
# Forwarding all events through TCP port
*.* action(type="omfwd"
template="AMA_RSYSLOG_TraditionalForwardFormat"
queue.type="LinkedList"
queue.filename="omfwd-azuremonitoragent"
queue.maxFileSize="32m"
action.resumeRetryCount="-1"
action.resumeInterval="5"
action.reportSuspension="on"
action.reportSuspensionContinuation="on"
queue.size="25000"
queue.workerThreads="100"
queue.dequeueBatchSize="2048"
queue.saveonshutdown="on"
target="127.0.0.1" Port="28330" Protocol="tcp")

-Original Message-----
From: David Lang 
Sent: Monday, August 12, 2024 5:58 PM
To: Drumm, Daniel 
Cc: David Lang ; Drumm, Daniel via rsyslog 

Subject: RE: [rsyslog] Formatting CEF to log.

On Mon, 12 Aug 2024, Drumm, Daniel wrote:


Date: Mon, 12 Aug 2024 22:41:21 +
From: "Drumm, Daniel" 
To: David Lang 
Cc: "Drumm, Daniel via rsyslog" 
Subject: RE: [rsyslog] Formatting CEF to log.

Here is that file with the -o flag:

root@syslog-server-vnic-primary:/tmp# more rsyslog_combined.conf
## full conf created by rsyslog version 8.2001.0 at 2024-08-12 22:38:01 ##

# BEGIN CONFIG: /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#
 MODULES 
#
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

$ModLoad imuxsock # needs to be done just once

# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --
$AllowedSender UDP, 127.0.0.1, 10.40.0.0/16, 10.30.0.0/23

$SystemLogSocketFlowControl on # enable flow control (use if needed)
$ActionFileEnableSync off

# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sampleof the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (no

Re: [rsyslog] Formatting CEF to log.

2024-08-12 Thread David Lang via rsyslog

On Mon, 12 Aug 2024, Drumm, Daniel wrote:


Date: Mon, 12 Aug 2024 22:41:21 +
From: "Drumm, Daniel" 
To: David Lang 
Cc: "Drumm, Daniel via rsyslog" 
Subject: RE: [rsyslog] Formatting CEF to log.

Here is that file with the -o flag:

root@syslog-server-vnic-primary:/tmp# more rsyslog_combined.conf
## full conf created by rsyslog version 8.2001.0 at 2024-08-12 22:38:01 ##

# BEGIN CONFIG: /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#
 MODULES 
#
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

$ModLoad imuxsock # needs to be done just once

# $AllowedSender - specifies which remote systems are allowed to send syslog 
messages to rsyslogd
# --
$AllowedSender UDP, 127.0.0.1, 10.40.0.0/16, 10.30.0.0/23

$SystemLogSocketFlowControl on # enable flow control (use if needed)
$ActionFileEnableSync off

# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sampleof the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql


# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
# $OmitLocalLogging on

###
 GLOBAL DIRECTIVES 
###
$DebugLevel 2
$DebugFile /var/log/rsyslog/rsyslog.debug
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0660
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/log/rsyslog

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain 
the final slash)/etc/rsyslog.d/
# BEGIN CONFIG: /etc/rsyslog.d/50-default.conf

# BEGIN CONFIG: /etc/rsyslog.d/21-cloudinit.conf

# BEGIN CONFIG: /etc/rsyslog.d/20-ufw.conf

# BEGIN CONFIG: /etc/rsyslog.d/12-azuremonitoragent-omfwd.conf

# BEGIN CONFIG: /etc/rsyslog.d/11-paloalto-cef.conf

# BEGIN CONFIG: /etc/rsyslog.d/10-paloalto-traffic.conf

# BEGIN CONFIG: /etc/rsyslog.d/10-azuremonitoragent-omfwd.conf
# Azure Monitor Agent configuration: forward logs to azuremonitoragent

template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")
# queue.workerThreads sets the maximum worker threads, it will scale back to 0 
if there is no activity
# Forwarding all events through TCP port
*.* action(type="omfwd"
template="AMA_RSYSLOG_TraditionalForwardFormat"
queue.type="LinkedList"
queue.filename="omfwd-azuremonitoragent"
queue.maxFileSize="32m"
action.resumeRetryCount="-1"
action.resumeInterval="5"
action.reportSuspension="on"
action.reportSuspensionContinuation="on"
queue.size="25000"
queue.workerThreads="100"
queue.dequeueBatchSize="2048"
queue.saveonshutdown="on"
target="127.0.0.1" Port="28330&qu

Re: [rsyslog] Formatting CEF to log.

2024-08-12 Thread David Lang via rsyslog

start rsyslog with the command line option -o /path/to/file

that will write the combined config files to that file as rsyslog sees it. Post 
that and we can look for other interactions that may cause some logs to be 
thrown away first


look especially for other stop commands earlier than the clause looking at the 
fromhost-ip


David Lang

 On Mon, 12 Aug 2024, Drumm, Daniel wrote:


Date: Mon, 12 Aug 2024 22:18:02 +
From: "Drumm, Daniel" 
To: David Lang ,
"Drumm, Daniel via rsyslog" 
Subject: RE: [rsyslog] Formatting CEF to log.

Thank you, I should have corrected that as I iterated.

What I see with this directive:

root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-paloalto-cef.conf
# Define a template for CEF logs
$template PaloAltoCEF,"/var/log/rsyslog/DOB-FW-HA-1.OCI/%programname%.log"

# Use the template for logs coming from your Palo Alto firewall
if $fromhost-ip == '10.40.0.210' then {
   *.* /var/log/rsyslog/palo-alto-cef.log
   stop
}

Is that the log has SYSTEM messages, but none of the Traffic messages:

root@syslog-server-vnic-primary:/var/log/rsyslog# tail -f palo-alto-cef.log
Aug 12 17:07:12 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo 
Alto#012Networks|PAN-OS|11.2.0|url-filtering|SYSTEM|1|rt=Aug 12 2024 22:07:12 
GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="PAN-DB was upgraded to version 
20240812.20332." externalId=739229767606837 cat=upgrade-url-database-success 
PanOSDGl1=0#012PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T17:07:12.563-05:00
Aug 12 17:08:17 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo 
Alto#012Networks|PAN-OS|11.2.0|url-filtering|SYSTEM|1|rt=Aug 12 2024 22:08:17 
GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="PAN-DB was upgraded to version 
20240812.20333." externalId=739229767606838 cat=upgrade-url-database-success 
PanOSDGl1=0#012PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T17:08:17.737-05:00
Aug 12 17:08:50 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo 
Alto#012Networks|PAN-OS|11.2.0|userid|SYSTEM|1|rt=Aug 12 2024 22:08:49 
GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="gRPC connection to 
identity.services-edge.paloaltonetworks.com:443 is established, 10.40.0.210:46846 -> 
34.136.155.117:443 time: 2024-08-12 17:08:50" externalId=739229767606839 
cat=cuid-conn PanOSDGl1=0#012PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0#012PanOSVsysName= 
dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T17:08:50.292-05:00
Aug 12 17:08:54 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo 
Alto#012Networks|PAN-OS|11.2.0|userid|SYSTEM|4|rt=Aug 12 2024 22:08:53 
GMT#012deviceExternalId=007959000479054 cs3Label=Virtual System cs3= fname= 
flexString2Label=Module#012flexString2=general msg="gRPC connection to 
identity.services-edge.paloaltonetworks.com:443 is broken, error: rpc error: code = 
Unknown desc = [UploadCUID] [007959000479054] tenantId is empty time: 2024-08-12 
17:08:54" externalId=739229767606840 cat=cuid-conn PanOSDGl1=0#012PanOSDGl2=0 
PanOSDGl3=0 PanOSDGl4=0#012PanOSVsysName= dvchost=DOB-FW-HA-1 
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T17:08:54.050-05:00

Yet I know for a fact that the TRAFFIC messages are hitting the NIC of the 
syslog server:

root@syslog-server-vnic-primary:/etc/rsyslog.d# tcpdump -v "port 514"
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 
bytes
22:16:32.237523 IP (tos 0x0, ttl 63, id 30088, offset 0, flags [+], proto UDP 
(17), length 1500)
   10.40.0.210.40933 > 10.30.0.18.syslog: SYSLOG, length: 1472
   Facility local0 (16), Severity info (6)
   Msg: Aug 12 17:16:36 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo Alto 
Networks|PAN-OS|11.2.0|drop|TRAFFIC|1|rt=Aug 12 2024 22:16:31 
GMT\0x0adeviceExternalId=007959000479054 src=162.216.149.73 dst=10.40.1.97 
sourceTranslatedAddress=0.0.0.0\0x0adestinationTranslatedAddress=0.0.0.0 
cs1Label=Rule cs1=Inbound Drop Logging Rule suser= duser= 
app=not-applicable\0x0acs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone 
cs4=Untrust cs5Label=Destination Zone 
cs5=Trust\0x0adeviceInboundInterface=ethernet1/2 deviceOutboundInterface= 
cs6Label=LogProfile cs6=OCI Syslog Server Profile\0x0acn1Label=SessionID cn1=0 
cnt=1 spt=54491 dpt=9408 sourceTranslatedPort=0\0x0adestinationTranslatedPort=0 
flexString1Label=Flags flexString1=0x0 proto=tcp 
act=drop\0x0aflexNumber1Label=Total bytes flexNumber1=58 in=58 out=0 
cn2Label=Packets\0x0acn2=1 PanOSPacketsReceived=0 
PanOSPacketsSent=1\0x0astart=Au

Re: [rsyslog] Formatting CEF to log.

2024-08-12 Thread David Lang via rsyslog
eivedAt, InfoUnitID, SysLogTag) values ('%msg%', 
%syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, 
'%syslogtag%')",sql





# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
# $OmitLocalLogging on

###
 GLOBAL DIRECTIVES 
###

$DebugLevel 2
$DebugFile /var/log/rsyslog/rsyslog.debug

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0660
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/log/rsyslog

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/ # whole directory (must contain the final slash)



Here is my rsyslog.conf file for Palo Alto directive:

root@syslog-server-vnic-primary:/etc/rsyslog.d# more 10-paloalto-cef.conf

# Define a template for CEF logs
$template PaloAltoCEF,"/var/log/rsyslog/DOB-FW-HA-1.OCI/%programname%.log"

# Use the template for logs coming from your Palo Alto firewall
if $fromhost-ip == '10.40.0.210' then {
   *.* ?PaloAltoCEF
   stop
}

Here is my rsyslog.conf file for Catch All directive:

root@syslog-server-vnic-primary:/etc/rsyslog.d# more 50-default.conf

#  Default rules for rsyslog.
#
#   For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.* /var/log/rsyslog/auth.log
cron.*  /var/log/rsyslog/cron.log
daemon.* /var/log/rsyslog/daemon.log
kern.*  /var/log/rsyslog/kern.log
lpr.*   /var/log/rsyslog/lpr.log
mail.*  /var/log/rsyslog/mail.log
user.*  /var/log/rsyslog/user.log
local0.info /var/log/rsyslog/local0_info.log
#*.* /var/log/rsyslog/traditionalfile.log;TraditionalFormat  # log to a file in the traditional format
*.* /var/log/rsyslog/all-the-stuff.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
# mail.info -/var/log/rsyslog/mail.info
# mail.warn -/var/log/rsyslog/mail.warn
# mail.err  /var/log/rsyslog/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
   auth,authpriv.none;\
   news.none;mail.none /var/log/debug
*.=info;*.=notice;*.=warn;\
   auth,authpriv.none;\
   cron,daemon.none;\
   mail,news.none  /var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#   news.=crit;news.=err;news.=notice;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warn   /dev/tty8



I would think they would go to the all-the-stuff log file, but no. They are not 
being logged anywhere and I do not know why not since the PAN-OS system logs 
are being logged.


well, you have anything arriving from that IP address being written to 
/var/log/rsyslog/DOB-FW-HA-1.OCI/%programname%.log and then you throw away the 
log, so it would never get down to the action to write it to the all-the-stuff 
file.


David Lang




Dan.
___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


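The PAN-OS records quoted in this thread are stored by rsyslog with the newlines the firewall embeds in each message escaped as `#012` (rsyslog's default escaping of control characters as a `#` followed by three octal digits), so a single record becomes one long line with the CEF header and extension fields run together. The following is an added example, not code from the thread, from Palo Alto Networks or from rsyslog, that turns such a stored line back into the seven CEF header fields and the extension key/value pairs (honouring the `\|` and `\=` escapes the CEF format defines) and then picks out the dropped TRAFFIC flows a defender would want to alert on. The sample lines are constructed after the quoted records: the hostname and field names are the ones in the thread, the addresses are RFC 5737 documentation ranges and the device ID is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the PAN-OS records quoted in the thread.
# rsyslog has already replaced the firewall's embedded newlines with "#012"
# (control characters escaped as #ooo octal), so each record is one stored line.
# Addresses are RFC 5737 documentation ranges; the device ID is a placeholder.
SAMPLE_TRAFFIC = (
    'Aug 12 17:16:36 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo '
    'Alto#012Networks|PAN-OS|11.2.0|drop|TRAFFIC|1|rt=Aug 12 2024 22:16:31 '
    'GMT#012deviceExternalId=000000000000000 src=192.0.2.10 dst=10.40.1.97 '
    'cs1Label=Rule cs1=Inbound Drop Logging Rule suser= duser= '
    'app=not-applicable#012cs3Label=Virtual System cs3=vsys1 spt=54491 dpt=9408 '
    'proto=tcp act=drop#012flexNumber1Label=Total bytes flexNumber1=58 '
    'msg=literal \\= kept'
)
SAMPLE_SYSTEM = (
    'Aug 12 17:08:50 DOB-FW-HA-1.OCI Ashburn FD1 CEF:0|Palo '
    'Alto#012Networks|PAN-OS|11.2.0|userid|SYSTEM|1|rt=Aug 12 2024 22:08:49 '
    'GMT#012deviceExternalId=000000000000000 cs3Label=Virtual System cs3= fname= '
    'flexString2Label=Module#012flexString2=general msg="gRPC connection to '
    'identity.example.net:443 is established" cat=cuid-conn dvchost=DOB-FW-HA-1'
)
SAMPLE_LINES = [SAMPLE_TRAFFIC, SAMPLE_SYSTEM]

_OCTAL_ESCAPE = re.compile(r'#([0-7]{3})')
# An extension key starts the extension or follows whitespace and ends in '=';
# a "\=" inside a value never matches because '\' is not a key character.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')


@dataclass
class CefEvent:
    syslog_prefix: str          # whatever rsyslog stored in front of "CEF:"
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    ext: dict = field(default_factory=dict)


def unescape_rsyslog(text: str) -> str:
    """Undo rsyslog's #ooo escaping (e.g. #012 -> newline).

    Only values below 0o40 are decoded: rsyslog escapes control characters
    only, so a "#123" that was in the original message must stay a literal.
    """
    def _decode(m):
        code = int(m.group(1), 8)
        return chr(code) if code < 0o40 else m.group(0)
    return _OCTAL_ESCAPE.sub(_decode, text)


def _split_header(body: str, nfields: int = 7):
    """Split the pipe-delimited header, honouring \\| and \\\\ escapes.

    Returns the header fields and the untouched extension remainder.
    """
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < nfields:
        c = body[i]
        if c == '\\' and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if c == '|':
            fields.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < nfields:
        raise ValueError('truncated CEF header')
    return fields, body[i:]


def _parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v two k3=' into a dict; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r'\\(.)', r'\1', value)   # \= and \\ in values
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one rsyslog-stored CEF line into header fields and extensions."""
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('no CEF header in line')
    # The firewall wraps its message with newlines: treat them as spaces.
    body = unescape_rsyslog(line[idx + 4:]).replace('\r', ' ').replace('\n', ' ')
    header, ext = _split_header(body)
    return CefEvent(line[:idx].rstrip(), *header, ext=_parse_extension(ext))


def dropped_flows(lines):
    """(src, dst, dpt) of every TRAFFIC event the firewall reported as dropped."""
    flows = []
    for line in lines:
        ev = parse_cef(line)
        if ev.name == 'TRAFFIC' and ev.ext.get('act') == 'drop':
            flows.append((ev.ext.get('src'), ev.ext.get('dst'), ev.ext.get('dpt')))
    return flows


if __name__ == '__main__':
    for ev in map(parse_cef, SAMPLE_LINES):
        print(ev.name, ev.signature_id, ev.ext.get('cat') or ev.ext.get('act'))
    print(dropped_flows(SAMPLE_LINES))
```

Decoding `#ooo` only for values below 0o40 matters because rsyslog never escapes a literal `#` in the incoming message, so `#123` in a message body and `#012` produced by the escaping are not distinguishable by shape alone; restricting the decoder to the control-character range is the safe reading. If the stored line was produced with RSYSLOG_DebugFormat or with the escaping turned off, the `\n` branch in `parse_cef` handles the raw newline just as well.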


Re: [rsyslog] rsyslog is not storing logs coming from specific device

2024-08-06 Thread David Lang via rsyslog

Mariusz Kruk wrote:


1. Do those logs end up _somewhere_? (some default destination)


If you can find them anywhere, log them with the template RSYSLOG_DebugFormat so 
you can see how they are parsed, usually the problem is that they aren't being 
parsed as you expect them to be.


2. Are you sure that rsyslog actually gets those events? (tcpdump can still 
show UDP packets on the wire even if they are filtered out by local firewall 
(or rp_filter assuming you're running linux)).


one thing that can happen if you don't have a default route is that the IP stack 
can throw away UDP packets where you don't have a route to the source IP


David Lang

3. I'm not familiar with the question mark syntax, but you have 
"firepower_systemevents" there. Even assuming it should be a name of the 
template, you have your template defined as "systemevents".


On 6.08.2024 10:53, Gundlapally, Navanitha via rsyslog wrote:

Hi Team,

I've been using rsyslog extensively for our daily operations, but today I 
ran into an issue where the rsyslog template is not getting applied to logs 
from specific devices. I verified that logs are received from these devices 
using tcpdump, and I created a basic template to store logs coming from the 
specified IP addresses. However, it still isn't working.


I enabled debug logging to check for any errors, but there was nothing 
relevant in the debug file, likely because rsyslog isn't able to read those 
logs. Can you help me understand what's going wrong?


My template -
$template 
systemevents,"/var/syslog/rsyslog/Systemevents/%fromhost-ip%/messages_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
if ($fromhost-ip startswith '1.10.5.2' or $fromhost startswith 'Cxx1' 
or $msg contains Cxxx1') then ?firepower_systemevents



Regards
Navanitha Gundlapally | Team Manager | BISG Security Monitoring | 
Broadridge Financial Solutions (India) Private Limited
Adjacent to Cyber Towers, Hi-Tec City, Madhapur | Hyderabad 500081 
Telangana | India | m +91 +918790032574


This message and any attachments are intended only for the use of the 
addressee and may contain information that is privileged and confidential. 
If the reader of the message is not the intended recipient or an authorized 
representative of the intended recipient, you are hereby notified that any 
dissemination of this communication is strictly prohibited. If you have 
received this communication in error, please notify us immediately by 
e-mail and delete the message and any attachments from your system.







Re: [rsyslog] rsyslog - imtcp - tls vs plaintext - too many tcp sessions

2024-08-01 Thread David Lang via rsyslog

Ricardo Esteves wrote:


Seems imtcp in TLS mode enforces the MaxSessions and in plaintext doesn't?


This seems odd.

If I want to enable TLS in our most populated region which has +/- 13000 
hosts, do I need to set MaxSessions to a value bigger than 13000?


Yes, I would expect that you need to set this higher than the number of expected 
connections. Also, you may need to add resources to the tcp stack at the OS 
level for such a busy server. (tcp buffers, etc)


David Lang


Re: [rsyslog] rsyslog - imtcp - tls vs plaintext - too many tcp sessions

2024-08-01 Thread David Lang via rsyslog

we would need to see your full configs (including all the include files)

if you start rsyslog with the -o /path/to/file it will write out the combined 
config as it sees it.


The typical cause is that you have a stop statement somewhere that is blocking 
processing.


Also, why did you reply to another person's thread rather than starting your 
own?


David Lang

On Thu, 1 Aug 2024, Drumm, Daniel via rsyslog wrote:


Date: Thu, 1 Aug 2024 16:02:11 +
From: "Drumm, Daniel via rsyslog" 
To: rsyslog-users 
Cc: "Drumm, Daniel" 
Subject: Re: [rsyslog] rsyslog - imtcp - tls vs plaintext - too many tcp
sessions

I have a new Ubuntu server, and this is the rsyslog.conf. I cannot get the 
server to process the directives in /etc/rsyslog.d/ except for local processes. 
I use tcpdump to verify that there is a syslog flow coming into the server as 
well as loggen, but it only logs local events and I am baffled as to why.

D


ubuntu@syslog-server-vnic-primary:/etc/rsyslog.d$ sudo ss -plntu
Netid State  Recv-Q Send-QLocal Address:PortPeer 
Address:Port Process
udp   UNCONN 0  0 127.0.0.53%lo:53   0.0.0.0:* 
users:(("systemd-resolve",pid=811,fd=12))
udp   UNCONN 0  0   10.30.0.18%ens3:68   0.0.0.0:* 
users:(("systemd-network",pid=809,fd=15))
udp   UNCONN 0  0   0.0.0.0:111  0.0.0.0:* 
users:(("rpcbind",pid=756,fd=5),("systemd",pid=1,fd=41))
udp   UNCONN 0  010.30.0.18:123  0.0.0.0:* 
users:(("ntpd",pid=4875,fd=19))
udp   UNCONN 0  0 127.0.0.1:123  0.0.0.0:* 
users:(("ntpd",pid=4875,fd=18))
udp   UNCONN 0  0   0.0.0.0:123  0.0.0.0:* 
users:(("ntpd",pid=4875,fd=17))
udp   UNCONN 0  0   0.0.0.0:514  0.0.0.0:* 
users:(("rsyslogd",pid=247025,fd=5))
udp   UNCONN 0  0  [::]:111 [::]:* 
users:(("rpcbind",pid=756,fd=7),("systemd",pid=1,fd=43))
udp   UNCONN 0  0   [fe80::17ff:fe00:9608]%ens3:123 [::]:* 
users:(("ntpd",pid=4875,fd=21))
udp   UNCONN 0  0 [::1]:123 [::]:* 
users:(("ntpd",pid=4875,fd=20))
udp   UNCONN 0  0  [::]:123 [::]:* 
users:(("ntpd",pid=4875,fd=16))
udp   UNCONN 0  0  [::]:514 [::]:* 
users:(("rsyslogd",pid=247025,fd=6))

-Original Message-
From: rsyslog  On Behalf Of Ricardo Esteves 
via rsyslog
Sent: Thursday, August 1, 2024 10:34 AM
To: rsyslog@lists.adiscon.com
Cc: Ricardo Esteves 
Subject: [rsyslog] rsyslog - imtcp - tls vs plaintext - too many tcp sessions

Hi,

We have several central syslog servers, and we are in the process of enabling 
TLS for all syslog clients. We started in one of our less populated regions 
with just QA hosts, and as soon as we enabled TLS for all QA hosts (350) we 
started observing this error in the central syslog server:

rsyslogd: too many tcp sessions - dropping incoming request
[v8.2102.0-13.el8 try https://www.rsyslog.com/e/2079 ]

I then did some tests in our lab and saw this behavior:

for syslog001 - imtcp (TLS)
  from client1 i used loggen to simulate 1000 connections
  loggen -U -P -r 1 -I 300 --active-connections=1000 syslog001 6514
  and started to see right away the "too many tcp sessions" on the
syslog001
  also watch -n5 "netstat -an | grep ip_client1 | wc -l" showed constantly 194 
connections

for syslog002 - imtcp (plain text)
  from client1 i used loggen to simulate 1000 connections
  loggen -S -P -r 1 -I 300 --active-connections=1000 syslog002 514
  no "too many tcp sessions" messages on the syslog002
  and watch -n5 "netstat -an | grep ip_client1 | wc -l" showed constantly 1000 
connections

Seems imtcp in TLS mode enforces the MaxSessions and in plaintext doesn't?

If I want to enable TLS in our most populated region which has +/- 13000 hosts, 
do I need to set MaxSessions to a value bigger than 13000?

Best regards.


rsyslog.conf
Description: rsyslog.conf

Re: [rsyslog] Combining AuditD logs using Rsyslog

2024-07-23 Thread David Lang via rsyslog

You could use something like Simple Event Correlator to combine logs like this.

There is not a good way to do so inside rsyslog (and trying to do so would cause 
all sorts of grief with locking and multi-threaded processing)


Best to do the combining before the logs go to rsyslog.

David Lang


Re: [rsyslog] rsyslog stops accepting TCP for a minute or two

2024-07-16 Thread David Lang via rsyslog
it's not clear if this config and pstats output is for the sending or receiving 
system


Tue Jul 16 09:23:13 2024: action-2-builtin:omfwd queue: origin=core.queue 
size=1000 enqueued=248342 full=702 discarded.full=2 discarded.nf=0 maxqsize=1000

This indicates that the queue to deliver messages out from this system filled 
its queue 702 times; that would cause processing on this system to receive 
messages to block (or at least spill over to the disk files for this queue, 
which are considerably slower). A larger queue size may help ride out short 
surges in traffic.


one thing that can speed things up is to set a batch size of something on the 
order of 100-128, something like that on the sending side.


Also, naming the actions makes the pstats output much easier to read

you can run top and hit "H" to show threads and see if there is a thread that is 
using a lot of cpu.


Is there a firewall/router/switch that could be dropping packets in the path? 
tcp timeouts/retries could account for delays


David Lang

On Tue, 16 Jul 2024, Jesper Skou Jensen via rsyslog wrote:


Date: Tue, 16 Jul 2024 08:20:51 +
From: Jesper Skou Jensen via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Jesper Skou Jensen 
Subject: [rsyslog] rsyslog stops accepting TCP for a minute or two

Hi guys

I hope that someone here has some good ideas because I've run out of things to 
tweak.

We have a few rsyslog servers in the company, the basic setup is a couple of 
collectors/relays that forwards syslog to two archive servers.

We have run this setup for years but recently we have started pushing 
considerably more (3-4 times as much) syslog towards the servers and it appears 
they can't quite handle the extra load. The servers stop accepting TCP 
connections every now and then, for a minute or two, and then work fine again 
without any pattern that I can see. I'm trying to figure out why and what I can 
do about it.

Each relay server receives a few thousand messages per second at about 
30-40Mbit/s syslog and forwards that to two other rsyslog servers with a total 
of 60-80Mbit/s.

The relay servers are hovering around 5-7% CPU usage and little load around 0.3 
so I don't think it's a hardware limitation.


Notable parts of the config includes:

$MaxOpenFiles 81920 #there are usually only a few thousand open files, but 
currently this is what it sits at. I tried raising it to a MUCH higher number, 
didn't change anything

#we accept both UDP and TCP but it appears to be only TCP that is acting up so 
I'll concentrate on that.
module(
   load="imptcp"
   Threads="6" #was 2 when we had 4 CPU cores, now we have 8 CPU cores
)
input(
   type="imptcp"
   port="514"
   KeepAlive="on" #was running without probes, I have enabled them to try 
to keep the open (idle) connections down
   KeepAlive.Probes="3"
   KeepAlive.Interval="60"
)

#we forward to two servers, here's the config for one of them. We did have zip 
activated but I have disabled that, in an attempt to fix our issues, and it 
didn't compress much anyways.
action(
   type="omfwd"
   target="REDACTED"
   port="6514"
   protocol="tcp"

   template="format_forward"

   queue.type="linkedlist"
   queue.filename="forward_to_archive"
   action.resumeRetryCount="-1"
   queue.saveOnShutdown="on"

   #compress syslog message during transfer to save bandwidth
#ziplevel="1"
#compression.mode="single"

   #encrypt syslog traffic
   StreamDriverMode="1" # run driver in TLS-only mode
   StreamDriverAuthMode="x509/name"
   StreamDriverPermittedPeers="REDACTED" #only permit the certificate from 
the verified syslog server
)


#I have added the impstats module but don't quite know how to read the 
output, maybe it tells you guys something?

module(load="impstats"
   ResetCounters="on"
   interval="60"
   severity="7"
   log.syslog="off"
   log.file="/var/log/rsyslog-stats.log"
)

Tue Jul 16 09:23:13 2024: global: origin=dynstats
Tue Jul 16 09:23:13 2024: imuxsock: origin=imuxsock submitted=29 
ratelimit.discarded=0 ratelimit.numratelimiters=0
Tue Jul 16 09:23:13 2024: dynafile cache dynaFileDebug: origin=omfile 
requests=0 level0=0 missed=0 evicted=0 maxused=0 closetimeouts=0
Tue Jul 16 09:23:13 2024: action-0-builtin:omfile: origin=core.action 
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Jul 16 09:23:13 2024: action-1-builtin:omfwd: origin=core.action 
processed=248342 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Jul 16 09:23:13 2024: action-2-builtin:omfwd: origin=core.action 
processed=248

Re: [rsyslog] rsyslog / journald - el7 vs el8

2024-07-01 Thread David Lang via rsyslog

Sean Maguire wrote:


That meant that rsyslog would listen on that socket and journald would send
log entries there.  See "ForwardToSyslog" in journald.conf (5).  Now the
default is to use the rsyslog "imjournal" module to get logs from the
journal.

We (I) always change the setting on our servers to the earlier
configuration due to warnings about performance in
https://rsyslog.readthedocs.io/en/latest/configuration/modules/imjournal.html


readthedocs does not maintain the current rsyslog docs, the docs were uploaded 
there by someone outside of the rsyslog team and they will not allow the rsyslog 
team to update them


there isn't a performance problem with the systemd journal database, but in 
versions of journald several years ago, there was possible corruption that 
rsyslog did not catch and led to infinite loops of messages. That should no 
longer be a problem.


journald deliberately refuses to pass data to rsyslog using the ForwardToSyslog 
method that is available via the imjournal module, so I would suggest comparing 
the two.


David Lang



-Sean

On Mon, Jul 1, 2024 at 5:47 AM Ricardo Esteves via rsyslog <
rsyslog@lists.adiscon.com> wrote:



Hi,

On RHEL7 (and clones) systemd package included /etc/rsyslog.d/listen.conf:

$SystemLogSocketName /run/systemd/journal/syslog

which made rsyslog get the logs from journald right?

On RHEL8 (and clones) this file is not included anymore. Does anyone
know why?

I see that on RHEL8 rsyslog.conf now includes the module imjournal to
get the logs directly from journald db.

Though the rsyslog documentation says it's not recommended because it is
quite heavy.
Is the documentation still accurate about this? If yes what would be the
correct way (less heavy) to get logs from journald into rsyslog?

Best regards,
Ricardo Esteves.




Re: [rsyslog] shutdown log to all facilities - opinion ?

2024-06-13 Thread David Lang via rsyslog

Dennis German wrote:

It seems to me that shutdown should send a syslog log message to all 
facilities.


i.e. cron ftp lpr kern mail news syslog uucp auth authpriv daemon user local0 
... local7


To do that, you would need to send multiple messages, one to each facility. 
There is no ability to specify more than one facility in a message


Also, this would break many 3rd party parsers that are set up for a particular 
message for a given facility to be only their specific messages.


What is it that you are trying to accomplish?

David Lang


Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs rsyslog_queue_discarded_full_counter?

2024-06-04 Thread David Lang via rsyslog

anything about restarts, unresponsive, suspended, etc?

David Lang

On Tue, 4 Jun 2024, Johan Ryberg wrote:


Date: Tue, 4 Jun 2024 20:18:41 +0200
From: Johan Ryberg 
To: David Lang 
Cc: Johan Ryberg via rsyslog 
Subject: Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs
rsyslog_queue_discarded_full_counter?

Yes, I'm exporting that to Prometheus. That's how I found out the full
counter.

That's the only thing that I can find that stands out.

Regards Johan

On Tue, 4 Jun 2024 20:12 David Lang wrote:


to see what's happening with the queues, enable impstats so you can see
queue
and other performance stats.

David Lang

On Tue, 4 Jun 2024, Johan Ryberg via rsyslog wrote:


Date: Tue, 4 Jun 2024 16:16:27 +0200
From: Johan Ryberg via rsyslog 
To: rsyslog-users 
Cc: Johan Ryberg 
Subject: Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs
rsyslog_queue_discarded_full_counter?

Thank you both for your reply

The only config for the queue is in the action

   action(
   type="omprog"
   name="receiver"
   action.resumeInterval="5"
   binary="/usr/local/bin/receiver"
   killUnresponsive="on"
   signalOnClose="on"
   closeTimeout="20"
   output="/dev/stdout"
   queue.saveonshutdown="on"
   queue.type="fixedArray"
   template="syslog"
   )

The listener is tcp for my scenario and what I can tell is that the
pushback is an introduced delay in the psh ack to let off the pressure on
the queue?

Since the affected queue is my omprog it's probably safe to say that I'm on
the limit of what the current code can handle or is there any other tuning
that might be suggested if we play with the thought that my software can
handle the load?

Best regards Johan Ryberg

On Fri, 31 May 2024 at 20:40, Rainer Gerhards via rsyslog <
rsyslog@lists.adiscon.com> wrote:


Plus we wait a bit (pushback to sender) when the next messages come in. But
all depends on queue config.

Rainer

Sent from phone, thus brief.

David Lang via rsyslog wrote on Fri., 31 May 2024, 19:44:


when the queue hits full, you aren't yet losing a message, it's the next
message that arrives while the queue is full that is lost.

David Lang













Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs rsyslog_queue_discarded_full_counter?

2024-06-04 Thread David Lang via rsyslog
to see what's happening with the queues, enable impstats so you can see queue 
and other performance stats.


David Lang

On Tue, 4 Jun 2024, Johan Ryberg via rsyslog wrote:


Date: Tue, 4 Jun 2024 16:16:27 +0200
From: Johan Ryberg via rsyslog 
To: rsyslog-users 
Cc: Johan Ryberg 
Subject: Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs
rsyslog_queue_discarded_full_counter?

Thank you both for your reply

The only config for the queue is in the action

   action(
   type="omprog"
   name="receiver"
   action.resumeInterval="5"
   binary="/usr/local/bin/receiver"
   killUnresponsive="on"
   signalOnClose="on"
   closeTimeout="20"
   output="/dev/stdout"
   queue.saveonshutdown="on"
   queue.type="fixedArray"
   template="syslog"
   )

The listener is tcp for my scenario and what I can tell is that the
pushback is an introduced delay in the psh ack to let off the pressure on
the queue?

Since the affected queue is my omprog it's probably safe to say that I'm on
the limit of what the current code can handle or is there any other tuning
that might be suggested if we play with the thought that my software can
handle the load?

Best regards Johan Ryberg

On Fri, 31 May 2024 at 20:40, Rainer Gerhards via rsyslog <
rsyslog@lists.adiscon.com> wrote:


Plus we wait a bit (pushback to sender) when the next messages come in. But
all depends on queue config.

Rainer

Sent from phone, thus brief.

David Lang via rsyslog wrote on Fri., 31 May 2024, 19:44:


when the queue hits full, you aren't yet losing a message, it's the next
message that arrives while the queue is full that is lost.

David Lang








Re: [rsyslog] Question on legacy syntax vs action RainerScript

2024-05-31 Thread David Lang via rsyslog

Rory Toma wrote:


However, we are missing some messages on the backend that get logged locally. 
I'm trying to eliminate causes, and want to make sure of something.
Before, with legacy syntax, we'd use

*.*

Syntax so everything was logged. Is this the default or do I need to add 
something to the action statement?


That is the default, you don't need to use it (you still can use that format 
ahead of an action statement if you want, but *.* or a bare action of any format 
will do the same thing)


David Lang


Re: [rsyslog] Metrics: rsyslog_queue_full_counter vs rsyslog_queue_discarded_full_counter?

2024-05-31 Thread David Lang via rsyslog
when the queue hits full, you aren't yet losing a message, it's the next 
message that arrives while the queue is full that is lost.


David Lang


Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-30 Thread David Lang via rsyslog

resending the configs

On Tue, 28 May 2024, David Lang wrote:


let's simplify this to the minimum needed


Server:

# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


David Lang


Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-30 Thread David Lang via rsyslog

remove the PermittedPeer line.

that only applies to the encryption settings on the server receiving TLS 
connections.


and I don't think you need to set the NetStreamDriver, so I would remove those 
lines from both configs.


David Lang

On Thu, 30 May 2024, Kathy Lyons wrote:


Date: Thu, 30 May 2024 06:01:38 -0400
From: Kathy Lyons 
To: David Lang 
Cc: Rainer Gerhards ,
rsyslog-users 
Subject: Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

Sorry - hit send by mistake before.

Here is server conf file:

global(defaultNetStreamDriver="ptcp")
$InputTCPServerRun 12345

$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"

if $fromhost-ip <> '127.0.0.1' then {
 @10.x.x.x;LDSTag
 stop
}
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.*;local5.* @10.x.x.x;LDSTag

Client config:

global(defaultNetStreamDriver="ptcp")
$ActionSendStreamDriverPermittedPeer 10.10.10.1 #wg server ip
$template LDCTmpl,"<%PRI%>%TIMESTAMP:::date-rfc3339% [HOSTNAME] %syslogtag%%msg%"
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.*;local5.* @10.10.10.1:12345;LDCTmpl






On Thu, May 30, 2024 at 5:38 AM Kathy Lyons  wrote:


Here is my server conf file:

global(defaultNetStreamDriver="ptcp")


On Wed, May 29, 2024 at 12:12 PM David Lang  wrote:


you still have some encryption settings left in the file, please post
your full config again so we can see what you have left.

I already posted the minimal config that removed all the encryption
settings.

David Lang

On Wed, 29 May 2024, Kathy Lyons wrote:


Date: Wed, 29 May 2024 06:35:44 -0400
From: Kathy Lyons 
To: Rainer Gerhards 
Cc: rsyslog-users , David Lang <da...@lang.hm>
Subject: Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

Thanks.  I have removed that line from my files.  When I restart rsyslog, I
get this error:

* authentication not supported by ptcp netstream driver.*

Are there other lines I should remove?  Is the ptcp netstream driver the
default?

David, when I run tcpdump for the port 12345 on both client and server I
see data on both devices.  Do I not need a TCP connection data for both the
client and server?

On Wed, May 29, 2024 at 5:45 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:


Mode 0 indeed does turn any encryption off. It's primarily there for
technical reasons, and it is the default.

I strongly advise against defining encryption settings and then
disabling them this way.

Rainer

On Wed, 29 May 2024 at 11:26, David Lang via rsyslog
() wrote:


On Wed, 29 May 2024, Kathy Lyons wrote:


which part sets encryption?  I thought these options set encryption to 0,
or disabled.


leave out all the encryption settings to have them be disabled, setting the mode
to anon turns on encryption, but accepting any cert.

David Lang


On Tue, May 28, 2024 at 6:09 PM David Lang  wrote:


On Tue, 28 May 2024, Kathy Lyons wrote:


let's simplify this to the minimum needed


Server:

# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

# I've tried both with and without the line below
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


also note that the format of setting a bunch of $foo lines that then affect
future lines is discouraged, it's better to use the newer action() syntax that
sets all those things explicitly in the one place.

David Lang



On 5/28/2024 5:42 PM, David Lang wrote:

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean
that port 514 (TCP or UDP) can get through, either due to firewalls at the
network layer or iptables on the systems

David Lang


















Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-30 Thread David Lang via rsyslog

On Thu, 30 May 2024, Kathy Lyons wrote:


Here is my server conf file:

global(defaultNetStreamDriver="ptcp")


there needs to be more than that.

have you tried the configs that I posted?

David Lang



On Wed, May 29, 2024 at 12:12 PM David Lang  wrote:


you still have some encryption settings left in the file, please post your
full config again so we can see what you have left.

I already posted the minimal config that removed all the encryption
settings.

David Lang

On Wed, 29 May 2024, Kathy Lyons wrote:


Date: Wed, 29 May 2024 06:35:44 -0400
From: Kathy Lyons 
To: Rainer Gerhards 
Cc: rsyslog-users , David Lang 
rsyslog, I

get this error:

* authentication not supported by ptcp netstream driver.*

Are there other lines I should remove?  Is the ptcp netstream driver the
default?

David, when I run tcpdump for the port 12345 on both client and server I
see data on both devices.  Do I not need a TCP connection data for both the
client and server?

On Wed, May 29, 2024 at 5:45 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:


Mode 0 indeed does turn any encryption off. It's primarily there for
technical reasons, and it is the default.

I strongly advise against defining encryption settings and then
disabling them this way.

Rainer

On Wed, 29 May 2024 at 11:26, David Lang via rsyslog
() wrote:


On Wed, 29 May 2024, Kathy Lyons wrote:


which part sets encryption?  I thought these options set encryption to 0,
or disabled.


leave out all the encryption settings to have them be disabled, setting the mode
to anon turns on encryption, but accepting any cert.

David Lang


On Tue, May 28, 2024 at 6:09 PM David Lang  wrote:


On Tue, 28 May 2024, Kathy Lyons wrote:


let's simplify this to the minimum needed


Server:

# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

# I've tried both with and without the line below
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


also note that the format of setting a bunch of $foo lines that then affect
future lines is discouraged, it's better to use the newer action() syntax that
sets all those things explicitly in the one place.

David Lang



On 5/28/2024 5:42 PM, David Lang wrote:

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean
that port 514 (TCP or UDP) can get through, either due to firewalls at the
network layer or iptables on the systems

David Lang















Re: [rsyslog] why is my config ignored

2024-05-29 Thread David Lang via rsyslog

it can be matched, it's just not what you thought it was.

log with the RSYSLOG_DebugFormat template and you will see what $syslogtag 
contains.


David Lang

On Wed, 29 May 2024, sacawulu via rsyslog wrote:


ok...

but then... what's the use of being able to assign a tag with "logger -t 
TAG" when that tag cannot be used later on to do something with it?


syslogtag, isequal... is not meant as a logical duo with "logger -t"?

More tomorrow.

Goodnight!

Op 29-05-2024 om 23:07 schreef Mariusz Kruk via rsyslog:
See your logged event. You're matching against a string 
"intruder_lockout:" but your event is logged with a PID added to the 
progname so you have "intruder_lockout[]:" so your condition doesn't 
match.



On May 29, 2024 12:51:41 PM UTC, cyusedfzfb via rsyslog 
 wrote:


     I have found that when using programname to match, it DOES work.

     Why would this line:

     logger -t intruder_lockout -p local4.info "this account is now
     locked out"

     not match when filtering to match syslogtag isequal 
"intruder_lockout"?


     Anyway...I am (finally) able to proceed.

     Still hope someone can explain the observed behaviour.

     MJ

     On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:

     It's impossible to answer that without knowing your full config.
     My guess would be that your syslog.d contents are included at
     the end of the main config file and your event matches a
     different disposition first so it's matched to another action
     and the processing is stopped there not reaching your rule.

     On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:

     Hi all!

     I am generating log messages from a script with a syslogtag,
     like this:

     ]# logger -t intruder_lockout -p local4.info "this account
     is now locked out"

     Next I'm trying to filter these logs, based on syslogtag to
     a separate file. (on RHEL9, with rsyslogd  8.2102.0-117.el9
     (aka 2021.02))

     To do that, I created the configfile
     /etc/rsyslog.d/0_intruder_lockout_log.conf with this contents:

     :syslogtag, isequal, "intruder_lockout:"
     /var/log/intruder_lockout.log
     & stop

     But the logger messages continue to end-up in the regular
     /var/log/messages.

     My config file *is* processed:

     ]# rsyslogd -N1 -d | grep intruder

     9648.534580052:main thread    : rainerscript.c: PROPFILT
     9648.534581695:main thread    : rainerscript.c:
     Property.: 'syslogtag'
     9648.534584550:main thread    : rainerscript.c:
     Operation: 'isequal'
     9648.534587716:main thread    : rainerscript.c:
     Value: 'intruder_lockout:'
     9648.534589259:main thread    : rainerscript.c: THEN
     9648.534590852:main thread    : rainerscript.c:   ACTION 2
     [builtin:omfile:/data/log/intruder_lockout.log]
     9648.534593647:main thread    : rainerscript.c:   STOP
     9648.534596272:main thread    : rainerscript.c: END PROPFILT

     I have also disabled selinux for testing, just to make sure
     that is not getting in my way.

     Anyone here with some input to help me on my way..? Why is
     this not working?!

     Thanks!








Re: [rsyslog] why is my config ignored

2024-05-29 Thread David Lang via rsyslog
log the message with the template RSYSLOG_DebugFormat so you can see all the 
details about how rsyslog is seeing the message.


I'm not sure if _ is valid as a syslog tag, but if the debug output shows that 
it's not being parsed into the tag field, try without that.


we really would need to see the complete log file (which includes all included 
files), if you start rsyslog with -o /path/to/file it will write the combined 
config file as it sees it into that file which makes it much easier to see how 
all the config snippets combine.


David Lang


On Wed, 29 May 2024, cyusedfzfb via rsyslog wrote:


Date: Wed, 29 May 2024 14:51:41 +0200
From: cyusedfzfb via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: cyusedfzfb 
Subject: Re: [rsyslog] why is my config ignored

I have found that when using programname to match, it DOES work.

Why would this line:

logger -t intruder_lockout -p local4.info "this account is now locked 
out" 

not match when filtering to match syslogtag isequal "intruder_lockout"?

Anyway...I am (finally) able to proceed.

Still hope someone can explain the observed behaviour.

MJ

On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:
It's impossible to answer that without knowing your full config. My 
guess would be that your syslog.d contents are included at the end of 
the main config file and your event matches a different disposition 
first so it's matched to another action and the processing is stopped 
there not reaching your rule.


On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:

Hi all!

I am generating log messages from a script with a syslogtag, like this:

]# logger -t intruder_lockout -p local4.info "this account is now 
locked out"


Next I'm trying to filter these logs, based on syslogtag to a 
separate file. (on RHEL9, with rsyslogd  8.2102.0-117.el9 (aka 2021.02))


To do that, I created the configfile 
/etc/rsyslog.d/0_intruder_lockout_log.conf with this contents:



:syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
& stop
But the logger messages continue to end-up in the regular 
/var/log/messages.


My config file *is* processed:

]# rsyslogd -N1 -d | grep intruder

9648.534580052:main thread    : rainerscript.c: PROPFILT
9648.534581695:main thread    : rainerscript.c:     Property.: 
'syslogtag'

9648.534584550:main thread    : rainerscript.c:     Operation: 'isequal'
9648.534587716:main thread    : rainerscript.c:     Value: 
'intruder_lockout:'

9648.534589259:main thread    : rainerscript.c: THEN
9648.534590852:main thread    : rainerscript.c:   ACTION 2 
[builtin:omfile:/data/log/intruder_lockout.log]

9648.534593647:main thread    : rainerscript.c:   STOP
9648.534596272:main thread    : rainerscript.c: END PROPFILT

I have also disabled selinux for testing, just to make sure that is 
not getting in my way.


Anyone here with some input to help me on my way..? Why is this not 
working?!


Thanks!




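Putting David's and Mariusz's advice from this thread together, as an added example that is not from the thread: a drop-in for /etc/rsyslog.d/ that first writes the parsed message with the built-in RSYSLOG_DebugFormat template, then matches on $programname, which is the tag without the "[PID]:" suffix that made the isequal compare fail. The two file paths are constructed; any directory rsyslog may write to will do.

```rsyslog
# Added example (not from the thread). Place it so it runs before the rule
# that writes /var/log/messages, e.g. /etc/rsyslog.d/0_intruder_lockout.conf.

# Step 1, diagnosis: one copy of each matching message in RSYSLOG_DebugFormat,
# which lists every property rsyslog derived from the message. Its syslogtag
# line shows the tag arrived as 'intruder_lockout[PID]:' (as Mariusz observed),
# so ':syslogtag, isequal, "intruder_lockout:"' can never match.
# Remove this action again once the question is answered; it is verbose.
if $programname == "intruder_lockout" then
    action(type="omfile" file="/var/log/intruder_lockout-debug.log"
           template="RSYSLOG_DebugFormat")

# Step 2, fix: $programname is the tag with any '[pid]' and the trailing ':'
# stripped, so it is stable whether or not a PID is appended. The stop keeps
# the message out of /var/log/messages, which is what "& stop" intended.
# An equivalent prefix match on the raw tag would be:
#   if $syslogtag startswith "intruder_lockout[" then { ... }
if $programname == "intruder_lockout" then {
    action(type="omfile" file="/var/log/intruder_lockout.log")
    stop
}
```

Check the combined result with `rsyslogd -o /tmp/combined.conf -N1`, as David suggests, to confirm this snippet is included ahead of the catch-all rule rather than after it.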

Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-29 Thread David Lang via rsyslog
you still have some encryption settings left in the file, please post your full 
config again so we can see what you have left.


I already posted the minimal config that removed all the encryption settings.

David Lang

On Wed, 29 May 2024, Kathy Lyons wrote:


Date: Wed, 29 May 2024 06:35:44 -0400
From: Kathy Lyons 
To: Rainer Gerhards 
Cc: rsyslog-users , David Lang 
Subject: Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

Thanks.  I have removed that line from my files.  When I restart rsyslog, I
get this error:

* authentication not supported by ptcp netstream driver.*

Are there other lines I should remove?  Is the ptcp netstream driver the
default?

David, when I run tcpdump for the port 12345 on both client and server I
see data on both devices.  Do I not need a TCP connection data for both the
client and server?

On Wed, May 29, 2024 at 5:45 AM Rainer Gerhards 
wrote:


Mode 0 indeed does turn any encryption off. It's primarily there for
technical reasons, and it is the default.

I strongly advise against defining encryption settings and then
disabling them this way.

Rainer

On Wed, 29 May 2024 at 11:26, David Lang via rsyslog
() wrote:


On Wed, 29 May 2024, Kathy Lyons wrote:


which part sets encryption?  I thought these options set encryption to 0,
or disabled.


leave out all the encryption settings to have them be disabled, setting the mode
to anon turns on encryption, but accepting any cert.

David Lang


On Tue, May 28, 2024 at 6:09 PM David Lang  wrote:


On Tue, 28 May 2024, Kathy Lyons wrote:


let's simplify this to the minimum needed


Server:

# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

# I've tried both with and without the line below
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


also note that the format of setting a bunch of $foo lines that then affect
future lines is discouraged, it's better to use the newer action() syntax that
sets all those things explicitly in the one place.

David Lang



On 5/28/2024 5:42 PM, David Lang wrote:

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean
that port 514 (TCP or UDP) can get through, either due to firewalls at the
network layer or iptables on the systems

David Lang













Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-29 Thread David Lang via rsyslog

On Wed, 29 May 2024, Kathy Lyons wrote:


which part sets encryption?  I thought these options set encryption to 0,
or disabled.


leave out all the encryption settings to have them be disabled, setting the mode 
to anon turns on encryption, but accepting any cert.


David Lang


On Tue, May 28, 2024 at 6:09 PM David Lang  wrote:


On Tue, 28 May 2024, Kathy Lyons wrote:


let's simplify this to the minimum needed


Server:

# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

# I've tried both with and without the line below
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


also note that the format of setting a bunch of $foo lines that then affect
future lines is discouraged, it's better to use the newer action() syntax that
sets all those things explicitly in the one place.

David Lang



On 5/28/2024 5:42 PM, David Lang wrote:

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean
that port 514 (TCP or UDP) can get through, either due to firewalls at the
network layer or iptables on the systems

David Lang









Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-28 Thread David Lang via rsyslog

On Tue, 28 May 2024, Kathy Lyons wrote:


let's simplify this to the minimum needed


Server:

# I've tried both with and without the line below
$ModLoad imtcp
$InputTCPServerRun 12345
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

# I've tried both with and without the line below
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


also note that the format of setting a bunch of $foo lines that then affect 
future lines is discouraged, it's better to use the newer action() syntax that 
sets all those things explicitly in the one place.


David Lang



On 5/28/2024 5:42 PM, David Lang wrote:

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean 
that port 514 (TCP or UDP) can get through, either due to firewalls at the 
network layer or iptables on the systems


David Lang




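The same minimal server/client pair rewritten in the action() form David recommends, as an added example that is not from the thread: every setting sits in the statement it applies to instead of being carried by earlier $... lines, and the bare action() form also shows the point from the "*.*" thread above (a selector may still precede an action(), and an action() with no selector applies to every message). The 10.50.x.x collector, the [nameofsystem]/[PUBLIC_IP] labels and the queue size are placeholders or assumptions carried over from the thread.

```rsyslog
# Added example (not from the thread): two files, shown one after the other.

#### File 1: rsyslog.conf on the wireguard server (10.10.10.1) ####
module(load="imtcp")                 # plain TCP listener; no TLS driver involved
input(type="imtcp" port="12345")

template(name="LDSTag" type="string"
         string="<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%")

# Messages received from the clients: relay them upstream and stop, so they
# never reach the local selector line below.
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfwd" target="10.50.x.x" port="514" protocol="udp"
           template="LDSTag")
    stop
}

# Local messages of the chosen facilities go upstream as well. The legacy
# selector in front of action() is still allowed; leave it out (or write *.*)
# to forward everything.
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* action(type="omfwd"
           target="10.50.x.x" port="514" protocol="udp" template="LDSTag")

#### File 2: rsyslog.conf on each client (10.10.10.2, 10.10.10.3) ####
# The client only sends, so it loads no input module.
template(name="LDSTag" type="string"
         string="<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%")

# Plain TCP through the tunnel. omfwd uses the ptcp driver unless a
# StreamDriver* parameter is given, so none appear here; adding
# StreamDriverMode/AuthMode to a ptcp sender is what produced the
# "authentication not supported by ptcp netstream driver" error in the thread.
# The queue and retry settings (assumed values) buffer messages while the
# server is unreachable instead of dropping them.
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* action(type="omfwd"
           target="10.10.10.1" port="12345" protocol="tcp" template="LDSTag"
           queue.type="LinkedList" queue.size="10000"
           action.resumeRetryCount="-1")
```

Run `rsyslogd -N1` on each host after editing to catch syntax errors, and `rsyslogd -o /tmp/combined.conf` to see the merged configuration rsyslog actually loads.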


Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-28 Thread David Lang via rsyslog

On Tue, 28 May 2024, Kathy Lyons wrote:


I hope this is better.


much better

We have a server and two clients with wireguard on them. The server is 
10.10.10.1, the first client is 10.10.10.2 and the second client is 
10.10.10.3. The tunnel works and I can ping from server -> clients and vice 
versa.


Rsyslog on the server is listening on TCP port 12345 and that is confirmed 
via ss/netstat.


Both clients can reach the server at TCP port 12345 (used netcat)

Iptables is wide open for now.

There are no firewalls between the server and clients.

I want to send logs from both clients to the server via rsyslog through the 
wireguard tunnel. The server will then forwards all logs to another server 
via udp port 514.


For the rsyslog portion I do not need or want data traversing the tunnel to 
be encrypted.  As of now I cannot get an established TCP connection from 
either client to the server.


Here are my configs - what am I doing wrong?

Server:

# I've tried both with and without the line below
global(defaultNetStreamDriver="ptcp")
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 0
$InputTCPServerRun 12345


If they don't need to be encrypted, why are you setting encryption?


$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients
# via udp port 514

if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop


note that a clearer way of writing this is:

if $fromhost-ip <> '127.0.0.1' then {
  @10.50.x.x;LDSTag
  stop
}


auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Client:

# I've tried both with and without the line below
global(defaultNetStreamDriver="ptcp")
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
$ActionWriteAllMarkMessages on
$ActionSendStreamDriverPermittedPeer "10.10.10.1"
$ActionSendStreamDriverMode 0
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:12345;LDSTag


if you do a tcpdump on port 12345 what do you see happening on each side?

David Lang



On 5/28/2024 5:42 PM, David Lang wrote:

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean 
that port 514 (TCP or UDP) can get through, either due to firewalls at the 
network layer or iptables on the systems


David Lang






Re: [rsyslog] unencrypted rsyslog through a wireguard terminal

2024-05-28 Thread David Lang via rsyslog

your message is badly linewrapped, can you please try again?

also note that while you can ping between the systems, that doesn't mean that 
port 514 (TCP or UDP) can get through, either due to firewalls at the network 
layer or iptables on the systems


David Lang

 On Tue, 28 May 2024, Kathy Lyons via rsyslog wrote:


Date: Tue, 28 May 2024 17:34:59 -0400
From: Kathy Lyons via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Kathy Lyons 
Subject: [rsyslog] unencrypted rsyslog through a wireguard terminal

We have a server and two clients with wireguard on them. The server is 
10.10.10.1, the first client is 10.10.10.2 and the second client is 
10.10.10.3. The tunnel works and I can ping from server -> clients and vice 
versa.


I now want to send logs from both clients to the server. The server then 
forwards all logs to another server. For the rsyslog portion, I do not need 
or want data traversing the tunnel to be encrypted. As of now I cannot get an 
established, unencrypted TCP connection from either client to the server. 
Here are my configs - what am I doing wrong?


Server:

global(defaultNetStreamDriver="ptcp")   # I've tried both with and without this line
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 0
$InputTCPServerRun 6514
$template LDSTag,"<%PRI%>%TIMESTAMP% [nameofsystem] %syslogtag% %msg%"
# 10.50.x.x is where the server sends its local data and that of the clients via udp port 514
if $fromhost-ip <> '127.0.0.1' then @10.50.x.x;LDSTag
&stop
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @10.50.x.x;LDSTag


Here is my client setup:

global(defaultNetStreamDriver="ptcp")   # I've tried both with and without this line
$ModLoad imtcp
$template LDSTag,"<%PRI%>%TIMESTAMP% [PUBLIC_IP] %syslogtag% %msg%"
#Send Settings
$ActionWriteAllMarkMessages on
$ActionSendStreamDriverPermittedPeer "10.10.10.1"
$ActionSendStreamDriverMode 0
auth.*;authpriv.*;cron.*;daemon.*;kern.*;local0.*;local4.* @@10.10.10.1:6514;LDSTag






Re: [rsyslog] need help with rsyslog

2024-05-27 Thread David Lang via rsyslog
8.24 is ancient (with some unknown additional backports by redhat), so it's very 
possible that you are using options that it doesn't know about


if you do rsyslogd -N1 does it report any errors in the config file?

I know that imfile has been re-written at least once since 8.24

It would be far better for you to update to a current version.

David Lang

On Tue, 28 May 2024, Chun-An Lee via rsyslog wrote:


Date: Tue, 28 May 2024 10:31:54 +0800
From: Chun-An Lee via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Chun-An Lee 
Subject: [rsyslog] need help with rsyslog

Dear All,
I installed Rsyslog (8.24.55) on Redhat 7.5.
Everything looks okay, but I found an issue: I can only receive the
last input block's log (oracle: mysyk) on the remote SOC
server (192.168.1.1).
If I rearrange them, moving Tag="oracle: mysyk" to the top and
Tag="oracle: pce" to the last one, then I only receive the Tag="oracle:
pce" log. The configuration is shown below:

module(load="imfile" mode="inotify")

input(
   type="imfile"
   File="/PC/PCDB/PCDB_ora_*.xml"
   Tag="oracle: pce"
   ignoreOlderThan="86400"
   startmsg.regex="^(|).*"
   freshStartTail="off"
   deleteStateOnFileDelete="on"
   Severity="info"
   Facility="local5"
   ruleset="sentinel-1468"
)

input(
   type="imfile"
   File="/PC/PDDB/PDDB_ora*.xml"
   Tag="oracle: pde"
   ignoreOlderThan="86400"
   startmsg.regex="^(|).*"
   freshStartTail="off"
   deleteStateOnFileDelete="on"
   Severity="info"
   Facility="local5"
   ruleset="sentinel-1468"
)

input(
   type="imfile"
   File="/PC/MYSYK/MYSYK_ora_*.xml"
   Tag="oracle: mysyk"
   ignoreOlderThan="86400"
   startmsg.regex="^(|).*"
   freshStartTail="off"
   deleteStateOnFileDelete="on"
   Severity="info"
   Facility="local5"
   ruleset="sentinel-1468"
)

ruleset(name="sentinel-1468"){
   action(type="omfwd" target="192.168.1.1" port="1468" protocol="tcp")
}

Could members help me find out the root cause?
Thanks in advance,
TerenceLee




Re: [rsyslog] Problem with omprog

2024-05-24 Thread David Lang via rsyslog
If you specify omprog in your config and then try to start rsyslog, do you get 
any error messages? If the omprog module is not installed, you should get an 
error trying to load it.


David Lang

 On Fri, 24 May 2024, Mårten Persson via rsyslog wrote:


Date: Fri, 24 May 2024 21:03:56 +0200
From: Mårten Persson via rsyslog 
To: rsyslog-users 
Cc: Mårten Persson 
Subject: [rsyslog] Problem with omprog

Hi,
Running raspbian and can't get the omprog to work..
I suspect that omprog itself may not be my problem but it might be
missing instead.
Looked through the source and saw config options...
So my quick question at this point would be:
Is there a way to find out if my rsyslog supports omprog and if the
module exists?

Regards, Mårten

--
Mårten Persson
Räften 272
24791 Södra Sandby
+46707311298


Re: [rsyslog] Stop actions

2024-05-24 Thread David Lang via rsyslog
if you start rsyslog with the -o /path/to/file option, it will write a copy of 
the config file as it sees it with all includes; that is what you should look 
at to figure out the order of things. Many distros put the includes late in the 
config, so putting things in an included file may be too late for some things.


David Lang


On Fri, 24 May 2024, Thomas Raef wrote:


Date: Fri, 24 May 2024 12:37:15 -0400
From: Thomas Raef 
To: David Lang 
Cc: Rainer Gerhards via rsyslog ,
Rainer Gerhards 
Subject: Re: [rsyslog] Stop actions

I created a lower numbered rules file with just this in it:

ruleset(name="drop") {
if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or
($rawmsg contains "/bb-plugin/cache") then {
stop
}
}

input(type="imfile"
File="/var/log/audit/audit.log"
Tag="audit_logs"
ruleset="drop"
reopenOnTruncate="on"
)

And it appears to be working.
Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>



On Fri, May 24, 2024 at 12:21 PM David Lang  wrote:


or you have other actions in the config that happen before your stop takes
place.

David Lang

On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:


Date: Fri, 24 May 2024 13:57:07 +0200
From: Rainer Gerhards via rsyslog 
To: Thomas Raef 
Cc: Rainer Gerhards ,
rsyslog-users 
Subject: Re: [rsyslog] Stop actions

pls show your complete config. I guess the ruleset is not bound to
anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
never activated for these messages.

Rainer

El vie, 24 may 2024 a las 13:43, Thomas Raef
() escribió:


I changed it to:

ruleset(name="drop") {
if ($rawmsg contains "temp-write-test-") or ($rawmsg contains
"-mc.log") or ($rawmsg contains "/bb-plugin/cache") then {
stop
}
}

But the messages still show up.

If the message is malformed, what can I do?

This is one such message I'm still getting:

"message": type=PATH msg=audit(1715691166.683:1235018): item=1
name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00
nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID=\"[redacted\" OGID=\"redacted\"


Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn
Facebook



On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <

rgerha...@hq.adiscon.com> wrote:


I guess the message is malformed and the string you look for is inside
another field.

I would suggest that you use "$rawmsg" instead of "$msg". If that
works, a) we are on the right track and b) you actually solved the
issue, albeit probably not in the best possible way.

HTH
Rainer

El vie, 24 may 2024 a las 12:28, Thomas Raef via rsyslog
() escribió:


I have rules set up but I want to ignore all entries like this:

 "message": type=PATH msg=audit(1715687344.694:1226486): item=3
name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID=\"[redacted]\" OGID=\"[redacted]\"

I want to ignore all entries that have temp-write-test- in the message.

I've tried:

:msg, contains, "temp-write-test-" stop

But I continually get messages with that string in them. I've tried it with
that as the first rule.

And I've tried this as well:

ruleset(name="drop") {
if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg
contains "/bb-plugin/cache") then {
stop
}
}

input(type="imfile"
File="/var/log/audit/audit.log"
Tag="audit_logs"
ruleset="drop"
reopenOnTruncate="on"
)

Nothing works.

Can anyone shed some light? Please?


Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>

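The noise filter this thread is after, as an added Python example that is not part of the thread's rsyslog configuration: it parses auditd PATH records of the shape quoted above into key=value fields (the quoted `name=` value may arrive with backslash-escaped quotes when the record has been wrapped in a JSON "message" field, as in the samples), then applies the same three substring patterns from the `ruleset(name="drop")` to both the parsed path and the raw line. Checking the raw line as well is the Python counterpart of Rainer's advice to test `$rawmsg` rather than `$msg`. The regex, the prefix handling and the sample records are all constructed for the example.

```python
"""Drop noisy auditd PATH records the way the thread's rsyslog rule intends.

Added example, not code from the thread.  Parses audit key=value records
(quoted values may carry \" escapes when wrapped in JSON) and applies the
same three substring patterns used in ruleset(name="drop").
"""
import re

# The three substrings from the thread's ruleset(name="drop").
DROP_PATTERNS = ("temp-write-test-", "-mc.log", "/bb-plugin/cache")

# key=value  or  key="quoted value" (quoted values may contain \-escapes)
_KV_RE = re.compile(r'(\w[\w-]*)=("(?:\\.|[^"\\])*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Parse one auditd record into a dict of fields.

    A record wrapped as the value of a JSON "message" key (as in the
    thread) has its prefix stripped and its \" escapes undone first.
    """
    text = line.strip()
    if text.startswith('"message":'):
        text = text[len('"message":'):].strip()
    text = text.replace('\\"', '"')
    fields = {}
    for key, raw in _KV_RE.findall(text):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def should_drop(line: str, patterns=DROP_PATTERNS) -> bool:
    """True if the parsed name= path, or the raw line, contains a pattern.

    Testing the raw line too mirrors matching on $rawmsg: it still fires
    when the path landed in a field other than the one you expected.
    """
    fields = parse_audit_record(line)
    haystacks = (fields.get("name", ""), line)
    return any(p in h for p in patterns for h in haystacks)


def filter_records(lines, patterns=DROP_PATTERNS):
    """Return (kept, dropped) lists, like a ruleset that ends in 'stop'."""
    kept, dropped = [], []
    for line in lines:
        (dropped if should_drop(line, patterns) else kept).append(line)
    return kept, dropped


# Constructed sample records in the shape quoted in the thread (not real data).
SAMPLE_LINES = [
    '"message": type=PATH msg=audit(1715687344.694:1226486): item=3 '
    'name=\\"/var/www/example.com/htdocs/wp-content/temp-write-test-12345467\\" '
    'inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00 '
    'nametype=CREATE OUID=\\"www\\" OGID=\\"www\\"',
    'type=PATH msg=audit(1715691166.683:1235018): item=1 '
    'name="/var/www/example.com/htdocs/wp-content/mc_data/abc123-mc.log" '
    'inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 nametype=CREATE',
    'type=PATH msg=audit(1715691200.001:1235100): item=0 '
    'name="/var/www/example.com/htdocs/wp-content/uploads/2024/05/photo.jpg" '
    'inode=2427199 dev=08:01 mode=0100644 ouid=1010 ogid=2011 nametype=CREATE',
    'type=SYSCALL msg=audit(1715691200.001:1235100): arch=c000003e syscall=257 '
    'success=yes exit=3 comm="php-fpm" exe="/usr/sbin/php-fpm"',
]

if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE_LINES)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for line in dropped:
        print("DROP", parse_audit_record(line).get("name"))
```

Run it against a slice of a real audit.log to see which records the three patterns would remove before committing the rule to rsyslog; if a record you expected to drop is kept, print its parsed fields to find which one actually holds the path.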
Re: [rsyslog] Stop actions

2024-05-24 Thread David Lang via rsyslog
or you have other actions in the config that happen before your stop takes 
place.


David Lang

On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:


Date: Fri, 24 May 2024 13:57:07 +0200
From: Rainer Gerhards via rsyslog 
To: Thomas Raef 
Cc: Rainer Gerhards ,
rsyslog-users 
Subject: Re: [rsyslog] Stop actions

pls show your complete config. I guess the ruleset is not bound to
anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
never activated for these messages.

Rainer

El vie, 24 may 2024 a las 13:43, Thomas Raef
() escribió:


I changed it to:

ruleset(name="drop") {
if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or ($rawmsg 
contains "/bb-plugin/cache") then {
stop
}
}

But the messages still show up.

If the message is malformed, what can I do?

This is one such message I'm still getting:

"message": type=PATH msg=audit(1715691166.683:1235018): item=1 
name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\" inode=2427162 
dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 
cap_frootid=0 OUID=\"[redacted\" OGID=\"redacted\"

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn
Facebook



On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards  
wrote:


I guess the message is malformed and the string you look for is inside
another field.

I would suggest that you use "$rawmsg" instead of "$msg". If that
works, a) we are on the right track and b) you actually solved the
issue, albeit probably not in the best possible way.

HTH
Rainer

El vie, 24 may 2024 a las 12:28, Thomas Raef via rsyslog
() escribió:
>
> I have rules setup but I want to ignore all entries like this:
>
>  "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> OUID=\"[redacted]\" OGID=\"[redacted]\"
>
> I want to ignore all entries that have temp-write-test- in the message.
>
> I've tried:
>
> :msg, contains, "temp-write-test-" stop
>
>
>
> But I continually get messages with that string in them. I've tried it with
> that as the first rule.
>
>
> And I've tried this as well:
>
>
> ruleset(name="drop") {
> if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg
> contains "/bb-plugin/cache") then {
> stop
> }
> }
>
> input(type="imfile"
> File="/var/log/audit/audit.log"
> Tag="audit_logs"
> ruleset="drop"
> reopenOnTruncate="on"
> )
>
>
> Nothing works.
>
>
> Can anyone shed some light? Please?
>
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
> Facebook <https://www.facebook.com/WeWatchYourWebsite>

Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-22 Thread David Lang via rsyslog

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:

Yes, I'll consider that if needed; those are old servers, most of the others 
are a lot newer and are running recent rsyslogd, so maybe I'll leave it 
like this.


Can you explain a bit more what kind of input I should use to 
re-inject my imfile-parsed entries back into the local rsyslog? Should I 
just send them to a local UDP port?


that works well, especially over localhost

Regarding sponsoring, I guess this is going to be too much for me, but 
do you have an estimate of the cost? I can at least talk about it and 
see if we can help.


I'm not part of adiscon (the company formed by Rainer, the initial author, to 
maintain rsyslog); you would have to ask him.


David Lang


On 5/22/24 09:49, David Lang wrote:
8.24 was released back in 2017. RedHat has backported some fixes and 
features from newer versions of rsyslog (which were released every 6 
weeks for years, now every 8 weeks), but only they track what is and 
isn't in there.


If you are going to really start using the power of rsyslog, I would 
suggest upgrading to the community version (it will be much easier 
than figuring out what features are and aren't in such an old version)


the time parsing is MUCH newer than 8.24, and there are a ton of new 
mmnormalize features that aren't in that old a version.


timezone handling is a headache still, glibc has internal functions to 
handle timezones, but they don't expose it to userspace in a way that 
lets userspace use arbitrary timezones (the functions are there, but 
they insist on using the system environment rather than something 
passed as a parameter)


overall, your approach works.

when you are considering sending the message back into rsyslog, you 
need to be VERY sure that you don't set up a message loop. The best way 
to do this is to have your imfile input go into a separate ruleset 
(with its own queue) so that there is no way for your output message 
to be re-processed.


thinking out loud, you may also want to look at the pmnormalize parser 
that lets the liblognorm parser populate the standard properties. I 
don't know that the time parsing you are dealing with here will work 
in that, but there has been some talk about implementing some time 
parsing code in mmnormalize that would use date-style fields, allowing 
for you to do what you are wanting in one step, but there hasn't been 
enough demand for it to rise to the top of the list for Adiscon to 
allocate manpower for it, and nobody has contributed the code or 
offered to sponsor development of it. (adiscon is a very small 
company, a half dozen or fewer people AFAIK)


David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 09:31:49 +0200
From: Adam Cecile via rsyslog 
To: rsyslog-users 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by 
mmnormalize


So for the record, here is my awful hack.

I'm parsing messages like "[21/05/2024 23:56:37]  [pcc->cct] 
00100t7cc" from existing files using imfile and want to re-use the 
timestamp from msg payload in Rsyslog. Timestamp formatting is 
dd/mm/ HH:MM:ss in local server timezone



So first, I used mmnormalize with the following rule to extract 
individual timestamp fields:


rule=:[%day:number%/%month:number%/%year:number% 
%hour:number%:%minute:number%:%second:number%] 
[%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%



Then I used a custom static mapping table to convert month as digits 
into RFC 3164 "3 letters" month name:


{
  "version": 1,
  "nomatch": "",
  "type": "array",
  "table": [
    { "index": 1, "value": "Jan" },
    { "index": 2, "value": "Feb" },
    { "index": 3, "value": "Mar" },
    { "index": 4, "value": "Apr" },
    { "index": 5, "value": "May" },
    { "index": 6, "value": "Jun" },
    { "index": 7, "value": "Jul" },
    { "index": 8, "value": "Aug" },
    { "index": 9, "value": "Sep" },
    { "index": 10, "value": "Oct" },
    { "index": 11, "value": "Nov" },
    { "index": 12, "value": "Dec" },
  ]
}


Finally, I used a ruleset to apply this liblognorm pattern and use some 
internal Rsyslog scripting to build an RFC 3164 timestamp:


lookup_table(
  name="month-num-to-three-letters-lookup-table"
  file="/etc/rsyslog.d/month-num-to-three-letters-lookup-table.json"
  reloadonhup="off"
)

ruleset(
  name="extractData"
)
  {
    set 


$.pcc=re_extract($!metadata!filename,"/REP_RE

Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-22 Thread David Lang via rsyslog
8.24 was released back in 2017. RedHat has backported some fixes and features 
from newer versions of rsyslog (which were released every 6 weeks for years, 
now every 8 weeks), but only they track what is and isn't in there.


If you are going to really start using the power of rsyslog, I would suggest 
upgrading to the community version (it will be much easier than figuring out 
what features are and aren't in such an old version)


the time parsing is MUCH newer than 8.24, and there are a ton of new mmnormalize 
features that aren't in that old a version.


timezone handling is a headache still, glibc has internal functions to handle 
timezones, but they don't expose it to userspace in a way that lets userspace 
use arbitrary timezones (the functions are there, but they insist on using the 
system environment rather than something passed as a parameter)


overall, your approach works.

when you are considering sending the message back into rsyslog, you need to be 
VERY sure that you don't set up a message loop. The best way to do this is to 
have your imfile input go into a separate ruleset (with its own queue) so that 
there is no way for your output message to be re-processed.


thinking out loud, you may also want to look at the pmnormalize parser that lets 
the liblognorm parser populate the standard properties. I don't know that the 
time parsing you are dealing with here will work in that, but there has been 
some talk about implementing some time parsing code in mmnormalize that would 
use date-style fields, allowing for you to do what you are wanting in one step, 
but there hasn't been enough demand for it to rise to the top of the list for 
Adiscon to allocate manpower for it, and nobody has contributed the code or 
offered to sponsor development of it. (adiscon is a very small company, a half 
dozen or fewer people AFAIK)


David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 09:31:49 +0200
From: Adam Cecile via rsyslog 
To: rsyslog-users 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by mmnormalize

So for the record, here is my awful hack.

I'm parsing messages like "[21/05/2024 23:56:37]  [pcc->cct] 00100t7cc" 
from existing files using imfile and want to re-use the timestamp from 
msg payload in Rsyslog. Timestamp formatting is dd/mm/ HH:MM:ss in 
local server timezone



So first, I used mmnormalize with the following rule to extract 
individual timestamp fields:


rule=:[%day:number%/%month:number%/%year:number% 
%hour:number%:%minute:number%:%second:number%] 
[%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%



Then I used a custom static mapping table to convert month as digits 
into RFC 3164 "3 letters" month name:


{
  "version": 1,
  "nomatch": "",
  "type": "array",
  "table": [
    { "index": 1, "value": "Jan" },
    { "index": 2, "value": "Feb" },
    { "index": 3, "value": "Mar" },
    { "index": 4, "value": "Apr" },
    { "index": 5, "value": "May" },
    { "index": 6, "value": "Jun" },
    { "index": 7, "value": "Jul" },
    { "index": 8, "value": "Aug" },
    { "index": 9, "value": "Sep" },
    { "index": 10, "value": "Oct" },
    { "index": 11, "value": "Nov" },
    { "index": 12, "value": "Dec" },
  ]
}


Finally, I used a ruleset to apply this liblognorm pattern and use some 
internal Rsyslog scripting to build an RFC 3164 timestamp:


lookup_table(
  name="month-num-to-three-letters-lookup-table"
  file="/etc/rsyslog.d/month-num-to-three-letters-lookup-table.json"
  reloadonhup="off"
)

ruleset(
  name="extractData"
)
  {
    set $.pcc=re_extract($!metadata!filename,"/REP_RECORD_([a-z0-9]{2})/",0,1,"UNMATCHED_PCC");

    action(
  type="mmnormalize"
  path="$!extracted"
  rulebase="/etc/rsyslog.d/dsd-trace-parser.rules"
  useRawMsg="off"
    )
    set $!extracted!monthInt = cnum($!extracted!month);
    set $!extracted!dayInt = cnum($!extracted!day);
    if ($!extracted!dayInt < 10) then {
  set $!extracted!dayLeadingSpace = " " & $!extracted!dayInt;
    } else {
  set $!extracted!dayLeadingSpace = "" & $!extracted!dayInt;
    }
    set $!extracted!monthThreeLetters = 
lookup("month-num-to-three-letters-lookup-table", $!extracted!monthInt);
    set $!extracted!timestamp!rfc3164 = $!extracted!!monthThreeLetters 
& " " & $!extr
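The timestamp rebuild described in this thread, as an added Python example that is not part of Adam Cecile's configuration or of rsyslog itself: it parses the same "[dd/mm/yyyy HH:MM:ss] [src->dst] message" lines with a regular expression that stands in for the liblognorm rule (an assumed equivalent, deliberately tolerant of a leading space and of repeated spaces between fields, the pitfall David Lang points out earlier in the thread), maps the month number to its three-letter name the way the lookup table does, space-pads the day as the `dayLeadingSpace` branch does, validates the date, and returns None for a line that does not match. The sample lines are constructed for the example.

```python
"""Rebuild an RFC 3164 timestamp from a "[dd/mm/yyyy HH:MM:ss]" message prefix.

Added example, not code from the thread: it does in Python what the
mmnormalize rule, the month lookup table and the ruleset do in rsyslog
script, so each step can be checked outside rsyslog.
"""
import re
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Assumed regex equivalent of the liblognorm rule
#   rule=:[%day:number%/%month:number%/%year:number% %hour:number%:%minute:number%:%second:number%]
#         [%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%
# Leading whitespace is optional and field separators accept repeated
# spaces, so a msg that starts with a space (the common mmnormalize
# pitfall) or carries double spaces still matches.
TRACE_RE = re.compile(
    r"^\s*\[(?P<day>\d{1,2})/(?P<month>\d{1,2})/(?P<year>\d{4})"
    r"\s+(?P<hour>\d{1,2}):(?P<minute>\d{2}):(?P<second>\d{2})\]"
    r"\s+\[(?P<src>[^\]]*?)->(?P<dst>[^\]]*)\]\s+(?P<message>.*)$"
)


def parse_trace_line(msg: str):
    """Return the named fields as a dict, or None when the line does not match."""
    m = TRACE_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    for k in ("day", "month", "year", "hour", "minute", "second"):
        fields[k] = int(fields[k])          # same role as cnum() in the ruleset
    return fields


def rfc3164_timestamp(fields: dict) -> str:
    """'May 21 23:56:37': 3-letter month, space-padded day, HH:MM:SS."""
    month = fields["month"]
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range: {month}")
    # Reject impossible dates (e.g. 31/02) instead of emitting a bogus stamp.
    datetime(fields["year"], month, fields["day"],
             fields["hour"], fields["minute"], fields["second"])
    return (f"{MONTHS[month - 1]} {fields['day']:2d} "
            f"{fields['hour']:02d}:{fields['minute']:02d}:{fields['second']:02d}")


def rewrite_with_payload_time(msg: str, hostname: str, tag: str):
    """Build the RFC 3164 line the thread's template would emit, or None."""
    fields = parse_trace_line(msg)
    if fields is None:
        return None
    return f"{rfc3164_timestamp(fields)} {hostname} {tag}: {fields['message']}"


# Constructed sample lines in the shape quoted in the thread.
SAMPLES = [
    "[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc",   # double spaces, as in the debug output
    " [01/12/2024 07:05:09] [cct->pcc] reply ok",     # leading space, as imfile may deliver
    "no timestamp here at all",                       # must be reported as a non-match
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), "->", rewrite_with_payload_time(line, "gz-tuma", "trace.log"))
```

Feeding the exact `msg:` value from an RSYSLOG_DebugFormat line into `parse_trace_line` is a quick way to confirm whether the pattern, rather than the module wiring, is what fails; a None here means the regex (or the liblognorm rule it mirrors) needs adjusting to the real spacing.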

Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-21 Thread David Lang via rsyslog

Adam Cecile wrote:

You got it ! It does not like rules setting, switching to external file 
with rulebase works... Probably a too old version.


probably

It also does not seem to be able to set a path to nest new properties, 
but this is not really important.


that is not something that is currently supported, it's been a wish-list item of 
mine for years, but I haven't attempted coding it and haven't had the money to 
sponsor a fix (my suggestion is a fixup message modification module that goes 
through and fixes variable naming issues, if it has an embedded ! in it, make it 
nested, fix capitalization, deal with duplicates, etc)


David Lang


Thanks a lot for your help !

Btw, do you have any suggestion about how to re-compose a date-time object 
from the individual fields? I'd like to hear from you.


On 5/22/24 00:38, David Lang wrote:

if you do rsyslogd -N1 does it complain about anything?

David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 00:32:25 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by 
mmnormalize


Message is being parsed to a JSON object with all fields I have in the rule 
(e.g. year or dsd-message)... So I guess parsing works, it is just 
not run by my configuration file


On May 22, 2024 12:30:19 AM GMT+02:00, David Lang  wrote:

if you post that exact text into your liblognorm test, what do you get?

David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 00:24:08 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by 
mmnormalize


No ;-)

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'gz-tuma', PRI: 133,
syslogtag 'trace.log', programname: 'trace.log', APP-NAME: 
'trace.log', PROCID: '-', MSGID: '-',

TIMESTAMP: 'May 21 23:56:46', STRUCTURED-DATA: '-',
msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
escaped msg: '[21/05/2024 23:56:37]  [pcc->cct] 00100t7cc'
inputname: imfile rawmsg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
$!:{ "metadata": { "filename": "", "fileoffset": 
"3396674" } }

$.:{ "pcc": "t7" }
$/:

On 5/22/24 00:20, David Lang wrote:
if you look at the msg field in the RSYSLOG_DebugFormat output, 
you will see that it does have a leading space. your pattern doesn't


David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by 
mmnormalize


Just tried, no leading space, message is correct; however the log 
does not contain any trace indicating mmnormalize has tried to 
do something.

I guess it is just NOT active for some reason...

On 5/21/24 23:50, David Lang wrote:
log the message with RSYSLOG_DebugFormat so that you can see the 
variables that exist.


my guess is that your rule needs a leading space, because the 
msg field you are parsing starts with a space (a very common 
problem when you are starting to use mmnormalize)


David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:37:14 +0200
From: Adam Cecile via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Adam Cecile 
Subject: [rsyslog] Unable to re-use variable generated by 
mmnormalize


Hello,


I'm struggling to understand how to use mmnormalize module. My 
configuration snippet is the following:


template(name="recordRfc3164FileOutput" type="list") {
    property(name="timestamp" dateFormat="rfc3164")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$.pcc")
    constant(value="@")
    property(name="syslogtag")
    constant(value=":")
    constant(value=" ")
    property(name="msg")
    constant(value="\n")
}

ruleset(
  name="extractPccNameFromRecordLog"
)
  {
    set $.pcc=re_extract($!metadata!filename,"/record_([a-z0-9]{2})/",0,1,"UNMATCHED_PCC");

    action(
      type="mmnormalize"
      rule=["rule=:[%day:number%/%month:number%/%year:number% %hour:number%:%minutes:number%:%seconds:number%] [%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%"]
      useRawMsg="off"
    )
    action(
      type="omfile"
      dirCreateMode="0755"
      FileCreateMode="0644"
      File="/var/log/record.log"
      template="recordRfc3164FileOutput"
    )
  }

input(

Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-21 Thread David Lang via rsyslog

if you do rsyslogd -N1 does it complain about anything?

David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 00:32:25 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by mmnormalize

Message is being parsed to a JSON object with all fields I have in the rule (e.g. 
year or dsd-message)... So I guess parsing works, it is just not run by my 
configuration file

On May 22, 2024 12:30:19 AM GMT+02:00, David Lang  wrote:

if you post that exact text into your liblognorm test, what do you get?

David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 00:24:08 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by mmnormalize

No ;-)

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'gz-tuma', PRI: 133,
syslogtag 'trace.log', programname: 'trace.log', APP-NAME: 'trace.log', PROCID: 
'-', MSGID: '-',
TIMESTAMP: 'May 21 23:56:46', STRUCTURED-DATA: '-',
msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
escaped msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
inputname: imfile rawmsg: '[21/05/2024 23:56:37]  [pcc->cct] 00100t7cc'
$!:{ "metadata": { "filename": "", "fileoffset": "3396674" } }
$.:{ "pcc": "t7" }
$/:

On 5/22/24 00:20, David Lang wrote:

if you look at the msg field in the RSYSLOG_DebugFormat output, you will see 
that it does have a leading space. your pattern doesn't

David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by mmnormalize

Just tried, no leading space, message is correct; however the log does not 
contain any trace indicating mmnormalize has tried to do something.
I guess it is just NOT active for some reason...

On 5/21/24 23:50, David Lang wrote:

log the message with RSYSLOG_DebugFormat so that you can see the variables that 
exist.

my guess is that your rule needs a leading space, because the msg field you are 
parsing starts with a space (a very common problem when you are starting to use 
mmnormalize)

David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:37:14 +0200
From: Adam Cecile via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Adam Cecile 
Subject: [rsyslog] Unable to re-use variable generated by mmnormalize

Hello,


I'm struggling to understand how to use mmnormalize module. My configuration 
snippet is the following:

template(name="recordRfc3164FileOutput" type="list") {
    property(name="timestamp" dateFormat="rfc3164")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$.pcc")
    constant(value="@")
    property(name="syslogtag")
    constant(value=":")
    constant(value=" ")
    property(name="msg")
    constant(value="\n")
}

ruleset(
  name="extractPccNameFromRecordLog"
)
  {
    set $.pcc=re_extract($!metadata!filename,"/record_([a-z0-9]{2})/",0,1,"UNMATCHED_PCC");

    action(
      type="mmnormalize"
      rule=["rule=:[%day:number%/%month:number%/%year:number% %hour:number%:%minutes:number%:%seconds:number%] [%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%"]
      useRawMsg="off"
    )
    action(
      type="omfile"
      dirCreateMode="0755"
      FileCreateMode="0644"
      File="/var/log/record.log"
      template="recordRfc3164FileOutput"
    )
  }

input(
  type="imfile"
  file="/path/to/record_*/*.log"
  tag="trace.log"
  addmetadata="on"
  ruleset="extractPccNameFromRecordLog"
)

Extraction of the pattern from the imfile file path is working fine, and the 
mmnormalize rule is working fine too, according to my test using the 
"lognormalizer" command line tool.

So I guessed I would be able to replace property(name="msg") with 
property(name="$.dsd-message") or property(name="$!dsd-message"), but all I 
get is an empty string.

Is there something I missed ?


Thanks in advance,

Regards, Adam.


Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-21 Thread David Lang via rsyslog

if you post that exact text into your liblognorm test, what do you get?

David Lang

On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:


Date: Wed, 22 May 2024 00:24:08 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by mmnormalize

No ;-)

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'gz-tuma', PRI: 133,
syslogtag 'trace.log', programname: 'trace.log', APP-NAME: 'trace.log', 
PROCID: '-', MSGID: '-',

TIMESTAMP: 'May 21 23:56:46', STRUCTURED-DATA: '-',
msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
escaped msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
inputname: imfile rawmsg: '[21/05/2024 23:56:37]  [pcc->cct] 00100t7cc'
$!:{ "metadata": { "filename": "", "fileoffset": "3396674" } }
$.:{ "pcc": "t7" }
$/:

On 5/22/24 00:20, David Lang wrote:
if you look at the msg field in the RSYSLOG_DebugFormat output, you 
will see that it does have a leading space. your pattern doesn't


David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by 
mmnormalize


Just tried, no leading space, message is correct, however the log does 
not contain any trace indicating mmnormalize has tried to do something.

I guess it is just NOT active for some reason...

On 5/21/24 23:50, David Lang wrote:
log the message with RSYSLOG_DebugFormat so that you can see the 
variables that exist.


my guess is that your rule needs a leading space, because the msg 
field you are parsing starts with a space (a very common problem 
when you are starting to use mmnormalize)


David Lang


Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-21 Thread David Lang via rsyslog
if you look at the msg field in the RSYSLOG_DebugFormat output, you will see 
that it does have a leading space. your pattern doesn't


David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog 
To: Adam Cecile via rsyslog 
Cc: Adam Cecile 
Subject: Re: [rsyslog] Unable to re-use variable generated by mmnormalize

Just tried, no leading space, message is correct, however the log does 
not contain any trace indicating mmnormalize has tried to do something.

I guess it is just NOT active for some reason...

On 5/21/24 23:50, David Lang wrote:
log the message with RSYSLOG_DebugFormat so that you can see the 
variables that exist.


my guess is that your rule needs a leading space, because the msg 
field you are parsing starts with a space (a very common problem when 
you are starting to use mmnormalize)


David Lang


Re: [rsyslog] Unable to re-use variable generated by mmnormalize

2024-05-21 Thread David Lang via rsyslog
log the message with RSYSLOG_DebugFormat so that you can see the variables that 
exist.


my guess is that your rule needs a leading space, because the msg field you are 
parsing starts with a space (a very common problem when you are starting to use 
mmnormalize)


David Lang

On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:


Date: Tue, 21 May 2024 23:37:14 +0200
From: Adam Cecile via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Adam Cecile 
Subject: [rsyslog] Unable to re-use variable generated by mmnormalize

Hello,


I'm struggling to understand how to use mmnormalize module. My 
configuration snippet is the following:


template(name="recordRfc3164FileOutput" type="list") {
    property(name="timestamp" dateFormat="rfc3164")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$.pcc")
    constant(value="@")
    property(name="syslogtag")
    constant(value=":")
    constant(value=" ")
    property(name="msg")
    constant(value="\n")
}

ruleset(name="extractPccNameFromRecordLog") {
    set $.pcc = re_extract($!metadata!filename, "/record_([a-z0-9]{2})/", 0, 1, "UNMATCHED_PCC");

    action(
        type="mmnormalize"
        rule=["rule=:[%day:number%/%month:number%/%year:number% %hour:number%:%minutes:number%:%seconds:number%] [%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%"]
        useRawMsg="off"
    )
    action(
        type="omfile"
        dirCreateMode="0755"
        FileCreateMode="0644"
        File="/var/log/record.log"
        template="recordRfc3164FileOutput"
    )
}

input(
    type="imfile"
    file="/path/to/record_*/*.log"
    tag="trace.log"
    addmetadata="on"
    ruleset="extractPccNameFromRecordLog"
)

Extraction of the pattern from the imfile filepath is working fine, and the mmnormalize 
rule is working fine too, according to my test using the "lognormalizer" 
command line tool.


So I guessed I would be able to replace property(name="msg") with 
property(name="$.dsd-message") or property(name="$!dsd-message"), but all 
I get is an empty string.


Is there something I missed?


Thanks in advance,

Regards, Adam.


Re: [rsyslog] [Maybe OFF-TOPIC] Add TAG in syslogd/klogd

2024-05-05 Thread David Lang via rsyslog

On Sun, 5 May 2024, Alberto via rsyslog wrote:


On 5/5/24 at 22:02, David Lang wrote:
...
I only need to filter by source, but all fields (FROMHOST, HOSTNAME, 
FROMHOST-IP...) that could give me any information are useless because 
the Docker host IP appears, not the real source host IP, and I cannot populate 
fromhost (I've tried, anyway).


which end is on docker? the sender or the receiver?


Docker is the host of the rsyslog server container (receiver), which is the server.
The sender is the old system.


In that case, what you need to do is change your docker config so that rsyslog 
sees the real sender IP, you can NAT outbound from the docker container, but not 
inbound to it.


David Lang




if fromhost-ip isn't useful, then fromhost won't be either as it's a 
lookup from fromhost-ip


what is the sending system?

David Lang

PROGRAMNAME, SYSLOGTAG, APP-NAME... give me the app name, not source 
hostname information.


I have put "$PreserveFQDN on" directive thinking that it could be 
useful. I'll remove it.



Re: [rsyslog] [Maybe OFF-TOPIC] Add TAG in syslogd/klogd

2024-05-05 Thread David Lang via rsyslog

On Sun, 5 May 2024, Alberto via rsyslog wrote:


Hi David,

This system doesn't have any man pages.

I only need to filter by source, but all fields (FROMHOST, HOSTNAME, 
FROMHOST-IP...) that could give me any information are useless because 
the Docker host IP appears, not the real source host IP, and I cannot populate 
fromhost (I've tried, anyway).


which end is on docker? the sender or the receiver?

if fromhost-ip isn't useful, then fromhost won't be either as it's a lookup from 
fromhost-ip


what is the sending system?

David Lang

PROGRAMNAME, SYSLOGTAG, APP-NAME... give me the app name, not source hostname 
information.


I have put "$PreserveFQDN on" directive thinking that it could be 
useful. I'll remove it.



Re: [rsyslog] [Maybe OFF-TOPIC] Add TAG in syslogd/klogd

2024-05-05 Thread David Lang via rsyslog

On Sun, 5 May 2024, Alberto via rsyslog wrote:

I have a host with very old firmware that I cannot update, with 
syslogd/klogd 1.5.0.


I'm sending its logs to a remote rsyslog server (a Docker container 
actually), but when I filter to get files by hostname/source IP..., I 
don't get the real "hostname" or "Fromhost" because it gives me the host's IP. 
This is a debug example:



"Debug line with all properties:
FROMHOST: '172.22.0.1'
HOSTNAME: '172.22.0.1'
PROGRAMNAME: 'upsmon'
FROMHOST-IP: '172.22.0.1'
SYSLOGTAG: 'upsmon[27392]:-'
APP-NAME: 'upsmon'
PROCID: '27392'
MSGID: '-'
INPUTNAME: 'imudp'
PRI: '27'
STRUCTURED-DATA: -',
MSG: ' Poll UPS [ups@xxx] failed - [ups] does not exist on server 
xx',
RAWMSG: '<27>upsmon[27392]: Poll UPS [ups@xx] failed - [ups] 
does not exist on server xxx"


so this rawmsg field is showing that the sender is not formatting the message 
correctly, the timestamp and hostname are missing from the message. The good 
news is that they are missing in a way that rsyslog can detect that it's 
malformed, so you aren't getting hostnames like 'upsmon' or 'Poll'


fromhost is generated by doing a name lookup of fromhost-ip so if you setup a 
/etc/hosts or DNS entry you can populate fromhost


I thought about adding a TAG on the source host, but I don't know how to do it 
in such an old syslogd/klogd.


the syslogtag is upsmon, I don't know what options there are to change the 
formatting on that system, syslogd is very old and I'm surprised it's not 
sending valid messages.



This is the old source host configuration:

root@buffalo:~# cat /etc/syslog.conf
#cron.*  /var/log/cron
#user.info   /var/log/linkstation.log
*.emerg *
#local0.*   /var/log/linkstation.log
local6.*    /var/log/file.smb
local7.*    /var/log/backup.log
*.info;cron.none;user.none;local6.none  /var/log/messages

$PreserveFQDN on
*.* @192.168.1.2


$PreserveFQDN is not valid for syslogd that I know of, what happens if you 
remove it?


are there any man pages for syslog.conf on that system?

David Lang



Any Idea?

Best Regards,

Alberto


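A small diagnostic for the RSYSLOG_DebugFormat dumps that David asks for in both this thread and the mmnormalize thread above: it parses the dump, checks whether msg carries the leading space he mentions, whether a $. or $! variable (such as $.dsd-message) was actually produced, and which RFC 3164 header parts the raw message lacks. This is an added example, not code from rsyslog or from the posters; the two samples are re-typed from the posts, and the TIMESTAMP value in the UDP sample is made up because the post omits it.

```python
import json
import re

# Constructed sample: the RSYSLOG_DebugFormat dump posted in the mmnormalize thread
# (imfile input; $.pcc was set by re_extract, nothing from mmnormalize is present).
IMFILE_DEBUG = """Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'gz-tuma', PRI: 133,
syslogtag 'trace.log', programname: 'trace.log', APP-NAME: 'trace.log', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 21 23:56:46', STRUCTURED-DATA: '-',
msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
escaped msg: '[21/05/2024 23:56:37]  [pcc->cct]  00100t7cc'
inputname: imfile rawmsg: '[21/05/2024 23:56:37]  [pcc->cct] 00100t7cc'
$!:{ "metadata": { "filename": "", "fileoffset": "3396674" } }
$.:{ "pcc": "t7" }
$/:
"""

# Constructed sample: the old syslogd/klogd sender from the Docker thread, re-typed in
# the standard DebugFormat layout; the TIMESTAMP value is made up (the post omits it).
UDP_DEBUG = """Debug line with all properties:
FROMHOST: '172.22.0.1', fromhost-ip: '172.22.0.1', HOSTNAME: '172.22.0.1', PRI: 27,
syslogtag 'upsmon[27392]:', programname: 'upsmon', APP-NAME: 'upsmon', PROCID: '27392', MSGID: '-',
TIMESTAMP: 'May  5 22:00:00', STRUCTURED-DATA: '-',
msg: ' Poll UPS [ups@xxx] failed - [ups] does not exist on server xx'
escaped msg: ' Poll UPS [ups@xxx] failed - [ups] does not exist on server xx'
inputname: imudp rawmsg: '<27>upsmon[27392]: Poll UPS [ups@xxx] failed - [ups] does not exist on server xx'
$!:
$.:
$/:
"""

# NAME: 'value' pairs; a value ends at a quote followed by a comma or end of line.
QUOTED = re.compile(r"(?P<k>escaped msg|[\w$!./-]+):? '(?P<v>.*?)'(?=,|$)", re.M)
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day, then one space.
RFC3164_TS = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def parse_debug_format(dump):
    """Turn one RSYSLOG_DebugFormat dump into a dict of property name -> value.

    Quoted properties come from the NAME: 'value' pairs, PRI and inputname are
    unquoted, and the $!, $. and $/ trees are parsed as JSON ({} when empty).
    A value containing a quote followed by a comma would confuse the simple regex.
    """
    props = {k: v for k, v in QUOTED.findall(dump)}
    m = re.search(r"PRI: (\d+),", dump)
    props["PRI"] = int(m.group(1)) if m else None
    m = re.search(r"^inputname: (\S+) rawmsg:", dump, re.M)
    props["inputname"] = m.group(1) if m else None
    for tree in ("$!", "$.", "$/"):
        m = re.search(r"^" + re.escape(tree) + r":(.*)$", dump, re.M)
        body = m.group(1).strip() if m else ""
        props[tree] = json.loads(body) if body else {}
    return props


def msg_has_leading_space(props):
    """The common mmnormalize pitfall: msg keeps the space that followed the tag."""
    return props["msg"].startswith(" ")


def variable_set(props, name):
    """True when a $!name or $.name variable exists, i.e. a module really produced it."""
    tree = props["$!"] if name.startswith("$!") else props["$."]
    return name[2:] in tree


def rawmsg_header_issues(rawmsg):
    """List the RFC 3164 header parts missing from a raw message (pri, timestamp,
    hostname, tag). A sender that omits TIMESTAMP and HOSTNAME, like the old
    syslogd above, is what makes rsyslog fall back to the peer IP for HOSTNAME."""
    m = re.match(r"<\d{1,3}>", rawmsg)
    if not m:
        return ["pri"]
    rest, issues = rawmsg[m.end():], []
    ts = RFC3164_TS.match(rest)
    if ts:
        rest = rest[ts.end():]
    else:
        issues.append("timestamp")
    host = re.match(r"[^\s:\[]+ ", rest)  # a bare token, not "tag[pid]:"
    if host:
        rest = rest[host.end():]
    else:
        issues.append("hostname")
    if not re.match(r"[\w./-]+(\[\d+\])?: ", rest):
        issues.append("tag")
    return issues
```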

Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since upgrade to ubuntu20

2024-04-23 Thread David Lang via rsyslog
I'm pretty sure this is one of the areas affected by the improvements since 2020 
in imfile.


David Lang

On Tue, 23 Apr 2024, Ian Diddams via rsyslog wrote:


Date: Tue, 23 Apr 2024 14:10:32 +
From: Ian Diddams via rsyslog 
To: John Chivian ,
rsyslog-users 
Cc: Ian Diddams 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20

John - think that’s the badger!!

the logrotate.d file has been in use for about a decade AIUI but only now has it failed 
to work properly - which either suggests rsyslog wasn’t really that choosy before 
ubuntu20/latest rsyslog version but now is...  or "we" got lucky somehow.

Anyway I've updated the rotate config on the client to

postrotate
stop rsyslog
remove imfile
blat the logs
recreate the logs
restart rsyslog


and it seems to be doing what it is supposed to do now.

I'll keep a beady eye on it over the next few days.

Cheers!
-Original Message-
From: John Chivian 
Sent: Monday, April 22, 2024 11:02 PM
To: rsyslog-users 
Cc: Ian Diddams 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since 
upgrade to ubuntu20

If a file is rotated without rsyslog’s knowledge the state file becomes out of 
date.  The state file is just a high-water mark for the file and is not 
guaranteed to be updated in all cases.

State files are created in the statefile.directory and are conveniently named 
imfile-state* where the rest of the file name is a unique identifier that is 
specific to the input file.

If a log file is truncated, and the state file does not update, rsyslog won’t 
process new file content until the file reaches the previous high water size.  
You can see this in the state file itself as they are simply JSON objects 
containing offset values.

Our solution (for these file based instances) was to stop rsyslog, then 
rotate/delete the log file, then delete the state file, then restart rsyslog.

Regards,



On Apr 22, 2024, at 16:22, Ian Diddams via rsyslog  
wrote:


Having experienced something similar a few years ago (imfile not seeing new 
messages added to a certain log file), I'll throw this idea: in my case, it was 
because the statefile associated with this log file got corrupted or 
something. Granted, I was messing around with the log file that imfile was 
watching.
Deleting the statefile and restarting rsyslog unlocked the situation. If you do 
so, keep in mind that the whole log file will be processed as if it was a new 
file.


For clarity, in my examples, do you mean by statefile


   statefile.directory = "/var/log/node"

or

   file = "/var/log/node/Tlog.log"


Cheers

ian

On 2024-04-22 10:42, Ian Diddams via rsyslog wrote :

specifically look for 127.0.0.1 or localhost

see previous message .  Nothing.


OK, I've just set this up


local4.*  /tmp/Tlocal.log

I created that log and chmod 777 for it to remove any silly potential
issues

and restarted rsyslog on the central server

No change.  Client logs have new entries.  Server /var/log/Tlocal.log
doesn’t at all.

So it's either the server not accepting what is sent on local4 - but
"logger -p local4.info " on the client DOES get centrally
logged so that’s unlikely OR the client config isn’t capturing the
additions to that local log for sending i.e.

module(
   load = "imfile"
   pollingInterval = "1"
   statefile.directory = "/var/log/node"
)

input(
   type = "imfile"
   tag = "tserv-stdout"
   facility = "local4"
   severity = "info"
   file = "/var/log/node/Tlog.log"
)

cheers

ian
-Original Message-
From: rsyslog  On Behalf Of David
Lang via rsyslog
Sent: Friday, April 19, 2024 12:44 PM
To: David Lang via rsyslog 
Cc: David Lang 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic
since upgrade to ubuntu20

specifically look for 127.0.0.1 or localhost

If you can log anything that's local4 on the server to a single file
(ideally using the template RSYSLOG_DebugFormat so we can see all the
variables that are parsed from it) it may be easier to find the log
than your current dynafile approach that puts them in different
directories based on the hostname.

David Lang
Confidentiality notice: This email (and any attachment) is intended
for the
addressee(s) named above. It may contain information of a
confidential or legally privileged nature. Unauthorised disclosure or
use of this email (or any attachment) is prohibited and may be
unlawful. If you are not the intended recipient, please delete the
email from your systems, destroy any copies and inform the sender
immediately. Privacy
notice: To find information on how we collect, process and store
data, please see our privacy statement on our website
https://www.celebrus.com/privacy-statement
Disclaimer: All attachments have been scanned for viruses. However,
Celebrus Technologies Plc cannot accept liability 
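A check for the stale state file condition John Chivian describes above: compare the offset recorded in each imfile-state file with the watched file's current size, and report files that were truncated or replaced behind rsyslog's back. This is an added example, not rsyslog's code; the JSON key names "filename" and "curr_offs" (with "offset" as a fallback) are assumptions about the state-file layout, since the post only says the files are JSON objects holding offset values.

```python
import glob
import json
import os
import tempfile


def state_verdict(state, file_size):
    """Compare one imfile state object with the watched file's current size.

    Returns ("stuck", gap) when the recorded offset lies past the end of the file:
    the file was truncated or replaced without rsyslog noticing, and imfile reads
    nothing new until the file grows past that old high-water mark.
    ("backlog", n) means n bytes are written but not yet read; ("ok", 0) otherwise.
    The key names "curr_offs"/"offset" are assumptions about the state-file layout.
    """
    offset = int(state.get("curr_offs", state.get("offset", 0)))
    if offset > file_size:
        return ("stuck", offset - file_size)
    if offset < file_size:
        return ("backlog", file_size - offset)
    return ("ok", 0)


def scan_state_dir(state_dir):
    """Read every imfile-state* file in state_dir (the statefile.directory or
    workDirectory) and map the watched file's basename to its verdict.
    A watched file that no longer exists is reported as ("missing", 0)."""
    results = {}
    for path in sorted(glob.glob(os.path.join(state_dir, "imfile-state*"))):
        with open(path) as fh:
            state = json.load(fh)
        watched = state.get("filename", "")  # "filename" key is assumed as well
        try:
            size = os.path.getsize(watched)
        except OSError:
            results[os.path.basename(watched) or path] = ("missing", 0)
            continue
        results[os.path.basename(watched)] = state_verdict(state, size)
    return results


def run_demo():
    """Constructed fixture: a healthy log, one rotated behind rsyslog's back, and
    one whose state file outlived the log. The remedy the thread settled on is:
    stop rsyslog, rotate or delete the log, delete the stale imfile-state file,
    restart rsyslog (the whole file is then read again as new)."""
    with tempfile.TemporaryDirectory() as tmp:
        healthy = os.path.join(tmp, "healthy.log")
        rotated = os.path.join(tmp, "Tlog.log")
        with open(healthy, "w") as fh:
            fh.write("line one\nline two\n")          # 18 bytes, fully read
        with open(rotated, "w") as fh:
            fh.write("new line after logrotate\n")   # 25 bytes, old mark was 4096
        states = {
            "imfile-state:healthy": {"filename": healthy, "curr_offs": 18},
            "imfile-state:Tlog": {"filename": rotated, "curr_offs": 4096},
            "imfile-state:gone": {"filename": os.path.join(tmp, "gone.log"), "curr_offs": 7},
        }
        for name, state in states.items():
            with open(os.path.join(tmp, name), "w") as fh:
                json.dump(state, fh)
        return scan_state_dir(tmp)
```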

Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since upgrade to ubuntu20

2024-04-22 Thread David Lang via rsyslog
depending on your distro SELinux or AppArmor may be preventing rsyslog from 
writing to /tmp, stick it in /var/log to avoid that.


can you get a short debug dump during a time that you send such a log?

just to be sure, this local4 is not showing up on the client, but is showing up 
on the central server??


David Lang


On Mon, 22 Apr 2024, Ian Diddams via rsyslog wrote:


Date: Mon, 22 Apr 2024 08:42:00 +
From: Ian Diddams via rsyslog 
To: rsyslog-users 
Cc: Ian Diddams 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20


specifically look for 127.0.0.1 or localhost

see previous message .  Nothing.


OK, I've just set this up


local4.*  /tmp/Tlocal.log

I created that log and chmod 777 for it to remove any silly potential issues

and restarted rsyslog on the central server

No change.  Client logs have new entries.  Server /var/log/Tlocal.log doesn’t 
at all.

So it's either the server not accepting what is sent on local4 - but "logger -p 
local4.info " on the client DOES get centrally logged so that’s unlikely
OR
the client config isn’t capturing the additions to that local log for sending
i.e.

module(
   load = "imfile"
   pollingInterval = "1"
   statefile.directory = "/var/log/node"
)

input(
   type = "imfile"
   tag = "tserv-stdout"
   facility = "local4"
   severity = "info"
   file = "/var/log/node/Tlog.log"
)

cheers

ian
-Original Message-
From: rsyslog  On Behalf Of David Lang via 
rsyslog
Sent: Friday, April 19, 2024 12:44 PM
To: David Lang via rsyslog 
Cc: David Lang 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since 
upgrade to ubuntu20

specifically look for 127.0.0.1 or localhost

If you can log anything that's local4 on the server to a single file (ideally 
using the template RSYSLOG_DebugFormat so we can see all the variables that are 
parsed from it) it may be easier to find the log than your current dynafile 
approach that puts them in different directories based on the hostname.

David Lang

Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since upgrade to ubuntu20

2024-04-22 Thread David Lang via rsyslog

On Mon, 22 Apr 2024, Ian Diddams wrote:


 Is there any chance that they are getting logged under a different hostname?


I've done an extensive search in the rsyslog server this morning, and the 
answer is sadly no.


try logging the local4 facility to a different, fixed file (rather than a 
dynamic filename)


David Lang


Re: [rsyslog] Too many queue files

2024-04-19 Thread David Lang via rsyslog

This is showing that your omfwd is running into grief delivering messages.

I have also seen the queue sizes exceed what's configured by a few percentage, I 
don't know the reason for that. I suspect that it has something to do with the 
batch size and batches being counted rather than individual messages (at least 
in some cases), I know rate limiting is based on batches rather than individual 
messages, but didn't think queue size checking worked that way.


David Lang

On Fri, 19 Apr 2024, Tan Mientras via rsyslog wrote:


Date: Fri, 19 Apr 2024 14:12:36 +0200
From: Tan Mientras via rsyslog 
To: rsyslog-users 
Cc: Tan Mientras 
Subject: Re: [rsyslog] Too many queue files

A brief update:
Upgraded to v8.2404.0. After a few minutes running, statistics seems to
show interesting info:

Fri Apr 19 13:56:38 2024: imudp(w0): origin=imudp called.recvmmsg=9768601
called.recvmsg=0 msgs.received=18432627
Fri Apr 19 13:57:38 2024: global: origin=dynstats
Fri Apr 19 13:57:38 2024: global: origin=percentile
Fri Apr 19 13:57:38 2024: TCP-mytarget-10514: origin=omfwd
bytes.sent=9803793720
Fri Apr 19 13:57:38 2024: action-0-builtin:omfwd: origin=core.action
processed=17587820 failed=14461 suspended=1 suspended.duration=30 resumed=1
Fri Apr 19 13:57:38 2024: imudp(*/514/IPv4): origin=imudp
submitted=18715432 disallowed=0
Fri Apr 19 13:57:38 2024: imtcp(601): origin=imtcp submitted=0
Fri Apr 19 13:57:38 2024: imrelp(20514): origin=imrelp submitted=0
Fri Apr 19 13:57:38 2024: resource-usage: origin=impstats utime=214055198
stime=132473541 maxrss=156440 minflt=261166 majflt=28768 inblock=15373224
oublock=16853048 nvcsw=6683983 nivcsw=10414022 openfiles=16
Fri Apr 19 13:57:38 2024: ruleset[DA]: origin=core.queue size=1030656
enqueued=9118705 full=7590 discarded.full=4 discarded.nf=0 maxqsize=1080585
Fri Apr 19 13:57:38 2024: ruleset: origin=core.queue size=10
enqueued=18715430 full=6983 discarded.full=5 discarded.nf=0 maxqsize=10
Fri Apr 19 13:57:38 2024: main Q[DA]: origin=core.queue size=0 enqueued=0
full=0 discarded.full=0 discarded.nf=0 maxqsize=0
Fri Apr 19 13:57:38 2024: main Q: origin=core.queue size=0 enqueued=0
full=0 discarded.full=0 discarded.nf=0 maxqsize=0
Fri Apr 19 13:57:38 2024: imudp(w0): origin=imudp called.recvmmsg=9924190
called.recvmsg=0 msgs.received=18715432
Fri Apr 19 13:58:38 2024: global: origin=dynstats
Fri Apr 19 13:58:38 2024: global: origin=percentile
Fri Apr 19 13:58:38 2024: TCP-mytarget-10514: origin=omfwd
bytes.sent=9982666166
Fri Apr 19 13:58:38 2024: action-0-builtin:omfwd: origin=core.action
processed=17897068 failed=14461 suspended=1 suspended.duration=30 resumed=1
Fri Apr 19 13:58:38 2024: imudp(*/514/IPv4): origin=imudp
submitted=19017066 disallowed=0
Fri Apr 19 13:58:38 2024: imtcp(601): origin=imtcp submitted=0
Fri Apr 19 13:58:38 2024: imrelp(20514): origin=imrelp submitted=0
Fri Apr 19 13:58:38 2024: resource-usage: origin=impstats utime=217781728
stime=134680589 maxrss=156604 minflt=262499 majflt=29146 inblock=15656880
oublock=17128640 nvcsw=6793159 nivcsw=10589931 openfiles=15
*Fri Apr 19 13:58:38 2024: ruleset[DA]: origin=core.queue size=1029133
enqueued=9264638 full=7733 discarded.full=4 discarded.nf=0 maxqsize=1080585 *
Fri Apr 19 13:58:38 2024: ruleset: origin=core.queue size=93391
enqueued=19017044 full=7109 discarded.full=5 discarded.nf=0 maxqsize=10
Fri Apr 19 13:58:38 2024: main Q[DA]: origin=core.queue size=0 enqueued=0
full=0 discarded.full=0 discarded.nf=0 maxqsize=0
Fri Apr 19 13:58:38 2024: main Q: origin=core.queue size=0 enqueued=0
full=0 discarded.full=0 discarded.nf=0 maxqsize=0
Fri Apr 19 13:58:38 2024: imudp(w0): origin=imudp called.recvmmsg=10081057
called.recvmsg=0 msgs.received=19017066

*Why is size(=1029133) greater than configured queue.size(="10")? Am I
missing something?*
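An impstats checker for the counters quoted above: it parses the lines and flags queues whose size exceeds the configured queue.size, any discards, queues that reported full, and an action whose delivery is failing or suspended (the omfwd trouble David points at). This is an added example, not rsyslog's or the poster's code; the sample lines are re-joined from the post, and the configured size of 1,000,000 passed in the test is a constructed value.

```python
import re

# Constructed sample: one impstats cycle from the thread above, re-joined onto
# single lines (the post wrapped them); the tiny maxqsize on "ruleset" is as posted.
SAMPLE = """\
Fri Apr 19 13:57:38 2024: TCP-mytarget-10514: origin=omfwd bytes.sent=9803793720
Fri Apr 19 13:57:38 2024: action-0-builtin:omfwd: origin=core.action processed=17587820 failed=14461 suspended=1 suspended.duration=30 resumed=1
Fri Apr 19 13:57:38 2024: imudp(*/514/IPv4): origin=imudp submitted=18715432 disallowed=0
Fri Apr 19 13:57:38 2024: ruleset[DA]: origin=core.queue size=1030656 enqueued=9118705 full=7590 discarded.full=4 discarded.nf=0 maxqsize=1080585
Fri Apr 19 13:57:38 2024: ruleset: origin=core.queue size=10 enqueued=18715430 full=6983 discarded.full=5 discarded.nf=0 maxqsize=10
Fri Apr 19 13:57:38 2024: main Q: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0
"""

# "<timestamp>: <object name>: origin=<module> key=value ..."; the object name may
# itself contain colons (action-0-builtin:omfwd), so match lazily up to ": origin=".
LINE = re.compile(r"^(?P<ts>.+?): (?P<name>.+?): origin=(?P<origin>\S+)(?P<rest>.*)$")


def parse_impstats(text):
    """Parse impstats log lines into dicts holding ts, name, origin and the counters.
    Counter values that look like integers are converted; others stay strings."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = {"ts": m.group("ts"), "name": m.group("name"), "origin": m.group("origin")}
        for key, val in re.findall(r"(\S+)=(\S+)", m.group("rest")):
            rec[key] = int(val) if val.lstrip("-").isdigit() else val
        records.append(rec)
    return records


def findings(records, configured_queue_size):
    """Flag the conditions discussed in the thread as (object name, code) pairs:
    size_over_limit   a queue whose size is above the configured queue.size
    discarded         discarded.full or discarded.nf is non-zero (messages lost)
    full              the queue reported full at least once
    delivery_failing  an action with failed or suspended counts (here omfwd)"""
    out = []
    for r in records:
        if r["origin"] == "core.queue":
            if r.get("size", 0) > configured_queue_size:
                out.append((r["name"], "size_over_limit"))
            if r.get("discarded.full", 0) or r.get("discarded.nf", 0):
                out.append((r["name"], "discarded"))
            if r.get("full", 0):
                out.append((r["name"], "full"))
        elif r["origin"] == "core.action":
            if r.get("failed", 0) or r.get("suspended", 0):
                out.append((r["name"], "delivery_failing"))
    return out
```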


Re: [rsyslog] Too many queue files

2024-04-19 Thread David Lang via rsyslog

stats every 60s is not a problem

I think Rainer or someone else from Adiscon will need to weigh in. They are 
based in Germany so we may not see anything from them until after the weekend.


your explanation of the watermarks is not quite how I've understood them, but I 
haven't used them much (I just size my queues and disk space to not need to use 
them)


I'm not sure off the top of my head what is supposed to happen when you hit the 
disk limit. I think it stops writing new messages to disk, not that it starts 
throwing them away at that point.


In any case, it looks like you have a longstanding problem of not being able to 
deliver your messages (causing the queues to build).


David Lang

On Fri, 19 Apr 2024, Tan Mientras via rsyslog wrote:


Hi.

Long time no see!

A few months ago we deployed an opensearch cluster fed by rsyslog and
left it running without giving it any attention, to be honest.
Today we realized it wasn't working and while reviewing things I noticed a
weird thing with rsyslog.
*Rsyslog is creating MANY (so many a simple "ls" gets stuck)
queue.xxxnumber files on disk.* Probably there's something wrong with our
configuration, but it is definitely not working as I expected.

find /nfs/rsyslog/ -type f | wc -l results in *649420* queue.xxx files
du -sh /nfs/rsyslog/ results in *10T* (gladly, its an old synology)


*rsyslog -v (I should probably upgrade, yeah...)*
rsyslogd  8.2302.0 (aka 2023.02) compiled with:
PLATFORM: x86_64-pc-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Config file: /etc/rsyslog.conf
PID file: /var/run/rsyslogd.pid
Number of Bits in RainerScript integers: 64


*Configuration (I think is better to paste it complete, sorry if I'm
wrong):*
# https://www.rsyslog.com/doc/master/configuration/modules/omstdout.html
#module(load="omstdout")
# http://www.rsyslog.com/doc/v8-stable/configuration/modules/impstats.html
# http://www.rsyslog.com/rsyslog-statistic-counter/
# http://www.rsyslog.com/impstats-analyzer/
module(load="impstats" log.file="/logs/rsyslog-stats.log" interval="60"
log.syslog="off")

# http://www.rsyslog.com/doc/master/rainerscript/global.html
global(
 workDirectory="/data"
 # http://www.rsyslog.com/doc/v8-stable/troubleshooting/debug.html
 environment=["RSYSLOG_DEBUGLOG=/logs/rsyslog-debug.log",
"RSYSLOG_DEBUG=DebugOnDemand NoStdOut"]
 MaxMessageSize="128k"
 internalmsg.ratelimit.interval="1"
 internalmsg.ratelimit.burst="10"

 # http://www.rsyslog.com/doc/rsconf1_escapecontrolcharactersonreceive.html
 parser.escapeControlCharactersOnReceive="off"

 # This controls whether slashes in the "programname" property are permitted
 # or not. This property bases on a BSD concept, and by BSD syslogd sources,
 # slashes are NOT permitted inside the program name. However, some Linux
 # tools (including most importantly the journal) store slashes as part of
 # the program name inside the syslogtag. In those cases, the programname is
 # truncated at the first slash. If this setting is changed to "on", slashes
 # are permitted and will not terminate programname parsing.
 #parser.permitSlashInHostname="on"

 # This controls whether slashes in the static part of the tag are permitted
 # or not. If this setting is off, a value of "app/foo[1234]" in the tag will
 # result in a programname of "app". If an application stores an absolute
 # path name like "/app/foo[1234]", the programname property will become
 # empty (""). If you need to actually store slashes as part of the
 # programname, this setting should be changed to "on" to permit this. Then,
 # a syslogtag of "/app/foo[1234]" will result in programname being
 # "/app/foo".
 parser.permitSlashInProgramName="on"
)

main_queue(
 queue.filename="main"
 queue.maxdiskspace="4G"
 queue.saveonshutdown="on"
 queue.lowwatermark="1"
 queue.highwatermark="6"
 queue.size="10"
 queue.type="LinkedList"
 queue.fulldelaymark="9"
 queue.lightdelaymark="75000"
 #TODO queue.dequeuebatchsize="1
 #IIUC: writes in disk when memory reaches highwatermark
 #If disk becomes full, we have 2 options:
 # - Dont accept any more messages, using fulldelaymark
 # - Reject messages
 #WARN: if bigger than fulldelay, will never discard
 #queue.discardmark="9750"
 #queue.discardseverity="8"
)

#TODO us

Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since upgrade to ubuntu20

2024-04-19 Thread David Lang via rsyslog

specifically look for 127.0.0.1 or localhost

If you can log anything that's local4 on the server to a single file (ideally 
using the template RSYSLOG_DebugFormat so we can see all the variables that are 
parsed from it) it may be easier to find the log than your current dynafile 
approach that puts them in different directories based on the hostname.


David Lang


On Fri, 19 Apr 2024, David Lang via rsyslog wrote:


Date: Fri, 19 Apr 2024 03:59:53 -0700 (PDT)
From: David Lang via rsyslog 
To: Ian Diddams via rsyslog 
Cc: David Lang 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20

Is there any chance that they are getting logged under a different hostname?

David Lang

On Fri, 19 Apr 2024, Ian Diddams via rsyslog wrote:


Date: Fri, 19 Apr 2024 09:24:03 +
From: Ian Diddams via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Ian Diddams 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20

Rsyslog tries very hard to not break backwards compatibility, so you 
should not have needed to change the config. There have been bugs over the 
years, but in general, a config should just keep working.


That of course makes perfect sense.  Though as it turned out - come the 
upgrade 18 -> 20 ...  it didn’t work at all.




That seemed to fix matters - logs to Tlog.log on the client were
appearing in the central syslog log as well.

good, that should mean that the new style config is working


It should.

But ...  it ain't now



other logs from the same systems?

other system logs handled by rsyslog.conf all work as expected.
Adding local4.* to that /var/log/node/Tlog.log works for
  logger -p local4.info TEST
AND
  that log gets held centrally.

But the app that writes to /var/log/node/Tlog.log doesn’t use native 
local4. ...  no idea what it does but it writes direct to Tlog.log 
(that’s down to devs years ago etc I'd imagine)



This is a good start. But at this point I am not understanding the 
problem. You say that with this config it is logging both locally and 
centrally as expected, what isn't working as expected?



No.

anything set up "as standard" in rsyslog.conf works, and logs centrally. 

As expected.


This Tlog.log is written to via some other means

There is a historical config (up to Ubuntu 18) where a rsyslog.d config 
file using imfile DID work and logged centrally


Then that stopped working on the upgrade to Ubuntu 20.
But we found that a different working configuration was required - so 
implemented that and the devs tell me it all then worked.


But a week or so ago that updated config stopped working.

ie the imfile stuff to capture a non-standard rsyslog log no longer works.


based on your test, it sounds as if imfile is reading things, but not 
matching something else on your central system. can you provide more info 
about the config there?


You asked!  😉


#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#   For more information see
#   /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$ModLoad imrelp
$InputRELPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup adm

#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

$template syslog,"/var/log/external/%fromhost%/syslog-%$YEAR%%$MONTH%%$DAY%.log"
$template apacheError,"/var/log/external/%fromhost%/apache/%programname%-error-%$YEAR%%$MONTH%%$DAY%.log"
$template apacheAccess,"/var/log/external/%fromhost%/apache/%programname%-access-%$YEAR%%$MONTH%%$DAY%.log"
$template mailError,"/var/log/external/%fromhost%/mail/error-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeStd,"/var/log/external/%fromhost%/node/TStd-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeTService,"/var/log/external/%fromhost%/node/TLog-%$YEAR%%$MONTH%%$DAY%.log"


local4.

Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since upgrade to ubuntu20

2024-04-19 Thread David Lang via rsyslog

Is there any chance that they are getting logged under a different hostname?

David Lang

On Fri, 19 Apr 2024, Ian Diddams via rsyslog wrote:


Date: Fri, 19 Apr 2024 09:24:03 +
From: Ian Diddams via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Ian Diddams 
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20


Rsyslog tries very hard to not break backwards compatibility, so you should not have 
needed to change the config. There have been bugs over the years, but in 
general, a config should just keep working.


That of course makes perfect sense.  Though as it turned out - come the upgrade 
18 -> 20 ...  it didn’t work at all.



That seemed to fix matters - logs to Tlog.log on the client were
appearing in the central syslog log as well.

good, that should mean that the new style config is working


It should.

But ...  it ain't now



other logs from the same systems?

other system logs handled by rsyslog.conf all work as expected.
Adding local4.* to that /var/log/node/Tlog.log works for
  logger -p local4.info TEST
AND
  that log gets held centrally.

But the app that writes to /var/log/node/Tlog.log doesn’t use native 
local4. ...  no idea what it does but it writes direct to Tlog.log 
(that’s down to devs years ago etc I'd imagine)



This is a good start. But at this point I am not understanding the problem. You say 
that with this config it is logging both locally and centrally as expected, what 
isn't working as expected?



No.

anything set up "as standard" in rsyslog.conf works, and logs centrally.  As 
expected.

This Tlog.log is written to via some other means

There is a historical config (up to Ubuntu 18) where a rsyslog.d config file 
using imfile DID work and logged centrally

Then that stopped working on the upgrade to Ubuntu 20.
But we found that a different working configuration was required - so 
implemented that and the devs tell me it all then worked.

But a week or so ago that updated config stopped working.

ie the imfile stuff to capture a non-standard rsyslog log no longer works.



based on your test, it sounds as if imfile is reading things, but not matching 
something else on your central system. can you provide more info about the config 
there?


You asked!  😉


#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#   For more information see
#   /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$ModLoad imrelp
$InputRELPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup adm

#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

$template syslog,"/var/log/external/%fromhost%/syslog-%$YEAR%%$MONTH%%$DAY%.log"
$template apacheError,"/var/log/external/%fromhost%/apache/%programname%-error-%$YEAR%%$MONTH%%$DAY%.log"
$template apacheAccess,"/var/log/external/%fromhost%/apache/%programname%-access-%$YEAR%%$MONTH%%$DAY%.log"
$template mailError,"/var/log/external/%fromhost%/mail/error-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeStd,"/var/log/external/%fromhost%/node/TStd-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeTService,"/var/log/external/%fromhost%/node/TLog-%$YEAR%%$MONTH%%$DAY%.log"

local4.* ?nodeService
#& ~
& stop

local5.* ?nodeStd
#& ~
& stop

local7.* ?apacheError
#& ~
& stop

local6.* ?apacheAccess
#& ~
& stop

*.* ?syslog

That hasn’t changed for about 11 years.
That rsyslog central server is also recently upgraded to Ubuntu20 from Ubuntu18

FWIW I've only talked about TLog - but TStd does the same thing (and has a 
similar imfile/local5 config on the client as to the imfile/local4)






Re: [rsyslog] imfile rsyslog config sporadic since upgrade to ubuntu20

2024-04-19 Thread David Lang via rsyslog
Caveat: I've recently inherited a bunch of ubuntu systems with very little 
historical knowledge available to me. The issue described below has occurred 
only since the inline ubuntu upgrade was done. However, I've no vision of 
whether this is solely an issue with ubuntu implementation of rsyslog, or it's 
a higher version of rsyslog that has this issue across all platforms


Systems: Ubuntu 20 (recent upgrade in-line from ubuntu 18)

Scenario:

While servers were ubuntu 18, clients had an application that wrote logs into 
a non-standard system log /var/log/node/Tlog.log (name obfuscated)


Previous rsyslog.conf configurations were in place to capture and include this 
log into rsyslog for central syslogging purposes where the log would appear on 
the central syslog server in /var/log/external//node/Tlog-.log


client config:

$ModLoad imfile
...
$InputFileName /var/log/node/Tlog.log
$InputFileTag tserv-stdout
$InputFileStateFile tserv-stdout
$InputFileSeverity info
$InputFileFacility local4
$InputRunFileMonitor

That worked well for years allegedly/apparently.

a few months ago these systems were upgraded to ubuntu 20. It was shortly 
afterwards noted that the central logging wasn't working well... logs were 
very sporadic if at all.


Then it was discovered that somewhere along the line the ubuntu 20 systems 
rsyslog config was needed to be altered (who knew?)


So now the client has

module(
load = "imfile"
pollingInterval = "1"
statefile.directory = "/var/log/node"
)
...
input(
type = "imfile"
tag = "tserv-stdout"
facility = "local4"
severity = "info"
file = "/var/log/node/Tlog.log"
)


Rsyslog tries very hard to not break backwards compatibility, so you should not 
have needed to change the config. There have been bugs over the years, but in 
general, a config should just keep working.


That seemed to fix matters - logs to Tlog.log on the client were appearing in 
the central syslog log as well.


good, that should mean that the new style config is working

then about a week ago it just stopped working. All configs are as above ie the 
ones that were working. rsyslogd is running. nothing obvious is in any other 
log to suggest issues with rsyslog. Other system logs are updated centrally as 
normal. It's just this extraneous log that has stopped "working". Tlog.log on 
the client is constantly updated via its app (ie it is not a silent/inactive 
log)


other logs from the same systems?

Any thoughts/pointers as to what the proverbial is happening, or how better to 
troubleshoot it?


I've chucked a local4.* /var/log/node/Tlog.log entry into rsyslog.conf and 
logger -p local4.info logs locally and centrally as expected using that - so 
it's not that eg networks have decided to block that access etc .


This is a good start. But at this point I am not understanding the problem. You 
say that with this config it is logging both locally and centrally as expected, 
what isn't working as expected?


and FWIW, both systems (client and rsyslog server) have this version of 
rsyslogd


rsyslogd 8.2001.0 (aka 2020.01) compiled with:
PLATFORM: x86_64-pc-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Config file: /etc/rsyslog.conf
PID file: /run/rsyslogd.pid
Number of Bits in RainerScript integers: 64


one thing here is that, as this notes, you are using a version of rsyslog 
initially released in Jan 2020, that has some number of changes backported to it 
by Canonical. This is not a version provided by the rsyslog project (just based 
on it). If you can upgrade to a current version to get the 4+ years of changes 
and bugfixes (which do include a complete imfile rewrite among other things), 
we would be in better shape to help. If you can't do that, we will do what we 
can, but are far more limited in what we can do with such an old version.


based on your test, it sounds as if imfile is reading things, but not matching 
something else on your central system. can you provide more info about the 
config there?


David Lang
___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] Possibility to introduce a new log crypto provider

2024-04-17 Thread David Lang via rsyslog

On Wed, 17 Apr 2024, Attila Lakatos via rsyslog wrote:


On Tue, Apr 16, 2024 at 1:17 PM Derek Atkins via rsyslog <rsyslog@lists.adiscon.com> wrote:


Hi David,

On Tue, April 16, 2024 6:32 am, David Lang via rsyslog wrote:

> Is there any way to duplicate the existing functionality with openssl or
> gnutls
> libraries?

Without knowing what the current functionality actually is, I would answer
"yes".  At least with OpenSSL (but also with GnuTLS) you have access to
all the low-level cryptographic methods, so you can go call AES and
SHA2-256 directly as you wish.  So yes, you can use them as generic
cryptographic APIs.



Even though I don't have a strong crypto background, I agree here. It provides 
ways to handle different algorithms and/or methods. The problematic part is to 
make this compatible with the current libgcrypt implementation. For instance, 
the gcry crypto provider supports various options for *cry.algo* and 
*cry.mode* that you can or can't combine, whilst for openssl this could be 
achieved by a single parameter DHE-RSA-AES256-GCM-SHA384, etc. So the same 
functionality could be achieved but it needs to be handled differently. I 
think this is the same scenario as setting the *gnutlsPriorityString* option 
in rsyslog-openssl/gnutls.


to be backwards compatible, the existing configs would need to keep working, 
even if they are implemented differently under the covers.


So while you may be able to do it with a single parameter with a different 
library, you still need to have a shim module that accepts the old parameters 
and does the conversion to new parameters under the covers.


If it would break the existing configs, it means we can't remove the old 
functionality, so instead of reducing maintainer effort, it would just add to 
it.


David Lang





-derek

--
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant






Re: [rsyslog] Possibility to introduce a new log crypto provider

2024-04-16 Thread David Lang via rsyslog
While this approach makes it easier to add new algorithms, it isn't going to do 
anything to reduce the load on the maintainers.


Is there any way to duplicate the existing functionality with openssl or gnutls 
libraries?


given that some people prefer openssl and some prefer gnutls, I think that we 
will need to make the new option work with both.


David Lang

On Tue, 16 Apr 2024, Attila Lakatos via rsyslog wrote:


One approach that comes to my mind is to create a brand new provider using
e.g. openssl. Provide a new configure option to build that. If the new crypto
provider is turned on, then it will be used. Otherwise, if --enable-libgcrypt
was passed to configure, then libgcrypt will be used.
For log decryption, the rscryutils binary will be compiled based on what
configure option was passed to it.
This ensures that the default behavior is not changed and also we can
add/remove/change CLI options for the rscryutils prog.
I am open to any suggestions :)

On Mon, Apr 15, 2024 at 12:09 PM Rainer Gerhards wrote:


Sounds good to me, as long as everything is backwards-compatible ;-)

Else we need to discuss pro and con (I guess there are a lot of pros!)

Rainer

On Mon, 15 Apr 2024 at 11:55, Attila Lakatos via rsyslog
() wrote:

>
> Hello,
>
> Currently, log messages written to files can undergo encryption using the
> libgcrypt cryptographic library [1]. This works fine, logs can be encoded
> and successfully decoded but I think the library has some drawbacks:
>
>- algorithms are hardcoded, if someone would want to use something else,
>  then they would need to request it first
>- the same applies to the algorithm mode
>- If I am not mistaken, the libgcrypt library is part of rsyslog only
>  for this purpose -> adds extra dependency that maintainers need to cover
>
> I would like to ask if there is any chance that a new crypto provider will
> be part of the project in the future? For example openssl (or gnutls) could
> provide the same functionality and it could reduce the amount of
> dependencies the project currently has. I would gladly craft a patch or two.
> What do you think?
>
> [1] https://www.rsyslog.com/doc/configuration/cryprov_gcry.html
>
> Attila





Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread David Lang via rsyslog

On Mon, 8 Apr 2024, Prasad Koya wrote:


Yes, we get a lot of flexibility with omprog.

However, changing a syslog's facility/priority isn't possible right?
Please see below.

if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then {
 action(type="omfile"
action.execOnlyOnceEveryInterval="3600"
template="RSYSLOG_FileFormat")

 # Change the facility and message severity forever here for the
next action(s). for example to user.alert
}

# Forward all 'user'.crit and severe to syslog collector.
user.crit action(type="omfwd" target="10.11.12.13" protocol="udp"
port="514" template="MsgForwardFormat")


you cannot change the $facility, $severity, and $pri variables, but you can make 
your own $.pri variable and create a new template that is identical to 
MsgForwardFormat that uses $.pri instead of $pri (the outbound message is just 
text, so you can make it say anything)


David Lang


On Mon, Apr 8, 2024 at 6:37 PM David Lang  wrote:


not easily within rsyslog, with an event correlation engine, you have a lot more
capability (which is why I keep pushing you that way :-) )

you can create a template to use when outputting a log, and that log can say
anything (it can be arbitrary text unrelated to the log you received), but that
gets really ugly really quickly

you would combine it essentially with a if/else type arrangement to only be done
if the prior action didn't take place. I don't know if the onceeveryinterval
will work with that.

David Lang


On Mon, 8 Apr 2024, Prasad Koya wrote:


Thank you. "action.execOnlyOnceEveryInterval" is very useful.

We intend to keep all unfiltered syslogs in a local file, say file1,
but log a rate limited message to file2 and forward that message to a
syslog collector.

Is it possible to change the facility, severity or message for the next actions?

Thanks again.

On Sun, Apr 7, 2024 at 11:42 PM David Lang  wrote:


you would need to do the filtering with omprog on the sending machines.

I would suggest that rather than throwing them away, you generate a log every
rate-limiting period along the lines of "X number of messages happened in the
last period"

This is really a job for an event correlation engine, since rsyslog is
multi-threaded for performance, it can't count on anything internal seeing every
message, which is why filtering for the messages and sending them to an external
app (single threaded or a very complex multi-threaded thing that correlates
across its threads) is the right thing to do.

David Lang

On Sun, 7 Apr 2024, Prasad Koya via rsyslog wrote:


Thanks for the replies.

My requirement is that I have a daemon that may generate a burst of
syslogs, say, every minute (when a certain subsystem is overloaded).
We do not want to write all these syslogs to /var/log/messages. We
also do not want to forward so many of those syslogs to a remote
syslog server. We wanted to rate limit them, maybe 1 per hour or so.
For now, I have tried 'omprog' module and sending such syslogs to an
external program.


module( load="omprog" )

if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then {
 action(type="omprog"
binary="/usr/bin/rate_limit_daemon_syslogs.sh"
template="RSYSLOG_FileFormat")
 stop
}

/usr/bin/rate_limit_daemon_syslogs.sh maintains state on when the
last syslog was forwarded or written locally. If this script decides it's
ok to syslog, then it will call 'logger' with a differently worded
message and a different facility.

In our case we'd like to limit these logs at the source and not at an
intermediate syslog collector. I took a quick look at the sampling
docs and that may not apply to our scenario.

Thanks.

On Wed, Apr 3, 2024 at 12:07 AM Mariusz Kruk via rsyslog wrote:


A piece of feedback against
https://www.rsyslog.com/doc/tutorials/random_sampling.html

I know it's obvious for some people but for some it might not be - it
will collect _about_ 20% of logs provided the overall number of events
is big enough. Since it's a random-based mechanism, it's... random.

Additionally, I had a similar thing implemented for load-balancing to
different "backends" and for some reason it didn't work uniformly (I
think I already wrote about this) - one of four backends was never
chosen. The thing is I was choosing not based directly on random(4) but
on (random(some_bigger_integer) % 4) which I thought would yield more
uniform randomness. It appears I was wrong.

MK


On 3.04.2024 08:51, Rainer Gerhards via rsyslog wrote:

This sounds a bit like you are looking for this:

https://www.rsyslog.com/doc/tutorials/log_sampling.html

HTH
Rainer

On Wed, 3 Apr 2024 at 3:25, Prasad Koya
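An added example of the approach David describes above (a constructed config, not one posted in this thread): the message's own facility and severity are left alone, but the forwarded text carries a PRI computed into the local variable $.pri. The template name, the file path and the choice of user.alert are assumptions; the collector address is the one from Prasad's snippet.

```rsyslog
# Constructed example, not from the thread. Forward template with the same
# layout as the stock forward format, but the PRI field is rendered from the
# local variable $.pri rather than the read-only %PRI% property.
template(name="RewrittenPriForward" type="string"
         string="<%$.pri%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

if ($syslogfacility-text == "daemon" and $msg contains "Out of memory") then {
    # Local copy, at most one line per hour (assumed path).
    action(type="omfile" file="/var/log/oom-ratelimited.log"
           action.execOnlyOnceEveryInterval="3600"
           template="RSYSLOG_FileFormat")

    # user.alert: facility 1 * 8 + severity 1 = PRI 9. $facility/$severity
    # cannot be reassigned, so the new value lives in a local variable and
    # only the emitted text changes.
    set $.pri = 1 * 8 + 1;

    # Forward with the rewritten PRI. Each action keeps its own interval
    # counter, so file and forward are rate limited independently.
    action(type="omfwd" target="10.11.12.13" port="514" protocol="udp"
           action.execOnlyOnceEveryInterval="3600"
           template="RewrittenPriForward")
    stop
}
```

Messages not matching the filter fall through to the remaining rules unchanged, so the unfiltered local file Prasad mentions (file1) is unaffected.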

Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread David Lang via rsyslog
not easily within rsyslog, with an event correlation engine, you have a lot more 
capability (which is why I keep pushing you that way :-) )


you can create a template to use when outputting a log, and that log can say 
anything (it can be arbitrary text unrelated to the log you received), but that 
gets really ugly really quickly


you would combine it essentially with a if/else type arrangement to only be done 
if the prior action didn't take place. I don't know if the onceeveryinterval 
will work with that.


David Lang


On Mon, 8 Apr 2024, Prasad Koya wrote:


Thank you. "action.execOnlyOnceEveryInterval" is very useful.

We intend to keep all unfiltered syslogs in a local file, say file1,
but log a rate limited message to file2 and forward that message to a
syslog collector.

Is it possible to change the facility, severity or message for the next actions?

Thanks again.

On Sun, Apr 7, 2024 at 11:42 PM David Lang  wrote:


you would need to do the filtering with omprog on the sending machines.

I would suggest that rather than throwing them away, you generate a log every
rate-limiting period along the lines of "X number of messages happened in the
last period"

This is really a job for an event correlation engine, since rsyslog is
multi-threaded for performance, it can't count on anything internal seeing every
message, which is why filtering for the messages and sending them to an external
app (single threaded or a very complex multi-threaded thing that correlates
across its threads) is the right thing to do.

David Lang

On Sun, 7 Apr 2024, Prasad Koya via rsyslog wrote:


Thanks for the replies.

My requirement is that I have a daemon that may generate a burst of
syslogs, say, every minute (when a certain subsystem is overloaded).
We do not want to write all these syslogs to /var/log/messages. We
also do not want to forward so many of those syslogs to a remote
syslog server. We wanted to rate limit them, maybe 1 per hour or so.
For now, I have tried 'omprog' module and sending such syslogs to an
external program.


module( load="omprog" )

if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then {
 action(type="omprog"
binary="/usr/bin/rate_limit_daemon_syslogs.sh"
template="RSYSLOG_FileFormat")
 stop
}

/usr/bin/rate_limit_daemon_syslogs.sh maintains state on when the
last syslog was forwarded or written locally. If this script decides it's
ok to syslog, then it will call 'logger' with a differently worded
message and a different facility.

In our case we'd like to limit these logs at the source and not at an
intermediate syslog collector. I took a quick look at the sampling
docs and that may not apply to our scenario.

Thanks.

On Wed, Apr 3, 2024 at 12:07 AM Mariusz Kruk via rsyslog wrote:


A piece of feedback against
https://www.rsyslog.com/doc/tutorials/random_sampling.html

I know it's obvious for some people but for some it might not be - it
will collect _about_ 20% of logs provided the overall number of events
is big enough. Since it's a random-based mechanism, it's... random.

Additionally, I had a similar thing implemented for load-balancing to
different "backends" and for some reason it didn't work uniformly (I
think I already wrote about this) - one of four backends was never
chosen. The thing is I was choosing not based directly on random(4) but
on (random(some_bigger_integer) % 4) which I thought would yield more
uniform randomness. It appears I was wrong.

MK


On 3.04.2024 08:51, Rainer Gerhards via rsyslog wrote:

This sounds a bit like you are looking for this:

https://www.rsyslog.com/doc/tutorials/log_sampling.html

HTH
Rainer

On Wed, 3 Apr 2024 at 3:25, Prasad Koya via rsyslog
() wrote:

Hi


module( load="imuxsock" )
module( load="imklog" )

if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
    action(type="omfile" queue.size="1000" queue.type="LinkedList"
           queue.dequeueSlowDown="36" file="/var/log/oom")
}


If we have a flurry of, for example, "Out of memory" messages from the
facility 'kern', we'd like to keep only, say, one per hour in a
separate file.

https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
says do not set low value for queue.size.

Above page also says queue.dequeueslowdown can be used as
rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
above rsyslog.conf working. high and low watermarks are not applicable
here as it's not a disk based queue. Appreciate any pointers.

Thank you.
___
rsyslog mailing list
https://lists.adiscon.ne

Re: [rsyslog] rate limiting logs written to a file

2024-04-07 Thread David Lang via rsyslog

you would need to do the filtering with omprog on the sending machines.

I would suggest that rather than throwing them away, you generate a log every 
rate-limiting period along the lines of "X number of messages happened in the 
last period"


This is really a job for an event correlation engine. Since rsyslog is 
multi-threaded for performance, it can't count on anything internal seeing every 
message, which is why filtering for the messages and sending them to an external 
app (single-threaded, or a very complex multi-threaded thing that correlates 
across its threads) is the right thing to do.


David Lang

On Sun, 7 Apr 2024, Prasad Koya via rsyslog wrote:


Thanks for the replies.

My requirement is that I have a daemon that may generate a burst of
syslogs, say, every minute (when a certain subsystem is overloaded).
We do not want to write all these syslogs to /var/log/messages. We
also do not want to forward so many of those syslogs to a remote
syslog server. We wanted to rate limit them, maybe 1 per hour or so.
For now, I have tried 'omprog' module and sending such syslogs to an
external program.


module( load="omprog" )

if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then {
    action(type="omprog"
           binary="/usr/bin/rate_limit_daemon_syslogs.sh"
           template="RSYSLOG_FileFormat")
    stop
}

/usr/bin/rate_limit_daemon_syslogs.sh maintains state on when the last
syslog was forwarded or written locally. If this script decides it's OK
to syslog, then it will call 'logger' with a differently worded message
and a different facility.

In our case we'd like to limit these logs at the source and not at an
intermediate syslog collector. I took a quick look at the sampling
docs and that may not apply to our scenario.

Thanks.

On Wed, Apr 3, 2024 at 12:07 AM Mariusz Kruk via rsyslog wrote:


A piece of feedback against
https://www.rsyslog.com/doc/tutorials/random_sampling.html

I know it's obvious for some people but for some it might not be - it
will collect _about_ 20% of logs provided the overall number of events
is big enough. Since it's a random-based mechanism, it's... random.

Additionally, I had a similar thing implemented for load-balancing to
different "backends" and for some reason it didn't work uniformly (I
think I already wrote about this) - one of four backends was never
chosen. The thing is I was choosing not based directly on random(4) but
on (random(some_bigger_integer) % 4) which I thought would yield more
uniform randomness. It appears I was wrong.

MK


On 3.04.2024 08:51, Rainer Gerhards via rsyslog wrote:
> This sounds a bit like you are looking for this:
>
> https://www.rsyslog.com/doc/tutorials/log_sampling.html
>
> HTH
> Rainer
>
> On Wed, 3 Apr 2024 at 3:25, Prasad Koya via rsyslog wrote:
>> Hi
>>
>>
>> module( load="imuxsock" )
>> module( load="imklog" )
>>
>> if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
>>action(type="omfile" queue.size="1000" queue.type="LinkedList"
>> queue.dequeueSlowDown="36" file="/var/log/oom")
>> }
>>
>>
>> If we have a flurry of, for example, "Out of memory" messages from the
>> facility 'kern', we'd like to keep only, say, one per hour in a
>> separate file.
>>
>> https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
>> says do not set low value for queue.size.
>>
>> Above page also says queue.dequeueslowdown can be used as
>> rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
>> above rsyslog.conf working. high and low watermarks are not applicable
>> here as it's not a disk based queue. Appreciate any pointers.
>>
>> Thank you.
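
The external program David describes above, as an added example that is not the thread's rate_limit_daemon_syslogs.sh and not rsyslog code: the first matching message in each window is passed on unchanged, later ones are counted, and when the window rolls over a summary line ("N message(s) suppressed ...") is emitted instead of silently dropping them. It assumes omprog hands one message per line on stdin (its default), that the omprog action keeps a single worker thread so only one copy of the script holds the counter, and that output is re-injected with logger(1) under a tag and facility the original filter cannot match. That last point matters: the passed-through first line still contains "Out of memory", so only the different facility (local0 here) keeps it from matching the rule again and looping.

```python
"""Window-based rate limiter for rsyslog's omprog action (added example)."""
import subprocess
import sys
import time


class WindowCounter:
    """Fixed-window limiter: keep the first message of a window, count the rest."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.start = None   # start time of the current window, None when idle
        self.count = 0      # messages seen in the current window

    def _close_window(self):
        """End the current window; return the summary line if anything was suppressed."""
        suppressed = self.count - 1
        self.start, self.count = None, 0
        if suppressed > 0:
            return [f"ratelimit: {suppressed} message(s) suppressed in the last {self.window}s window"]
        return []

    def observe(self, line, now=None):
        """Feed one message; return the lines that should be logged right now."""
        now = time.time() if now is None else now
        out = []
        if self.start is not None and now - self.start >= self.window:
            out.extend(self._close_window())
        if self.start is None:
            self.start, self.count = now, 1
            out.append(line)          # first message of a new window passes through
        else:
            self.count += 1           # later ones are only counted
        return out

    def flush(self, now=None):
        """Close an expired window without a new message (call at EOF or from a timer),
        so a burst followed by silence still produces its summary."""
        now = time.time() if now is None else now
        if self.start is not None and now - self.start >= self.window:
            return self._close_window()
        return []


def emit_via_logger(text, tag="oom-ratelimit", priority="local0.warning"):
    """Re-inject a line into syslog. The facility must differ from the one the
    rsyslog filter matches (daemon/kern in the thread), or the line loops."""
    subprocess.run(["logger", "-t", tag, "-p", priority, "--", text], check=False)


def run(stream, emit, window_seconds=3600):
    """Process omprog's stdin until EOF; returns the number of lines emitted."""
    limiter = WindowCounter(window_seconds)
    emitted = 0
    for raw in stream:
        for line in limiter.observe(raw.rstrip("\n")):
            emit(line)
            emitted += 1
    for line in limiter.flush(now=float("inf")):   # EOF: close whatever is pending
        emit(line)
        emitted += 1
    return emitted


if __name__ == "__main__":
    run(sys.stdin, emit_via_logger)
```

Point the `binary=` of the omprog action in the thread at this script instead of the shell one; the rest of the rule (the `if` filter and `stop`) stays as posted. A burst followed by hours of silence is only summarized at EOF unless something calls flush() periodically, so for a long-running child you would add a timer or a select() timeout around the stdin read.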

Re: [rsyslog] RHEL-7.9 rsyslog with FileOwner

2024-04-06 Thread David Lang via rsyslog
it's common for rsyslog configs to drop privileges, and if it does so, it can't 
then make use of those privileges to open files as other users, etc.


This is why we need to see the full config, and any files included.

David Lang

On Sat, 6 Apr 2024, Mariusz Kruk via rsyslog wrote:


Also remember that in a Linux system (quoting man 2 chown):

       Only a privileged process (Linux: one with the CAP_CHOWN capability) may
       change the owner of a file.  The owner of a file may change the group of
       the file to any group of which that owner is a member.  A privileged
       process (Linux: with CAP_CHOWN) may change the group arbitrarily.

So if your rsyslogd is an unprivileged process (it does not have 
CAP_CHOWN granted explicitly and it does not run as root user), you won't 
be able to create files as a different user.


MK

On 6.04.2024 07:20, David Lang via rsyslog wrote:
if you are using the action() syntax, you set the ownership as part of 
the action.


if you post your full config (including included files) we can better 
guess what's wrong with it.


David Lang

On Sat, 6 Apr 2024, warron.french via rsyslog wrote:


I am running multiple servers on RHEL-7.9 at work and with no option to
upgrade to a newer major version.

I have a server collecting (consolidating) logs from other (remote) servers
and need to store the various independently generated logfiles but also set
the Group-owner to something other than root.

I thought the proper syntax to do this was to set:
$FileOwner   somegroup

But rsyslogd upon restart fails to accept this directive.

Can someone tell me what directive I should be using because attempting to
find the Rsyslog documentation specific to my RHEL-7.9 in combination to
answering this query at rsyslog.com is not proving to be useful.

Thank you in advance for your assistance,

--
Warron French





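
Two things worth checking after this exchange, as an added example that is not part of the thread and not rsyslog code. First, `$FileOwner` expects a user name and `$FileGroup` a group name (in the action() syntax the omfile parameters are `fileOwner` and `fileGroup`), so `$FileOwner somegroup` is rejected whenever no user of that name exists. Second, a daemon that switched to an unprivileged uid via `$PrivDropToUser`/`$PrivDropToGroup` normally has an empty effective capability set, and the chown(2) text Mariusz quotes then applies. The script decodes the Cap* lines of /proc/<pid>/status, where the kernel exposes each set as a hex bitmask, and reports what the process can still do. The bit numbers are the CAP_* constants from <linux/capability.h>; the three status excerpts in SAMPLES are constructed for the demo.

```python
"""Decode a process's capability sets from /proc/<pid>/status (added example)."""
import re

# Bit positions from <linux/capability.h>; only the ones relevant here.
CAP_BITS = {
    "CAP_CHOWN": 0,              # chown(2) to any owner/group
    "CAP_DAC_OVERRIDE": 1,       # bypass file permission checks
    "CAP_FOWNER": 3,             # chmod/utimes on files you do not own
    "CAP_SETGID": 6,             # setgid(2), setgroups(2)
    "CAP_SETUID": 7,             # setuid(2)
    "CAP_NET_BIND_SERVICE": 10,  # bind ports below 1024 (e.g. 514/udp)
}


def parse_status(status_text):
    """Return {'euid': int|None, 'caps': {'CapEff': int, ...}} from a status dump."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    # Uid line is "real effective saved fs"; the effective uid is the second field.
    m = re.search(r"^Uid:\s*(\d+)\s+(\d+)", status_text, re.M)
    return {"euid": int(m.group(2)) if m else None, "caps": caps}


def has_cap(mask, name):
    """True if the capability bit `name` is set in `mask`."""
    return ((mask >> CAP_BITS[name]) & 1) == 1


def effective_caps(status_text):
    """Names of the relevant capabilities present in the effective set."""
    eff = parse_status(status_text)["caps"].get("CapEff", 0)
    return sorted(name for name in CAP_BITS if has_cap(eff, name))


def ownership_report(status_text):
    """What this process can do about log-file ownership, judged on CapEff rather
    than on uid: a uid-0 process whose effective set is empty cannot chown either."""
    info = parse_status(status_text)
    eff = info["caps"].get("CapEff", 0)
    return {
        "euid": info["euid"],
        "can_chown_to_any": has_cap(eff, "CAP_CHOWN"),
        "can_switch_ids": has_cap(eff, "CAP_SETUID") and has_cap(eff, "CAP_SETGID"),
        "can_bind_514": has_cap(eff, "CAP_NET_BIND_SERVICE"),
    }


def read_status(pid):
    """Read the live status of a running process (needs read access to /proc/<pid>/status)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as fh:
        return fh.read()


# Constructed /proc/<pid>/status excerpts (only the lines the parser uses).
SAMPLES = {
    # rsyslogd still root, full effective set
    "root_full": "Name:\trsyslogd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
                 "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
                 "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n",
    # after $PrivDropToUser: unprivileged uid, nothing left in the effective set
    "dropped": "Name:\trsyslogd\nUid:\t997\t997\t997\t997\nGid:\t995\t995\t995\t995\n"
               "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
               "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n",
    # unprivileged uid but CAP_CHOWN, CAP_DAC_OVERRIDE and CAP_NET_BIND_SERVICE kept (0x403)
    "minimal": "Name:\trsyslogd\nUid:\t997\t997\t997\t997\nGid:\t995\t995\t995\t995\n"
               "CapInh:\t0000000000000000\nCapPrm:\t0000000000000403\n"
               "CapEff:\t0000000000000403\nCapBnd:\t0000000000000403\nCapAmb:\t0000000000000000\n",
}


if __name__ == "__main__":
    import sys
    text = read_status(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLES["dropped"]
    print(ownership_report(text))
```

Run it with the pid of the collector's rsyslogd (for example `python3 capcheck.py $(pidof rsyslogd)`, capcheck.py being whatever name you save it under); if can_chown_to_any is False, no fileOwner/fileGroup setting can take effect and the fix is either to keep the privileges or to let the files be created by the dropped-to user and group in the first place.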

Re: [rsyslog] RHEL-7.9 rsyslog with FileOwner

2024-04-05 Thread David Lang via rsyslog
if you are using the action() syntax, you set the ownership as part of the 
action.


if you post your full config (including included files) we can better guess 
what's wrong with it.


David Lang

On Sat, 6 Apr 2024, warron.french via rsyslog wrote:


I am running multiple servers on RHEL-7.9 at work and with no option to
upgrade to a newer major version.

I have a server collecting (consolidating) logs from other (remote) servers
and need to store the various independently generated logfiles but also set
the Group-owner to something other than root.

I thought the proper syntax to do this was to set:
$FileOwner   somegroup

But rsyslogd upon restart fails to accept this directive.

Can someone tell me what directive I should be using because attempting to
find the Rsyslog documentation specific to my RHEL-7.9 in combination to
answering this query at rsyslog.com is not proving to be useful.

Thank you in advance for your assistance,

--
Warron French




Re: [rsyslog] rate limiting logs written to a file

2024-04-02 Thread David Lang via rsyslog
rate limiting output will just cause things to back up, it doesn't throw away 
the messages. It would be better for you to detect these messages and feed them 
into an external event correlation engine (Simple Event Correlator, for 
example), and have that engine then send you logs that you keep (which could be 
'system X sent Y OOM messages in the last 5 min' or something like that)


David Lang



 On Tue, 2 Apr 2024, Prasad Koya via rsyslog wrote:


Date: Tue, 2 Apr 2024 18:25:01 -0700
From: Prasad Koya via rsyslog 
To: rsyslog-users 
Cc: Prasad Koya 
Subject: [rsyslog] rate limiting logs written to a file

Hi


module( load="imuxsock" )
module( load="imklog" )

if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
    action(type="omfile" queue.size="1000" queue.type="LinkedList"
           queue.dequeueSlowDown="36" file="/var/log/oom")
}


If we have a flurry of, for example, "Out of memory" messages from the
facility 'kern', we'd like to keep only, say, one per hour in a
separate file.

https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
says do not set low value for queue.size.

Above page also says queue.dequeueslowdown can be used as
rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
above rsyslog.conf working. high and low watermarks are not applicable
here as it's not a disk based queue. Appreciate any pointers.

Thank you.




Re: [rsyslog] Bash history --> rsyslog relay --> Elastic

2024-03-25 Thread David Lang via rsyslog
Ok, the fact that you are getting other logs remotely does eliminate the 
permission/network problems.


That just means that the filters you are applying to find the bash logs are not 
matching the log contents.


To figure this out, you need to figure out what is actually being sent (since 
it's not what you think is being sent or it would match your filters). To figure 
this out, we need to figure out exactly what is being sent.


The best way to do this is to configure the receiving syslog server to log all 
logs using the template RSYSLOG_DebugFormat, a line like the following would do 
it


*.* /var/log/debuglog;RSYSLOG_DebugFormat

then find a sample of the log message you are looking for in this log, and you 
should then be able to see both the rawmsg of exactly what is arriving, and the 
various properties showing how it was parsed apart. At that point you should be 
able to adjust your filters to match the log message.


You can also dump the log message via tcpdump and analyse that, but that 
requires manually figuring out how the log is being parsed.


I don't believe that you have shown a sample of what the log message looks like 
(if you did, I apologize for missing it, please re-post it)


when the problem isn't network/permissions, >90% of the time the problem is that 
the log isn't being parsed the way you think it is, so the filter doesn't match.


David Lang

On Mon, 25 Mar 2024, Kees de Jong via rsyslog wrote:


Hi David,



SELinux is disabled on all hosts. Other logs do get through from remote
hosts and are stored on a local disk. In this test setup I only enabled
the config for Bash history. I did this to exclude any configuration
that might intercept or drop the Bash history logs.

But when I include the other configs again, they log just fine locally.
So I think we can exclude systemd or a firewall in that case. Also,
when I use netcat, I can send over messages over those ports and see
them also with tcpdump.


on the receiving system, log the messages with the template

RSYSLOG_DebugFormat and give us a sample message.

What exactly do you mean by this? Could you please elaborate on that?
At the moment no messages are logged for the Bash history. How can I
use this template to enhance the debugging? Thanks!







Re: [rsyslog] Bash history --> rsyslog relay --> Elastic

2024-03-25 Thread David Lang via rsyslog
on the receiving system, log the messages with the template RSYSLOG_DebugFormat 
and give us a sample message.


note that there are other reasons why you may see a log message with tcpdump but 
rsyslog will not process it, including if there is not a route back to the 
sender, or if there are firewall rules blocking that port. It's possible that 
SELinux or systemd are also preventing rsyslog from accessing that port.


David Lang

 On Mon, 25 Mar 2024, Kees de Jong via rsyslog wrote:


Date: Mon, 25 Mar 2024 10:25:23 +
From: Kees de Jong via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Kees de Jong 
Subject: Re: [rsyslog] Bash history --> rsyslog relay --> Elastic

Hi,


I've reset the rsyslog configuration on the rsyslog server to the Red
Hat default and confirmed it with `rpmverify`, I'm running version
rsyslog-8.2102.0-7.el8_6.1.x86_64.

Then I only added the config to receive and process the Bash history
logs:

cat /etc/rsyslog.d/00-a.conf
if $programname == '-bash' or $programname == 'bash' and $msg contains 'HISTORY:' then {
    @127.0.0.1:10514
    /var/log/bash-history.log
    & stop
}

The default /etc/rsyslog.conf (without comments) is shown below:

# rg -v '^#' /etc/rsyslog.conf
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"   # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal

global(workDirectory="/var/lib/rsyslog")

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

include(file="/etc/rsyslog.d/*.conf" mode="optional")

*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log

As you can see, I both forward the logs to a local UDP socket and a
local file. I also commented out one of them each time, to make sure
there is no issue with either the socket or file setup.

When I run a `tcpdump` on the rsyslog server, I do see that the
messages are coming in from the client:

10:49:00.007063 IP (tos 0x0, ttl 64, id 30789, offset 0, flags [DF], proto UDP (17), length 98)
    x.x.x.x.50145 > y.y.y.y.syslog: SYSLOG, length: 70
    Facility user (1), Severity info (6)
    Msg: Mar 25 10:48:59 rsyslogclient -bash[398711]: HISTORY: PID=398711 UID=0 ls

However, the rsyslog server does not process these logs. The receiving
server forwards the logs to a local socket which is set up with
`netcat`, it does not show any output of messages. The local log file
remains empty as well. It's writable by anyone (-rw-rw-rw- 1 root root
0 Mar 25 10:52 /var/log/bash-history.log)

I've run the same setup also on a VM with Fedora with version rsyslog-
8.2310.0-1.fc39.x86_64, with that version and setup it works fine.
Could it be that there is a syntax change somewhere? Or maybe something
else is wrong here? If it could be a syntax issue, what change could I
test?

Just to summarize:
* The client is able to forward the Bash history messages through
syslog.
* The server receives these messages as well.
* However, for some reason it does not match with the filter and thus
no action is taken by rsyslog to forward it to either a local socket or
a local file.




Re: [rsyslog] question: decoding cisco syslog messages using pmciscoios

2024-03-22 Thread David Lang via rsyslog
good to hear, If you can identify what in the logging configuration was 
different that caused this problem, please post it to the list so that others 
can learn from it.


David Lang

On Fri, 22 Mar 2024, Pedro Caetano via rsyslog wrote:


Starting from a minimal configuration on the switch solved the issue.

Thank you for your time and patience.

Best,
Pedro Caetano

On Thu, Mar 21, 2024 at 6:07 PM Pedro Caetano wrote:


I'll strip the configuration to the bare minimum and report back.

Thank you for your patience.

Best,
Pedro

On Thu, Mar 21, 2024 at 1:29 PM David Lang wrote:
>
> ok, the rawmsg field is telling us that the body of the message sent by the
> device is a bunch of nonsense (control characters with a lot of nulls)
>
> so the problem is on the sending side, not on the rsyslog side, look at your
> options there..
>
> David Lang
>
> On Thu, 21 Mar 2024, Pedro Caetano via rsyslog wrote:
>
> > Date: Thu, 21 Mar 2024 12:34:43 +
> > From: Pedro Caetano via rsyslog 
> > To: rsyslog@lists.adiscon.com
> > Cc: Pedro Caetano 
> > Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios
> >
> > Hi,
> >
> > This is the output generated:
> >
> > Debug line with all properties:
> > FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME:
> > '172.26.0.31', PRI: 43,
> > syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',
> > msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
> > #017���#034#003H #017�#001#001L#001�#000#000�#0
> > 34#003�
> > 
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> > escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
> > #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
> > 
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
> > inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9
> > #000�#034#003H #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
> > 
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000'
> > $!:
> > $.:
> > $/:
> >
> >
> >
> >
> > Below is the configuration in place:
> >
> > $DebugFile /var/log/rsyslogdebug.log
> > $DebugLevel 2
> >
> > template(name="RSYSLOG_DebugFormat" type="list") {
> > constant(value="Debug line with all properties:\nFROMHOST: '")
> > property(name="fromhost")
> > constant(value="', fromhost-ip: '")
> > property(name="fromhost-ip")
> > constant(value="', HOSTNAME: '")
> > property(name="hostname")
> > constant(value="', PRI: '")
> > property(name="pri")
> > constant(value=",\nsyslogtag '")
> > property(name="syslogtag")
> > constant(value="', programname: '")
> > property(name="programname")
> > constant(value="', APP-NAME: '")
> > property(name="app-name")
> > constant(value="', PROCID: '")
> > property(name="procid")
> > constant(value="', MSGID: '")
> > property(name="msgid")
> > constant(value="',\nTIMESTAMP: '")
> > property(name="timereported")
> > constant(value="', STRUCTURED-DATA: '")
> > property(name="structured-data")
> > constant(value="',\nmsg: '")
> > property(name="msg")
> > constant(value="'\nescaped msg: '")
> > property(name="msg" controlcharacters="

Re: [rsyslog] question: decoding cisco syslog messages using pmciscoios

2024-03-21 Thread David Lang via rsyslog
ok, the rawmsg field is telling us that the body of the message sent by the 
device is a bunch of nonsense (control characters with a lot of nulls)


so the problem is on the sending side, not on the rsyslog side, look at your 
options there..


David Lang

On Thu, 21 Mar 2024, Pedro Caetano via rsyslog wrote:


Date: Thu, 21 Mar 2024 12:34:43 +
From: Pedro Caetano via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Pedro Caetano 
Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios

Hi,

This is the output generated:

Debug line with all properties:
FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME:
'172.26.0.31', PRI: 43,
syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',
msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
#017���#034#003H #017�#001#001L#001�#000#000�#0
34#003�
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000�#034#003H
#017���#034#003H #017�#001#001L#001�#000#000�#034#003�
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#00'
inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9
#000�#034#003H #017���#034#003H #017�#001#001L#001�#000#000�#034#003�
#010�#001#001K#005�#000#000#001)#000#000�#001#000#000#000#000#000#000#000#000��#000#000#000#000�ͫ�#000#000#000#001#000#017#013�3#000#000#000#016#000#003#000#036#000#023#005�#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000#000'
$!:
$.:
$/:




Below is the configuration in place:

$DebugFile /var/log/rsyslogdebug.log
$DebugLevel 2

# Hand-written copy of the built-in RSYSLOG_DebugFormat list template.
# PRI is printed unquoted (as the output above shows), so no quote after "PRI: ".
template(name="RSYSLOG_DebugFormat" type="list") {
    constant(value="Debug line with all properties:\nFROMHOST: '")
    property(name="fromhost")
    constant(value="', fromhost-ip: '")
    property(name="fromhost-ip")
    constant(value="', HOSTNAME: '")
    property(name="hostname")
    constant(value="', PRI: ")
    property(name="pri")
    constant(value=",\nsyslogtag '")
    property(name="syslogtag")
    constant(value="', programname: '")
    property(name="programname")
    constant(value="', APP-NAME: '")
    property(name="app-name")
    constant(value="', PROCID: '")
    property(name="procid")
    constant(value="', MSGID: '")
    property(name="msgid")
    constant(value="',\nTIMESTAMP: '")
    property(name="timereported")
    constant(value="', STRUCTURED-DATA: '")
    property(name="structured-data")
    constant(value="',\nmsg: '")
    property(name="msg")
    constant(value="'\nescaped msg: '")
    property(name="msg" controlcharacters="drop")
    constant(value="'\ninputname: ")
    property(name="inputname")
    constant(value=" rawmsg: '")
    property(name="rawmsg")
    constant(value="'\n$!:")
    property(name="$!")
    constant(value="\n$.:")
    property(name="$.")
    constant(value="\n$/:")
    property(name="$/")
    constant(value="\n\n")
}



#Modules
module(load="imtcp")
module(load="pmciscoios")

#Inputs
input(type="imtcp" port="20514" ruleset="rsyslogswitchs")

#Parsers
parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")


#Rules
ruleset(name="rsyslogswitchs" parser="custom.ciscoios.withOrigin"){
  *.* /var/log/remote-syslog/testesw3.log;RSYSLOG_DebugFormat
}

Best,
Pedro

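
The dump-and-compare step that settled this thread, and the bash-history one further up (RSYSLOG_DebugFormat shows what the parser produced, and the filter has to match that rather than the packet seen in tcpdump), can be scripted. The block below is an added example, not from either thread and not rsyslog code: it parses debug-format records with one regular expression over the template's fixed layout, splits PRI into facility and severity, and replays the bash-history filter against each record. Both records in SAMPLE are constructed: the first follows the Cisco dump above with the binary junk shortened; the second is what the bash HISTORY line from the tcpdump capture might parse to, with the syslogtag and programname values assumed for illustration, which is exactly what a real dump has to confirm. The precedence assumed in filter_as_written (and binding tighter than or) is likewise an assumption; parenthesize in the real config so it never matters.

```python
"""Parse RSYSLOG_DebugFormat records and replay a filter against them (added example)."""
import re

# One regex over the fixed layout of the built-in RSYSLOG_DebugFormat template.
RECORD_RE = re.compile(
    r"Debug line with all properties:\n"
    r"FROMHOST: '(?P<fromhost>.*?)', fromhost-ip: '(?P<fromhost_ip>.*?)', "
    r"HOSTNAME: '(?P<hostname>.*?)', PRI: (?P<pri>\d+),\n"
    r"syslogtag '(?P<syslogtag>.*?)', programname: '(?P<programname>.*?)', "
    r"APP-NAME: '(?P<app_name>.*?)', PROCID: '(?P<procid>.*?)', MSGID: '(?P<msgid>.*?)',\n"
    r"TIMESTAMP: '(?P<timestamp>.*?)', STRUCTURED-DATA: '(?P<structured_data>.*?)',\n"
    r"msg: '(?P<msg>.*?)'\n"
    r"escaped msg: '(?P<escaped_msg>.*?)'\n"
    r"inputname: (?P<inputname>\S*) rawmsg: '(?P<rawmsg>.*?)'\n",
    re.DOTALL,
)


def parse_debug_records(text):
    """Yield one dict per record, with PRI split into facility and severity
    (PRI = 8 * facility + severity, as in RFC 3164/5424)."""
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        pri = int(rec["pri"])
        rec.update(pri=pri, facility=pri // 8, severity=pri % 8)
        yield rec


def filter_as_written(rec):
    """The thread's filter, `$programname == '-bash' or $programname == 'bash' and
    $msg contains 'HISTORY:'`, read with 'and' binding tighter than 'or' (assumed).
    Under that reading every -bash message matches, HISTORY line or not."""
    return rec["programname"] == "-bash" or (
        rec["programname"] == "bash" and "HISTORY:" in rec["msg"])


def filter_as_intended(rec):
    """Either shell name, but only HISTORY lines."""
    return rec["programname"] in ("-bash", "bash") and "HISTORY:" in rec["msg"]


def explain(rec):
    """One line per record showing the properties a filter would test."""
    return (f"from={rec['fromhost_ip']} fac={rec['facility']} sev={rec['severity']} "
            f"tag={rec['syslogtag']!r} prog={rec['programname']!r} msg={rec['msg'][:40]!r} "
            f"written={filter_as_written(rec)} intended={filter_as_intended(rec)}")


# Constructed sample dump: a Cisco record shaped like the one in the thread (junk
# shortened), then an assumed parse of the bash HISTORY line from the tcpdump capture.
SAMPLE = (
    "Debug line with all properties:\n"
    "FROMHOST: '172.26.0.31', fromhost-ip: '172.26.0.31', HOSTNAME: '172.26.0.31', PRI: 43,\n"
    "syslogtag '', programname: '', APP-NAME: '-', PROCID: '-', MSGID: '-',\n"
    "TIMESTAMP: 'Mar 21 12:03:20', STRUCTURED-DATA: '-',\n"
    "msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000#034#003H'\n"
    "escaped msg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000#034#003H'\n"
    "inputname: imtcp rawmsg: '<43>934417: SWPABB1ACCP01: [syslog@9 #000#034#003H'\n"
    "$!:\n$.:\n$/:\n\n"
    "Debug line with all properties:\n"
    "FROMHOST: 'rsyslogclient', fromhost-ip: '10.0.0.5', HOSTNAME: 'rsyslogclient', PRI: 14,\n"
    "syslogtag '-bash[398711]:', programname: '-bash', APP-NAME: '-bash', PROCID: '398711', MSGID: '-',\n"
    "TIMESTAMP: 'Mar 25 10:48:59', STRUCTURED-DATA: '-',\n"
    "msg: ' HISTORY: PID=398711 UID=0 ls'\n"
    "escaped msg: ' HISTORY: PID=398711 UID=0 ls'\n"
    "inputname: imudp rawmsg: '<14>Mar 25 10:48:59 rsyslogclient -bash[398711]: HISTORY: PID=398711 UID=0 ls'\n"
    "$!:\n$.:\n$/:\n\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for rec in parse_debug_records(text):
        print(explain(rec))
```

Point it at the file written by a `*.* /path;RSYSLOG_DebugFormat` rule. An empty programname, as in the Cisco record, means no filter on $programname can ever match, and the PRI 43 decodes to facility 5 (syslog) severity 3 (err), which is another thing the packet alone does not tell you.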

Re: [rsyslog] Capturing shutdown logs

2024-03-20 Thread David Lang via rsyslog
when you use imjournal with rsyslog, journald is storing the logs in its 
database, then rsyslog is periodically querying the database for new logs. that 
database can be all in ram, or partially on disk.


David Lang

On Wed, 20 Mar 2024, David Lang via rsyslog wrote:


Date: Wed, 20 Mar 2024 12:58:52 -0700 (PDT)
From: David Lang via rsyslog 
To: Attila Lakatos via rsyslog 
Cc: David Lang 
Subject: Re: [rsyslog] Capturing shutdown logs

The journal is storing them somewhere anyway (in ram if nothing else), that's a 
'feature' of journald.


you can set how much space you allocate to journald for its fixed storage and 
so can set it small enough to not be an issue.


David Lang

On Wed, 20 Mar 2024, Attila Lakatos via rsyslog wrote:


Hello Peter,

I think that would be the best solution from rsyslog point of view.
However, this would mean that logs would be stored in both
/var/log/{messages|secure|...} and the journal.
Ideally, it would be better to have them only in one place.

Thanks,
Attila

On Tue, Mar 19, 2024 at 4:03 PM Peter Portante via rsyslog <rsyslog@lists.adiscon.com> wrote:


Attila, any reason you can't just use persistent journald?  That is
what we did to solve the lost shutdown and crash logs.  -Peter

On Fri, Mar 15, 2024 at 12:31 PM David Lang via rsyslog wrote:
>
> imjournal uses the journal api to fetch the logs (fetching them in
> near-real-time), journald keeps files internally to support it.
>
> David Lang
>
> On Fri, 15 Mar 2024, Attila Lakatos via rsyslog wrote:
>
> > The solution is clean to me, however I think this could be a bottleneck for
> > busy systems. Also, this would mean that I need to maintain a copy of journal
> > logs in one or more files.
> >
> > On Wed, Mar 13, 2024 at 2:53 PM John Chivian wrote:
> >
> >> You could split rsyslog into two separate service instances.
> >>
> >> Service 1 would do *only one thing*, read imjournal and write to
> >> file(s).  This service would *not* have the network.target dependency.
> >>
> >> Service 2 would do *everything else*, including reading the file(s)
> >> output from above (which survive the reboot) and sending the events within
> >> to a network destination.  This service would have the network.target
> >> dependency so as to be able to deliver reliably.
> >>
> >> Regards,
> >>
> >>
> >> On Mar 13, 2024, at 07:49, Attila Lakatos via rsyslog <
> >> rsyslog@lists.adiscon.com> wrote:
> >>
> >> Recently I came across an observation where we are not able to capture
> >> normal reboot/shutdown logs on Fedora/RHEL distributions. In these
> >> environments, systemd is responsible for starting the rsyslog service. A
> >> service can have multiple dependencies, which influence how early or how
> >> late rsyslog is started or stopped. Many years ago, we added dependency for
> >> the network.target and network-online.target into the service file [1]. If
> >> rsyslog started before establishing network access, it would be unable to
> >> transmit messages to remote destinations during that period, resulting in
> >> the generation of misleading information about the unavailability of
> >> certain remote targets (e.g. not able to resolve hostnames).
> >> However, this approach results in a significant tradeoff. While it prevents
> >> misleading unavailability messages during network setup and shutdown, it
> >> also causes rsyslog to *exit* *early* during shutdown, leading to missed
> >> logs regarding the graceful termination of other programs. This limitation
> >> extends to system reboots as well. Thus, while addressing one issue, the
> >> current service configuration introduces another.
> >> By default, we retrieve shutdown events from the journal using the
> >> imjournal module. Journal log data is stored in memory so after shutdown,
> >> logs are not preserved.
> >>
> >> Has someone faced this problem? Are there any known workarounds?
> >>
> >> [1]
> >> https://github.com/deoren/rsyslog-examples/blob/master/etc/systemd/system/rsyslog.service.d/10-wait-on-network.conf
> >> ___
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LI

Re: [rsyslog] Capturing shutdown logs

2024-03-20 Thread David Lang via rsyslog
The journal is storing them somewhere anyway (in ram if nothing else), that's a 
'feature' of journald.


you can set how much space you allocate to journald for its fixed storage and 
so can set it small enough to not be an issue.


David Lang

On Wed, 20 Mar 2024, Attila Lakatos via rsyslog wrote:


Hello Peter,

I think that would be the best solution from rsyslog point of view.
However, this would mean that logs would be stored in both
/var/log/{messages|secure|...} and the journal.
Ideally, it would be better to have them only in one place.

Thanks,
Attila

On Tue, Mar 19, 2024 at 4:03 PM Peter Portante via rsyslog <
rsyslog@lists.adiscon.com> wrote:


Attila, any reason you can't just use persistent journald?  That is
what we did to solve the lost shutdown and crash logs.  -Peter

On Fri, Mar 15, 2024 at 12:31 PM David Lang via rsyslog
 wrote:
>
> imjournal uses the journal api to fetch the logs (fetching them in
> near-real-time), journald keeps files internally to support it.
>
> David Lang
>
> On Fri, 15 Mar 2024, Attila Lakatos via rsyslog wrote:
>
> > The solution is clean to me, however I think this could be a bottleneck for
> > busy systems. Also, this would mean that I need to maintain a copy of journal
> > logs in one or more files.
> >
> > On Wed, Mar 13, 2024 at 2:53 PM John Chivian 
> > wrote:
> >
> >> You could split rsyslog into two separate service instances.
> >>
> >> Service 1 would do *only one thing*, read imjournal and write to
> >> file(s).  This service would *not* have the network.target dependency.
> >> Service 2 would do *everything else*, including reading the file(s)
> >> output from above (which survive the reboot) and sending the events within
> >> to a network destination.  This service would have the network.target
> >> dependency so as to be able to deliver reliably.
> >>
> >> Regards,
> >>
> >>
> >> On Mar 13, 2024, at 07:49, Attila Lakatos via rsyslog <
> >> rsyslog@lists.adiscon.com> wrote:
> >>
> >> Recently I came across an observation where we are not able to capture
> >> normal reboot/shutdown logs on Fedora/RHEL distributions. In these
> >> environments, systemd is responsible for starting the rsyslog service. A
> >> service can have multiple dependencies, which influence how early or how
> >> late rsyslog is started or stopped. Many years ago, we added dependency for
> >> the network.target and network-online.target into the service file [1]. If
> >> rsyslog started before establishing network access, it would be unable to
> >> transmit messages to remote destinations during that period, resulting in
> >> the generation of misleading information about the unavailability of
> >> certain remote targets (e.g. not able to resolve hostnames).
> >> However, this approach results in a significant tradeoff. While it prevents
> >> misleading unavailability messages during network setup and shutdown, it
> >> also causes rsyslog to *exit* *early* during shutdown, leading to missed
> >> logs regarding the graceful termination of other programs. This limitation
> >> extends to system reboots as well. Thus, while addressing one issue, the
> >> current service configuration introduces another.
> >> By default, we retrieve shutdown events from the journal using the
> >> imjournal module. Journal log data is stored in memory so after shutdown,
> >> logs are not preserved.
> >>
> >> Has someone faced this problem? Are there any known workarounds?
> >>
> >> [1]
> >> https://github.com/deoren/rsyslog-examples/blob/master/etc/systemd/system/rsyslog.service.d/10-wait-on-network.conf

Re: [rsyslog] question: decoding cisco syslog messages using pmciscoios

2024-03-20 Thread David Lang via rsyslog
please log some messages with the template RSYSLOG_DebugFormat so we can see 
exactly what is being sent, along with all the variables that it's being parsed 
into. (and go ahead and send those in the email rather than posting to pastebin)


David Lang

 On Wed, 20 Mar 2024, Pedro Caetano via rsyslog wrote:


Date: Wed, 20 Mar 2024 15:12:11 +
From: Pedro Caetano via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Pedro Caetano 
Subject: [rsyslog] question: decoding cisco syslog messages using pmciscoios

Hi,

After installing rsyslog and rsyslog-pmciscoios, I'm able to load the
module without issues using the example present in the documentation.
These are the installed packages:
rsyslog.x86_64  8.2404.0.master-1710892962
rsyslog-pmciscoios.x86_64   8.2404.0.master-1710892962 @rsyslog_v8


We have been experimenting with present.origin on and off, still observing
garbled text on the logfiles, example here:
https://pastebin.com/wQ8LbwfP

The device pushing the logs is a cisco switch c2960x running the
following ios: c2960x-universalk9-mz.152-7.E7.bin

The configuration on the switch is as follows:
logging trap notifications
logging origin-id hostname
logging facility syslog
logging source-interface Vlan275
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
logging host 10.150.0.7 transport tcp port 20514
logging host 192.168.190.226 transport tcp port 20514

Any help would be greatly appreciated.


Thank you,
Pedro Caetano

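The pmciscoios parser bound to the TCP port 20514 that Pedro's switches send to, with a RSYSLOG_DebugFormat copy of every message, added here as an example; it is not Pedro's config and not taken from the rsyslog project. The parser name and the file paths are placeholders; present.origin is switched on because the switch config above uses "logging origin-id hostname".

```conf
# Added example, not Pedro's config. Paths and the parser name are placeholders.
module(load="imtcp")
module(load="pmciscoios")

# The switches use "logging origin-id hostname", so the parser must be told
# that an origin field precedes the rest of the line.
parser(name="custom.ciscoios.origin" type="pmciscoios" present.origin="on")

input(type="imtcp" port="20514" ruleset="cisco")

# Parsers are tried in order; the first one that accepts the line wins, so
# the stock RFC3164 parser is the fallback for anything pmciscoios rejects.
ruleset(name="cisco" parser=["custom.ciscoios.origin", "rsyslog.rfc3164"]) {
    # What David asks for: every property as rsyslog parsed it, not just
    # the raw line. Compare hostname/fromhost/msg here against the garbled
    # output before changing anything else.
    action(type="omfile" file="/var/log/cisco/debug.log"
           template="RSYSLOG_DebugFormat")
    action(type="omfile" file="/var/log/cisco/switches.log")
}
```

Keep the debug file only while troubleshooting: it roughly triples the volume per message and, as David notes, pasting a few of its lines into the mail is more useful than a pastebin link.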

Re: [rsyslog] Logs received via tls are binary

2024-03-19 Thread David Lang via rsyslog
we would need to see your full configs on both the sender and receiving sides to 
make a guess as to what is being done wrong.


David Lang

On Tue, 19 Mar 2024, Brian via rsyslog wrote:

I will have to take a closer look at logs but yes, the logs in the 
receiving syslog server are showing up as binary files.


Brian

On 3/19/2024 7:24 AM, Rainer Gerhards wrote:

Please contain a plain text part in your mail. The mailing list
processor removes HTML for security reasons.

Judging from the subject, I guess either the receiver OR the sender
has not successfully enabled TLS. Check for error messages from
rsyslog.

HTH
Rainer

El mar, 19 mar 2024 a las 15:06, Brian W. via rsyslog
() escribió:



Re: [rsyslog] PMCISCOIOS Module Issue

2024-03-19 Thread David Lang via rsyslog
if Redhat does not provide you with the pmciscoios module, then you need to 
upgrade to a version that the community supports and install that package from 
the community repo.


see https://www.rsyslog.com/rhelcentos-rpms/ for instructions.

David Lang

P.S. this list is very much still alive and the primary way to get support from 
the community.


On Tue, 19 Mar 2024, Roy White via rsyslog wrote:


Good Morning,

I am hopeful this mailing list is still monitored, and that this is not falling 
onto deaf ears. I am currently trying to implement an Rsyslog Remote Server to 
consolidate the logs of all of our Cisco switches. The server is collecting the 
data, however because of the format of the Cisco IOS logs, it is not properly 
parsing and recognizing the host and source of the remote logs. Rsyslog is 
prepending its own IP address and timestamp, and making the data more difficult 
to read. I have dug through the documentation and found that there is a module 
called pmciscoios that is supposed to aid in fixing this issue. Unfortunately, 
I am currently running rsyslogd 8.2102.0-7.el8_6.1 (aka 2021.02), on RHEL 8.6 
and the pmciscoios module is missing. Through further research I was able to 
find the pmciscoios.c file through GITHUB but was unable to figure out how to 
convert it to a .so format in order to add it to /lib64/rsyslog and have it 
read properly. Has anyone dealt with this issue previously, and do you have any 
suggestions for how I might be able to fix this? I would be very grateful for 
any assistance or feedback. Thank you in advance!

Very Respectfully,


Roy White, MBA

SysOps Project Manager, Information Technology




Re: [rsyslog] Bash history --> rsyslog relay --> Elastic

2024-03-19 Thread David Lang via rsyslog
please post your full configs, it's likely that there are other things in the 
config that are causing issues.


note that when you are within an if statement, you don't need to do the &, just 
a bare stop will apply to everything that the if matched.


David Lang

On Tue, 19 Mar 2024, Kees de Jong via rsyslog wrote:


Date: Tue, 19 Mar 2024 13:09:01 +
From: Kees de Jong via rsyslog 
To: "rsyslog@lists.adiscon.com" 
Cc: Kees de Jong 
Subject: [rsyslog] Bash history --> rsyslog relay --> Elastic

Hi,


I want to collect Bash history and forward it to my Elastic cluster. I
have a central rsyslog server in my cluster, which receives logs
already and forwards some to another rsyslog server.

I use the Bash `shopt -s syslog_history` option on Red Hat. On the
nodes in my cluster I forward the logs to the central rsyslog
logserver. Which looks like this:

if $programname == '-bash' or $programname == 'bash' and $msg contains
'HISTORY:' then {
   @x.x.x.x:514
& stop
}

The central logserver has a Fleet Agent running, which runs a UDP
listener integration on 127.0.0.1 on UDP 10514. This integration has
syslog parsing enabled.

I can send data from a node to the central rsyslog server. In tcpdump I
see the messages sent from another node. On the central rsyslog server
I have the following setup:

if $programname == '-bash' or $programname == 'bash' and $msg contains
'HISTORY:' then {
   @127.0.0.1:10514
& stop
}

Which forwards the logs to the local Elastic Fleet Agent. However, logs
sent from a node in my cluster are not forwarded by the central rsyslog
server to the local Fleet port. When I enable the Bash syslog option on
the central log server it does forward the local Bash history to the
Elastic cluster. But it doesn't forward the data received from the
nodes in my cluster.

What am I missing? Other logs are forwarded to another syslog server
just fine. So the setup should work I guess? That forwarding is done
like this:

if ($syslogfacility-text == ['auth','authpriv'] and ($programname
contains 'ssh')) then @y.y.y.y:514

So maybe the filter for receiving relayed Bash history messages is
wrong? Since it does work fine for locally generated logs. And other
types of logs are forwarded just fine.



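The filter written the way David suggests, added here as an example rather than Kees's or David's actual config: a bare stop inside the block, and parentheses around the two programname tests, because in RainerScript "and" binds tighter than "or", so the unparenthesized form forwards every '-bash' message whether or not it contains HISTORY:. The addresses and ports are the placeholders from the post; the ruleset name and the unmatched-log path are assumptions.

```conf
# Added example, not Kees's or David's config. x.x.x.x and 127.0.0.1:10514
# are the placeholders from the post.

# --- on each node ---
if ($programname == '-bash' or $programname == 'bash')
   and $msg contains 'HISTORY:' then {
    action(type="omfwd" target="x.x.x.x" port="514" protocol="udp")
    stop    # inside the block a bare stop applies to every matched message
}

# --- on the central rsyslog server ---
# Bind the listener to its own ruleset so relayed messages are filtered on
# the properties parsed from the relayed line, separately from local logs.
module(load="imudp")
input(type="imudp" port="514" ruleset="from_nodes")

ruleset(name="from_nodes") {
    if ($programname == '-bash' or $programname == 'bash')
       and $msg contains 'HISTORY:' then {
        action(type="omfwd" target="127.0.0.1" port="10514" protocol="udp")
        stop
    }
    # Anything that did not match is dumped with its parsed properties, so a
    # relayed HISTORY line that slips through shows exactly what programname
    # and msg rsyslog saw after parsing (the check David asks for elsewhere
    # on the list).
    action(type="omfile" file="/var/log/from_nodes-unmatched.log"
           template="RSYSLOG_DebugFormat")
}
```

If the relayed lines turn up in the unmatched file with a programname other than bash or -bash, the relay's forwarding template changed the tag and the filter on the central server has to match what arrives, not what was logged locally.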
Re: [rsyslog] custom properties and arm performance

2024-03-15 Thread David Lang via rsyslog

On Fri, 15 Mar 2024, John Chivian via rsyslog wrote:


Is there a way to add custom/user properties?


That’s what the STRUCTURED_DATA header element is for.


in theory yes, in practice RFC5424 does not have broad support for things like 
structured data.


What is becoming more common in practice is using json in the message body and 
parsing that on the receiver.


There are no known problems on any processor (ARM or anything else)

David Lang






On Mar 15, 2024, at 11:53, Dimi Onobodies via rsyslog 
 wrote:

Hi everyone

I have two questions irrelevant with each other. I thought to ask these in one 
mail instead of two.


 1.
Is there a way to add custom/user properties?

I have a bunch of rsyslog servers forwarding logs to a central rsyslog server. I want to 
"tag" the message prior to forwarding, and then on the receiving central 
rsyslog server use this tag for filtering.

I don't want to use the "tag" property because it already contains information 
from application logs.

I can add a custom field in a custom template, but that would inject it in the 
message (msg) which is something I was hoping to avoid (filtering by parsing 
the msg).

Is there a way to add custom properties which both forwarding and receiving 
rsyslog system can parse without having to filter the msg content?



 2.
ARM CPU performance with rsyslog.

I am thinking to switch rsyslog systems (oci instances) to ARM based CPUs. I 
performed a few stress-tests compared to AMD and I didn't see significant 
changes. What I did notice though was, arm cpu was achieving the same results 
with less cpu utilization.

Before I move to production, is anyone aware of any issues with rsyslog and arm 
based cpus?

Have a nice weekend,

D.

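What the JSON-in-the-body approach David mentions looks like in config, added as an example and not taken from the list or from the rsyslog project: the sender wraps the original text in a small @cee: JSON object carrying a site tag, and the receiver parses that object with mmjsonparse and filters on the parsed field instead of searching msg. The site value, the central host name, the port and the file paths are placeholders.

```conf
# Added example, not from the thread. Placeholders: "branch-a",
# central.example.net, port 514 and the file paths.

# --- on each forwarding rsyslog ---
module(load="imuxsock")
set $.site = "branch-a";    # whatever identifies this sender

# Lumberjack/CEE style: "@cee:" cookie followed by a JSON object. The
# original text goes into "msg", JSON-escaped so quotes and newlines in
# application output cannot break the object.
template(name="fwd_cee" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    constant(value=" @cee:{\"site\":\"")
    property(name="$.site")
    constant(value="\",\"msg\":\"")
    property(name="msg" format="json")
    constant(value="\"}\n")
}
action(type="omfwd" target="central.example.net" port="514" protocol="tcp"
       template="fwd_cee")

# --- on the central rsyslog ---
module(load="imtcp")
module(load="mmjsonparse")
input(type="imtcp" port="514" ruleset="tagged")

ruleset(name="tagged") {
    action(type="mmjsonparse")    # puts the @cee: object under $!
    if $parsesuccess == "OK" and $!site == "branch-a" then {
        action(type="omfile" file="/var/log/remote/branch-a.log")
        stop
    }
    # untagged or unparseable: keep, do not drop
    action(type="omfile" file="/var/log/remote/untagged.log")
}
```

The tag is asserted by the sender, so it is a routing hint, not an authenticated origin: anything that must be trusted (which host really sent this) should still be keyed on $fromhost-ip or on a TLS client certificate rather than on a field inside the message.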
Re: [rsyslog] Capturing shutdown logs

2024-03-15 Thread David Lang via rsyslog
imjournal uses the journal api to fetch the logs (fetching them in 
near-real-time), journald keeps files internally to support it.


David Lang

On Fri, 15 Mar 2024, Attila Lakatos via rsyslog wrote:

The solution is clean to me, however I think this could be a bottleneck for 
busy systems. Also, this would mean that I need to maintain a copy of journal 
logs in one or more files.


On Wed, Mar 13, 2024 at 2:53 PM John Chivian  wrote:


You could split rsyslog into two separate service instances.

Service 1 would do *only one thing*, read imjournal and write to
file(s).  This service would *not* have the network.target dependency.
Service 2 would do *everything else*, including reading the file(s)
output from above (which survive the reboot) and sending the events within
to a network destination.  This service would have the network.target
dependency so as to be able to deliver reliably.

Regards,


On Mar 13, 2024, at 07:49, Attila Lakatos via rsyslog <
rsyslog@lists.adiscon.com> wrote:

Recently I came across an observation where we are not able to capture
normal reboot/shutdown logs on Fedora/RHEL distributions. In these
environments, systemd is responsible for starting the rsyslog service. A
service can have multiple dependencies, which influence how early or how
late rsyslog is started or stopped. Many years ago, we added dependency for
the network.target and network-online.target into the service file [1]. If
rsyslog started before establishing network access, it would be unable to
transmit messages to remote destinations during that period, resulting in
the generation of misleading information about the unavailability of
certain remote targets (e.g. not able to resolve hostnames).
However, this approach results in a significant tradeoff. While it prevents
misleading unavailability messages during network setup and shutdown, it
also causes rsyslog to *exit* *early* during shutdown, leading to missed
logs regarding the graceful termination of other programs. This limitation
extends to system reboots as well. Thus, while addressing one issue, the
current service configuration introduces another.
By default, we retrieve shutdown events from the journal using the
imjournal module. Journal log data is stored in memory so after shutdown,
logs are not preserved.

Has someone faced this problem? Are there any known workarounds?

[1]

https://github.com/deoren/rsyslog-examples/blob/master/etc/systemd/system/rsyslog.service.d/10-wait-on-network.conf

Re: [rsyslog] Capturing shutdown logs

2024-03-13 Thread David Lang via rsyslog
you could put the remote sender things in a separate ruleset with a queue on that 
ruleset, that would let the rest of the config run without the network 
(accumulating early logs and gathering shutdown logs up to the point that 
rsyslog gets shut down)


you can configure rsyslog to save the queue to disk at shutdown (but this can 
take time, so you may need to increase the systemd timeout for letting rsyslog 
do a clean shutdown)


David Lang

 On Wed, 13 Mar 2024, Attila Lakatos via rsyslog wrote:


Date: Wed, 13 Mar 2024 13:49:19 +0100
From: Attila Lakatos via rsyslog 
To: rsyslog-users 
Cc: Attila Lakatos 
Subject: [rsyslog] Capturing shutdown logs

Recently I came across an observation where we are not able to capture
normal reboot/shutdown logs on Fedora/RHEL distributions. In these
environments, systemd is responsible for starting the rsyslog service. A
service can have multiple dependencies, which influence how early or how
late rsyslog is started or stopped. Many years ago, we added dependency for
the network.target and network-online.target into the service file [1]. If
rsyslog started before establishing network access, it would be unable to
transmit messages to remote destinations during that period, resulting in
the generation of misleading information about the unavailability of
certain remote targets (e.g. not able to resolve hostnames).
However, this approach results in a significant tradeoff. While it prevents
misleading unavailability messages during network setup and shutdown, it
also causes rsyslog to *exit* *early* during shutdown, leading to missed
logs regarding the graceful termination of other programs. This limitation
extends to system reboots as well. Thus, while addressing one issue, the
current service configuration introduces another.
By default, we retrieve shutdown events from the journal using the
imjournal module. Journal log data is stored in memory so after shutdown,
logs are not preserved.

Has someone faced this problem? Are there any known workarounds?

[1]
https://github.com/deoren/rsyslog-examples/blob/master/etc/systemd/system/rsyslog.service.d/10-wait-on-network.conf

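A config sketch of the layout David describes, added here as an example and not taken from the thread or from the rsyslog project: the network-bound action gets its own ruleset and queue, local file writes stay in the main ruleset, and whatever is still queued is written to disk when rsyslog stops. The collector name, the port, the queue file name and the sizes are placeholders.

```conf
# Added example, not from the thread. Placeholders: collector.example.net,
# port 6514, the queue file name and the sizes.
module(load="imjournal" StateFile="imjournal.state")

# Main ruleset: local files only. Nothing here needs the network, so
# early-boot and late-shutdown events still land on disk.
*.info;authpriv.none    /var/log/messages
authpriv.*              /var/log/secure

# The ruleset queue decouples forwarding from the main ruleset: while the
# collector is unreachable (boot, shutdown, outage) messages accumulate in
# this queue instead of blocking the file actions above.
# queue.saveOnShutdown writes whatever is still queued to disk when rsyslog
# stops; queue.timeoutShutdown (ms) is how long it waits for that to finish.
ruleset(name="to_collector"
        queue.type="LinkedList"
        queue.filename="to_collector_q"
        queue.maxDiskSpace="512m"
        queue.saveOnShutdown="on"
        queue.timeoutShutdown="10000") {
    action(type="omfwd" target="collector.example.net" port="6514"
           protocol="tcp" action.resumeRetryCount="-1")
}

# Hand every message to the forwarding ruleset after the local writes.
call to_collector
```

The spill file goes to the global work directory (global(workDirectory="...") , /var/lib/rsyslog on RHEL), so that path needs the space you allow in queue.maxDiskSpace. If saving the queue takes longer than systemd is willing to wait, raise TimeoutStopSec= for rsyslog.service in a drop-in (systemctl edit rsyslog). This keeps only what rsyslog had already read from the journal; anything journald records after rsyslog has stopped exists only in the journal, which is where Peter's persistent-journald suggestion further up the thread comes in.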

Re: [rsyslog] Journald sending log to remote Rsyslog

2024-03-12 Thread David Lang via rsyslog

journald does not have the ability to send over the network to a syslog server.

when you configure journald to send to a syslog daemon, journald throws away a 
lot of details that it knows. The other option is to use imjournal in rsyslog to 
fetch the logs from journald


David Lang

 On Tue, 12 Mar 2024, Alberto via rsyslog wrote:


Hi,

I'm trying to send logs from a Workstation with Journald to my Rsyslog
server.



All references point to changing "ForwardToSyslog=yes" in
"/etc/systemd/journald.conf" (I don't know why I can never find the
"/run/systemd/journal/syslog" socket) and Rsyslog reading from the socket,
but on LOCALHOST.



Can I send to a REMOTE Rsyslog without installing a local Rsyslog on the
Workstation?



Best Regards,

Alberto



Re: [rsyslog] Tuning rsyslog to forward logs

2024-03-05 Thread David Lang via rsyslog
The queue fills up because rsyslog is not able to deliver the logs fast enough. 
You are sending the logs via TCP (encrypted) so the sending is throttled to the 
speed that the receiving system can accept them.


Are you using Splunk as the syslog listener to accept the messages?

Splunk is a very poor performing syslog listener, you would be better off running 
rsyslog on the splunk system and writing the files to disk there and then 
reading those files into Splunk (frequent log rotation and sinkhole options to 
have splunk delete the file after it reads it are your friends, you can also 
have rsyslog write to different directories based on the sender 
hostname/sourcetype/index and have splunk pick those up from the directory 
rather than showing the splunk system as the sending host)


David Lang


On Tue, 5 Mar 2024, Andrew Heath via rsyslog wrote:


Greetings,
I have an rsyslog server we use to store and forward logs to a Splunk
instance, however we keep running into the issue where we hit max queue
size and it writes to disk which is causing our log partition to fill up, I
have read the docs and added some more worker threads but to no avail. The
system has more resources available but for some reason rsyslog is not
using them to help process and forward logs. I have attached a copy of our
config file for reference.

[1] https://paste.centos.org/view/36386fa1





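The receiver-side arrangement David sketches, added as an example rather than Andrew's config or anything from the rsyslog project: rsyslog on the Splunk host takes the TCP stream, writes one file per sending host and day under /var/log/remote/, and Splunk's file monitor reads those. Port, paths, queue size and buffer sizes are placeholders.

```conf
# Added example, not Andrew's config. Runs on the Splunk host; paths, port
# and sizes are placeholders.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="from_senders")

# One file per sender and day. %fromhost% is derived from the connection
# (reverse lookup of the peer address), not from the message text, so a
# sender cannot steer the path by forging the HOSTNAME field; use
# %fromhost-ip% instead to avoid DNS on the hot path.
template(name="per_sender_file" type="string"
         string="/var/log/remote/%fromhost%/%$year%-%$month%-%$day%.log")
template(name="raw_line" type="string" string="%rawmsg%\n")

# The ruleset queue absorbs bursts from the network side. omfile writes to
# local disk, which does not throttle the way a slow remote listener does,
# so this queue stays shallow and never needs to spill to disk.
ruleset(name="from_senders"
        queue.type="LinkedList"
        queue.size="100000"
        queue.workerThreads="2") {
    action(type="omfile" dynaFile="per_sender_file" template="raw_line"
           dirCreateMode="0750" fileCreateMode="0640"
           dynaFileCacheSize="200" asyncWriting="on"
           flushOnTXEnd="off" ioBufferSize="64k")
}
```

On the forwarding side, the queue that filled Andrew's partition should get a queue.maxDiskSpace that the partition can actually absorb, so that a slow receiver degrades to dropped messages and an error in the rsyslog log rather than a full disk. With one directory per sender, Splunk can take the host name from the path (host_segment in inputs.conf) instead of reporting the Splunk box as the source.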

Re: [rsyslog] Short source hostname

2024-02-24 Thread David Lang via rsyslog

On Sat, 24 Feb 2024, Mariusz Kruk via rsyslog wrote:


On 23.02.2024 20:29, Frank Morawietz via rsyslog wrote:

You could also just do your own field based on the $fromhost value, just
split at first dot.

set $.loghost=field($hostname,46,1);

Then you can use the $.loghost variable in your template.
Got it. I already tried this adaption of my template and it's looking like 
I wanted now!


One thing though. As far as I remember, if your receiver cannot resolve the 
hostname, your $fromhost will be identical to $fromhost-ip.


So trimming it after first dot will yield unwanted results.


correct

P.S.: So the global option PreserveFQDN is not used on the receiving 
server?

Honestly - have no idea. I don't use it :-)


I think that has to do with the local hostname for the logs it sends, but I 
don't remember.


lots of log analysis stuff breaks if the short hostname isn't unique, so while 
you can frequently get away with using a FQDN and not having the short name be 
unique, it is likely to bite you at some point. Best to avoid it.


David Lang


Re: [rsyslog] Short source hostname

2024-02-23 Thread David Lang via rsyslog
$fromhost is the result of a name lookup of the IP of the connection, it is 
always the full result of that lookup (which will normally be a FQDN from DNS).


David Lang

On Fri, 23 Feb 2024, Frank Morawietz via rsyslog wrote:


Thanks for your reply, Mariusz.


Also remember that fromhost and fromhost-ip are from the _connection_.
Hostname is the value from the message (might be completely bonkers if
the source doesn't follow standards).


This is exactly why I switched to FROMHOST. Too many messages with junk instead 
of the hostname.


You could also just do your own field based on the $fromhost value, just
split at first dot.

set $.loghost=field($hostname,46,1);

Then you can use the $.loghost variable in your template.


Got it. I already tried this adaption of my template and it's looking like I 
wanted now!

Best regards,
Frank

P.S.: So the global option PreserveFQDN is not used on the receiving server?
--
Frank Morawietz

IT Systems Administrator Global Computational Chemistry & Biology
Healthcare | Discovery Development Technologies
Merck Healthcare KGaA | Frankfurter Str. 250 | Postcode: D050/902 | 64293 
Darmstadt | Germany




Re: [rsyslog] bind one queue to a ruleset for all syslogs going to one server.

2024-02-14 Thread David Lang via rsyslog

On Tue, 13 Feb 2024, Prasad Koya via rsyslog wrote:


While these messages are deep copied and enqueued to respective action
queues, it's possible that the second message may reach the remote syslog
server before the first message. I'd like to avoid that situation.

How do I define one queue for all syslogs forwarded to a server
by preserving the facility/severity in each message.


you can't. Rsyslog can use multiple threads, and the threads do not even try to 
coordinate between them to make sure they are sending messages in order.


by putting the forward action in a single ruleset, and calling that ruleset 
instead of invoking the action, you will make it less likely that things will be 
out of order, but only less likely.


At one point in the distant past, rsyslog tried really hard to send the messages 
out in the order that they were received, but I pointed out quite a few corner 
cases where that would be defeated by the network (especially if sending through 
relay servers) and rsyslog abandoned that effort, and in the process increased 
its throughput by several orders of magnitude.


In general, messages still probably arrive in order, but not always. And when 
you are talking about logs sent from multiple machines, it becomes impossible 
to guarantee reception of logs from multiple machines in the order they were 
generated (and in this case anything you do to make log delivery more reliable, 
like TCP or RELP, makes the possible delays in message delivery worse).


As noted, if you care about absolute ordering of logs, you need good, high 
precision timestamps, especially across multiple machines.


David Lang
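Added example (not part of David's post, and not rsyslog code): a small Python model of the point above. The four records are constructed and listed in the order they reached a collector, which is not the order they were generated. Sorting on the RFC 3339 timestamp with microseconds (the form rsyslog emits for property(name="timereported" dateFormat="rfc3339")) restores generation order; the last helper counts how many neighbouring records a coarser clock could no longer tell apart, which is the "high precision" part of the advice.

```python
import re
from datetime import datetime

# Constructed sample (not from the thread): records in the order they reached
# the collector.  Two relays forwarded them over different paths, so arrival
# order is not generation order.  Timestamps are RFC 3339 with microseconds.
ARRIVAL_ORDER = [
    "2024-02-14T15:47:50.323104+03:00 web1 app[101]: order=42 step=2 commit",
    "2024-02-14T15:47:50.323101+03:00 web1 app[101]: order=42 step=1 begin",
    "2024-02-14T15:47:51.000002+03:00 db1 pg[77]: order=42 step=4 written",
    "2024-02-14T15:47:50.999998+03:00 web2 app[205]: order=42 step=3 audit",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse(line):
    """Split a record into (timezone-aware datetime, host, rest-of-line)."""
    ts, host, rest = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), host, rest


def restore_order(lines):
    """Stable sort on the generation timestamp: records with equal timestamps
    keep arrival order, because nothing else can break the tie."""
    return sorted(lines, key=lambda line: parse(line)[0])


def steps(lines):
    """Last word of each record, handy for reading a result."""
    return [parse(line)[2].split()[-1] for line in lines]


def unresolvable_ties(lines, fraction_digits):
    """Count neighbouring records (after sorting) whose timestamps would be
    identical if the clock kept only `fraction_digits` decimals of a second.
    Each such pair is an ordering a coarser clock could not have recovered."""
    scale = 10 ** (6 - fraction_digits)
    coarse = [
        (dt.replace(microsecond=0), dt.microsecond // scale)
        for dt in (parse(line)[0] for line in restore_order(lines))
    ]
    return sum(1 for a, b in zip(coarse, coarse[1:]) if a == b)


if __name__ == "__main__":
    print(steps(restore_order(ARRIVAL_ORDER)))
    for digits in (6, 3, 0):
        print(f"{digits} fractional digits: "
              f"{unresolvable_ties(ARRIVAL_ORDER, digits)} tie(s)")
```

Note the "audit" and "written" records: they are 4 microseconds apart but fall in different seconds, so even a one-second clock separates them, while "begin" and "commit" need millisecond resolution at least. The clocks on web1, web2 and db1 also have to agree for any of this to mean anything.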


Re: [rsyslog] Can't parse incoming json via relp

2024-02-14 Thread David Lang via rsyslog

what is the config of the receiver?

I'll note that what you are sending is valid json, but not a valid syslog 
message, that could be why you are running into grief.


log using the template RSYSLOG_DebugFormat on the receiver so we can see exactly 
what it's getting.


Also, you have a comment that rulesets must be in the main file, that is 
incorrect. Rsyslog combines all files before any config parsing is done, so at 
the time that it's parsing the config, it doesn't know what file any line came 
from. You could (but shouldn't) have your template() definition spread across 
multiple files as an extreme example.


David Lang


On Wed, 14 Feb 2024, Alex via rsyslog wrote:


Hello

I have two rsyslog servers - sender and receiver
The sender gets data, converts it to JSON and sends it via RELP to the receiver
But the receiver can't parse the JSON

1. Sender config
module(load="omrelp")

template(
   name="json_syslog"
   type="list"
   option.json="on"
) {
   constant(value="{")
   constant(value="\"@timestamp\":\"")   property(name="timereported"
dateFormat="rfc3339")
   constant(value="\",\"type\":\"syslog_json")
   constant(value="\",\"syslogtag\":\"") property(name="syslogtag"
format="json")
   constant(value="\",\"relayhost\":\"") property(name="fromhost")
   constant(value="\",\"relayip\":\"")   property(name="fromhost-ip")
   constant(value="\",\"logsource\":\"") property(name="source")
   constant(value="\",\"hostname\":\"")  property(name="hostname"
caseconversion="lower")
   constant(value="\",\"programname\":\"")
property(name="programname")
   constant(value="\",\"source\":\"")property(name="app-name"
caseConversion="lower" onEmpty="null")
   constant(value="\",\"priority\":\"")  property(name="pri")
   constant(value="\",\"severity\":\"")
property(name="syslogseverity" caseConversion="upper")
   constant(value="\",\"facility\":\"")
property(name="syslogfacility")
   constant(value="\",\"severity_label\":\"")
property(name="syslogseverity-text")
   constant(value="\",\"facility_label\":\"")
property(name="syslogfacility-text")
   constant(value="\",\"msg\":\"")   property(name="msg" format="json")
   constant(value="\",\"end_msg\":\"")
   constant(value="\"}\n")
}

ruleset(
   name="syslogCollector"
) {

   action(
   type="omrelp"
   target="docker-swarm.dc1.virtel.net" port="10514"
   template="json_syslog"

   queue.type="LinkedList"
   queue.size="4000"
   queue.timeoutEnqueue="0" # timeout for rejecting new messages if the queue is full

   action.resumeRetryCount="0"
   action.reportSuspension="on"
   action.reportSuspensionContinuation="on"
   action.resumeInterval="10"
   )
}

2. Receiver config
module(load="imrelp")
input(
   port="10514"
   type="imrelp"
   name="imrelp"
   ruleset="relpCollector"
)

# --
# Rulesets
# Must be in main file only !!
# --
ruleset(
   name="relpCollector"
) {

   action(type="mmjsonparse")

   if $parsesuccess == "OK" then {
   $IncludeConfig /etc/rsyslog.d/*.conf
   stop
   }

   action(
   type="omfile"
   file="/var/log/json_parse_error.log"
   ioBufferSize="64k"
   flushOnTXEnd="on"
   )
}

3. Send message to first server
logger -n 192.168.9.10 -P 514 -T -t myapp "This is only test message -
remote"

4. Server1 sends Server2 valid JSON like
{"@timestamp":"2024-02-14T15:47:50.323104+03:00","type":"syslog_json","syslogtag":"myapp","relayhost":"172.26.0.1","relayip":"172.26.0.1","logsource":"docker-swarm.dc1.virtel.net","hostname":"devhost","programname":"myapp","source":"myapp","priority":"13","severity":"5","facility":"1","severity_label":"notice","facility_label":"user","msg":"This is only test message - remote","end_msg":""}

5. Server2 can't parse the JSON and stores the message in
/var/log/json_parse_error.log
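Added example (not from the thread and not rsyslog's parser): a Python illustration of David's point that the line in step 4 is valid JSON but not a valid syslog message. The first constant is a shortened, constructed copy of that line; the second carries the same JSON as the MSG part of a syslog message, behind the "@cee:" cookie that mmjsonparse looks for by default. The RFC 3164 grammar below is a deliberately minimal model, so what rsyslog itself extracts from the bare line is exactly what the RSYSLOG_DebugFormat output David asks for would show.

```python
import json
import re

# Constructed, shortened copy of what the sender template emits
# (field names taken from the post's json_syslog template).
RAW_JSON_LINE = (
    '{"@timestamp":"2024-02-14T15:47:50.323104+03:00","type":"syslog_json",'
    '"syslogtag":"myapp","hostname":"devhost","priority":"13","severity":"5",'
    '"facility":"1","msg":"This is only test message - remote","end_msg":""}'
)

# mmjsonparse expects this cookie in front of the JSON unless told otherwise.
CEE_COOKIE = "@cee:"

# The same payload as the MSG part of a syslog message:
# <PRI>, RFC 3164 timestamp, hostname, tag, cookie, JSON.  Constructed.
FRAMED_LINE = "<13>Feb 14 15:47:50 devhost myapp: " + CEE_COOKIE + RAW_JSON_LINE

# Minimal RFC 3164 header grammar: <PRI>TIMESTAMP HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<msg>.*)$",
    re.S,
)


def split_syslog(line):
    """Return header fields plus MSG when `line` carries a syslog header,
    otherwise None: a bare JSON object has no <PRI> and no timestamp, so a
    syslog parser has nothing to anchor on."""
    m = RFC3164_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:          # facility 0-23, severity 0-7
        return None
    fields["pri"] = pri
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields


def parse_cee_json(msg):
    """What a cookie-based JSON parser does with MSG: parse only the text
    after the cookie, and give up when the cookie is absent."""
    if not msg.startswith(CEE_COOKIE):
        return None
    try:
        return json.loads(msg[len(CEE_COOKIE):])
    except json.JSONDecodeError:
        return None


def is_json(text):
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def classify(line):
    """The three properties the reply distinguishes: is the whole line JSON,
    is it a syslog message, and does its MSG yield structured fields."""
    header = split_syslog(line)
    return {
        "valid_json": is_json(line),
        "valid_syslog": header is not None,
        "fields": parse_cee_json(header["msg"]) if header else None,
    }


if __name__ == "__main__":
    for name, line in (("raw json", RAW_JSON_LINE), ("framed", FRAMED_LINE)):
        print(name, classify(line))
```

The raw line is JSON but has no syslog header, so nothing reaches the JSON parser as a clean MSG; the framed line is no longer JSON as a whole, but its MSG parses and the PRI decodes to facility 1 / severity 5, matching the "priority":"13" the template also carries.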


Re: [rsyslog] Rsyslog stop working when output destination (rabbitmq) is unavailable

2024-02-07 Thread David Lang via rsyslog
just a note that a batch size of 4000 doesn't make a lot of sense when the queue 
size is only 4096 :-)


batch sizes are a case of diminishing returns. There is a huge advantage of 
going from to around 100 or so, but far less gains in going from 100 to 1000 
(unless you are doing database inserts or similar)



On Wed, 7 Feb 2024, Alex via rsyslog wrote:


My solution is

   queue.type="LinkedList"
   queue.size="4096"
   queue.timeoutEnqueue="0" # timeout for rejecting new messages if the queue is full
   queue.dequeuebatchSize="4000"


Wed, 7 Feb 2024 at 09:03, Prasad Koya via rsyslog <
rsyslog@lists.adiscon.com>:


Alex, excuse me for using this thread for posting my question. But my
question is also on the same topic.

I have configured rsyslogd (v8.2102.0) to forward syslogs to two remote
servers, one using TCP protocol and second one using UDP. Besides
forwarding, I also have a rule to log to a local file. Here are the
relevant sections from my rsyslog.conf. I can post the full file if needed.



$MainMsgQueueTimeoutEnqueue 0

local4.*  action(type="omfwd" target="10.240.219.64"
action.resumeRetryCount="10" protocol="tcp" port="36456"
template="Syslogs_ForwardFormat")
local4.*  action(type="omfwd" target="10.16.39.124"
protocol="udp" port="36456" template="Syslogs_ForwardFormat")

*.*   /var/log/syslogs

After the TCP connection is established and messages are getting forwarded,
say someone pulls out the ethernet cable at the remote syslog collector 1
that is using tcp protocol. Some number of syslogs from this point are
still forwarded to the server 2 using udp protocol and written to the local
file as well. However if the TCP connection to the first server does not
recover then after some time, we do not see any syslogs in the local file
or at the second syslog server. I straced rsyslogd and all I see is the
recvmsg() calls on the /dev/log socket.

How do we tell rsyslog to drop the TCP connection if the other end is no
longer receiving the syslogs. Perhaps it can drop the connection and retry
after say X minutes. I tried using resumeRetryCount as documented at
https://www.rsyslog.com/doc/configuration/actions.html, but that is not
helping in my situation. Perhaps I'm missing some other "action" setting?
Appreciate if you can give me a pointer to a sample configuration or point
me to relevant documentation.

Thank you.




On Mon, Feb 5, 2024 at 11:11 AM David Lang via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> you have a queue of 1024 for rabbitmq, if there are more messages than that
> pending, other processing will stop until the queue can accept more messages.
> Setup a larger queue (potentially a disk assisted queue) to handle longer
> outages.
>
> you may also want to consider configuring the queue to throw away messages
> if it gets too full.
>
> David Lang
>
>   On Mon, 5 Feb 2024, Alex via rsyslog wrote:
>
> > I have rsyslog (8.2310.0) in docker container from latest alpine image
> as a
> > syslog collector with forwarding to logstash.local and rabbitmq.local
> >
> > Rsyslog stops working when rabbitmq is unavailable and work fine when
> > rabbitmq server is up
> >
> > How to configure rsyslog to work when the destination is unavailable ?
> >
> >
> > module(load="omrabbitmq")
> > module(load="imptcp" threads="3")
> > input(type="imptcp" port="514" ruleset="syslogCollector")
> >
> > template(
> >name="json_syslog"
> >type="list"
> >option.json="on"
> > ) {
> >constant(value="{")
> >constant(value="\"@timestamp\":\"")
> > property(name="timereported" dateFormat="rfc3339")
> >constant(value="\",\"type\":\"syslog_json")
> >constant(value="\",\"tag\":\"")
> > property(name="syslogtag" format="json")
> >constant(value="\",\"relayhost\":\"") property(name="fromhost")
> >constant(value="\",\"relayip\":\"")   property(name="fromhost-ip")
> >constant(value="\",\"logsource\":\"") property(name="source")
> >constant(value="\",\"hostname\":\"")  property(name="hostname"
> > caseconversion="lower")
> >constant(value="\",\"program\":\"")
 property(name="

Re: [rsyslog] Rsyslog stop working when output destination (rabbitmq) is unavailable

2024-02-06 Thread David Lang via rsyslog
read the documents I posted above and they will explain most of what you are 
seeing.


the reason it doesn't fail instantly is that the OS has a buffer for the TCP 
connection, and that buffer takes a little time to fill up.


retrycount tells rsyslog how many times to retry each message before dropping 
it.


closing and re-opening the connection won't help you if the network is down, as 
everything will block waiting for the connection to get re-established.


If you enable impstats and have it write directly to a file (not send it through 
the normal queue) then you will see the failures and see the action being 
suspended after some failures.


David Lang

On Tue, 6 Feb 2024, Prasad Koya wrote:


Alex, excuse me for using this thread for posting my question. But my
question is also on the same topic.

I have configured rsyslogd (v8.2102.0) to forward syslogs to two remote
servers, one using TCP protocol and second one using UDP. Besides
forwarding, I also have a rule to log to a local file. Here are the
relevant sections from my rsyslog.conf. I can post the full file if needed.



$MainMsgQueueTimeoutEnqueue 0

local4.*  action(type="omfwd" target="10.240.219.64"
action.resumeRetryCount="10" protocol="tcp" port="36456"
template="Syslogs_ForwardFormat")
local4.*  action(type="omfwd" target="10.16.39.124"
protocol="udp" port="36456" template="Syslogs_ForwardFormat")

*.*   /var/log/syslogs

After the TCP connection is established and messages are getting forwarded,
say someone pulls out the ethernet cable at the remote syslog collector 1
that is using tcp protocol. Some number of syslogs from this point are
still forwarded to the server 2 using udp protocol and written to the local
file as well. However if the TCP connection to the first server does not
recover then after some time, we do not see any syslogs in the local file
or at the second syslog server. I straced rsyslogd and all I see is the
recvmsg() calls on the /dev/log socket.

How do we tell rsyslog to drop the TCP connection if the other end is no
longer receiving the syslogs. Perhaps it can drop the connection and retry
after say X minutes. I tried using resumeRetryCount as documented at
https://www.rsyslog.com/doc/configuration/actions.html, but that is not
helping in my situation. Perhaps I'm missing some other "action" setting?
Appreciate if you can give me a pointer to a sample configuration or point
me to relevant documentation.

Thank you.




On Mon, Feb 5, 2024 at 11:11 AM David Lang via rsyslog <
rsyslog@lists.adiscon.com> wrote:


you have a queue of 1024 for rabbitmq, if there are more messages than that
pending, other processing will stop until the queue can accept more messages.
Setup a larger queue (potentially a disk assisted queue) to handle longer
outages.

you may also want to consider configuring the queue to throw away messages
if it gets too full.

David Lang

  On Mon, 5 Feb 2024, Alex via rsyslog wrote:


I have rsyslog (8.2310.0) in docker container from latest alpine image

as a

syslog collector with forwarding to logstash.local and rabbitmq.local

Rsyslog stops working when rabbitmq is unavailable and work fine when
rabbitmq server is up

How to configure rsyslog to work when the destination is unavailable ?


module(load="omrabbitmq")
module(load="imptcp" threads="3")
input(type="imptcp" port="514" ruleset="syslogCollector")

template(
   name="json_syslog"
   type="list"
   option.json="on"
) {
   constant(value="{")
   constant(value="\"@timestamp\":\"")
property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"type\":\"syslog_json")
   constant(value="\",\"tag\":\"")
property(name="syslogtag" format="json")
   constant(value="\",\"relayhost\":\"") property(name="fromhost")
   constant(value="\",\"relayip\":\"")   property(name="fromhost-ip")
   constant(value="\",\"logsource\":\"") property(name="source")
   constant(value="\",\"hostname\":\"")  property(name="hostname"
caseconversion="lower")
   constant(value="\",\"program\":\"")   property(name="programname")
   constant(value="\",\"source\":\"")property(name="app-name"
caseConversion="lower" onEmpty="null")
   constant(value="\",\"priority\":\"")  property(name="pri")
   constant(value="\",\&qu

Re: [rsyslog] Action queue with omkafka

2024-02-05 Thread David Lang via rsyslog

you should be able to configure kafka to not throw away logs in its queue.

In your example below, you have configured rsyslog to throw away messages when 
the queue fills up to 6 messages.


can you show the pstats data that shows that rsyslog is dropping messages?

David Lang


On Tue, 6 Feb 2024, Adriaan de Waal via rsyslog wrote:


Good day

I've configured the omkafka module to push logs to Kafka and added a 
disk-assisted queue configuration to this action. The idea being, that if the 
Kafka cluster is temporarily unavailable, logs will be queued and prevent 
message loss. It should also be noted that this whole Kafka configuration is in 
its own ruleset and called from other rulesets in order to output data to Kafka.

The issue I'm having is that the queue doesn't hold onto messages and simply 
passes it on (I can see in the relevant statistics that the queue processed the 
messages) even when the Kafka cluster can't be reached and the action suspends. 
The librdkafka library - used by omkafka - also has its own queue, but this 
fills up and message loss occurs. I've also tried to rather set the queue on 
the ruleset itself, but that too makes no difference.

Below is the queue configuration within the action(type="omkafka" ...) 
definition.
   # Queue Settings
   queue.type="LinkedList" # In-memory queue with dynamic memory allocation
   queue.spoolDirectory="/var/spool/rsyslog" # Path for disk-assisted queue
   queue.size="65000" # Total queue size
   queue.highwatermark="6" # Write messages to disk if highwatermark breached
   queue.lowwatermark="5" # Use in-memory queue again below this mark
   queue.filename="kafka_output" # Enables disk-assisted queue and names it
   queue.maxdiskspace="18g" # Maximum disk space disk-queue can use
   queue.saveonshutdown="on" # Save queue contents to disk on shutdown
Any assistance in this regard would be greatly appreciated.

Kind Regards
---



Re: [rsyslog] imfile readTimeout behavior question

2024-02-05 Thread David Lang via rsyslog
I remember hearing about this sort of problem before, the version you are using 
is 2 years old, please update to a current version and check again.


note that the version you are running is different from the 8.2202 that the 
rsyslog project shipped, and is entirely supported by redhat as a result.


David Lang

On Tue, 6 Feb 2024, russel.miranda--- via rsyslog wrote:


Hello rsyslog community,

I am working on a Centos 7 system that has rsyslog 8.2202.0 configured to 
monitor and process perhaps 2 dozen log files with the imfile module.
The module is loaded with the module directive like this:

module(load="imfile" mode="inotify")

And the file references are set up using several config files in the 
/etc/rsyslog.d directory containing entries similar to the following:

 input(type="imfile"
 File="/var/log/activity*.log"
 Severity="info"
 Tag="pfx:activity"
 readTimeout="2"
 reopenOnTruncate="on"
 startmsg.regex="^[0-9]{4}-[0-9]{2}-[0-9]{2}"
 )

Some of the referenced files normally receive one or more entries every second.
Other referenced files grow very slowly, receiving maybe one or two entries a 
day.

We must be able to handle that some subset of the entries will be multi-line 
entries.
Every entry begins with a date stamp. We use the startmsg.regex capability to 
detect the date stamp at the start of a line so that imfile can correctly 
detect the start of a new record.
We expect that if no new line is added to any specific file within 2 seconds, then any existing 
line(s) of unprocessed data in that file can be considered a complete record, so we have configured 
the "readTimeout" to be "2".

What we expect is that after 2 seconds of no additional content being added to 
a file, the readTimeout timer will expire and the last line of that file will 
be considered a complete entry and be processed.
What we are actually seeing is that as long as ANY monitored file has new data 
added to it within 2 seconds, then no timer expires.

Because some files receive data every second, the last line in each slow 
growing files is not processed until hours, maybe days after it is written, 
when another entry is added and the date stamp on the new line matches the 
startmsg.regex.

When the software on the host is running normally, the continuous stream of log 
records being added to the frequently updated files prevents the readTimeout 
from ever occurring. This makes it appear as if the readTimeout never expires. 
I originally thought this was a recurrence of #1445 
(https://github.com/rsyslog/rsyslog/issues/1445), which was fixed in 8.28 by 
#1598 (https://github.com/rsyslog/rsyslog/pull/1598). Our version (8.2202.0) 
should contain that fix (I do see it in the release note history). However, the 
behavior is not exactly the same as described in #1445, because I can cause the 
final lines to be processed by stopping the processes that are generating the 
frequent log records. Once there are no new lines to process in any monitored 
file, then the readTimeout occurs and the final lines of the slow growing files 
are processed.

Is this the intended behavior? Am I misunderstanding the configuration of the 
imfile module? Is there any way to get the timeouts to occur on a file-by-file 
basis instead of requiring all of the monitored files to be unchanged for the 
readTimeout?

I really wish I could disable the multi-line handling entirely, but as you 
might guess, the reason we had to configure it this way is that some of the 
files are generated by software that is not under our control.
I would prefer not to try to write "dummy" records into the files from another process to 
push out the "straggler" final lines from the slow growing files. Even though they aren't 
written very often, I just know that someday the external process and the software we're trying to 
collect the data from will both try to write at nearly the same time and the result will be a 
mangled mix of the two records.

Thank you for any suggestions,

Russ Miranda
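Added example (not part of the post, and not imfile's code): a Python model of the two readTimeout behaviours Russ describes, the one he expects (a timer per file, running from that file's last line) and the one he observes (one timer, reset by a line in any file). The timeline is constructed: slow.log gets one two-line record and then nothing, fast.log gets a line every second, and the startmsg.regex is the one from his input() block. The emission times show why the slow file's record is stuck until every monitored file goes quiet.

```python
import re

# The post's startmsg.regex: a record begins with a YYYY-MM-DD date.
START_RE = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed timeline: (seconds since start, file, line).
EVENTS = [
    (0.0,  "slow.log", "2024-02-06 10:00:00 slow job finished"),
    (0.25, "slow.log", "    continuation line of the same record"),
    (0.5,  "fast.log", "2024-02-06 10:00:00 request 1"),
    (1.5,  "fast.log", "2024-02-06 10:00:01 request 2"),
    (2.5,  "fast.log", "2024-02-06 10:00:02 request 3"),
    (3.5,  "fast.log", "2024-02-06 10:00:03 request 4"),
    (4.5,  "fast.log", "2024-02-06 10:00:04 request 5"),
]


def assemble(events, read_timeout, per_file, t_end):
    """Multi-line record assembly with a readTimeout.

    per_file=True : each file's timer runs from its own last line (expected).
    per_file=False: one timer runs from the last line seen in ANY file (observed).
    Returns [(emit_time, file, record_text), ...] in emission order."""
    buffers = {}    # file -> lines of the record still being assembled
    last_seen = {}  # file -> time of its last line
    out = []

    def flush(fname, when):
        if buffers.get(fname):
            out.append((when, fname, "\n".join(buffers[fname])))
            buffers[fname] = []

    def expire(now):
        if per_file:
            for fname, last in last_seen.items():
                if last + read_timeout <= now:
                    flush(fname, last + read_timeout)
        elif last_seen:
            due = max(last_seen.values()) + read_timeout
            if due <= now:
                for fname in list(buffers):
                    flush(fname, due)

    for t, fname, line in events:
        expire(t)                       # timers that fired before this line
        if START_RE.match(line):
            flush(fname, t)             # a new record closes the previous one
        buffers.setdefault(fname, []).append(line)
        last_seen[fname] = t
    expire(t_end)                       # timers that fire after the last line
    return out


def emitted_at(results, fname):
    """Emission time of the first record from `fname`."""
    return next(t for t, f, _ in results if f == fname)


if __name__ == "__main__":
    for mode in (True, False):
        res = assemble(EVENTS, read_timeout=2, per_file=mode, t_end=10)
        print("per-file" if mode else "global  ",
              "slow.log record emitted at", emitted_at(res, "slow.log"))
```

With a per-file timer the slow record is complete at 2.25 s (its last line plus readTimeout); with a single global timer it waits until 6.5 s, two seconds after the last fast.log line, and in production that moment may not come for hours. The fast.log records are emitted identically in both modes, which is why the problem only shows on slow-growing files.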



[rsyslog] doc request

2024-02-05 Thread David Lang via rsyslog
As the docs are getting cleaned up, these three pages should either be combined 
or put close enough to each other that when you find one the other two are just 
a click away


https://www.rsyslog.com/doc/concepts/queues.html
https://www.rsyslog.com/doc/whitepapers/queues_analogy.html
https://www.rsyslog.com/doc/rainerscript/queue_parameters.html

Also, I don't know if it's possible, but if it's possible to keep the old links 
working (redirecting to the new locations for things) it would be good as there 
are links to rsyslog docs scattered in mailing list posts, stackoverflow 
discussions, etc. It doesn't require that everything be kept at 1:1 (for 
example, if two or three of the pages above end up getting combined, the link 
can just be to the combined page, it doesn't need to be to a specific portion of 
the page)


the idea is that existing links take you someplace close to relevant, not to a 
404 message.


David Lang


Re: [rsyslog] Rsyslog stop working when output destination (rabbitmq) is unavailable

2024-02-05 Thread David Lang via rsyslog
you have a queue of 1024 for rabbitmq, if there are more messages than that 
pending, other processing will stop until the queue can accept more messages. 
Setup a larger queue (potentially a disk assisted queue) to handle longer 
outages.


you may also want to consider configuring the queue to throw away messages if it 
gets too full.


David Lang

 On Mon, 5 Feb 2024, Alex via rsyslog wrote:


I have rsyslog (8.2310.0) in docker container from latest alpine image as a
syslog collector with forwarding to logstash.local and rabbitmq.local

Rsyslog stops working when rabbitmq is unavailable and work fine when
rabbitmq server is up

How to configure rsyslog to work when the destination is unavailable ?


module(load="omrabbitmq")
module(load="imptcp" threads="3")
input(type="imptcp" port="514" ruleset="syslogCollector")

template(
   name="json_syslog"
   type="list"
   option.json="on"
) {
   constant(value="{")
   constant(value="\"@timestamp\":\"")
property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"type\":\"syslog_json")
   constant(value="\",\"tag\":\"")
property(name="syslogtag" format="json")
   constant(value="\",\"relayhost\":\"") property(name="fromhost")
   constant(value="\",\"relayip\":\"")   property(name="fromhost-ip")
   constant(value="\",\"logsource\":\"") property(name="source")
   constant(value="\",\"hostname\":\"")  property(name="hostname"
caseconversion="lower")
   constant(value="\",\"program\":\"")   property(name="programname")
   constant(value="\",\"source\":\"")property(name="app-name"
caseConversion="lower" onEmpty="null")
   constant(value="\",\"priority\":\"")  property(name="pri")
   constant(value="\",\"severity\":\"")
property(name="syslogseverity" caseConversion="upper")
   constant(value="\",\"facility\":\"")  property(name="syslogfacility")
   constant(value="\",\"severity_label\":\"")
property(name="syslogseverity-text")
   constant(value="\",\"facility_label\":\"")
property(name="syslogfacility-text")
   constant(value="\",\"message\":\"")   property(name="msg" format="json")
   constant(value="\",\"end_msg\":\"")
   constant(value="\"}\n")
}

ruleset(
   name="syslogCollector"
) {
  @@elk.local:5000;json_syslog
  call send2mqtt
}

ruleset (
   name="send2mqtt"

   queue.type="LinkedList"
   queue.size="1024"
   queue.dequeueBatchSize="512"
   queue.filename="q_mqtt"
   queue.saveonshutdown="off"
   queue.highwatermark="450"
   queue.lowwatermark="50"

) {
   action(
   type="omrabbitmq"
   host="rabbitmq.local"
   verify_peer="off"
   verify_hostname="off"
   virtual_host="/"
   user="xxx"
   password="xxx"
   exchange="syslog"
   routing_key="messages"
   body_template="json_syslog"

   action.resumeRetryCount="0"
   action.reportSuspension="on"
   action.reportSuspensionContinuation="on"
   action.resumeInterval="10"
   )
}
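Added example (not from the thread, and not rsyslog's queue code): a Python model of the behaviour David explains above, the 1024-entry queue in front of a dead rabbitmq stalling everything else, together with the two remedies that come up in the thread: a larger queue, and Alex's later queue.timeoutEnqueue="0", which the model reduces to "discard when full". The message count and queue sizes are constructed; the OS TCP buffer David mentions in his 02-06 reply (which delays the stall) and the exact timeoutEnqueue timing are not modelled.

```python
from collections import deque


class ActionQueue:
    """A bounded action queue in front of one output.  discard_when_full
    stands in for queue.timeoutEnqueue="0"; consumer_alive=False models a
    destination that never acknowledges anything (rabbitmq down)."""

    def __init__(self, name, size, discard_when_full=False, consumer_alive=True):
        self.name = name
        self.size = size
        self.discard_when_full = discard_when_full
        self.consumer_alive = consumer_alive
        self.pending = deque()
        self.delivered = 0
        self.dropped = 0

    def enqueue(self, msg):
        """True if the producer can continue; False if it would block here."""
        if len(self.pending) >= self.size:
            if self.discard_when_full:
                self.dropped += 1
                return True
            return False
        self.pending.append(msg)
        return True

    def drain(self, batch):
        if not self.consumer_alive:
            return
        for _ in range(min(batch, len(self.pending))):
            self.pending.popleft()
            self.delivered += 1


def simulate(n_messages, rabbit_size, discard_when_full, batch=512):
    """One ruleset worker handing each message first to a rabbitmq action
    whose destination is down, then to a healthy local-file action."""
    rabbit = ActionQueue("omrabbitmq", size=rabbit_size,
                         discard_when_full=discard_when_full,
                         consumer_alive=False)
    local = ActionQueue("omfile", size=n_messages)
    blocked_after = None
    for i in range(n_messages):
        msg = f"msg-{i}"
        # The worker cannot move on until every action accepts the message:
        # a full, non-discarding queue stalls it, and with it everything
        # that would have followed, the local file included.
        if not rabbit.enqueue(msg):
            blocked_after = i
            break
        rabbit.drain(batch)      # no-op while the consumer is down
        local.enqueue(msg)
        local.drain(batch)
    return {
        "local_written": local.delivered,
        "rabbit_queued": len(rabbit.pending),
        "rabbit_dropped": rabbit.dropped,
        "blocked_after": blocked_after,
    }


if __name__ == "__main__":
    print("1024, block  :", simulate(5000, 1024, discard_when_full=False))
    print("1024, discard:", simulate(5000, 1024, discard_when_full=True))
    print("8192, block  :", simulate(5000, 8192, discard_when_full=False))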


Re: [rsyslog] Ubuntu 22.04 rsyslog client connection over RELP over TLS

2024-02-04 Thread David Lang via rsyslog
The error is very clear that rsyslog is not able to read the file, so either you 
have the wrong path, or there is a permission problem (classic/apparmor/selinux 
permissions)


If you enable debug logging and capture that, you can go through it looking for 
the error message and see exactly what it's trying to access (to make sure it's 
trying to access what you think it is)


David Lang


On Mon, 5 Feb 2024, Garry Allen wrote:


Thanks David
I have tried running it with rsyslogd -n as root but it gives the same error
message. I made sure before running it that the rsyslog service and the
syslog socket were stopped but it gives the same error. I should also say
that I have switched to openssl when the omrelp module is loaded. It
appears to be very similar to this question asked on stackoverflow at the
start of January
ubuntu with syslog with TLS and RELP certificate error
<https://stackoverflow.com/questions/1294/syslog-with-tls-and-relp-certificate-error-issues>
Garry


On Mon, Feb 5, 2024 at 3:49 PM David Lang  wrote:


on many systems, the permissions of a program started at boot are no longer
simple root (systemd is being configured to restrict the programs
significantly)

So I would suggest that you try starting rsyslog as root manually and see if
that avoids this error message. If so, then it's a difference in the
permissions when run as root vs when started at boot.

David Lang

On Mon, 5 Feb 2024, Garry Allen via rsyslog wrote:


I am trying to get Ubuntu 22.04 rsyslog clients to connect to a Red Hat 8.8
rsyslog server using RELP over TLS. The Red Hat server has been configured
using the guidelines supplied by Red Hat. Both client and server have
certificates issued by a common certificate authority. The Ubuntu client
is running apparmor. However the local apparmor config for rsyslog has been
updated to include the client certificate path with the root permission set
to r in the apparmor config.
I can do an openssl s_client -connect to the rsyslog server with the
CAfile, client certificate and key for the rsyslog client. When I attempt
to start the rsyslog service I am getting
"omrelp[server-FQDN:server port} error 'relpTcpInitTLS: Error CA
certificate could not be accessed. Is the file at the right path ? And do
we have the permissions?."

I have tried putting apparmor into complain mode and stopping the apparmor
service altogether. Neither had any effect.
Is it something to do with the hostname and subjectAltName. The machine
does have a FQDN rather than a short hostname but it looks like the
hostname used by rsyslog is the short Ubuntu hostname. I'm looking for
suggestions.
thanks
Garry








Re: [rsyslog] Ubuntu 22.04 rsyslog client connection over RELP over TLS

2024-02-04 Thread David Lang via rsyslog
on many systems, the permissions of a program started at boot are no longer 
simple root (systemd is being configured to restrict the programs 
significantly)


So I would suggest that you try starting rsyslog as root manually and see if 
that avoids this error message. If so, then it's a difference in the permissions 
when run as root vs when started at boot.


David Lang

On Mon, 5 Feb 2024, Garry Allen via rsyslog wrote:


I am trying to get Ubuntu 22.04 rsyslog clients to connect to a Red Hat 8.8
rsyslog server using RELP over TLS. The Red Hat server has been configured
using the guidelines supplied by Red Hat. Both client and server have
certificates issued by a common certificate authority. The Ubuntu client
is running apparmor. However the local apparmor config for rsyslog has been
updated to include the client certificate path with the root permission set
to r in the apparmor config.
I can do an openssl s_client -connect to the rsyslog server with the
CAfile, client certificate and key for the rsyslog client. When I attempt
to start the rsyslog service I am getting
"omrelp[server-FQDN:server port} error 'relpTcpInitTLS: Error CA
certificate could not be accessed. Is the file at the right path ? And do
we have the permissions?."

I have tried putting apparmor into complain mode and stopping the apparmor
service altogether. Neither had any effect.
Is it something to do with the hostname and subjectAltName? The machine
does have a FQDN rather than a short hostname but it looks like the
hostname used by rsyslog is the short Ubuntu hostname. I'm looking for
suggestions.
thanks
Garry

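An added diagnostic for the "CA certificate could not be accessed" error discussed in this thread (not code from the thread or from rsyslog): it tries to open and parse the CA file the way a TLS client would and reports which failure mode applies, and it shows the short-versus-FQDN hostname difference Garry asks about. CA_PATH is a constructed placeholder.

```python
import os
import socket
import ssl

# Constructed placeholder path; substitute the path from your omrelp config.
CA_PATH = "/etc/rsyslog.d/certs/ca.pem"


def check_ca_file(path):
    """Classify why a CA file is unusable: 'missing', 'unreadable',
    'invalid' (not a parseable PEM/DER bundle) or 'ok'."""
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path, "rb") as fh:
            fh.read(1)
    except PermissionError:
        # Root can read it, but the service (under apparmor or systemd
        # sandboxing) cannot: the boot-vs-manual-start difference above.
        return "unreadable"
    ctx = ssl.create_default_context()
    try:
        # Same parse a TLS library performs when loading the trust anchor.
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError:
        return "invalid"
    return "ok"


def hostname_report():
    """Short hostname vs. fully qualified name, so a mismatch against the
    server certificate's subjectAltName can be spotted quickly."""
    short = socket.gethostname()
    fqdn = socket.getfqdn()
    return {"short": short, "fqdn": fqdn, "differ": short != fqdn}


if __name__ == "__main__":
    print(CA_PATH, check_ca_file(CA_PATH))
    print(hostname_report())
```

Run it once as root and once as the service user (or via the unit's sandbox) to see whether the result flips from "ok" to "unreadable".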

Re: [rsyslog] Installing rsyslog/omhttp on Rocky linux 9

2024-01-23 Thread David Lang via rsyslog
the build instructions for how they are compiled are in the rsyslog git repos, 
different rpm based distros have different versions of packages on them that 
rsyslog depends on. If the wrong ones change in incompatible ways, it won't 
work.


If the Rocky devs are shipping rsyslog, see what their build options are and 
look at compiling rsyslog directly from source to get the latest version.


David Lang

On Tue, 23 Jan 2024, Kevin McKibbin via rsyslog wrote:


I used the following commands and it seems to have rsyslog running OK.

Do you think it's reasonably safe to use CentOS_8 RPMs installed on
Rocky_9. I don't have a good understanding of how the rpms are compiled or
how they are targeted for a particular linux distro.

# wget
https://download.opensuse.org/repositories/home:rgerhards/CentOS_8/home:rgerhards.repo
# yum remove rsyslog
# yum install rsyslog
# yum install rsyslog-omhttp
# rsyslogd -v
rsyslogd  8.2312.0 (aka 2023.12) compiled with:
   PLATFORM:   x86_64-redhat-linux-gnu
   PLATFORM (lsb_release -d):
   FEATURE_REGEXP: Yes
   GSSAPI Kerberos 5 support:  Yes
   FEATURE_DEBUG (debug build, slow code): No
   32bit Atomic operations supported:  Yes
   64bit Atomic operations supported:  Yes
   memory allocator:   system default
   Runtime Instrumentation (slow code):No
   uuid support:   Yes
   systemd support:Yes
   Config file:/etc/rsyslog.conf
   PID file:   /var/run/rsyslogd.pid
   Number of Bits in RainerScript integers: 64

See https://www.rsyslog.com for more information.
# yum list installed|grep syslog
rsyslog.x86_64          8.2312.0-3.1    @home_rgerhards
rsyslog-omhttp.x86_64   8.2312.0-3.1    @home_rgerhards

On Tue, 23 Jan 2024 at 07:22, Rainer Gerhards wrote:


I checked, but SuSe unfortunately does not provide the ability to
build for Rocky Linux.

Maybe you can give these ones a try:

https://www.rsyslog.com/rhelcentos-rpms/

I would appreciate it if you could report back your findings, whatever
they may be.

Rainer

On Mon, 22 Jan 2024 at 22:04, Kevin McKibbin via rsyslog () wrote:
>
> I have an older install on Centos 7 and I'm trying to install on Rocky
> linux 9.
>
> The older version is running on Centos 7:
> [root@localhost ~]# yum list installed|grep rsyslog
> rsyslog.x86_64          8.2204.0-3.1    @home_rgerhards
> rsyslog-omhttp.x86_64   8.2204.0-3.1    @home_rgerhards
>
> These were installed using these commands:
> [root@local rsyslog]# cd /etc/yum.repos.d/
> [root@local yum.repos.d]# wget --no-check-certificate https://download.opensuse.org/repositories/home:rgerhards/CentOS_7/home:rgerhards.repo
> [root@local yum.repos.d]#   yum install rsyslog-omhttp
>
>
> Is there a different repo URL that I can wget/load for Rocky_9?
>
> Kevin

Re: [rsyslog] New Doc Effort

2024-01-06 Thread David Lang via rsyslog

On Sat, 6 Jan 2024, Rainer Gerhards via rsyslog wrote:


Hi all,

thanks for the great feedback!

Any help is appreciated. I am actually looking for four kind of things
right now in regard to the core doc:

* how would a beginner's guide structure best be? What do we need to
describe for someone new to rsyslog and syslog?
* suggestions for restructuring the reference manual


I think in general, the per-module pages are fairly good. (listing each option, 
its defaults, the legacy format and a brief description)


I think we need to add (either as a link, or as a block) the options that are 
inherited (i.e. the things that every action has, queues, name, etc)


I think the other thing is to have multiple pages that link to the per-module 
pages, one in simple alpha order and one or more that do so by category


I think it would be good to bring back some of the legacy examples to the pages 
(they were purged a few revisions ago in an effort to encourage the new format, 
but that puts people in a bit of a bind when looking at old configs and 
understanding them)


the properties/variables pages need to be re-written. They are currently several 
pages based on how the variables/properties evolved in rsyslog, I think a 
re-write that starts off with an explanation that ignores that history and talks 
about how they are used (and then has a history section at the bottom or as a 
link) would be better



I'll comment more as I think of things

David Lang


* what would be good FAQ items?
* thinking about news-/blog-like content: what type of postings would
you like to see on rsyslog.com

As a side-note, we have run into an issue with our wordpress theme,
which is currently under evaluation: That's a show stopper for further
web site updates. I assume we'll solve that early next week.

Thanks again,
Rainer

On Fri, 5 Jan 2024 at 19:57, Johan Ryberg () wrote:


Wonderful! It was hard to navigate and I think I had to reach out for help a 
couple of times just because of the documentation.

You will benefit from this in the end 😀

Best regards Johan Ryberg

On Thu, 4 Jan 2024 18:01, Peter Portante via rsyslog wrote:


On Thu, Jan 4, 2024 at 11:31 AM Rainer Gerhards via rsyslog
 wrote:
>
> Hi all,
>
> happy new year to everyone!
>
> I think I have some good news. I have initiated a new project to
> enhance doc and rsyslog website. Initial announcement is here:
>
> https://www.rsyslog.com/improving-the-rsyslog-documentation/

Happy New Year!

This is great news!

-Peter

>
> More details follow in further postings. As you may guess, some
> generative AI will be involved. I tested it in regard to doc writing
> etc the past weeks and there are good results. But there is a lot to
> tell, and this is a topic for upcoming postings. Just so that you
> know: I do not intend to let it automatically generate the doc - that
> would fail miserably. :-)
>
> Rainer

Re: [rsyslog] Syslog configuration issues

2024-01-03 Thread David Lang via rsyslog
the error messages you are posting say you are running an amazon-modified 
version of 8.24


rsyslogd: version 8.24.0-57.amzn2.2.0.2, config validation run (level 1), 
master config /etc/rsyslog.conf

RedHat (which amazon linux is a fork of) used 8.24 on redhat 7 (released in June 
2014), RedHat (and possibly Amazon) backport some fixes from later versions, but 
the encryption changes are far more drastic than the type of thing they normally 
backport


RedHat is currently on version 9 (released may 2022) and version 7 is hitting 
their official 'extended support' (aka 'you really should be off of it by now') 
in a few months.


So updating the ami that you are using from amazon linux 7 to amazon linux 9 
will update a LOT of things, not just rsyslog.


If you thought you were running rsyslog 8.2312 (aka the 2023 December release) then 
the update to that version did not happen as you expected


rsyslog versions were 8.n up until about 8.36 and then moved to the date based 
number scheme.


David Lang


On Wed, 3 Jan 2024, Karan Parmar wrote:


Date: Wed, 3 Jan 2024 20:33:06 +
From: Karan Parmar 
To: David Lang ,
Karan Parmar via rsyslog 
Cc: Karan Parmar 
Subject: Re: [rsyslog] Syslog configuration issues

Hello David,

Thanks a lot for your response.

On the rsyslog website, I see that this is the latest version:

[inline screenshot of the rsyslog website's version listing; image not preserved]

Could you please elaborate what you are talking about?
I would really appreciate it.

Regards,
Karan Parmar

From: David Lang 
Date: Wednesday, January 3, 2024 at 3:27 PM
To: Karan Parmar via rsyslog 
Cc: Karan Parmar , Karan Parmar 

Subject: Re: [rsyslog] Syslog configuration issues


This looks to me like it's a problem with the library, not with the ca cert

also, rsyslog 8.24 is very old, and there have been a lot of improvements since,
especially related to TLS connections.

based on the package name, I would guess this is an amazon AWS image, and you
should look to update to a more current one to update not only rsyslog, but a
lot of other things on the system.

David Lang

On Wed, 3 Jan 2024, Karan Parmar via rsyslog wrote:


Date: Wed, 3 Jan 2024 15:06:24 -0500
From: Karan Parmar via rsyslog 
To: rsyslog@lists.adiscon.com
Cc: Karan Parmar ,
Karan Parmar 
Subject: [rsyslog] Syslog configuration issues

Hello There,

Happy New year!

I am trying to setup rsyslog to receive messages from a client but they keep on 
seeing the below error message on their side:

TCPSendInit FAILED with -2078.

I double-checked everything but could not find any specific issue.
This is the message I get when I verify the certificate:

[root@vlawsappianprep certs]# openssl verify -CAfile 
DigiCertIntermedCA_rootCA.crt vlawsappianprep_mfsadmin_com.crt 
vlawsappianprep_mfsadmin_com.crt: OK

Please see below the version I am using:

[root@vlawsappianprep bin]# rsyslogd -v
rsyslogd 8.24.0-57.amzn2.2.0.2

I am attaching the rsyslog configuration to this email and can confirm that the 
certificate files are in the place where I have specified in the configuration.

Also, just wanted to show this message I am getting when I verify the syslog 
configuration:

[root@vlawsappianprep openssl]# rsyslogd -N 1
rsyslogd: version 8.24.0-57.amzn2.2.0.2, config validation run (level 1), 
master config /etc/rsyslog.conf
rsyslogd: error: ca certificate is not set, cannot continue [v8.24.0-57.amzn2.2.0.2 try 
http://www.rsyslog.com/e/2329 ]
rsyslogd: could not load module '/usr/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2329  
[v8.24.0-57.amzn2.2.0.2 try http://www.rsyslog.com/e/2068 ]
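An added example (not code from the thread or from rsyslog) that turns David Lang's point about the two numbering schemes into a check a fleet owner can run over `rsyslogd -v` output: legacy 8.n releases up to about 8.36, then the date-based 8.YYMM.patch scheme. The version strings in the test are the ones quoted in this thread; the threshold of four-digit minor numbers for the date scheme is an assumption.

```python
import re

# First "major.minor.patch" with an optional "-distro-release" suffix, so
# "rsyslogd 8.24.0-57.amzn2.2.0.2" and "8.2312.0 (aka 2023.12)" both match.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\S+))?")


def parse_rsyslog_version(text):
    """Parse an rsyslogd -v line into its parts and numbering scheme."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    info = {"major": major, "minor": minor, "patch": patch,
            "distro_release": m.group(4)}
    if minor >= 1000:
        # Assumed rule: a four-digit minor is YYMM, e.g. 2312 -> Dec 2023.
        info["scheme"] = "date"
        info["year"] = 2000 + minor // 100
        info["month"] = minor % 100
    else:
        # 8.n style; any such build predates every date-scheme release.
        info["scheme"] = "legacy"
        info["year"] = info["month"] = None
    return info


def is_at_least(text, year, month):
    """True only for date-scheme releases from year/month onwards."""
    v = parse_rsyslog_version(text)
    if v["scheme"] != "date":
        return False
    return (v["year"], v["month"]) >= (year, month)
```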