Mailing List Archive

The right way to include more log files?
I am new to rsyslog and I have the following concern:
How can I send, from rsyslog clients, logs of services other than those written to /var/log/messages?
For example the logs from :
* /var/log/service_x/*
* /var/log/service_y/*

Can I configure the rsyslog client to include more paths to log files?

I tried the following with Apache logs, through a pipe to the logger utility (/etc/apache2/..virtualHost.conf):
```
CustomLog "| /bin/sh -c '/usr/bin/tee -a /var/log/httpd/local-access_log | /usr/bin/logger -thttpd -plocal1.notice'" combined
ErrorLog "|/bin/sh -c '/usr/bin/tee -a /var/log/httpd/local-error_log | /usr/bin/logger -thttpd -plocal1.err'"
```

and without any configuration on either the rsyslog client or the rsyslog server I receive the logs on my rsyslog server.
But I don't like this way, and I don't think it's the best way to do it. In addition, what will I do for other services (databases, for example)?

Thanks in advance,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: The right way to include more log files? [ In reply to ]
Use the imfile module.

https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html

Be cautious, though, about access rights and SELinux policies.

On 22.02.2021 08:49, odrzen via rsyslog wrote:
Re: The right way to include more log files? [ In reply to ]
Thanks Cyril for the awesome explanations and help. I understood some things even better.

I would like to ask you about the ruleset. I tried the following and (until now) it works perfectly:
```
module(load="imfile" mode="inotify")

input(type="imfile"
      file="/var/log/httpd/*log"
      tag="apache:")
```
Why do you also configure a ruleset?
(Although I read about the "facility", I still don't fully understand it, but this is another story, I will read it again.)

Personally, I have not set a ruleset. So, is a specific one implied by default or not?
What do I gain by defining a specific one like you do in your very nice example?
For example, can I have better statistics on my messages? Or something else?

Thank you very much. I really appreciate your help.

------- Original Message -------
On Monday, February 22, 2021 12:53 PM, <cyril.stoll@uzh.ch> wrote:

> Hi
>
> Your OS most likely uses rsyslog for other things than just messages/syslog. It often also handles maillog, cron logs etc. In order to send all the logs that rsyslog handles to a central log server you can use the following config:
>
> ```
> *.* @123.123.123.123:514
> ```
>
> If you use two @ signs it will use TCP; in the example above, with just one @ sign, rsyslog will send the logs using UDP. You could also use the newer syntax to achieve this, but it's just very simple this way.
>
> To send logs of other software that does not use rsyslog for logging, I use the imfile module to read those log files and then send the logs to the central log server. You can use the following config to do this:
>
> ```
> module(load="imfile" mode="inotify")
>
> ruleset(name="fwdapachetocentrallog") {
>     action(type="omfwd"
>            template="RSYSLOG_TraditionalForwardFormat"
>            queue.type="LinkedList"
>            queue.filename="fwd_q_apache"
>            queue.size="100000"
>            action.resumeRetryCount="-1"
>            queue.saveonshutdown="on"
>            target="123.123.123.123" port="514" protocol="udp")
> }
>
> input(type="imfile" tag="apache/access.log" file="/var/log/httpd/local-access_log" facility="local1" ruleset="fwdapachetocentrallog")
> input(type="imfile" tag="apache/err.log" file="/var/log/httpd/local-error_log" facility="local2" ruleset="fwdapachetocentrallog")
> ```
>
> Best,
> Cyril
Re: The right way to include more log files? [ In reply to ]
A ruleset is a "subprogram" processing your messages. If you have not
defined a specific ruleset, every message is processed by the
main rsyslog ruleset, and the messages you read are in no way split
between different rulesets (thus all are processed according to the same
rules).

If you define multiple inputs with their own rulesets, the events coming from
a particular input are processed only by the rules included in that ruleset.

Why would you want to do that? Let's imagine that you have an
installation where you want to log local events "normally" to a file but
you also receive events from the network and want to forward them to
some central log management solution. You could of course set up a
complicated set of filters which would choose only some subset of the
events to be written to files and another subset of the events to be
forwarded somewhere else, but it's way easier to just make an input
listening on a network port and tie it to a ruleset with an action
forwarding it to another server.

Rulesets are a way of managing event processing flows. Additionally,
rulesets can have their own queues, which help with reliability issues.

And again - if you have not set any rulesets explicitly, all your events
are processed by an implicit "main" ruleset containing all the filters
you put in the config file.


On 24.02.2021 08:01, odrzen via rsyslog wrote:
Re: The right way to include more log files? [ In reply to ]
First of all, thank you very much for all this analysis.

So, if I define my own rulesets on some rsyslog "client" to send these messages/logs to a central rsyslog server, then on the server side I don't need to define anything, right?
Do these only apply to the local machine, right?

Another very easy example: if a machine doesn't run many services, but only 1-2, and we want to send the logs to a remote machine, would you suggest creating rulesets in this case too?

Well... is it for better performance and easier management in various situations?

Can I use these rulesets and actions even more?

> Additionally, rulesets can have own queues which help dealing with reliability issues.

Can I even use them on the (central) rsyslog server to have better statistics?
For example, I have now done this configuration:

```
module(load="impstats"
       interval="600"
       severity="7"
       log.syslog="off")

global(senders.keepTrack="on")
dyn_stats(name="msg_per_host")
```


and I get the following results:

```
Wed Feb 24 23:23:20 2021: global: origin=dynstats msg_per_host.ops_overflow=0 msg_per_host.new_metric_add=0 msg_per_host.no_metric=0 msg_per_host.metrics_purged=0 msg_per_host.ops_ignored=0 msg_per_host.purge_triggered=142

Wed Feb 24 23:23:20 2021: imuxsock: origin=imuxsock submitted=0 ratelimit.discarded=0 ratelimit.numratelimiters=0
Wed Feb 24 23:23:20 2021: dynafile cache Auditlog: origin=omfile requests=1611936 level0=979202 missed=26491 evicted=26362 maxused=10 closetimeouts=0
Wed Feb 24 23:23:20 2021: action 0: origin=core.action processed=1611936 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: dynafile cache RemoteLogs: origin=omfile requests=69023867 level0=7424680 missed=930036 evicted=929906 maxused=10 closetimeouts=0

Wed Feb 24 23:23:20 2021: action 1: origin=core.action processed=69023867 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 2: origin=core.action processed=67365327 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 3: origin=core.action processed=1611936 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 4: origin=core.action processed=21400 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 5: origin=core.action processed=25204 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 6: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 7: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Feb 24 23:23:20 2021: action 8: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0

Wed Feb 24 23:23:20 2021: msg_per_host: origin=dynstats.bucket
Wed Feb 24 23:23:20 2021: imudp(*:514): origin=imudp submitted=0
Wed Feb 24 23:23:20 2021: imudp(*:514): origin=imudp submitted=0
Wed Feb 24 23:23:20 2021: imtcp(6514): origin=imtcp submitted=68743761
Wed Feb 24 23:23:20 2021: resource-usage: origin=impstats utime=6521531271 stime=8494790327 maxrss=20592 minflt=198177 majflt=47 inblock=106768 oublock=89664368 nvcsw=132661919 nivcsw=31780
Wed Feb 24 23:23:20 2021: main Q: origin=core.queue size=0 enqueued=69023867 full=0 discarded.full=0 discarded.nf=0 maxqsize=2284
Wed Feb 24 23:23:20 2021: imudp(w0): origin=imudp called.recvmmsg=0 called.recvmsg=0 msgs.received=0
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_1.com messages=14731
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_2.com messages=4885409
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_3.com messages=18499
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_4.com messages=18946
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_5.com messages=91936
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_6.com messages=33897
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_7.com messages=7901260
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_8.com messages=21403
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_9.com messages=4887634
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_10.com messages=4886624
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_11.com messages=103785
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_12.com messages=17910
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_13.com messages=7990763
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_14.com messages=89795
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_15.com messages=14669914
Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_16.com messages=8018009
```

From the beginning I was wondering what the following actions mean:
```
action 1: origin=core.action
action 2: origin=core.action
[...]
```

If I set the parameter name="something" in the action from your example, will I then see these action statistics on the (central) rsyslog server?




------- Original Message -------
On Wednesday, February 24, 2021 9:31 AM, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

Re: The right way to include more log files? [ In reply to ]
You can tie a ruleset to a particular input, so all messages that arrive via
that input only see the rules in that ruleset.

To change "action 2" to something meaningful, add name='foo' in the action()
statement and you will then get foo instead of 'action 2' in the pstats output.

pstats only knows about what is going on on the server it's running on; it can't
tell you what happened on other systems.

Does this answer your questions?

David Lang
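The pieces the thread describes, assembled into one client-side configuration as an added example (not from any post here): Mariusz's input-bound rulesets with their own queues, and David's name= on actions so impstats stops reporting "action N". It assumes rsyslog v8, a collector at 192.0.2.10 (a documentation address), a /var/spool/rsyslog work directory, and log files under /var/log/httpd, /var/log/service_x and /var/log/service_y that rsyslogd is allowed to read.

```rsyslog
# Added example (not from any post in this thread): client-side rsyslog v8
# config. Each imfile input is bound to a ruleset with its own disk-assisted
# queue, and every action is named so impstats reports it by that name.
# Assumptions: 192.0.2.10 is the central collector (documentation address),
# /var/spool/rsyslog exists and is writable by rsyslogd, and rsyslogd may
# read the files below (on SELinux hosts check their context with ls -Z).

global(workDirectory="/var/spool/rsyslog")

# inotify mode is required for wildcard file names.
module(load="imfile" mode="inotify")

# Statistics for this host only; the collector needs its own impstats.
module(load="impstats"
       interval="600"
       severity="7"
       log.syslog="off"
       log.file="/var/log/rsyslog-stats.log")

# Local syslog traffic stays in the implicit main ruleset and is written
# to disk as usual. The name turns "action 0" into "local_messages".
action(type="omfile" name="local_messages" file="/var/log/messages")

# Everything bound to this ruleset is forwarded and nothing else; no
# filter is needed to keep it out of /var/log/messages. The ruleset queue
# holds events in memory, spills to /var/spool/rsyslog/fwd_app_logs_q*
# while the collector is unreachable and is written out on shutdown, so a
# collector outage or a local restart does not drop events.
ruleset(name="fwd_app_logs"
        queue.type="LinkedList"
        queue.filename="fwd_app_logs_q"
        queue.size="100000"
        queue.saveonshutdown="on") {

    # Retry forever rather than discarding when the collector is down.
    # On an untrusted network add the omfwd TLS parameters (StreamDriver,
    # StreamDriverMode, StreamDriverAuthMode, StreamDriverPermittedPeers)
    # and set global(DefaultNetstreamDriverCAFile=...) to the CA file.
    action(type="omfwd"
           name="fwd_app_logs_to_collector"
           target="192.0.2.10" port="514" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           action.resumeRetryCount="-1")
}

# Apache writes its own files; imfile tails them. facility and severity
# set the PRI of the generated messages, since imfile cannot infer them.
input(type="imfile"
      file="/var/log/httpd/local-access_log"
      tag="apache/access.log"
      facility="local1" severity="notice"
      ruleset="fwd_app_logs")

input(type="imfile"
      file="/var/log/httpd/local-error_log"
      tag="apache/err.log"
      facility="local1" severity="err"
      ruleset="fwd_app_logs")

# A service that rotates its own files: the wildcard follows new files as
# they appear, and addMetadata records which file each message came from
# (available to templates as $!metadata!filename).
input(type="imfile"
      file="/var/log/service_x/*.log"
      tag="service_x"
      addMetadata="on"
      ruleset="fwd_app_logs")

# Database logs are often multi-line (a statement followed by its error).
# startmsg.regex marks a line starting with a date as the start of a new
# event; lines that do not match are appended to the previous event
# instead of being forwarded as separate, context-free messages.
input(type="imfile"
      file="/var/log/service_y/db.log"
      tag="service_y/db"
      facility="local2"
      startmsg.regex="^[0-9]{4}-[0-9]{2}-[0-9]{2}[ T]"
      ruleset="fwd_app_logs")
```

With this in place the impstats output on the client lists local_messages and fwd_app_logs_to_collector instead of numbered actions, and the fwd_app_logs queue shows up as its own core.queue line.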


On Wed, 24 Feb 2021, odrzen via rsyslog wrote:

> Date: Wed, 24 Feb 2021 21:59:52 +0000
> From: odrzen via rsyslog <rsyslog@lists.adiscon.com>
> Reply-To: odrzen <odrzen@protonmail.com>,
> rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: odrzen <odrzen@protonmail.com>
> Subject: Re: [rsyslog] The right way to include more log files?
>
> First of all, Thank you very much for all this analysis.
>
> So, if I define my own rulesets in some rsyslog "client" to send this messages/logs to a central rsyslog server, then from the server side, I don't need to define something, right ?
> Do these only apply to the local machine. Right ?
>
> Another very easy example: if a machine doesn't run many services, but only 1-2, and we want to send the logs to a remote machine, in this case, too, would you suggest creating rulesets ?
>
> Well .. is it for better performance and easier management in various situations ?
>
> Can I use these rulesets and actions even more ?
>
>> Additionally, rulesets can have own queues which help dealing with reliability issues.
>
> Can I even use them on rsyslog (central) server to have better statistics ?
> For example, I have now done this configuration:
>
> module(load="impstats"
> interval="600"
> severity="7"
> log.syslog="off")
>
> global(senders.keepTrack="on")
> dyn_stats(name="msg_per_host")
>
>
> and I get the following results:
>
> ```
> Wed Feb 24 23:23:20 2021: global: origin=dynstats msg_per_host.ops_overflow=0 msg_per_host.new_metric_add=0 msg_per_host.no_metric=0 msg_per_host.metrics_purged=0 msg_per_host.ops_ignored=0 msg_per_host.purge_triggered=142
>
> Wed Feb 24 23:23:20 2021: imuxsock: origin=imuxsock submitted=0 ratelimit.discarded=0 ratelimit.numratelimiters=0
> Wed Feb 24 23:23:20 2021: dynafile cache Auditlog: origin=omfile requests=1611936 level0=979202 missed=26491 evicted=26362 maxused=10 closetimeouts=0
> Wed Feb 24 23:23:20 2021: action 0: origin=core.action processed=1611936 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: dynafile cache RemoteLogs: origin=omfile requests=69023867 level0=7424680 missed=930036 evicted=929906 maxused=10 closetimeouts=0
>
> Wed Feb 24 23:23:20 2021: action 1: origin=core.action processed=69023867 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 2: origin=core.action processed=67365327 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 3: origin=core.action processed=1611936 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 4: origin=core.action processed=21400 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 5: origin=core.action processed=25204 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 6: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 7: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Feb 24 23:23:20 2021: action 8: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
>
> Wed Feb 24 23:23:20 2021: msg_per_host: origin=dynstats.bucket
> Wed Feb 24 23:23:20 2021: imudp(*:514): origin=imudp submitted=0
> Wed Feb 24 23:23:20 2021: imudp(*:514): origin=imudp submitted=0
> Wed Feb 24 23:23:20 2021: imtcp(6514): origin=imtcp submitted=68743761
> Wed Feb 24 23:23:20 2021: resource-usage: origin=impstats utime=6521531271 stime=8494790327 maxrss=20592 minflt=198177 majflt=47 inblock=106768 oublock=89664368 nvcsw=132661919 nivcsw=31780
> Wed Feb 24 23:23:20 2021: main Q: origin=core.queue size=0 enqueued=69023867 full=0 discarded.full=0 discarded.nf=0 maxqsize=2284
> Wed Feb 24 23:23:20 2021: imudp(w0): origin=imudp called.recvmmsg=0 called.recvmsg=0 msgs.received=0
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_1.com messages=14731
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_2.com messages=4885409
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_3.com messages=18499
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_4.com messages=18946
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_5.com messages=91936
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_6.com messages=33897
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_7.com messages=7901260
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_8.com messages=21403
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_9.com messages=4887634
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_10.com messages=4886624
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_11.com messages=103785
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_12.com messages=17910
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_13.com messages=7990763
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_14.com messages=89795
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_15.com messages=14669914
> Wed Feb 24 23:23:20 2021: _sender_stat: sender=example_16.com messages=8018009
> ```
>
> From the beginning I was wondering what the following actions mean:
> ```
> action 1: origin=core.action
> action 2: origin=core.action
> [...]
> ```
>
> If I set the parameter "name=something" in the action of your example, will I then see the statistics of this action on the (central) rsyslog server?
>
Re: The right way to include more log files? [ In reply to ]
------- Original Message -------
On Thursday, February 25, 2021 12:07 AM, David Lang <david@lang.hm> wrote:

> you can tie a ruleset to a particular input, so all messages that arrive via
> that input only see the rules in that ruleset.

Hm.. OK!

> to change the action 2 to something meaningful, add name='foo' in the action()
> statement and you will then get foo instead of 'action 2' in the pstats output

I set the name='foo' parameter on a machine, but on the host (remote rsyslog "server") that sends these messages, nothing has changed.


> pstats only knows about what is going on on the server it's running on, it can't
> tell you what happened on other systems.

Yes, of course, I just mentioned this as an example for the central server.

> does this answer your questions?

Yes, thank you very much. Especially in your previous message where you are very detailed.
I am more interested in understanding what the right way is, and why to use rulesets, actions or queues, especially in this case, to send particular log files to a central rsyslog.
Sorry if I confused you about the statistics.

> David Lang
Re: The right way to include more log files? [ In reply to ]
On Wed, 24 Feb 2021, odrzen wrote:

> I am more interested in understanding what the right way is, and why to use rulesets, actions or queues, especially in this case, to send particular log files to a central rsyslog.

There are a few reasons to use a ruleset:

1. when you have an input (say a network port) that is very different than other inputs and you only want to have a subset of the rules processed for logs that arrive on this input

2. a variant of #1, if you want to make sure that logs arriving from one input cannot be blocked if the queue builds up processing other inputs, you configure as #1 and add a queue to the ruleset

3. if you want to put a queue on a group of actions, say sending to one of a couple different destinations (failover), if you put a queue on each action, it will 'succeed' by putting the message in the queue, even if it's not sent. But you can put a queue on the ruleset to buffer things at that level, then have actions that don't have a queue and can fail (which you can detect)

4. avoiding duplicate writers to one destination. If you are writing to the same file/sending to the same remote machine and have 10 different actions in your rule that all have the same output, they will all be trying to output at the same time (opening multiple connections to remote systems), if you put the action in a ruleset and call it from all of those destinations, you only have one connection

5. making the ruleset easier to understand. Just like functions in programming languages, it may be easier to understand a config file that calls rulesets that hide the details rather than having all the statements inline.

David Lang
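Reasons 2, 3 and 4 above put into one rsyslog.conf fragment, added here as an illustration and not taken from David Lang's or the rsyslog project's configuration: a disk-assisted queue sits on the forwarding ruleset, the two forwarding actions have no queue of their own so a failure is visible and the failover can take over, and two different inputs reach the central server through that one ruleset via `call`. Hostnames, ports, file paths and ruleset names are placeholders.

```rainerscript
# Added example (not the thread's own config). All names and hosts are placeholders.
module(load="imfile" mode="inotify")
module(load="imtcp")

# Reason 3: the queue lives on the ruleset, not on the actions. The actions
# below have no queue of their own, so a send failure is seen by rsyslog and
# the failover action can run; meanwhile messages wait in the ruleset queue.
# Reason 4: every input that needs central forwarding calls this one ruleset,
# so there is a single connection to the central server, not one per input.
ruleset(name="to_central"
        queue.type="LinkedList"
        queue.filename="to_central_q"
        queue.size="100000"
        queue.saveOnShutdown="on") {
    # primary destination; when it cannot be reached the action is suspended
    action(type="omfwd" name="central_primary"
           Target="central1.example.internal" Port="6514" Protocol="tcp")
    # failover branch: runs only while the previous action is suspended
    action(type="omfwd" name="central_failover"
           Target="central2.example.internal" Port="6514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
}

# Reasons 1 and 2: logs arriving on the network port get their own ruleset, so
# only these rules run for them and a backlog here does not hold up the local
# file inputs below (the call hands messages to the to_central queue).
ruleset(name="from_network") {
    action(type="omfile" name="remote_file" file="/var/log/remote/all.log")
    call to_central
}
input(type="imtcp" port="514" ruleset="from_network")

# Local application files read with imfile: a different ruleset, but the same
# single forwarding path through the shared to_central ruleset.
ruleset(name="apache_files") {
    call to_central
}
input(type="imfile" file="/var/log/httpd/local-access_log"
      tag="apache/access.log" facility="local1" ruleset="apache_files")
input(type="imfile" file="/var/log/httpd/local-error_log"
      tag="apache/err.log" facility="local2" ruleset="apache_files")
```

With impstats loaded, the named actions show up as `central_primary` and `central_failover` instead of `action N`, and the ruleset queue appears as `to_central` with its own enqueued/discarded counters.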
Re: The right way to include more log files? [ In reply to ]
So, as I understand it, after your very good explanation, it's very important to define a `ruleset` in case we want rsyslog to handle/manage additional logs.
And it needs a new `ruleset`, with a specific `action`, `template`, `queue` and `Target`.

In your opinion, if a service writes its own logs to separate log files and rsyslog handles these logs by default, if this service generates a lot of logs, would you also still create a separate `ruleset` for it?


On the machine where I have defined, in the way you describe, which additional log files rsyslog handles (with its own `ruleset`), I see that I actually have more information about the messages from these logs using the `impstats` module (at the moment I don't know how else I can get more information about them).


For example:

```
Wed Mar 3 00:30:33 2021: global: origin=dynstats msg_per_host.ops_overflow=0 msg_per_host.new_metric_add=0 msg_per_host.no_metric=0 msg_per_host.metrics_purged=0 msg_per_host.ops_ignored=0 msg_per_host.purge_triggered=107
Wed Mar 3 00:30:33 2021: imuxsock: origin=imuxsock submitted=0 ratelimit.discarded=0 ratelimit.numratelimiters=0
Wed Mar 3 00:30:33 2021: action 0: origin=core.action processed=55295 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 1: origin=core.action processed=4511 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 2: origin=core.action processed=49706 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 3: origin=core.action processed=15 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 4: origin=core.action processed=1063 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 5: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 6: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Wed Mar 3 00:30:33 2021: action 7: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0

Wed Mar 3 00:30:33 2021: msg_per_host: origin=dynstats.bucket

Wed Mar 3 00:30:33 2021: apache: origin=core.action processed=6405 failed=0 suspended=0 suspended.duration=0 resumed=0

Wed Mar 3 00:30:33 2021: resource-usage: origin=impstats utime=25597640 stime=23465292 maxrss=17348 minflt=18258 majflt=0 inblock=656 oublock=125552 nvcsw=522977 nivcsw=115

Wed Mar 3 00:30:33 2021: apache queue[DA]: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0
Wed Mar 3 00:30:33 2021: apache queue: origin=core.queue size=0 enqueued=6405 full=0 discarded.full=0 discarded.nf=0 maxqsize=3

Wed Mar 3 00:30:33 2021: main Q: origin=core.queue size=0 enqueued=61700 full=0 discarded.full=0 discarded.nf=0 maxqsize=10
```

But now, from the side of the central machine to which I send the logs, can or should I set a separate "ruleset" for these messages?
So that I can be sure that the messages were successfully processed and stored on the central machine as well?


Thank you very much for the explanations and your time.
The way you describe them is very nice and simple. You helped me a lot to better understand why we need "rulesets".
Sorry if I had to figure this out on some page of the documentation, but I didn't see it described that way.







Re: The right way to include more log files? [ In reply to ]
Rulesets only apply inside the instance of rsyslog that is running them. Once you send the logs to a new machine, you now have a separate problem: how will you identify the log you want to treat differently?

If they are arriving via the same port as other logs, this can be difficult. I deal with this on my systems by having the sending machine send the logs in a json format that can include additional metadata (like what file the log came from) while still being able to easily recreate the original log message.

If I am understanding your problem correctly it seems like what you want is:

you have files on machine A that you want to move to machine B in real-time

This can be done without defining any rulesets, but it will require you create some way to identify the logs.

Since you are reading files from disk that do not have any facility or severity as part of the message being read, you could use those to encode what is what (local0 is file1, local1 is file2, using severity is possible, but more difficult), this gives you up to 64 combinations to work with, but is a pain to keep straight.

Another option would be to use the syslogtag field, and then just know on the far side that if you receive one of the special syslogtag values, you need to format the write to disk without using that field. The syslogtag field cannot include a / and is limited to 32 characters, so you do have some limitations.

Or you could make a custom format for your output that puts the file path as the first thing after the syslogtag and then parse it out on the receiving side.

I go a step further in making a more complex, but more flexible solution where I create a json message to send that has a field 'msg' that is the original message, and a tree of objects 'trusted-<company abbrev>' that I have contain the metadata that I want to add. This includes the filename if it's read from a file, the name and timestamps related to any relays that it goes through, what environment this is from (dev/qa/prod/etc) for cases where people like to re-use names, and anything else that comes up in the future. On the receiving side, it's a json message that gets parsed, then I look at the data in $!trusted-foo!* and can make decisions on what to do at that point.

David Lang

On Tue, 2 Mar 2021, odrzen wrote:

> Date: Tue, 02 Mar 2021 22:57:37 +0000
> From: odrzen <odrzen@protonmail.com>
> To: David Lang <david@lang.hm>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] The right way to include more log files?
>
> So, as I understand it - after your very good explanation, it's very important to define a `ruleset` in case we want rsyslog to handle/manage additional logs.
> And it needs a new `ruleset`, with a specific `action`, `template`, `queue` and `Target`.
>
> In your opinion, if a service writes its own logs to separate log files and rsyslog handles these logs by default, if this service generates a lot of logs, would you also still create a separate `ruleset` for it?
>
>
> On the side of the machine in which I have defined in the way you describe which additional log files the rsyslog handles ( with its own `ruleset` ), I see that I actually have more information about the messages from these logs using the `impstats` module (at the moment I don't know how else I can get more information about them).
>
>
> For example:
>
> ```
> Wed Mar 3 00:30:33 2021: global: origin=dynstats msg_per_host.ops_overflow=0 msg_per_host.new_metric_add=0 msg_per_host.no_metric=0 msg_per_host.metrics_purged=0 msg_per_host.ops_ignored=0 msg_per_host.purge_triggered=107
> Wed Mar 3 00:30:33 2021: imuxsock: origin=imuxsock submitted=0 ratelimit.discarded=0 ratelimit.numratelimiters=0
> Wed Mar 3 00:30:33 2021: action 0: origin=core.action processed=55295 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 1: origin=core.action processed=4511 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 2: origin=core.action processed=49706 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 3: origin=core.action processed=15 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 4: origin=core.action processed=1063 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 5: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 6: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
> Wed Mar 3 00:30:33 2021: action 7: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
>
> Wed Mar 3 00:30:33 2021: msg_per_host: origin=dynstats.bucket
>
> Wed Mar 3 00:30:33 2021: apache: origin=core.action processed=6405 failed=0 suspended=0 suspended.duration=0 resumed=0
>
> Wed Mar 3 00:30:33 2021: resource-usage: origin=impstats utime=25597640 stime=23465292 maxrss=17348 minflt=18258 majflt=0 inblock=656 oublock=125552 nvcsw=522977 nivcsw=115
>
> Wed Mar 3 00:30:33 2021: apache queue[DA]: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0
> Wed Mar 3 00:30:33 2021: apache queue: origin=core.queue size=0 enqueued=6405 full=0 discarded.full=0 discarded.nf=0 maxqsize=3
>
> Wed Mar 3 00:30:33 2021: main Q: origin=core.queue size=0 enqueued=61700 full=0 discarded.full=0 discarded.nf=0 maxqsize=10
> ```
>
> But now, from the side of the central machine to which I send the logs, can or should I set a separate "ruleset" for these messages?
> So that I can be sure that the messages were successfully processed and stored on the central machine as well?
>
>
> Thank you very much for the explanations and your time.
> The way you describe them is very nice and simple. You helped me a lot to better understand why we need "rulesets".
> Sorry if I had to figure this out on some page of the documentation, but I didn't see it described that way.
>
>
>
>
>
>
>
> ------- Original Message -------
> On Thursday, February 25, 2021 12:33 AM, David Lang <david@lang.hm> wrote:
>
>> On Wed, 24 Feb 2021, odrzen wrote:
>>
>>> I am more wondering to understand what is the right way and why to use rulesets, actions or queues and especially in this case to send particular log files to a central rsyslog.
>>
>> There are a few reasons to use a ruleset
>>
>> 1. when you have an input (say a network port) that is very different than other
>> inputs and you only want to have a subset of the rules processed for logs that
>> arrive on this input
>>
>> 2. a variant of #1, if you want to make sure that logs arriving from one input
>> cannot be blocked if the queue builds up processing other inputs, you configure
>> as #1 and add a queue to the ruleset
>>
>> 3. if you want to put a queue on a group of actions, say sending to one of a
>> couple different destinations (failover), if you put a queue on each action, it
>> will 'succeed' by putting the message in the queue, even if it's not sent. But
>> you can put a queue on the ruleset to buffer things at that level, then have
>> actions that don't have a queue and can fail (which you can detect)
>>
>> 4. avoiding duplicate writers to one destination. If you are writing to the same
>> file/sending to the same remote machine and have 10 different actions in your
>> rule that all have the same output, they will all be trying to output at the
>> same time (opening multiple connections to remote systems), if you put the
>> action in a ruleset and call it from all of those destinations, you only have one
>> connection
>>
>> 5. making the ruleset easier to understand. Just like functions in programming
>> languages, it may be easier to understand a config file that calls rulesets that
>> hide the details rather than having all the statements inline.
>>
>> David Lang
>>
>
>
>
Re: The right way to include more log files? [ In reply to ]
Yes you understand my problem.
And I understand that in the end, the problem is mainly in the central machine where it receives all these messages.

From the remote machines, I have (probably) correctly defined the way they send their logs to the central machine. Now this part is very easy and cool. Indeed, all the messages come to the main/central machine very nicely and in real time.
But the messages are really too many per second. At the moment I don't seem to have a problem, but in the future I may have bottleneck problems or something else..

How can I make this more efficient so that I don't have problems in the future ?


Your idea about "facility" and "severity" is good, but I also realize that it is not the best and most effective.

About syslogtag seems to me a very interesting idea, as well as the way you described with the "json" messages. But first, I want to ask for something.
Now after the settings I did thanks to your help, I receive the messages as follows :

```
2021-03-04T00:13:14+02:00 example.com apache: 192.168.1.1 - - [04/Mar/2021:00:13:14 +0200] "GET / HTTP/1.1" 301 237 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64
2021-03-04T00:14:20+02:00 example.com apache: 192.168.1.2 - - [04/Mar/2021:00:14:20 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.
2021-03-04T00:14:20+02:00 example.com apache: 192.168.1.3 - - [04/Mar/2021:00:14:20 +0200] "GET /post/ HTTP/1.1" 200 3877 "-" "Mozilla/5.0 (X11; Linux x86_64;
```

Is it not safe to try to push all messages containing the word "apache" into a separate "ruleset"?
Although I guess this word may exist randomly in a completely irrelevant message... so then there will be a problem.. right?

So before I try the solution by converting the messages to "JSON" format first,
I don't understand how on the central rsyslog, I will define the following:
1. don't manage/handle the messages with the "x" tag at all.
2. the messages with the tag "x", will be managed/handled by this ruleset (sub process)



------- Original Message -------
On Wednesday, March 3, 2021 6:24 AM, David Lang <david@lang.hm> wrote:



Re: The right way to include more log files? [ In reply to ]
On Wed, 3 Mar 2021, odrzen wrote:

> Yes you understand my problem.
> And I understand that in the end, the problem is mainly in the central machine where it receives all these messages.
>
> From the remote machines, I have (probably) correctly defined the way they send their logs to the central machine. Now this part is very easy and cool. Indeed, all the messages come to the main/central machine very nicely and in real time.
> But the messages are really too many per second. At the moment I don't seem to have a problem, but in the future I may have bottleneck problems or something else..

What is 'too many per second'? I've gone to several hundred thousand per second
in production settings, and others have tested (with simple configs) over a
million messages per second in tests.

> How can I make this more efficient so that I don't have problems in the future ?

I'd have to see the full config to begin to guess where your bottlenecks are.

>
> Your idea about "facility" and "severity" is good, but I also realize that it is not the best and most effective.
>
> About syslogtag seems to me a very interesting idea, as well as the way you described with the "json" messages. But first, I want to ask for something.
> Now after the settings I did thanks to your help, I receive the messages as follows :
>
> ```
> 2021-03-04T00:13:14+02:00 example.com apache: 192.168.1.1 - - [04/Mar/2021:00:13:14 +0200] "GET / HTTP/1.1" 301 237 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64
> 2021-03-04T00:14:20+02:00 example.com apache: 192.168.1.2 - - [04/Mar/2021:00:14:20 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.
> 2021-03-04T00:14:20+02:00 example.com apache: 192.168.1.3 - - [04/Mar/2021:00:14:20 +0200] "GET /post/ HTTP/1.1" 200 3877 "-" "Mozilla/5.0 (X11; Linux x86_64;
> ```
>
> Is it not safe to try to push all messages containing the word "apache" into a separate "ruleset"?
> Although I guess this word may exist randomly in a completely irrelevant message... so then there will be a problem.. right?

apache: is the syslogtag, so if you check for it just in that property you don't
have to worry about it appearing elsewhere

write some logs out with the template RSYSLOG_DebugFormat and it will show you
how rsyslog has already parsed the message and what variables you have available
to work with.

> So before I try to try the solution by converting the messages to "JSON" format first,
> I don't understand how on the central rsyslog, I will define the following:
> 1. don't manage/handle the messages with the "x" tag at all.
> 2. the messages with the tag "x", will be managed/handled by this ruleset (sub process)

```
if $syslogtag == "apache:" then {
    # one set of rules (which could be a call to a ruleset)
} else {
    # another set of rules that will get evaluated if and only if (IFF) the
    # syslogtag is not "apache:"
}
```

David Lang

>
>
> ------- Original Message -------
> On Wednesday, March 3, 2021 6:24 AM, David Lang <david@lang.hm> wrote:
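Putting David's two suggestions from this thread together as one added, constructed example (not configuration from the thread or from the rsyslog project): the sending machine wraps every line imfile reads in the JSON envelope with a `msg` field and a `trusted-foo` metadata tree, and the central machine parses that envelope (mmjsonparse with its default `@cee:` cookie is used here for the parsing step the post leaves unnamed) and otherwise falls back to matching on the syslogtag property. Assumed, and not from the thread: the host central.example.com, port 10514, the paths under /var/log/central and the stats file, the ruleset, template and action names, and the "prod" environment value.

```conf
######## sending machine (rsyslog client) ########
module(load="imfile")

# Read the Apache access log from the thread; addMetadata="on" exposes the
# source path as $!metadata!filename so it can travel inside the envelope
input(type="imfile"
      File="/var/log/httpd/local-access_log"
      Tag="apache:"
      Facility="local1"
      Severity="notice"
      addMetadata="on"
      ruleset="fwd_json")

# A normal syslog header, then the envelope as the message body: the untouched
# line under "msg", our metadata under "trusted-foo" ($! is the whole JSON tree).
# The @cee: cookie is what mmjsonparse on the receiver looks for by default.
template(name="json_envelope" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%@cee:%$!%\n")

ruleset(name="fwd_json" queue.type="LinkedList" queue.size="50000") {
    set $!msg = $msg;
    set $!trusted-foo!host = $hostname;
    # $programname is the tag without the trailing colon, "apache" here
    set $!trusted-foo!program = $programname;
    set $!trusted-foo!filename = $!metadata!filename;
    set $!trusted-foo!env = "prod";
    action(type="omfwd" name="fwd_central"
           target="central.example.com" port="10514" protocol="tcp"
           template="json_envelope")
}

######## central machine (rsyslog receiver) ########
module(load="imtcp")
module(load="mmjsonparse")
# Named actions appear in impstats as "<name>: origin=core.action processed=..."
# which answers "were they processed and stored here?" without guessing
module(load="impstats" interval="60" severity="7"
       log.file="/var/log/rsyslog-stats.log")
input(type="imtcp" port="10514" ruleset="from_clients")

# Write the original line back out, one file per sending host and program.
# Both path parts are values the client chose, so secpath-replace neutralises
# "/" and ".." and keeps a hostile envelope inside /var/log/central
template(name="orig_line" type="string" string="%$!msg%\n")
template(name="per_host_file" type="string"
         string="/var/log/central/%$!trusted-foo!host:::secpath-replace%/%$!trusted-foo!program:::secpath-replace%.log")

ruleset(name="from_clients") {
    # Fills $! from the @cee: payload; $parsesuccess is "OK" only for an envelope
    action(type="mmjsonparse")
    if $parsesuccess == "OK" and $!trusted-foo!filename != "" then {
        action(type="omfile" name="apache_json"
               dynaFile="per_host_file" template="orig_line")
    } else if $syslogtag == "apache:" then {
        # Plain-syslog sender (logger -t or imfile without the envelope): match
        # on the parsed tag property only, never on the message text
        action(type="omfile" name="apache_plain"
               file="/var/log/central/apache.log")
    } else {
        # Everything else; RSYSLOG_DebugFormat shows every property rsyslog
        # parsed, which is the quickest way to see what you can match on
        action(type="omfile" name="other_debug"
               file="/var/log/central/other.log" template="RSYSLOG_DebugFormat")
    }
}
```

The `host` and `program` fields are asserted by the client; `$fromhost-ip` on the receiver is the only origin value a sender cannot choose, so record it as well wherever the envelope's claims matter.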