[rsyslog] SELinux woes

2016-12-27 Thread Alec Swan via rsyslog
Hi there, I spent a couple of hours trying to figure out why rsyslog was not sending my logs to elasticsearch just to find out that SELinux was blocking it. So, "setsebool -P nis_enabled 1" fixed that problem. At this point rsyslog is sending logs to ES but I see other selinux errors in /var/log/

[rsyslog] Send logs in JSON format to Elasticsearch

2017-02-22 Thread Alec Swan via rsyslog
Hi there, We've been using liblognorm templates to parse log files and send their content to Elasticsearch as JSON. At this point we need to parse logs that are already in JSON format. So, I am wondering if there is a way to write a liblognorm template that would create a JSON object from each lo

Re: [rsyslog] Send logs in JSON format to Elasticsearch

2017-02-23 Thread Alec Swan via rsyslog
For some reason I stopped receiving emails from the mailing list even though I can see them in the archive. In response to Dave and Mostolog, each log line is a valid JSON and I would really prefer to only rely on liblognorm for parsing and not depend on mmjsonparse. Besides reluctance of installi

[rsyslog] rsyslog crash with "trap divide error ip"

2017-03-03 Thread Alec Swan via rsyslog
Hi there, I am using rsyslog 8.21.0 on CentOS 6.6 and running into the same problem that was reported by Sury Bu on Feb 3 2016 with 8.15.0. Unfortunately, the forum won't send me activation e-mail after multiple attempts, so I am posting the errors h

Re: [rsyslog] rsyslog crash with "trap divide error ip"

2017-03-03 Thread Alec Swan via rsyslog
No, it's not clear how to reproduce this. It happened at different times on different VMs. Thanks, Alec On Fri, Mar 3, 2017 at 8:56 AM, Rainer Gerhards wrote: > Can you reproduce this? > > Sent from phone, thus brief. > > Am 03.03.2017 16:48 schrieb "Alec Swan

Re: [rsyslog] rsyslog crash with "trap divide error ip"

2017-03-03 Thread Alec Swan via rsyslog
ght at the problem spot... > > Rainer > >> Thanks, >> >> Alec >> >> On Fri, Mar 3, 2017 at 8:56 AM, Rainer Gerhards > > wrote: >> >>> Can you reproduce this? >>> >>> Sent from phone, thus brief. >>> >>>

[rsyslog] omelasticsearch queue not respecting queue.maxdiskspace

2017-03-07 Thread Alec Swan via rsyslog
Hello, I noticed that rsyslog wrote over 8GB in omelasticsearch-queue.xxx files (each file is 101MB in size) when Elasticsearch server was down even though I have queue.maxdiskspace="1g" setting on the two omelasticsearch actions I am using (see below). Am I missing some other setting or is this a

Re: [rsyslog] omelasticsearch queue not respecting queue.maxdiskspace

2017-03-08 Thread Alec Swan via rsyslog
used by a previous queue corruption, which left over some > (unused) queue files. That happened especially with versions prior to > 8.24.0 (8.25 is still preferable, as it contains more queue robustness > improvements). > > Rainer > > 2017-03-08 0:51 GMT+01:00 David Lang :

Re: [rsyslog] omelasticsearch queue not respecting queue.maxdiskspace

2017-03-09 Thread Alec Swan via rsyslog
search, to >> enforce maxdiskspace requirement or is it built in the generic queue >> management code? >> > > That's generic code, the plugin doesn't even know what kind of queue is > used. > > Rainer > >> >> Thanks, >> >> Ale

[rsyslog] Packages obsoleted by rsyslog

2018-04-21 Thread Alec Swan via rsyslog
Hello, I am in the process of upgrading some of our CentOS 7 instances to rsyslog 8.34.0 (partially because I can't find rsyslog-mmutf8fix-8.24.0-12.el7 anywhere). We use a private Yum repo and I need to upload rsyslog and its dependent packages to that repo. The problem is that the new versions

Re: [rsyslog] Packages obsoleted by rsyslog

2018-04-21 Thread Alec Swan via rsyslog
looking for folks > interested in helping with the packaging. We are not good at it, but so far > the overall mood was it is better to have not-so-great packages vs none... > > Rainer > > Sent from phone, thus brief. > > Alec Swan via rsyslog schrieb am Sa., 21. > Apr. 2018, 17:

Re: [rsyslog] Packages obsoleted by rsyslog

2018-04-23 Thread Alec Swan via rsyslog
-centos in github). Thanks, Alec On Sat, Apr 21, 2018 at 3:29 PM, David Lang wrote: > On Sat, 21 Apr 2018, Alec Swan via rsyslog wrote: > > We use a private Yum repo and I need to upload rsyslog and its dependent >> packages to that repo. The problem is that the new vers

[rsyslog] mmnormalize, liblognorm and partial json

2018-08-09 Thread Alec Swan via rsyslog
Hello, We are currently using rsyslog 8.34.0 with liblognorm 2.0.2 and it's been working fine until one of our log formats changed from a custom key-value tab-delimited format to the json format. Once that happened I changed the liblognorm rule to a simple "rule=:%.:json%" but it's failing to pars

Re: [rsyslog] mmnormalize, liblognorm and partial json

2018-08-09 Thread Alec Swan via rsyslog
I realized that I had startmsg.regex setting left in the config file which matched the timestamp from the old format and hence was failing to match one json per line format. Sorry for the false alarm - user error :) Thanks, Alec On Thu, Aug 9, 2018 at 5:06 PM, Alec Swan wrote: > Hello, > > We

Re: [rsyslog] mmnormalize, liblognorm and partial json

2018-08-14 Thread Alec Swan via rsyslog
Thanks for pointing this out, David. Alec On Thu, Aug 9, 2018 at 6:29 PM David Lang wrote: > The other common cause is that you need to parse on rawmsg instead of the > default of msg > > David Lang