Mailing List Archive

Logging all messages from a remote server
I'm having trouble logging ALL the syslog messages received from a
server. I'm not sure if it's because it's from a non-standard piece
of hardware (i.e. not a Linux server). Logging to another server
running syslogd works fine (but syslogd doesn't allow me to log
messages from a remote server to a separate file and it's not my
central syslogd server).

I've tried several lines but none seem to work for me:
if $fromhost == 'server' then /var/log/remote/server/all
if $source == 'server' then /var/log/remote/server/all
:FROMHOST, isequal, "server" /var/log/remote/server/all
if $fromhost == 'server.domain.com' then /var/log/remote/server/all
if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all


Running rsyslog 3.21.10.

Thanks,
Julian
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: Logging all messages from a remote server

there are a few possible reasons that this could have problems

is it that you have a high volume of logs and some just get dropped?

if you just write everything to a file (*.* /var/log/test) does it have
all the logs from this server? or is it missing some?

do the logs from this server sometimes include the host and sometimes not?

what is different between the logs that you match and the ones that you
miss?

David Lang
Re: Logging all messages from a remote server
OK, I narrowed the issues down. Now I've faced strange issues like
this before when using the $IncludeConfig directive.

This is what I have just tested with in my /etc/rsyslog.conf file (and
other lines) and it worked fine:
----
$IncludeConfig /etc/rsyslog.d/
:FROMHOST, isequal, "server" /var/log/remote/server/all
----

Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
things turn strange and only certain messages are logged from the
first server:
----
$ModLoad ommail

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DYNserver2, "/var/log/remote/server2.log"
$template TraditionalFormatNoHostname,"%timegenerated% %syslogtag%%msg:::drop-last-lf%\n"

if $hostname == 'server2.domain.com' then ?DYNserver2;TraditionalFormatNoHostname

$ActionMailFrom rsyslog@domain.com
$ActionMailTo server2_alert
$template mailSubjectTestAlert,"INFO: Alert detected"
$template mailBodyTestAlert,"Message is..."
$ActionMailSubject mailSubjectTestAlert
$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3

if $hostname == 'server2.domain.com' and $msg contains 'Some message' then :ommail:;mailBodyTestAlert
----

Now if I add the contents of
/etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
remove file /etc/rsyslog.d/testalert_for_another_server) then things
work fine...

Now if I remove the previous changes to /etc/rsyslog.conf and modify
/etc/rsyslog.d/testalert_for_another_server and remove the following
lines then things work OK again:
$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3


- Julian


Re: Logging all messages from a remote server
The issue is that these statements

$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3

Modify the *next* action. So you need to specify them in front of the action.
If you use the $includeConfig option, and have part of the action inside the
include file and other parts (the statements) outside (or vice versa), you
never know which action gets configured how. So place all of them together.

HTH
Rainer

Re: Logging all messages from a remote server
Rainer,

Would you recommend against using $includeConfig? In that case, it
tends to lead to more unknown config issues.

- Julian

Re: Logging all messages from a remote server
> Rainer,
>
> Would you recommend against using $includeConfig? In that case, it
> tends to lead to more unknown config issues.

No, but do not split config directives that need to go together over several
places. You need to put this together

# this starts the definition of a single action
$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3
$...
*.* action
#this ends it

So you need to put everything together. If you rip it apart, you will get
undefined results.

This is - to phrase it politely - not very well documented. You need to read
the fine print, most of the $Action... params modify the *next* action - NOT
*all* actions. So it is vitally important where they occur.

Will try to make this clear as soon as I have a bit more time.


Rainer
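The binding rule Rainer describes above (pending $Action... directives attach to whichever action line the parser reaches next, even when that line sits in a different file) fails silently, and the failure has a security cost in both directions: the file action for the monitored host can inherit an every-third-message, once-per-300-seconds limit and quietly lose most of its audit trail, while the alert that was meant to be rate limited fires on every match. The following is an added example written for this page, not rsyslog's own code or parser. It models the rule in Python on two constructed layouts and a constructed message stream; only the three $ActionExecOnly* directives are modelled, the counter and interval arithmetic is a simplification of the documented semantics, and the drop-in file names /etc/rsyslog.d/alert-params and /etc/rsyslog.d/alert are assumptions. Use it to reason about where a parameter block must go, not as a reference for rsyslog internals.

```python
"""Model of the rule in this thread: legacy rsyslog $Action... directives stay
*pending* until the next action line the parser reaches, also across an
$IncludeConfig boundary. Added illustration, not rsyslog's own code; the directive
set, rate-limit arithmetic, file names and messages are simplified/constructed."""
import re
from dataclasses import dataclass, field

NEXT_ACTION = {"ActionExecOnlyOnceEveryInterval", "ActionExecOnlyEveryNthTime",
               "ActionExecOnlyEveryNthTimeTimeout"}   # modelled "next action only" set

@dataclass
class Action:
    selector: str                  # filter part of the config line
    target: str                    # file path or output module spec
    params: dict = field(default_factory=dict)
    seen: int = 0                  # messages counted towards "every Nth"
    window_start: float = 0.0
    last_fire: float = float("-inf")

    def matches(self, msg):
        m = re.match(r':FROMHOST,\s*isequal,\s*"([^"]+)"', self.selector)
        if m:
            return msg["fromhost"] == m.group(1)
        host = re.search(r"\$hostname == '([^']+)'", self.selector)
        text = re.search(r"\$msg contains '([^']+)'", self.selector)
        return ((not host or msg["hostname"] == host.group(1))
                and (not text or text.group(1) in msg["msg"]))

    def fires(self, now):
        """Every Nth match only (count restarts after the timeout), once per interval."""
        nth = int(self.params.get("ActionExecOnlyEveryNthTime", 1))
        timeout = float(self.params.get("ActionExecOnlyEveryNthTimeTimeout", 0))
        interval = float(self.params.get("ActionExecOnlyOnceEveryInterval", 0))
        if self.seen == 0 or (timeout and now - self.window_start > timeout):
            self.seen, self.window_start = 0, now
        self.seen += 1
        if self.seen % nth:
            return False
        self.seen = 0
        if now - self.last_fire < interval:
            return False
        self.last_fire = now
        return True

def parse(files, path, pending=None, actions=None):
    """Walk one config file. `pending` deliberately survives $IncludeConfig:
    that is what lets a split parameter block bind to the wrong action."""
    pending = {} if pending is None else pending
    actions = [] if actions is None else actions
    for raw in files[path]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            if name == "IncludeConfig":
                for inc in sorted(p for p in files if p.startswith(value.strip())):
                    parse(files, inc, pending, actions)
            elif name in NEXT_ACTION:
                pending[name] = value.strip()
            continue               # $ModLoad, $template etc. are not modelled
        # Any other line is an action and takes *all* pending parameters.
        sel, target = line.split(" then ", 1) if line.startswith("if ") else line.rsplit(None, 1)
        actions.append(Action(sel.strip(), target.strip(), dict(pending)))
        pending.clear()
    return actions

def deliver(actions, messages):
    """Return {target: number of messages that actually reached it}."""
    out = {a.target: 0 for a in actions}
    for msg in messages:
        for a in actions:
            if a.matches(msg) and a.fires(msg["time"]):
                out[a.target] += 1
    return out

RATE_PARAMS = ["$ActionExecOnlyOnceEveryInterval 300",
               "$ActionExecOnlyEveryNthTimeTimeout 1200", "$ActionExecOnlyEveryNthTime 3"]
MAIL_ACTION = ("if $hostname == 'server2.domain.com' and $msg contains 'Some message'"
               " then :ommail:;mailBodyTestAlert")
FILE_ACTION = ':FROMHOST, isequal, "server" /var/log/remote/server/all'
# Broken layout (constructed): the parameter block sits in a drop-in with no action
# after it, so the first action parsed after the include (the file for "server")
# inherits the limits meant for the mail alert.
SPLIT = {"/etc/rsyslog.conf": ["$IncludeConfig /etc/rsyslog.d/", FILE_ACTION, MAIL_ACTION],
         "/etc/rsyslog.d/alert-params": ["$ModLoad ommail"] + RATE_PARAMS}
# Corrected layout: parameters immediately precede the action they configure.
GROUPED = {"/etc/rsyslog.conf": ["$IncludeConfig /etc/rsyslog.d/", FILE_ACTION],
           "/etc/rsyslog.d/alert": ["$ModLoad ommail"] + RATE_PARAMS + [MAIL_ACTION]}
# Constructed traffic: six routine messages from "server" ten seconds apart and
# six 'Some message' alerts from server2 one second apart.
MESSAGES = ([{"time": 10 * i, "fromhost": "server", "hostname": "server",
              "msg": f"routine event {i}"} for i in range(6)]
            + [{"time": i, "fromhost": "server2.domain.com",
                "hostname": "server2.domain.com", "msg": f"Some message {i}"} for i in range(6)])

def run(files):
    return deliver(parse(files, "/etc/rsyslog.conf"), MESSAGES)

if __name__ == "__main__":
    print("split:", run(SPLIT))      # {'.../server/all': 1, ':ommail:...': 6}
    print("grouped:", run(GROUPED))  # {'.../server/all': 6, ':ommail:...': 1}
```

With the split layout the model writes 1 of the 6 "server" messages to /var/log/remote/server/all and sends 6 mails; with the parameters grouped directly in front of the ommail action it writes all 6 and sends 1 mail. On a real system the check is the one David suggested earlier in the thread: send a known number of test messages from the host and count them in the target file, and do that again after any change to a drop-in under $IncludeConfig.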
Re: Logging all messages from a remote server
Thanks all. My config is working fine now.

I can take some of the blame for requesting the
$ActionExecOnlyEveryNthTime* params in the first place :P.

Just to shed some light, my previous understanding (or what I
initially gathered from the docs) was that the $Action params needed
to just be in a block and the order of params didn't matter.

So:
#start Action
$Action...
$Action...
$Action...
#end Action

So that was just what I gathered in my head. But it's all clear now.

- Julian

Re: Logging all messages from a remote server
> Just to shed some light, my previous understanding (or what I
> initially gathered from the docs) was that the $Action params needed
> to just be in a block and the order of params didn't matter.
>
> So:
> #start Action
> $Action...
> $Action...
> $Action...
> #end Action
>
> So that was just what I gathered in my head. But it's all clear now.

Well, the order doesn't matter BUT (!) above you do NOT define an action -
because the action itself is missing! So whatever action comes next, it will
receive these parameters.

Rainer
>
> - Julian
>
> On Sun, Mar 15, 2009 at 11:08 PM, Rainer Gerhards
> <rgerhards@hq.adiscon.com> wrote:
> >> -----Original Message-----
> >> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> >> bounces@lists.adiscon.com] On Behalf Of Julian Yap
> >> Sent: Monday, March 16, 2009 10:05 AM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Logging all messages from a remote server
> >>
> >> Rainer,
> >>
> >> Would you recommend against using $includeConfig?  In that case, it
> >> tends to lead to more unknown config issues.
> >
> > No, but do not split config directives that need to go together over
> several
> > places. You need to put this together
> >
> > # this starts the definition of a single action
> > $ActionExecOnlyOnceEveryInterval 300
> > $ActionExecOnlyEveryNthTimeTimeout 1200
> > $ActionExecOnlyEveryNthTime 3
> > $...
> > *.*  action
> > #this ends it
> >
> > So you need to put everything together. If you rip it apart, you will
> get
> > undefined results.
> >
> > This is - to phrase it politely - not very well documented. You need
> to read
> > the fine print, most of the $Action... params modify the *next*
> action - NOT
> > *all* actions. So it is vitally important where they occur.
> >
> > Will try to make this clear as soon as I have a bit more time.
> >
> >
> > Rainer
> >>
> >> - Julian
> >>
> >> On Sun, Mar 15, 2009 at 10:52 PM, Rainer Gerhards
> >> <rgerhards@hq.adiscon.com> wrote:
> >> > The issue is that these statements
> >> >
> >> > $ActionExecOnlyOnceEveryInterval 300
> >> > $ActionExecOnlyEveryNthTimeTimeout 1200
> >> > $ActionExecOnlyEveryNthTime 3
> >> >
> >> > Modify the *next* action. So you need to specify them in front of
> the
> >> action.
> >> > If you use the $includeConfig option, and have part of the action
> >> inside the
> >> > include file and other parts (the statements) outside (or vice
> >> versa), you
> >> > never know which action gets configured how. So place all of them
> >> together.
> >> >
> >> > HTH
> >> > Rainer
> >> >
> >> >> -----Original Message-----
> >> >> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> >> >> bounces@lists.adiscon.com] On Behalf Of Julian Yap
> >> >> Sent: Monday, March 16, 2009 9:15 AM
> >> >> To: rsyslog-users
> >> >> Subject: Re: [rsyslog] Logging all messages from a remote server
> >> >>
> >> >> OK, I narrowed the issues down.  Now I've faced strange issues
> like
> >> >> this before when using the $IncludeConfig directive.
> >> >>
> >> >> This is what I have just tested with in my /etc/rsyslog.conf file (and
> >> >> other lines) and it worked fine:
> >> >> ----
> >> >> $IncludeConfig /etc/rsyslog.d/
> >> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
> >> >> ----
> >> >>
> >> >> Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
> >> >> things turn strange and only certain messages are logged from the
> >> >> first server:
> >> >> ----
> >> >> $ModLoad ommail
> >> >>
> >> >> $ActionFileDefaultTemplate      RSYSLOG_TraditionalFileFormat
> >> >>
> >> >> $template DYNserver2, "/var/log/remote/server2.log"
> >> >> $template TraditionalFormatNoHostname,"%timegenerated% %syslogtag%%msg:::drop-last-lf%\n"
> >> >>
> >> >> if $hostname == 'server2.domain.com' then ?DYNserver2;TraditionalFormatNoHostname
> >> >>
> >> >> $ActionMailFrom rsyslog@domain.com
> >> >> $ActionMailTo server2_alert
> >> >> $template mailSubjectTestAlert,"INFO: Alert detected"
> >> >> $template mailBodyTestAlert,"Message is..."
> >> >> $ActionMailSubject mailSubjectTestAlert
> >> >> $ActionExecOnlyOnceEveryInterval 300
> >> >> $ActionExecOnlyEveryNthTimeTimeout 1200
> >> >> $ActionExecOnlyEveryNthTime 3
> >> >>
> >> >> if $hostname == 'server2.domain.com' and $msg contains 'Some message'
> >> >> then :ommail:;mailBodyTestAlert
> >> >> ----
> >> >>
> >> >> Now if I add the contents of
> >> >> /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
> >> >> remove file /etc/rsyslog.d/testalert_for_another_server) then things
> >> >> work fine...
> >> >>
> >> >> Now if I remove the previous changes to /etc/rsyslog.conf and modify
> >> >> /etc/rsyslog.d/testalert_for_another_server and remove the following
> >> >> lines then things work OK again:
> >> >> $ActionExecOnlyOnceEveryInterval 300
> >> >> $ActionExecOnlyEveryNthTimeTimeout 1200
> >> >> $ActionExecOnlyEveryNthTime 3
> >> >>
> >> >>
> >> >> - Julian
> >> >>
> >> >>
> >> >> On Sun, Mar 15, 2009 at 7:16 PM,  <david@lang.hm> wrote:
> >> >> > On Sun, 15 Mar 2009, Julian Yap wrote:
> >> >> >
> >> >> >> I'm having trouble logging ALL the syslog messages received from a
> >> >> >> server. I'm not sure if it's because it's from a non-standard piece
> >> >> >> of hardware (i.e. not a Linux server). Logging to another server
> >> >> >> running syslogd works fine (but syslogd doesn't allow me to log
> >> >> >> messages from a remote server to a separate file and it's not my
> >> >> >> central syslogd server).
> >> >> >>
> >> >> >> I've tried several lines but none seem to work for me:
> >> >> >> if $fromhost == 'server' then /var/log/remote/server/all
> >> >> >> if $source == 'server' then /var/log/remote/server/all
> >> >> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
> >> >> >> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
> >> >> >> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
> >> >> >
> >> >> > there are a few possible reasons that this could have problems
> >> >> >
> >> >> > is it that you have a high volume of logs and some just get dropped?
> >> >> >
> >> >> > if you just write everything to a file (*.* /var/log/test) does it have
> >> >> > all the logs from this server? or is it missing some?
> >> >> >
> >> >> > do the logs from this server sometimes include the host and sometimes
> >> >> > not?
> >> >> >
> >> >> > what is different between the logs that you match and the ones that you
> >> >> > miss?
> >> >> > David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
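The binding rule in Rainer's reply (a legacy $Action... directive such as $ActionExecOnlyOnceEveryInterval modifies the *next* action in configuration-processing order, with $IncludeConfig expanded at the point where it appears) can be checked mechanically. The script below is an added illustration for this thread, not code from the thread or from rsyslog itself: it walks a set of in-memory config files, expands $IncludeConfig, and reports which of the three rate-limiting directives from the thread end up attached to which action. Two constructed layouts are compared: one where the mail action and its modifiers sit in different files under /etc/rsyslog.d/ (so the modifiers bind to whatever action the include order happens to put next, here the :FROMHOST file action), and one where the modifiers immediately precede their action as recommended. The file names and contents, the assumption that a directory include is read in sorted name order, and the single-line form of the `if ... then` rule are all choices made for the demonstration; rsyslog's real parser handles far more than this model.

```python
"""Which action does a legacy rsyslog $Action... modifier bind to?

Added illustration for the thread above; not rsyslog's own code.  It models
one rule from Rainer's reply: a per-action modifier such as
$ActionExecOnlyOnceEveryInterval applies to the *next* action line in
configuration-processing order, with $IncludeConfig expanded in place.
File names and contents below are constructed, and the assumption that a
directory include reads its files in sorted name order is ours.
"""

import re
from typing import Dict, Iterator, List, Tuple

# The three directives the thread identifies as modifying the next action.
PER_ACTION_MODIFIERS = {
    "$ActionExecOnlyOnceEveryInterval",
    "$ActionExecOnlyEveryNthTime",
    "$ActionExecOnlyEveryNthTimeTimeout",
}

# A line that starts an action: "*.* ...", "mail.info ...", ":PROP, op, ..." or
# an "if ... then ..." expression filter (single-line form only in this model).
ACTION_LINE = re.compile(r"^(\*\.|[\w,]+\.\S|:\w+\s*,|if\s)")

Action = Tuple[str, Dict[str, str]]


def expand_includes(path: str, files: Dict[str, str]) -> Iterator[str]:
    """Yield the stripped lines of `path`, expanding $IncludeConfig in place.

    `files` is an in-memory filesystem {path: contents}.  A target ending in
    '/' includes every file under that prefix in sorted order (assumption).
    """
    for raw in files[path].splitlines():
        line = raw.strip()
        if line.startswith("$IncludeConfig"):
            target = line.split(None, 1)[1]
            if target.endswith("/"):
                members = sorted(p for p in files if p.startswith(target))
            else:
                members = [target] if target in files else []
            for member in members:
                yield from expand_includes(member, files)
        else:
            yield line


def bind_modifiers(main: str, files: Dict[str, str]) -> Tuple[List[Action], Dict[str, str]]:
    """Return (actions, leftover): each action paired with the modifiers it
    consumed, plus any modifiers that were never followed by an action."""
    pending: Dict[str, str] = {}
    actions: List[Action] = []
    for line in expand_includes(main, files):
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            if name in PER_ACTION_MODIFIERS:
                pending[name] = value.strip()
            # $ModLoad, $template, $ActionMailTo, ...: not modelled here.
            continue
        if ACTION_LINE.match(line):
            actions.append((line, pending))   # this action consumes what is pending
            pending = {}
    return actions, pending


# Constructed sample layouts (not taken from the thread's real files).
MAIN = "/etc/rsyslog.conf"
MAIN_CONF = (
    "$IncludeConfig /etc/rsyslog.d/\n"
    ':FROMHOST, isequal, "server" /var/log/remote/server/all\n'
)
MAIL_RULE = (
    "if $hostname == 'server2.domain.com' and $msg contains 'Some message' "
    "then :ommail:;mailBodyTestAlert\n"
)
RATE_LIMITS = (
    "$ActionExecOnlyOnceEveryInterval 300\n"
    "$ActionExecOnlyEveryNthTimeTimeout 1200\n"
    "$ActionExecOnlyEveryNthTime 3\n"
)

# "Ripped apart": the mail action and its modifiers live in different files, and
# the include order puts the modifiers *after* the mail action.  They then bind
# to the next action in order, which is the FROMHOST file action in the main file.
SPLIT_LAYOUT = {
    MAIN: MAIN_CONF,
    "/etc/rsyslog.d/10-mail-action": "$ModLoad ommail\n" + MAIL_RULE,
    "/etc/rsyslog.d/20-rate-limits": RATE_LIMITS,
}

# Together, as Rainer recommends: modifiers immediately precede their action.
GROUPED_LAYOUT = {
    MAIN: MAIN_CONF,
    "/etc/rsyslog.d/alert": "$ModLoad ommail\n" + RATE_LIMITS + MAIL_RULE,
}


def report(layout: Dict[str, str]) -> List[str]:
    """Human-readable binding table for a layout, one line per action."""
    actions, leftover = bind_modifiers(MAIN, layout)
    lines = [f"{a[:40]:<40} -> {sorted(m) or 'no modifiers'}" for a, m in actions]
    if leftover:
        lines.append(f"(unbound modifiers, no action followed: {sorted(leftover)})")
    return lines


if __name__ == "__main__":
    for title, layout in (("split layout", SPLIT_LAYOUT), ("grouped layout", GROUPED_LAYOUT)):
        print(f"== {title} ==")
        print("\n".join(report(layout)))
```

In the split layout the three rate-limiting directives land on the :FROMHOST file action, which is exactly the kind of outcome that would make a remote host's log file receive only every third message; in the grouped layout they land on the mail action and the file action is left untouched. The model is deliberately minimal (it does not know which directives rsyslog resets after an action, nor how multi-line `if` rules are parsed), so treat it as a way to reason about ordering across include files, not as a validator for a production rsyslog.conf.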