Mailing List Archive

(no subject)
Hello,

I've found on-line claims that rsyslog can be compiled (and maybe even
runs ok?) on HP-UX.

However, I've not found too much information about this, so I'd like to
ask: has anyone been able to compile (and run) rsyslog 3.20.2 on HP-UX 11?

If so, does it need patching? What packages are required to build it
successfully? (only HP software or gcc + gnu tools?)

I'm asking because a colleague briefly attempted to configure the package
on hpux UX11.11, and configure ended with
> checking for pthread.h... yes
> checking for pthread_create in -lpthread... no

Any success stories out there?

Thanks!
Pieter

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: (no subject)
> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Ole.Rahn@t-systems.com
> Sent: Friday, April 01, 2011 3:10 PM
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] (no subject)
>
> Hi,
>
> I am just starting to use rsyslog in a quite big network and in a quite complex
> environment.
>
> I would like several network elements to send their logs to a central server.
> *Some* messages (containing confidential information) should be encrypted
> via TLS, some should not be encrypted, but should be sent through plain TCP
> (for a certain level of reliability), in order to lower the cpu load on the
> network node.
>
> I have been looking through the documentation, but could not come to a clear
> picture, e.g. this article (from 2008, see "Limitations") says that neither
> network elements are authenticated, nor can TLS and plain TCP be mixed
> within one server instance.
> http://www.rsyslog.com/doc/rsyslog_tls.html
>
> Both limitations are said to be fixed, soon (since the article was written in
> 2008, I guess "soon" is already a few years in the past).

Thanks for spotting this. Authentication is available since long. I think
there is a restriction in regard to multiple listeners and/or forwarders, but
I have no time at the moment to check this (paid work eating up time ;)). I'd
suggest just to give it a try. If it doesn't work, the code is designed to do
that, so you may be able to create a patch to enable it with relatively
little effort.

>
> While the limitation in regard to the authentication does not seem to exist
> anymore (http://www.rsyslog.com/doc/ns_gtls.html), I could not find
> information about the other one.
>
> That is why I would like to ask:
>
> * Can rsyslog listen to plain TCP and TLS-encrypted messages at the same
> time?
>
> * Does that require multiple instances?
>
> o If yes: Is there any guide how to setup multiple instances?

I don't think so, but it is common sense: make sure you do not use the same
pid files, input ports, local log sockets etc -- nothing very rsyslog
specific.

>
> o if no: Do I need 2 separate TCP ports or can rsyslog "magically" distinguish
> plain TCP from TLS traffic on one port?

You definitely need two different listeners.

There is also a much more elaborate TLS guide available at

http://www.rsyslog.com/doc/rsyslog_secure_tls.html

This is the guide the other paper at its top recommends to read ;)

Rainer
>
> I would be glad for feedback or other hints how to implement this setup.
>
> Best regards
> Ole
Re: (no subject)
Thank you for the very quick response!
I will give it a try then...

Ole
Re: (no subject)
I am not seeing anything in your config file to read data from output.txt

Instead, I see you specifying it as a directory name for rsyslog to use for
various scratch files.

You need to look at the imfile configuration if you want to read the file.

However a better way to get data from SEC to syslog is to use the udp output
mode in the latest SEC to send the logs directly to SEC instead of writing them
to a file and then having rsyslog poll that file.

David Lang

On Fri, 7 Jun 2013, termo meter wrote:

> Date: Fri, 7 Jun 2013 18:26:56 +0800 (SGT)
> From: termo meter <termo_meter@yahoo.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] (no subject)
>
> Hi All,
>
> I'm new to rsyslog.
>
> What I try to do: I set up 2 rsyslog servers, rsyslog1 and rsyslog2.
>
> My firewall logs forward to rsyslog1 using syslog udp514; I manage to receive the logs at rsyslog1.
>
> At rsyslog1, I do some log correlation. The result is output to file "output.txt".
>
> I want to forward the result to rsyslog2.
>
> But till now I am unable to receive logs at rsyslog2.
>
> Here is my rsyslog.conf file.
>
> Code:
> root@ubuntu:/etc# more rsyslog.conf
>
> $ModLoad imuxsock # provides support for local system logging
> $WorkDirectory /home/rsyslog/sec-2.7.2/output.txt
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark # provides --MARK-- message capability
>
> # provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 514
>
> # provides TCP syslog reception
> #$ModLoad imtcp
> #$InputTCPServerRun 514
>
> ##########################
> #### GLOBAL DIRECTIVES ####
> ###########################
>
> #
> # Use traditional timestamp format.
> # To enable high precision timestamps, comment out the following line.
> #
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # Filter duplicated messages
> #$RepeatedMsgReduction on
>
> #
> # Set the default permissions for all log files.
> #
> $FileOwner adm
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
> $Umask 0022
> $PrivDropToUser adm
> $PrivDropToGroup adm
>
> #
> # Where to place spool files
> #
> $ActionQueueType LinkedList # use asynchronous processing
> $ActionQueueFileName srvrfwd # set file name, also enables disk mode
> $ActionResumeRetryCount -1 # infinite retries on insert failure
> $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
> *.* @@192.168.0.124:514
> #
> # Include all config files in /etc/rsyslog.d/
> #
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> Thanks.
>
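An added example (not from the thread or the rsyslog project) of the imfile setup the reply above points to, written in the legacy directive syntax of the posted config. The spool path, tag, state-file name and the local5 facility are assumptions, and 192.168.0.124 is taken to be rsyslog2.

```conf
# ---- rsyslog1 (added example; legacy directive syntax as in the posted config) ----

# Work directory: a directory rsyslog can write spool and state files to,
# not the data file itself. /var/spool/rsyslog is an assumed path.
$WorkDirectory /var/spool/rsyslog

# Read the SEC result file with imfile.
# The posted config drops privileges ($PrivDropToUser adm / $PrivDropToGroup adm),
# so adm must be able to read output.txt and write to the work directory.
$ModLoad imfile
$InputFileName /home/rsyslog/sec-2.7.2/output.txt
# Tag, state file, severity and facility are assumed values.
$InputFileTag sec-correlation:
$InputFileStateFile sec-output-state
$InputFileSeverity info
$InputFileFacility local5
$InputRunFileMonitor

# Forward only the correlation results to rsyslog2 over TCP (@@),
# keeping the disk-assisted queue settings from the posted config.
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
local5.* @@192.168.0.124:514

# ---- rsyslog2 (assumed to be 192.168.0.124) ----
# "@@" sends over TCP, so the receiver needs a TCP listener on the same port;
# a UDP-only listener ($UDPServerRun 514) will not see these messages.
$ModLoad imtcp
$InputTCPServerRun 514
```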
Re: (no subject)
Thank you David, where exactly do I need to start rsyslog with -x? From the init.d/rsyslog or the sysconfig/rsyslog?

start() {
    [ -x $exec ] || exit 5

    umask 077

    echo -n $"Starting system logger: "
    # daemon --pidfile="$PIDFILE" $exec -x -i "$PIDFILE" $SYSLOGD_OPTIONS
    daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

When I do it from init.d/rsyslog and I de-comment the daemon line and run -x from there, no logs are written?

----- Original Message -----
From: David Lang
Sent: 08/30/13 03:47 PM
To: rsyslog-users
Subject: Re: [rsyslog] (no subject)

If things are working most of the time, but occasionally you are seeing lots of dropped messages, I would be looking at DNS issues.

One of the big reasons to disable DNS lookups on UDP rsyslog servers is that DNS can take an unknown amount of time to resolve (up to several seconds), and during that time, additional new messages cannot be processed. If you don't have insanely large buffers set up in the OS, this will cause you to lose messages.

Try starting rsyslog with -x (to disable DNS lookups) and see if you still have the problem.

What version are you running? You should upgrade to 7.x and see if the problem remains (lots of improvements, including a DNS cache compared to 5.x and earlier).

David Lang

On Fri, 30 Aug 2013, Robert Ortiz wrote:

> Hey guys,
>
> So currently I'm running a load of 50K mps and mostly retaining logs there are random seconds where I drop 20K+ messages, I wanted to run rsyslog in debug mode, and I wanted to run this:
>
> "RSYSLOG_DEBUGLOG" (sample: RSYSLOG_DEBUGLOG="/path/to/debuglog/")
>
> with this " LogFuncFlow"
>
> But I am not sure where to do this from? Do I need to put this on the .conf file or is this something that needs to be created?
>
> Sorry I don't understand the instructions on the debugging site
>
> Thanks
>
> Currently this is my .conf file:
>
> #### MODULES ####
>
> #module(load="imuxsock") # needs to be done just once Robert 8-9-13
> #SysSock.FlowControl=(:"on") # enable flow control (use if needed) Robert 8-9-13
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
>
> #module(load="imklog")
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> $ModLoad immark # provides --MARK-- message capability
>
> # Provides UDP syslog reception
> #module(load="imudp") # needs to be done just once Robert 8-9-13
> #input(type="imudp" port="514") # Robert 8-9-13
> $ModLoad imudp
> $UDPServerRun 514
> #$UDPServerTimeRequery 1000000
>
> #### GLOBAL DIRECTIVES ####
>
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # File syncing capability is disabled by default. This feature is usually not required,
> # not useful and an extreme performance hit
> #$ActionFileEnableSync on
>
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> # Set Buffer Size - default is 4k
> #$OMFileIOBufferSize 128k # - Gil 06/06/13
> #$OMFileAsyncWriting on
> #$OMFileFlushOnTXEnd off
> #$OMFileFlushInterval 30
> #$OMFileZipLevel 9
> $OMFileIOBufferSize 256k
>
> #Turn on Main Ruleset Robert 8-20-13
> #$RulesetCreateMainQueue on
>
> # Set Main Message Queue Size - default is 10000
>
> $MainMsgQueueSize 200000 # Robert 8-9-13
>
> #### RULES ####
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.*
> # /dev/console
>
> #Specific ruleset for remote messages
> #$Ruleset <name>
>
> #*.* /var/log/test/f_all #Robert 8-21-13
> #Module (load="builtin:omfile")
> #*.* action(type="omfile"
> # DirCreateMode="0700"
> # FileCreateMode="0644"
> # File="/var/log/test/alllogs")
>
> #switch back to default ruleset
> #$Ruleset RSYSLOG DefaultRuleset
>
> # Begin action Robert 8-20-13
> # $ActionOmrulesetRulesetName somename
>
> :hostname, contains, "pdc" /var/log/test/f_ad
> :hostname, contains, "fdfw" /var/log/test/f_fw
> :hostname, contains, "mail" /var/log/test/f_mail
> :hostname, contains, "networks" /var/log/test/f_networks
> :hostname, contains, "shib" /var/log/test/f_shib
> :hostname, contains, "rout" /var/log/test/f_router
> :hostname, contains, "vm" /var/log/test/f_vm
> :hostname, contains, "pix" /var/log/test/f_pix
>
> #if $hostname contains 'pdc' then /var/log/test/f_ad
> #& ~
> #if $hostname contains 'fdfw' then /var/log/test/f_fw
> #& ~
> #if $hostname contains 'networks' then /var/log/test/f_networks
> #& ~
> #if $hostname contains 'shib' then /var/log/test/f_shib
> #& ~
> #if $hostname contains 'mail' then /var/log/test/f_mail
> #& ~
> #if $hostname contains 'vm' then /var/log/test/f_vm
> #& ~
> #if $hostname contains 'pix' then /var/log/test/f_pix
> #& ~
> #if $hostname contains 'rout' then /var/log/test/f_router
> #& ~
>
> #if $hostname startswith 'sws' then /var/log/test/f_networks
> #& ~
> #if $fromhost-ip == '10.0.0.10' then /var/log/test/test_fromhost
> #& ~
> #if $hostname == 'swserv1.networks' then /var/log/test/test_swserv1
> #&~
> #if $hostname startswith 'virtserv' then /var/log/test/test_virtserv
> #&~
> #if $hostname contains 'virtserv' then /var/log/test/test_virtserv1
> #& ~
> #if $fromhost-ip startswith '10.0.6' then /var/log/test/test_10.0.6
> #& ~
> #if $fromhost-ip startswith '10.0.7.' then /var/log/test/test_10.0.7_virtserv
> #& ~
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> #*.info;mail.none;authpriv.none;cron.none /var/log/messages
> *.debug /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
>
> # Log cron stuff
> cron.* /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> # ### begin forwarding rule ###
> # The statement between the begin ... end define a SINGLE forwarding
> # rule. They belong together, do NOT split them. If you create multiple
> # forwarding rules, duplicate the whole block!
> # Remote Logging (we use TCP for reliable delivery)
> #
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> #$WorkDirectory /var/lib/rsyslog # where to place spool files
> #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
> #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> #$ActionQueueType LinkedList # run asynchronously
> #$ActionResumeRetryCount -1 # infinite retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> #*.* @@remote-host:514
> # ### end of the forwarding rule ###
>
> Robert.





Robert.
Re: (no subject)
the right thing is to find where $SYSLOGD_OPTIONS is defined and add -x to that

however, in this case, the line that's commented out has the -x on it, just
switch which line is commented out should work

If you are still having problems, try and start it manually

just doing rsyslogd -x will probably get you a running rsyslog

you can get debug output by doing rsyslog -x -dn, but that produces a LOT of
output and significantly slows rsyslog down.

David Lang

On Fri, 30 Aug 2013, Robert Ortiz wrote:

> Thank you David, where exactly do I need to start rsyslog with -x? from the init.d/rsyslog or the sysconfig/rsyslog ?
>
> start() {
> [ -x $exec ] || exit 5
>
> umask 077
>
> echo -n $"Starting system logger: "
> # daemon --pidfile="$PIDFILE" $exec -x -i "$PIDFILE" $SYSLOGD_OPTIONS
> daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
> RETVAL=$?
> echo
> [ $RETVAL -eq 0 ] && touch $lockfile
> return $RETVAL
> }
> When I do it from init.d/rsyslog and I de-comment the daemon line and run -x from there , no logs are written?
Re: (no subject)
I think my syslogd options are on


/etc/sysconfig/rsyslog:


# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"
/etc/sysconfig/rsyslog (END)


So I will add it to "= -c 5 -x"


also when I run :
$ sudo rsyslogd -x
$ sudo service rsyslog status
rsyslogd (pid 35610) is running...
$ ls
f_ad f_fw f_mail f_networks f_pix f_router f_shib f_vm
$ sudo tail f_fw
$

It starts the daemon without dns enabled, and it created the files but it doesn't actually write anything to the files?

I have a local hosts file that has a list of all the hostnames that will be sending the server messages but it doesn't seem to read it?





Robert.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: (no subject) [ In reply to ]
did you remember to shutdown the copy started by the system first?

David Lang
On Fri, 30 Aug 2013, Robert Ortiz wrote:

> Date: Fri, 30 Aug 2013 16:38:53 -0400
> From: Robert Ortiz <rortiz@gmx.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] (no subject)
>
> I think my syslogd options are on
>
>
> /etc/sysconfig/rsyslog:
>
>
> # Options for rsyslogd
> # Syslogd options are deprecated since rsyslog v3.
> # If you want to use them, switch to compatibility mode 2 by "-c 2"
> # See rsyslogd(8) for more details
> SYSLOGD_OPTIONS="-c 5"
> /etc/sysconfig/rsyslog (END)
>
>
> So I will add it to "= -c 5 -x"
>
>
> also when I run :
> $ sudo rsyslogd -x
> $ sudo service rsyslog status
> rsyslogd (pid 35610) is running...
> $ ls
> f_ad f_fw f_mail f_networks f_pix f_router f_shib f_vm
> $ sudo tail f_fw
> $
>
> It starts the daemon without dns enabled, and it created the files but it doesn't actually write anything to the files?
>
> I have a local hosts file that has a list of all the hostnames that will be sending the server messages but it doesn't seem to read it?
> ----- Original Message -----
> From: David Lang
> Sent: 08/30/13 04:21 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] (no subject)
>
> the right thing is to find where $SYSLOGD_OPTIONS is defined and add -x to that
>
> however, in this case, the line that's commented out has the -x on it, just switch which line is commented out should work
>
> If you are still having problems, try and start it manually
>
> just doing rsyslogd -x will probably get you a running rsyslog
>
> you can get debug output by doing rsyslog -x -dn, but that produces a LOT of output and significantly slows rsyslog down.
>
> David Lang
>
> On Fri, 30 Aug 2013, Robert Ortiz wrote:
>
> > Thank you David, where exactly do I need to start rsyslog with -x? from the init.d/rsyslog or the sysconfig/rsyslog ?
> >
> > start() {
> > [ -x $exec ] || exit 5
> >
> > umask 077
> >
> > echo -n $"Starting system logger: "
> > # daemon --pidfile="$PIDFILE" $exec -x -i "$PIDFILE" $SYSLOGD_OPTIONS
> > daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
> > RETVAL=$?
> > echo
> > [ $RETVAL -eq 0 ] && touch $lockfile
> > return $RETVAL
> > }
> > When I do it from init.d/rsyslog and I de-comment the daemon line and run -x from there , no logs are written?
> > ----- Original Message -----
> > From: David Lang
> > Sent: 08/30/13 03:47 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] (no subject)
> >
> > If things are working most of the time, but occasionally you are seeing lots of dropped messages, I would be looking at DNS issues.
> >
> > One of the big reasons to disable DNS lookups on UDP rsyslog servers is that DNS can take an unknown amount of time to resolve (up to several seconds), and during that time, additional new messages cannot be processed, if you don't have insanely large buffers setup in the OS, this will cause you to lose messages.
> >
> > Try starting rsyslog with -x (to disable DNS lookups) and see if you still have the problem
> >
> > what version are you running? you should upgrade to 7.x and see if the problem remains (lots of improvements, including a DNS cache compared to 5.x and earlier)
> >
> > David Lang
> >
> > On Fri, 30 Aug 2013, Robert Ortiz wrote:
> >
> > Hey guys,
> >
> > So currently I'm running a load of 50K mps and mostly retaining logs there are random seconds where I drop 20K+ messages, I wanted to run rsyslog in debug mode, and I wanted to run this:
> >
> >
> > "RSYSLOG_DEBUGLOG" (sample: RSYSLOG_DEBUGLOG="/path/to/debuglog/")
> >
> > with this " LogFuncFlow"
> >
> > But I am not sure where to do this from? Do I need to put this on the .conf file or is this something that needs to be created?
> >
> > Sorry I don't understand the instructions on the debugging site
> >
> > Thanks
> >
> > Currently this is my .conf file:
> >
> > #### MODULES ####
> >
> > #module(load="imuxsock") # needs to be done just once Robert 8-9-13
> > #SysSock.FlowControl=(:"on") # enable flow control (use if needed) Robert 8-9-13
> > $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> >
> > #module(load="imklog")
> > $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> > $ModLoad immark # provides --MARK-- message capability
> >
> > # Provides UDP syslog reception
> > #module(load="imudp") # needs to be done just once Robert 8-9-13
> > #input(type="imudp" port="514") # Robert 8-9-13
> > $ModLoad imudp
> > $UDPServerRun 514
> > #$UDPServerTimeRequery 1000000
> >
> >
> > #### GLOBAL DIRECTIVES ####
> >
> > # Use default timestamp format
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > # File syncing capability is disabled by default. This feature is usually not required,
> > # not useful and an extreme performance hit
> > #$ActionFileEnableSync on
> >
> > # Include all config files in /etc/rsyslog.d/
> > $IncludeConfig /etc/rsyslog.d/*.conf
> >
> > # Set Buffer Size - default is 4k
> > #$OMFileIOBufferSize 128k # - Gil 06/06/13
> > #$OMFileAsyncWriting on
> > #$OMFileFlushOnTXEnd off
> > #$OMFileFlushInterval 30
> > #$OMFileZipLevel 9
> > $OMFileIOBufferSize 256k
> >
> > #Turn on Main Ruleset Robert 8-20-13
> > #$RulesetCreateMainQueue on
> >
> >
> > # Set Main Message Queue Size - default is 10000
> >
> > $MainMsgQueueSize 200000 # Robert 8-9-13
> >
> > #### RULES ####
> >
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.*
> > # /dev/console
> >
> > #Specific ruleset for remote messages
> > #$Ruleset <name>
> >
> > #*.* /var/log/test/f_all #Robert 8-21-13
> > #Module (load="builtin:omfile")
> > #*.* action(type="omfile"
> > # DirCreateMode="0700"
> > # FileCreateMode="0644"
> > # File="/var/log/test/alllogs")
> >
> >
> > #switch back to default ruleset
> > #$Ruleset RSYSLOG DefaultRuleset
> >
> > # Begin action Robert 8-20-13
> > # $ActionOmrulesetRulesetName somename
> >
> > :hostname, contains, "pdc" /var/log/test/f_ad
> > :hostname, contains, "fdfw" /var/log/test/f_fw
> > :hostname, contains, "mail" /var/log/test/f_mail
> > :hostname, contains, "networks" /var/log/test/f_networks
> > :hostname, contains, "shib" /var/log/test/f_shib
> > :hostname, contains, "rout" /var/log/test/f_router
> > :hostname, contains, "vm" /var/log/test/f_vm
> > :hostname, contains, "pix" /var/log/test/f_pix
> >
> >
> > #if $hostname contains 'pdc' then /var/log/test/f_ad
> > #& ~
> > #if $hostname contains 'fdfw' then /var/log/test/f_fw
> > #& ~
> > #if $hostname contains 'networks' then /var/log/test/f_networks
> > #& ~#if $hostname contains 'shib' then /var/log/test/f_shib
> > #& ~
> > #if $hostname contains 'mail' then /var/log/test/f_mail
> > #& ~
> > #if $hostname contains 'vm' then /var/log/test/f_vm
> > #& ~
> > #if $hostname contains 'pix' then /var/log/test/f_pix
> > #& ~
> > #if $hostname contains 'rout' then /var/log/test/f_router
> > #& ~
> >
> > #if $hostname startswith 'sws' then /var/log/test/f_networks
> > #& ~
> > #if $fromhost-ip == '10.0.0.10' then /var/log/test/test_fromhost
> > #& ~
> > #if $hostname == 'swserv1.networks' then /var/log/test/test_swserv1
> > #&~
> > #if $hostname startswith 'virtserv' then /var/log/test/test_virtserv
> > #&~
> > #if $hostname contains 'virtserv' then /var/log/test/test_virtserv1
> > #& ~
> > #if $fromhost-ip startswith '10.0.6' then /var/log/test/test_10.0.6
> > #& ~
> > #if $fromhost-ip startswith '10.0.7.' then /var/log/test/test_10.0.7_virtserv
> > #& ~
> >
> > # Log anything (except mail) of level info or higher.
> > # Don't log private authentication messages!
> > #*.info;mail.none;authpriv.none;cron.none /var/log/messages
> > *.debug /var/log/messages
> >
> > # The authpriv file has restricted access.
> > authpriv.* /var/log/secure
> >
> > # Log all the mail messages in one place.
> > mail.* -/var/log/maillog
> >
> >
> > # Log cron stuff
> > cron.* /var/log/cron
> >
> > # Everybody gets emergency messages
> > *.emerg *
> >
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit /var/log/spooler
> >
> > # Save boot messages also to boot.log
> > local7.* /var/log/boot.log
> >
> >
> > # ### begin forwarding rule ###
> > # The statement between the begin ... end define a SINGLE forwarding
> > # rule. They belong together, do NOT split them. If you create multiple
> > # forwarding rules, duplicate the whole block!
> > # Remote Logging (we use TCP for reliable delivery)
> > #
> > # An on-disk queue is created for this action. If the remote host is
> > # down, messages are spooled to disk and sent when it is up again.
> > #$WorkDirectory /var/lib/rsyslog # where to place spool files
> > #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
> > #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> > #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> > #$ActionQueueType LinkedList # run asynchronously
> > #$ActionResumeRetryCount -1 # infinite retries if host is down
> > # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> > #*.* @@remote-host:514
> > # ### end of the forwarding rule ###
> >
> >
> > Robert.
> >
> >
> > Robert.
>
>
>
>
>
> Robert.
Re: (no subject) [ In reply to ]
What else is in the config?

when you say it hangs on a restart, is it eating CPU, doing a lot of I/O or just
sitting doing nothing?

I don't see a good reason to send to yourself over relp, and if your server is
doing that, you are trying very hard to create a loop.

David lang

On Fri, 12 Jun 2015, Aleksey Chudov wrote:

> Date: Fri, 12 Jun 2015 12:24:19 +0300
> From: Aleksey Chudov <aleksey.chudov@gmail.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] (no subject)
>
> Hello,
>
> I have configured Rsyslog central server and created the same RELP client
> configuration for all Rsyslog clients and Rsyslog server itself.
>
> My test configuration below
>
> 1. Server only
>
> # cat /etc/rsyslog.d/00-server.conf
>
> $ModLoad imrelp
> $InputRELPServerRun 2514
>
> $template DynHostMessages,
> "/var/log/HOSTS/%HOSTNAME%/messages-%$YEAR%%$MONTH%%$DAY%"
>
> if $inputname == 'imrelp' then {
> *.* -?DynHostMessages
> stop
> }
>
>
> 2. Clients and server
>
> # cat /etc/rsyslog.d/50-client.conf
>
> $ModLoad omrelp
> *.* :omrelp:127.0.0.1:2514
>
>
> While using the above configuration Rsyslog server process hangs on every
> restart and needs to be killed by SIGKILL. There's no problem with
> delivery of messages.
>
> This configuration may look strange. Why should the server send messages to
> itself over relp? Just to simplify the configuration and standardize
> log files location for all hosts without creating custom rules for the
> server.
>
> I have tested official packages
>
> rsyslog 7.6.7-1.el7
> rsyslog-relp 7.6.7-1.el7
>
> and
>
> rsyslog 8.10.0.ad1-2.el7
> rsyslog-relp 8.10.0.ad1-2.el7
>
>
> Is it a bug?
>
>
> Regards,
> Aleksey
Re: (no subject) [ In reply to ]
Thank you for the answer!

Below is the exact config for official rsyslog-8.10.0.ad1-2.el7.x86_64 from
my test CentOS 7 machine


# grep -v '^#\|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # reads kernel messages (the same are read from journald)
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log


# ls /etc/rsyslog.d/
00-server.conf 50-client.conf listen.conf


# cat /etc/rsyslog.d/00-server.conf
$ModLoad imrelp
$InputRELPServerRun 2514

$template DynHostMessages,
"/var/log/HOSTS/%HOSTNAME%/messages-%$YEAR%%$MONTH%%$DAY%"

if $inputname == 'imrelp' then {
*.* -?DynHostMessages
stop
}


# cat /etc/rsyslog.d/50-client.conf
$ModLoad omrelp
*.* :omrelp:127.0.0.1:2514


# cat /etc/rsyslog.d/listen.conf
$SystemLogSocketName /run/systemd/journal/syslog


On every restart Rsyslog process hangs without eating any resources.

There are no loops because of config files order and immediately stopping
everything received from imrelp as shown above.


I believe the problem is in RELP module because there are no problems when
I switch to TCP module as shown below.


# cat /etc/rsyslog.d/00-server.conf
$ModLoad imtcp
$InputTCPServerRun 514

$template DynHostMessages,
"/var/log/HOSTS/%HOSTNAME%/messages-%$YEAR%%$MONTH%%$DAY%"

if $inputname == 'imtcp' then {
*.* -?DynHostMessages
stop
}


# cat /etc/rsyslog.d/50-client.conf
$ModLoad omrelp
*.* @@127.0.0.1:514


Regards
Aleksey


On Fri, Jun 12, 2015 at 5:09 PM, David Lang <david@lang.hm> wrote:

> What else is in the config?
>
> when you say it hangs on a restart, is it eating CPU, doing a lot of I/O
> or just sitting doing nothing?
>
> I don't see a good reason to send to yourself over relp, and if your
> server is doing that, you are trying very hard to create a loop.
>
> David lang
>
>
Re: (no subject) [ In reply to ]
Hello!

Please read this:
https://www.rsyslog.com/doc/master/configuration/modules/omfile.html

You can configure default values for the module as described in the
document above:
```
module(load="builtin:omfile" ...parameters...)
```


On Tue, 2 Nov 2021 at 18:16, Milan Koudelka via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Hi,
> I tried to switch some rsyslog configurations to advanced format to
> fine-tune actions.
>
> Instead of
> local1.* /mnt/log/gdc;RawMsg
>
> I wrote
> local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg"
> ioBufferSize="128k" queue.size="50000" queue.type="linkedlist"
> queue.filename="gdc")
>
> As recommended, I kept other configurations as they were, if I don't
> need any advanced configuration.
>
> Eg.
> *.info;mail.none;authpriv.none;cron.none /mnt/log/messages
>
> But, I also changed legacy setting of file group ownership
> $FileGroup splunk
> $FileCreateMode 0640
> $DirGroup splunk
> $DirCreateMode 0650
>
> And I've put that directly to module load
> module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
> fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
> DirCreateMode="0650")
>
> The problem is, only the files configured with advanced format are
> created with the correct group owner. /mnt/log/messages is created
> under root user. Do I need to add back the legacy setting and keep
> both in-module and legacy setting?
>
> Milan Koudelka
> Principal SW engineer
> milan.koudelka@gooddata.com
> +420 776 313 414
>
> Danube House
> Karolinská 650/1
> 186 00 Prague 8, Czech Republic
> Twitter | Facebook | LinkedIn | Blog



--
Yury Bushmelev
Re: (no subject) [ In reply to ]
Hi Yury,
yes, I did that.

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
DirCreateMode="0650")

But it applies only to the logs which use format with action()
function. Others with basic format use root:root.

Sorry, I forgot to add some subject to this topic.

Milan Koudelka

Principal SW engineer

milan.koudelka@gooddata.com

+420 776 313 414


Danube House

Karolinská 650/1

186 00 Prague 8, Czech Republic

Twitter | Facebook | LinkedIn | Blog




On Tue, Nov 2, 2021 at 12:24 PM Yuri Bushmelev via rsyslog
<rsyslog@lists.adiscon.com> wrote:
>
> Hello!
>
> Please read this:
> https://www.rsyslog.com/doc/master/configuration/modules/omfile.html
>
> You can configure default values for the module as described in the
> document above:
> ```
> module(load="builtin:omfile" ...parameters...)
> ```
>
>
> On Tue, 2 Nov 2021 at 18:16, Milan Koudelka via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
> > Hi,
> > I tried to switch some rsyslog configurations to advanced format to
> > fine-tune actions.
> >
> > Instead of
> > local1.* /mnt/log/gdc;RawMsg
> >
> > I wrote
> > local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg"
> > ioBufferSize="128k" queue.size="50000" queue.type="linkedlist"
> > queue.filename="gdc")
> >
> > As recommended, I kept other configurations as they were, if I don't
> > need any advanced configuration.
> >
> > Eg.
> > *.info;mail.none;authpriv.none;cron.none /mnt/log/messages
> >
> > But, I also changed legacy setting of file group ownership
> > $FileGroup splunk
> > $FileCreateMode 0640
> > $DirGroup splunk
> > $DirCreateMode 0650
> >
> > And I've put that directly to module load
> > module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
> > fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
> > DirCreateMode="0650")
> >
> > The problem is, only the files configured with advanced format are
> > created with the correct group owner. /mnt/log/messages is created
> > under root user. Do I need to add back the legacy setting and keep
> > both in-module and legacy setting?
> >
> > Milan Koudelka
> > Principal SW engineer
> > milan.koudelka@gooddata.com
> > +420 776 313 414
> >
> > Danube House
> > Karolinská 650/1
> > 186 00 Prague 8, Czech Republic
> > Twitter | Facebook | LinkedIn | Blog
>
>
>
> --
> Yury Bushmelev
Re: (no subject) [ In reply to ]
Hello!

Ah, sorry, my bad.. I missed that part in your original email..
Well.. I'd wait for Rainer's answer then..


On Tue, 2 Nov 2021 at 19:50, Milan Koudelka <milan.koudelka@gooddata.com>
wrote:

> Hi Yury,
> yes, I did that.
>
> module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
> fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
> DirCreateMode="0650")
>
> But it applies only to the logs which use format with action()
> function. Others with basic format use root:root.
>
> Sorry, I forgot to add some subject to this topic.
>
> Milan Koudelka
>
> Principal SW engineer
>
> milan.koudelka@gooddata.com
>
> +420 776 313 414
>
>
> Danube House
>
> Karolinská 650/1
>
> 186 00 Prague 8, Czech Republic
>
> Twitter | Facebook | LinkedIn | Blog
>
>
>
>
> On Tue, Nov 2, 2021 at 12:24 PM Yuri Bushmelev via rsyslog
> <rsyslog@lists.adiscon.com> wrote:
> >
> > Hello!
> >
> > Please read this:
> > https://www.rsyslog.com/doc/master/configuration/modules/omfile.html
> >
> > You can configure default values for the module as described in the
> > document above:
> > ```
> > module(load="builtin:omfile" ...parameters...)
> > ```
> >
> >
> > On Tue, 2 Nov 2021 at 18:16, Milan Koudelka via rsyslog <
> > rsyslog@lists.adiscon.com> wrote:
> >
> > > Hi,
> > > I tried to switch some rsyslog configurations to advanced format to
> > > fine-tune actions.
> > >
> > > Instead of
> > > local1.* /mnt/log/gdc;RawMsg
> > >
> > > I wrote
> > > local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg"
> > > ioBufferSize="128k" queue.size="50000" queue.type="linkedlist"
> > > queue.filename="gdc")
> > >
> > > As recommended, I kept other configurations as they were, if I don't
> > > need any advanced configuration.
> > >
> > > Eg.
> > > *.info;mail.none;authpriv.none;cron.none /mnt/log/messages
> > >
> > > But, I also changed legacy setting of file group ownership
> > > $FileGroup splunk
> > > $FileCreateMode 0640
> > > $DirGroup splunk
> > > $DirCreateMode 0650
> > >
> > > And I've put that directly to module load
> > > module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
> > > fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
> > > DirCreateMode="0650")
> > >
> > > The problem is, only the files configured with advanced format are
> > > created with the correct group owner. /mnt/log/messages is created
> > > under root user. Do I need to add back the legacy setting and keep
> > > both in-module and legacy setting?
> > >
> > > Milan Koudelka
> > > Principal SW engineer
> > > milan.koudelka@gooddata.com
> > > +420 776 313 414
> > >
> > > Danube House
> > > Karolinská 650/1
> > > 186 00 Prague 8, Czech Republic
> > > Twitter | Facebook | LinkedIn | Blog
> >
> >
> >
> > --
> > Yury Bushmelev
>


--
Yury Bushmelev
Re: (no subject) [ In reply to ]
That's by intention: new style defaults do not affect legacy defaults
and vice versa. If it did, one could override new style defaults
multiple times, which was one thing to avoid.

It looks like old style defaults are also set. I would assume that
they are set AFTER the file writers. old style is position dependent.

Please also note that "keep existing config" is advice only for simple
actions without many parameters. If you set file owner etc it is
definitely much easier to do via new style.

HTH
Rainer

El mar, 2 nov 2021 a las 12:23, Yuri Bushmelev via rsyslog
(<rsyslog@lists.adiscon.com>) escribió:
>
> Hello!
>
> Please read this:
> https://www.rsyslog.com/doc/master/configuration/modules/omfile.html
>
> You can configure default values for the module as described in the
> document above:
> ```
> module(load="builtin:omfile" ...parameters...)
> ```
>
>
> On Tue, 2 Nov 2021 at 18:16, Milan Koudelka via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
> > Hi,
> > I tried to switch some rsyslog configurations to advanced format to
> > fine-tune actions.
> >
> > Instead of
> > local1.* /mnt/log/gdc;RawMsg
> >
> > I wrote
> > local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg"
> > ioBufferSize="128k" queue.size="50000" queue.type="linkedlist"
> > queue.filename="gdc")
> >
> > As recommended, I kept other configurations as they were, if I don't
> > need any advanced configuration.
> >
> > Eg.
> > *.info;mail.none;authpriv.none;cron.none /mnt/log/messages
> >
> > But, I also changed legacy setting of file group ownership
> > $FileGroup splunk
> > $FileCreateMode 0640
> > $DirGroup splunk
> > $DirCreateMode 0650
> >
> > And I've put that directly to module load
> > module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
> > fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
> > DirCreateMode="0650")
> >
> > The problem is, only the files configured with advanced format are
> > created with the correct group owner. /mnt/log/messages is created
> > under root user. Do I need to add back the legacy setting and keep
> > both in-module and legacy setting?
> >
> > Milan Koudelka
> > Principal SW engineer
> > milan.koudelka@gooddata.com
> > +420 776 313 414
> >
> > Danube House
> > Karolinská 650/1
> > 186 00 Prague 8, Czech Republic
> > Twitter | Facebook | LinkedIn | Blog
>
>
>
> --
> Yury Bushmelev
Re: (no subject) [ In reply to ]
It's almost always a bad idea to use a queue with omfile; it's slower to put the
messages into the queue than to write them to disk.

David Lang

On Tue, 2 Nov 2021, Milan Koudelka via rsyslog wrote:

> Date: Tue, 2 Nov 2021 11:15:29 +0100
> From: Milan Koudelka via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Milan Koudelka <milan.koudelka@gooddata.com>
> Subject: [rsyslog] (no subject)
>
> Hi,
> I tried to switch some rsyslog configurations to advanced format to
> fine-tune actions.
>
> Instead of
> local1.* /mnt/log/gdc;RawMsg
>
> I wrote
> local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg"
> ioBufferSize="128k" queue.size="50000" queue.type="linkedlist"
> queue.filename="gdc")
>
> As recommended, I kept other configurations as they were, if I don't
> need any advanced configuration.
>
> Eg.
> *.info;mail.none;authpriv.none;cron.none /mnt/log/messages
>
> But, I also changed legacy setting of file group ownership
> $FileGroup splunk
> $FileCreateMode 0640
> $DirGroup splunk
> $DirCreateMode 0650
>
> And I've put that directly to module load
> module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
> fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
> DirCreateMode="0650")
>
> The problem is, only the files configured with advanced format are
> created with the correct group owner. /mnt/log/messages is created
> under root user. Do I need to add back the legacy setting and keep
> both in-module and legacy setting?
>
> Milan Koudelka
> Principal SW engineer
> milan.koudelka@gooddata.com
> +420 776 313 414
>
> Danube House
> Karolinská 650/1
> 186 00 Prague 8, Czech Republic
> Twitter | Facebook | LinkedIn | Blog
Re: (no subject) [ In reply to ]
Hi Rainer,
thank you for the reply. I thought that this would be it. I'm glad I
can confirm it now.

Milan Koudelka

Principal SW engineer

milan.koudelka@gooddata.com

+420 776 313 414


Danube House

Karolinská 650/1

186 00 Prague 8, Czech Republic

Twitter | Facebook | LinkedIn | Blog





On Tue, Nov 2, 2021 at 7:01 PM Rainer Gerhards via rsyslog
<rsyslog@lists.adiscon.com> wrote:
>
> That's by intention: new style defaults do not affect legacy defaults
> and vice versa. If it did, one could override new style defaults
> multiple times, which was one thing to avoid.
>
> It looks like old style defaults are also set. I would assume that
> they are set AFTER the file writers. old style is position dependent.
>
> Please also note that "keep existing config" is advice only for simple
> actions without many parameters. If you set file owner etc it is
> definitely much easier to do via new style.
>
> HTH
> Rainer
>
> On Tue, 2 Nov 2021 at 12:23, Yuri Bushmelev via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hello!
> >
> > Please read this:
> > https://www.rsyslog.com/doc/master/configuration/modules/omfile.html
> >
> > You can configure default values for the module as described in the
> > document above:
> > ```
> > module(load="builtin:omfile" ...parameters...)
> > ```
> >
> >
> > --
> > Yury Bushmelev
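Added example, not part of any post in this thread and not rsyslog project code: a small Python audit that applies the rule from Rainer's reply quoted above (module() defaults reach only action() objects; legacy $-directives are position dependent and reach only legacy selector lines) to a constructed sample config and reports which files would miss the intended group and mode. The function names and the sample are assumptions for illustration, and the parser covers only the constructs shown in this thread.

```python
import re

# Constructed sample, modelled on the configuration quoted in this thread.
# The legacy directives are placed AFTER the first legacy file writer, which
# is the situation Rainer's reply assumes; the cron line is added to show
# position dependence.
SAMPLE_CONF = '''\
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
       fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
       DirCreateMode="0650")
local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg")
*.info;mail.none;authpriv.none;cron.none /mnt/log/messages
$FileGroup splunk
$FileCreateMode 0640
cron.* /mnt/log/cron
'''

# Ownership/permission settings tracked by this audit (lower-cased names).
TRACKED = {"filegroup", "filecreatemode", "dirgroup", "dircreatemode"}

# One token per config statement we care about. Simplification: parameter
# values are assumed not to contain ')' or '"'.
TOKEN = re.compile(
    r'''module\((?P<mod>[^)]*)\)                        # module(...) object
      | action\((?P<act>[^)]*)\)                        # action(...) object
      | ^\$(?P<dname>\w+)[ \t]+(?P<dval>\S+)            # legacy $Directive value
      | ^(?P<sel>[^\s#$]\S*)[ \t]+-?(?P<path>/[^\s;]+)  # legacy "selector /file"
    ''',
    re.MULTILINE | re.VERBOSE | re.IGNORECASE)

PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')


def _params(body):
    """Parse name="value" pairs; rsyslog parameter names are case-insensitive."""
    return {k.lower(): v for k, v in PARAM.findall(body)}


def _record(style, path, settings):
    return {"style": style, "path": path,
            "group": settings.get("filegroup"),
            "mode": settings.get("filecreatemode")}


def effective_file_settings(conf):
    """Return, in config order, the group/mode each file writer would use.

    None means "nothing configured for this writer", i.e. rsyslog's built-in
    default applies and the file is created with the daemon's own group.
    """
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)      # drop full-line comments
    module_defaults, legacy_state, out = {}, {}, []
    for m in TOKEN.finditer(conf):
        if m.group("mod") is not None:
            p = _params(m.group("mod"))
            if p.get("load", "").lower() == "builtin:omfile":
                module_defaults = {k: v for k, v in p.items() if k in TRACKED}
        elif m.group("act") is not None:
            p = _params(m.group("act"))
            if p.get("type", "").lower() == "omfile" and "file" in p:
                own = {k: v for k, v in p.items() if k in TRACKED}
                # action() parameters override the module() defaults;
                # legacy $-directives are deliberately NOT consulted here.
                out.append(_record("advanced", p["file"],
                                   {**module_defaults, **own}))
        elif m.group("dname") is not None:
            name = m.group("dname").lower()
            if name in TRACKED:
                legacy_state[name] = m.group("dval")   # affects later lines only
        else:
            # Legacy selector line: sees only the $-directives read so far,
            # never the module() defaults.
            out.append(_record("legacy", m.group("path"), dict(legacy_state)))
    return out


def audit(conf, group, mode):
    """List the file writers that would not create files as group/mode."""
    return [r for r in effective_file_settings(conf)
            if r["group"] != group or r["mode"] != mode]


if __name__ == "__main__":
    for row in audit(SAMPLE_CONF, "splunk", "0640"):
        print("not covered:", row)
```

On the sample, only /mnt/log/messages is reported: it is a legacy line that precedes the $FileGroup directive, so neither set of defaults applies to it.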
Re: (no subject) [ In reply to ]
Hi David,
thank you for your answer as well. This is a good hint. I'll remove it.

I'm trying to solve a problem with high-traffic log files which are
read by the log management system Splunk. Sometimes rsyslog writes
only part of the line, Splunk reads it and then rsyslog finishes the
line. That causes corrupted events in Splunk. I didn't find any
solution for that on Splunk. From the Splunk side, there are
recommendations to wait longer before the file is considered as closed
(Splunk parameters time_before_close). But that didn't help. I hoped
that some fine-tuning of how rsyslog writes the file could help, but I
see that it would be probably even worse with queues.

Milan Koudelka

Principal SW engineer

milan.koudelka@gooddata.com

+420 776 313 414


Danube House

Karolinská 650/1

186 00 Prague 8, Czech Republic

Twitter | Facebook | LinkedIn | Blog



On Tue, Nov 2, 2021 at 7:24 PM David Lang <david@lang.hm> wrote:
>
> It's almost always a bad idea to use a queue with omfile, it's slower to put the
> messages into the queue than to write them to disk
>
> David Lang
>
Re: (no subject) [ In reply to ]
Do you really need the file contents in real time? What I like to do is to
rotate the file every min and mv the file to a directory that Splunk reads (and
let Splunk delete the file after it's read; see the sinkhole feature).

That way the file is known to be complete when Splunk gets it, and if Splunk
stops reading, the files accumulate until Splunk gets around to it, without
leaving stray files around.

David Lang

On Tue, 2 Nov 2021, Milan Koudelka wrote:

> Date: Tue, 2 Nov 2021 20:17:40 +0100
> From: Milan Koudelka <milan.koudelka@gooddata.com>
> To: David Lang <david@lang.hm>
> Cc: Milan Koudelka via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] (no subject)
>
> Hi David,
> thank you for your answer as well. This is a good hint. I'll remove it.
>
> I'm trying to solve a problem with high-traffic log files which are
> read by the log management system Splunk. Sometimes rsyslog writes
> only part of the line, Splunk reads it and then rsyslog finishes the
> line. That causes corrupted events in Splunk. I didn't find any
> solution for that on Splunk. From the Splunk side, there are
> recommendations to wait longer before the file is considered as closed
> (Splunk parameters time_before_close). But that didn't help. I hoped
> that some fine-tuning of how rsyslog writes the file could help, but I
> see that it would be probably even worse with queues.
>
> Milan Koudelka
>
> Principal SW engineer
>
> milan.koudelka@gooddata.com
>
> +420 776 313 414
>
>
> Danube House
>
> Karolinská 650/1
>
> 186 00 Prague 8, Czech Republic
>
> Twitter | Facebook | LinkedIn | Blog
>
>
>
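Added example, not from David's post and not rsyslog or Splunk code: one way to do the hand-off step in Python so that the directory Splunk reads only ever receives complete files. It assumes rsyslog writes per-minute files named like gdc-YYYYMMDDHHMM.log (a hypothetical naming scheme) and that both directories are on the same filesystem, so the rename is atomic.

```python
import os
import re
import time
from datetime import datetime

# Hypothetical naming scheme: <base>-<YYYYMMDDHHMM>.log, one file per minute.
STAMPED = re.compile(r'^(?P<base>.+)-(?P<stamp>\d{12})\.log$')


def ends_with_newline(path):
    """True if the file is non-empty and its last byte is a newline,
    i.e. the final record was written out completely."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        if fh.tell() == 0:
            return False
        fh.seek(-1, os.SEEK_END)
        return fh.read(1) == b"\n"


def hand_off(src_dir, spool_dir, now=None, quiet_seconds=5):
    """Move finished per-minute log files from src_dir into spool_dir.

    A file is handed off only when all of the following hold:
      * its minute stamp is older than the current minute, so the writer
        has moved on to a newer file;
      * it has not been modified for quiet_seconds, which covers a writer
        that is still flushing a buffer;
      * its last byte is a newline, so no half-written line is delivered.
    Returns the names that were moved, in sorted order.
    """
    now = time.time() if now is None else now
    current = datetime.fromtimestamp(now).strftime("%Y%m%d%H%M")
    moved = []
    for name in sorted(os.listdir(src_dir)):
        m = STAMPED.match(name)
        path = os.path.join(src_dir, name)
        if not m or not os.path.isfile(path):
            continue                      # not one of our per-minute files
        if m.group("stamp") >= current:
            continue                      # still the active minute
        if now - os.path.getmtime(path) < quiet_seconds:
            continue                      # touched very recently, try later
        if not ends_with_newline(path):
            continue                      # last line incomplete, try later
        # rename() within one filesystem is atomic: the reader sees either
        # no file or the whole file, never a partial copy.
        os.replace(path, os.path.join(spool_dir, name))
        moved.append(name)
    return moved


if __name__ == "__main__":
    # Paths are placeholders for illustration; run from cron or a timer.
    print(hand_off("/mnt/log/minute", "/mnt/log/spool"))
```

Files that fail a check are left in place and picked up on a later run, so nothing is lost if the reader or the mover stops for a while.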
Re: (no subject) [ In reply to ]
Which rsyslog version do you use?

Rainer

Milan Koudelka via rsyslog <rsyslog@lists.adiscon.com> wrote on Tue, 2 Nov
2021, 20:18:

> Hi David,
> thank you for your answer as well. This is a good hint. I'll remove it.
>
> I'm trying to solve a problem with high-traffic log files which are
> read by the log management system Splunk. Sometimes rsyslog writes
> only part of the line, Splunk reads it and then rsyslog finishes the
> line. That causes corrupted events in Splunk. I didn't find any
> solution for that on Splunk. From the Splunk side, there are
> recommendations to wait longer before the file is considered as closed
> (Splunk parameters time_before_close). But that didn't help. I hoped
> that some fine-tuning of how rsyslog writes the file could help, but I
> see that it would be probably even worse with queues.
>
> Milan Koudelka
>
> Principal SW engineer
>
> milan.koudelka@gooddata.com
>
> +420 776 313 414
>
>
> Danube House
>
> Karolinská 650/1
>
> 186 00 Prague 8, Czech Republic
>
> Twitter | Facebook | LinkedIn | Blog
>
>
>
Re: (no subject) [ In reply to ]
I'm using rsyslog-8.1911.0-7.el8_4.2.x86_64

Milan Koudelka

Principal SW engineer

milan.koudelka@gooddata.com

+420 776 313 414


Danube House

Karolinská 650/1

186 00 Prague 8, Czech Republic

Twitter | Facebook | LinkedIn | Blog




On Tue, Nov 2, 2021 at 9:14 PM Rainer Gerhards <rgerhards@hq.adiscon.com> wrote:
>
> Which rsyslog version do you use?
>
> Rainer
>
Re: (no subject) [ In reply to ]
I actually don't need it real-time. 1 to 5 minutes delay would be acceptable.

That means, the log file wouldn't be available locally longer than 1
minute. It could cause some problems to engineers if they would like
to tail such a file locally.

Anyway, it is a good idea. I'll read more about it.

Thank you.

Milan Koudelka

Principal SW engineer

milan.koudelka@gooddata.com

+420 776 313 414


Danube House

Karolinská 650/1

186 00 Prague 8, Czech Republic

Twitter | Facebook | LinkedIn | Blog




On Tue, Nov 2, 2021 at 8:51 PM David Lang <david@lang.hm> wrote:
>
> do you really need the file contents in real-time? what I like to do is to
> rotate the file every min and mv the file to a directory that splunk reads (and
> let splunk delete the file after it's read see the sinkhole feature)
>
> that way the file is known to be complete when splunk gets it and if splunk
> stops reading, the files accumulate until splunk gets around to it without
> leaving stray files around.
>
> David Lang
>
Re: (no subject) [ In reply to ]
Regarding rsyslog and Splunk - why don't you use omhttp and post directly to HEC?


On 2 November 2021 20:17:40 CET, Milan Koudelka via rsyslog <rsyslog@lists.adiscon.com> wrote:
>Hi David,
>thank you for your answer as well. This is a good hint. I'll remove it.
>
>I'm trying to solve a problem with high-traffic log files which are
>read by the log management system Splunk. Sometimes rsyslog writes
>only part of the line, Splunk reads it and then rsyslog finishes the
>line. That causes corrupted events in Splunk. I didn't find any
>solution for that on Splunk. From the Splunk side, there are
>recommendations to wait longer before the file is considered as closed
>(Splunk parameters time_before_close). But that didn't help. I hoped
>that some fine-tuning of how rsyslog writes the file could help, but I
>see that it would be probably even worse with queues.
>
>Milan Koudelka
>
>Principal SW engineer
>
>milan.koudelka@gooddata.com
>
>+420 776 313 414
>
>
>Danube House
>
>Karolinská 650/1
>
>186 00 Prague 8, Czech Republic
>
>Twitter | Facebook | LinkedIn | Blog
>
>
>
>On Tue, Nov 2, 2021 at 7:24 PM David Lang <david@lang.hm> wrote:
>>
>> It's almost always a bad idea to use a queue with omfile, it's slower to put the
>> messages into the queue than to write them to disk
>>
>> David Lang
>>
>> On Tue, 2 Nov 2021, Milan Koudelka via rsyslog wrote:
>>
>> > Date: Tue, 2 Nov 2021 11:15:29 +0100
>> > From: Milan Koudelka via rsyslog <rsyslog@lists.adiscon.com>
>> > To: rsyslog@lists.adiscon.com
>> > Cc: Milan Koudelka <milan.koudelka@gooddata.com>
>> > Subject: [rsyslog] (no subject)
>> >
>> > Hi,
>> > I tried to switch some rsyslog configurations to advanced format to
>> > fine-tune actions.
>> >
>> > Instead of
>> > local1.* /mnt/log/gdc;RawMsg
>> >
>> > I wrote
>> > local1.* action(type="omfile" file="/mnt/log/gdc" template="RawMsg"
>> > ioBufferSize="128k" queue.size="50000" queue.type="linkedlist"
>> > queue.filename="gdc")
>> >
>> > As recommended, I kept other configurations as they were, if I don't
>> > need any advanced configuration.
>> >
>> > Eg.
>> > *.info;mail.none;authpriv.none;cron.none /mnt/log/messages
>> >
>> > But, I also changed legacy setting of file group ownership
>> > $FileGroup splunk
>> > $FileCreateMode 0640
>> > $DirGroup splunk
>> > $DirCreateMode 0650
>> >
>> > And I've put that directly to module load
>> > module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat"
>> > fileGroup="splunk" FileCreateMode="0640" dirGroup="splunk"
>> > DirCreateMode="0650")
>> >
>> > The problem is, only the files configured with advanced format are
>> > created with the correct group owner. /mnt/log/messages is created
>> > under root user. Do I need to add back the legacy setting and keep
>> > both in-module and legacy setting?
>> >
>> > Milan Koudelka
>> > Principal SW engineer
>> > milan.koudelka@gooddata.com
>> > +420 776 313 414
>> >
>> > Danube House
>> > Karolinská 650/1
>> > 186 00 Prague 8, Czech Republic
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: (no subject) [ In reply to ]
local file reads are much more efficient than HEC

David Lang

On Tue, 2 Nov 2021, Mariusz Kruk via rsyslog wrote:

> Date: Tue, 02 Nov 2021 22:25:09 +0100
> From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Mariusz Kruk <kruk@epsilon.eu.org>
> Subject: Re: [rsyslog] (no subject)
>
> Regarding rsyslog and Splunk - why don't you use omhttp and post directly to HEC?
Re: (no subject) [ In reply to ]
Wouldn't be that sure. Firstly, you spare iops. But that can be offset by caching. But secondly, if you post to event endpoint, you skip the whole linebreaking and timestamp detection and parsing part (and you have the timestamp already since you parsed it in rsyslog). Not to mention the flexibility. Been there, done that, got the t-shirt ;) I've seen working rsyslog->HEC setups running with several thousand EPS with no sweat.

On 2 November 2021 22:37:52 CET, David Lang <david@lang.hm> wrote:
>local file reads are much more efficient than HEC
>
>David Lang
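The rsyslog-to-HEC setup described in the reply above, sketched as an rsyslog configuration. This is an added example, not a configuration posted in the thread; the server name, token, CA path, sourcetype and queue file name are placeholders, and it assumes the omhttp module is installed.

```conf
# Added example: rsyslog -> Splunk HEC event endpoint via omhttp.
# splunk.example.com, the token, the CA path and "hec_q" are placeholders.
module(load="omhttp")

# One HEC event object per message. "time" comes from the timestamp rsyslog
# has already parsed, so the receiver does no line breaking or timestamp
# detection. format="json" escapes quotes and control characters in the data.
template(name="hec_event" type="list") {
    constant(value="{\"time\":")
    property(name="timereported" dateFormat="unixtimestamp")
    constant(value=",\"host\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"sourcetype\":\"syslog\",\"event\":\"")
    property(name="msg" format="json")
    constant(value="\"}")
}

local1.* action(type="omhttp"
    server="splunk.example.com"
    serverport="8088"
    usehttps="on"
    tls.cacert="/etc/rsyslog.d/hec-ca.pem"    # verify the HEC server certificate
    restpath="services/collector/event"
    httpheaderkey="Authorization"
    httpheadervalue="Splunk 00000000-0000-0000-0000-000000000000"
    template="hec_event"
    batch="on"
    batch.format="newline"                    # several event objects per POST
    batch.maxsize="100"
    # Disk-assisted queue: messages are buffered while the action is
    # suspended instead of being dropped.
    queue.type="linkedlist"
    queue.filename="hec_q"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1")
```

The HEC token sits in this file in clear text, so the file should be readable only by the account rsyslog runs as.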
Re: (no subject) [ In reply to ]
Thank you for another idea. I always preferred log files, because in
case of any temporary outage, I can read them later. We use HEC with
Kubernetes anyway. It is another idea that we can try. It looks to me
like you are experienced with such a solution. Can you point me to
some docs or presentations on how to make this bulletproof?

Milan Koudelka
Principal SW engineer
milan.koudelka@gooddata.com
+420 776 313 414

Danube House
Karolinská 650/1
186 00 Prague 8, Czech Republic

On Tue, Nov 2, 2021 at 10:25 PM Mariusz Kruk via rsyslog
<rsyslog@lists.adiscon.com> wrote:
>
> Regarding rsyslog and Splunk - why don't you use omhttp and post directly to HEC?