Hi there,
I'm pretty new to rsyslog, so it's likely I'm doing something wrong. I'm
trying to build a dockerised syslog router based on rsyslog.
The docker container is listening on UDP 514 and receiving syslogs from
multiple sources and I want to route the raw syslogs to some destinations,
as well as parse them and send them on to different Elasticsearch
destinations, and perhaps Kafka in the future.
To start with, I'm just trying to forward on the syslogs received on UDP
514 to another syslog server also listening on UDP 514.
I would also like to monitor the local Alpine server in the container and
have those logs writing only to stdout which can then get picked up by
filebeat which is monitoring all my containers, or seen by the "docker
logs" command.
What I don't want is for the container syslogs being written to the UDP 514
outbound stream or the syslogs being received on UDP 514 being written to
the local container syslogs via stdout.
I tried making two different multiple rulesets and actions and binding them
to the UDP 514 and the Linux socket inputs. When I tried this, I could
only see the forwarded UDP 514 syslogs, but not the stdout local container
syslogs. However for some reason, when I only used one ruleset for the UDP
traffic, and then had a default rule for the local syslogs, it seemed to
work.
I'd love to know why my multiple ruleset configuration didn't work. I
tried following the documentation here:
https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html and
Rainer's helpful tutorial here:
https://rainer.gerhards.net/2019/10/rsyslog-relay-messages-only-no-local-storage.html
Here is my working configuration with the one ruleset and the default:
# configure inputs
# local system logging
module(load="imuxsock")
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log" CreatePath="on")
# run UDP syslog on syslog port 514
module(load="imudp")
input(type="imudp" port="514" ruleset="syslogin")
# configure output actions with rulesets for UDP 514 outbound
ruleset(name="syslogin"){
action(type="omfwd" target="my-remote-server.com" port="514"
protocol="udp")
}
# default is to send all output to stdout, in this case only
# local files, as UDP 514 input is forwarded to 514 UDP.
$ModLoad omstdout.so
*.* :omstdout:
But the one with two rulesets bound to each of the inputs only
forwards the UDP 514 stream:
$ModLoad omstdout.so
# configure inputs
# local system logging
module(load="imuxsock")
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log"
CreatePath="on" ruleset="local")
# run UDP syslog on syslog port 514
module(load="imudp")
input(type="imudp" port="514" ruleset="syslogin")
# configure output actions via rulesets
ruleset(name="syslogin"){
action(type="omfwd" target="my-remote-server.com" port="514"
protocol="udp")
}
ruleset(name="local"){
action(type="omstdout")
}
Thanks for any help with this!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
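For comparison, an added example (not the poster's configuration) of the two-ruleset layout with every socket bound explicitly: imuxsock's implicit system-socket listener (SysSock.Use, on by default) is turned off so no local input is left to the default ruleset by accident, and the default ruleset keeps a stdout catch-all so anything that does land there stays visible in docker logs instead of being dropped silently. The socket paths and the remote hostname are placeholders.

```conf
# Added example, not the poster's config. Goal: UDP 514 traffic is relayed only,
# local container logs go to stdout only, and nothing is dropped unnoticed.

# No implicit /dev/log listener: every local socket is declared below and bound
# to the "local" ruleset, so none of it falls through to the default ruleset.
module(load="imuxsock" SysSock.Use="off")
module(load="imudp")
module(load="omstdout")

# Local container logs. /dev/log is the libc default path; the second path is a
# placeholder for a socket you bind-mount or point applications at.
input(type="imuxsock" Socket="/dev/log" ruleset="local")
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log" CreatePath="on"
      ruleset="local")

# Syslog received from other hosts on UDP 514.
input(type="imudp" port="514" ruleset="syslogin")

# Relay-only ruleset: no stdout action here, so received traffic never
# shows up in the container's own log stream. Hostname is a placeholder.
ruleset(name="syslogin") {
    action(type="omfwd" target="my-remote-server.com" port="514" protocol="udp")
}

# Local-only ruleset: nothing here is forwarded upstream.
ruleset(name="local") {
    action(type="omstdout")
}

# Default ruleset: only messages from an input without a ruleset= binding end
# up here. Writing them to stdout makes a misbinding visible in "docker logs".
action(type="omstdout")
```

Because each input is bound to exactly one ruleset, no stop statement is needed to keep the two streams apart; a message in the default ruleset is the signal that some input is not bound as intended.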