Mailing List Archive: rsyslog's programname

rsyslog's programname

Feb 12, 2020, 6:26 AM

Post #1 of 3 (425 views)

Is there way to configure rsyslog instance to use its own programname?
For example rsyslog-net or rsyslog-lin for appropriate instances which have
different listen ports open.
As those usually run on the same host, the error messages are logged under
"rsyslog" and it is hard to decide what message is from which instance.
One way for dealing could be to create link /usr/sbin/rsyslogd-lin pointing
to /usr/sbin/rsyslogd and starting instance with calling this link. That
will result in rsyslogd-lin being used as programname. Is there other way
for dealing with it in rsyslog configuration only?

In other case it seems those internal rsyslog messages are duplicite (once
logged with full syslog-tag with PID and secondly with msg only). Is there
some way to supress duplicite logging of these messages?

Feb 12 12:12:13 syslog01 rsyslogd[10891]: rsyslogd: imptcp imptcp: message
received is at least 1536 byte larger than max msg size; message will be
split starting at: "1011322,"UserFingerprint":null,"" [v8.1901.0]
Feb 12 12:12:13 syslog01 rsyslogd: imptcp imptcp: message received is at
least 1536 byte larger than max msg size; message will be split starting
at: "1011322,"UserFingerprint":null,"" [v8.1901.0]

Thank you.

--
Peter
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: rsyslog's programname [ In reply to ]

rsyslog at lists

Feb 12, 2020, 6:31 AM

Post #2 of 3 (425 views)

Permalink

El mié., 12 feb. 2020 a las 15:26, Peter Viskup via rsyslog
(<rsyslog@lists.adiscon.com>) escribió:
>
> Is there way to configure rsyslog instance to use its own programname?
> For example rsyslog-net or rsyslog-lin for appropriate instances which have
> different listen ports open.
> As those usually run on the same host, the error messages are logged under
> "rsyslog" and it is hard to decide what message is from which instance.
> One way for dealing could be to create link /usr/sbin/rsyslogd-lin pointing
> to /usr/sbin/rsyslogd and starting instance with calling this link. That
> will result in rsyslogd-lin being used as programname. Is there other way
> for dealing with it in rsyslog configuration only?

I admit that's tricky. No easy way, if at all. Probably worth logging
an enhancement request (but I'd prefer to take the name from a global
config parameter).

>
> In other case it seems those internal rsyslog messages are duplicite (once
> logged with full syslog-tag with PID and secondly with msg only). Is there
> some way to supress duplicite logging of these messages?

May this be config induced? If not, a debug log would be useful.

Rainer
>
> Feb 12 12:12:13 syslog01 rsyslogd[10891]: rsyslogd: imptcp imptcp: message
> received is at least 1536 byte larger than max msg size; message will be
> split starting at: "1011322,"UserFingerprint":null,"" [v8.1901.0]
> Feb 12 12:12:13 syslog01 rsyslogd: imptcp imptcp: message received is at
> least 1536 byte larger than max msg size; message will be split starting
> at: "1011322,"UserFingerprint":null,"" [v8.1901.0]
>
> Thank you.
>
> --
> Peter
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: rsyslog's programname [ In reply to ]

rsyslog at lists

Feb 12, 2020, 6:46 AM

Post #3 of 3 (425 views)

Permalink

[Replying with mailing list address in recipients.]
Thank you, Rainer, for quick answer.

On Wed, Feb 12, 2020 at 3:31 PM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> El mié., 12 feb. 2020 a las 15:26, Peter Viskup via rsyslog
> (<rsyslog@lists.adiscon.com>) escribió:
> >
> > In other case it seems those internal rsyslog messages are duplicite
> (once
> > logged with full syslog-tag with PID and secondly with msg only). Is
> there
> > some way to supress duplicite logging of these messages?
>
> May this be config induced? If not, a debug log would be useful.
>

There are instances in chroot having disabled processing of internal
messages (they should log to /dev/log inside the chroot - and they
definitely do).
~# cat /chroot/lin/etc/rsyslog.d/global/01-global.conf
global(workDirectory="/var/spool/rsyslog")
global(action.reportSuspensionContinuation="on")
global(processInternalMessages="off")
global(abortOnUncleanConfig="on")
$EscapeControlCharactersOnReceive off

And the standard operating system instance running on the host is reading
the /dev/log sockets in chroots:
~# cat /etc/rsyslog.d/chroot-lin-imuxsock.conf
input(type="imuxsock"
Socket="/chroot/lin/dev/log"
CreatePath="on")

Do not see any other configuration options related to that message
processing.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.