Re: [rsyslog] omelasticsearch queue not respecting queue.maxdiskspace

This may be caused by a previous queue corruption, which left over some (unused) queue files. That happened especially with versions prior to 8.24.0 (8.25 is still preferrable, as it contains more queue robustness improvements). Rainer 2017-03-08 0:51 GMT+01:00 David Lang : > On Tue, 7 Mar 2017,

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On 2017-03-08 13:16, David Lang wrote: It doesn't add "$date $hostname $programname" anymore - but instead, it adds a single space at the beginning of each line. Not sure where the space is coming from? the space is part of the $msg variable. in the last release there was a mm module added th

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On Wed, 8 Mar 2017, Tomasz Chmielewski via rsyslog wrote: On 2017-03-08 12:53, Tomasz Chmielewski via rsyslog wrote: On 2017-03-08 12:47, Tomasz Chmielewski via rsyslog wrote: If I use this - everything gets to /var/log/syslog (with $date $hostname $programname added): template (name="RemoteM

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On Wed, 8 Mar 2017, Tomasz Chmielewski wrote: On 2017-03-08 12:47, Tomasz Chmielewski via rsyslog wrote: If I use this - everything gets to /var/log/syslog (with $date $hostname $programname added): template (name="RemoteMessage" type="string" string="%msg%\\n") template mypath="/var/log/remot

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On 2017-03-08 12:53, Tomasz Chmielewski via rsyslog wrote: On 2017-03-08 12:47, Tomasz Chmielewski via rsyslog wrote: If I use this - everything gets to /var/log/syslog (with $date $hostname $programname added): template (name="RemoteMessage" type="string" string="%msg%\\n") template mypath="/v

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On 2017-03-08 12:47, Tomasz Chmielewski via rsyslog wrote: If I use this - everything gets to /var/log/syslog (with $date $hostname $programname added): template (name="RemoteMessage" type="string" string="%msg%\\n") template mypath="/var/log/remote/%$year%-%$month%-%$day%/%hostname%/%programnam

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On 2017-03-08 12:36, David Lang wrote: This one doesn't do what I want: template (name="RemoteMessage" type="string" string="%msg%\\n") if ($hostname != 'log01') then action(type="omfile" file="/var/log/remote/%$year%-%$month%-%$day%/%hostname%/%programname%");RemoteMessage this can't be do

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On Wed, 8 Mar 2017, Tomasz Chmielewski wrote: On 2017-03-08 12:23, David Lang wrote: On Wed, 8 Mar 2017, Tomasz Chmielewski via rsyslog wrote: 2017-03-08T02:51:54.582+ I CONTROL [initandlisten] db version v3.2.12 Then it ends up as: Mar 8 02:52:57 db01-some-domain-com mongod.log 201

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On 2017-03-08 12:23, David Lang wrote: On Wed, 8 Mar 2017, Tomasz Chmielewski via rsyslog wrote: 2017-03-08T02:51:54.582+ I CONTROL [initandlisten] db version v3.2.12 Then it ends up as: Mar 8 02:52:57 db01-some-domain-com mongod.log 2017-03-08T02:51:54.582+ I CONTROL [initandli

Re: [rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

On Wed, 8 Mar 2017, Tomasz Chmielewski via rsyslog wrote: 2017-03-08T02:51:54.582+ I CONTROL [initandlisten] db version v3.2.12 Then it ends up as: Mar 8 02:52:57 db01-some-domain-com mongod.log 2017-03-08T02:51:54.582+ I CONTROL [initandlisten] db version v3.2.12 Date, hostnam

[rsyslog] remote syslog - getting rid of "$date $hostname $programname" from logs accepted from remote?

My rsyslog accepting data from remote is configured as follows: $FileCreateMode 0644 # provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514") $template REMOTE,"/var/log/remote/%$year%-%$month%-%$day%/%hostname%/%programname%" if ($hostname != 'log01') then ?REMOTE

Re: [rsyslog] omelasticsearch queue not respecting queue.maxdiskspace

On Tue, 7 Mar 2017, Alec Swan via rsyslog wrote: Hello, I noticed that rsyslog wrote over 8GB in omelasticsearch-queue.xxx files (each file is 101MB in size) when Elasticsearch server was down even though I have queue.maxdiskspace="1g" setting on the two omelasticsearch actions I am using (see

[rsyslog] omelasticsearch queue not respecting queue.maxdiskspace

Hello, I noticed that rsyslog wrote over 8GB in omelasticsearch-queue.xxx files (each file is 101MB in size) when Elasticsearch server was down even though I have queue.maxdiskspace="1g" setting on the two omelasticsearch actions I am using (see below). Am I missing some other setting or is this a