another n00b question about logging clients logs to their own directories based on hostnames
Hi everybody

I am wondering about the following scenario:

- a bunch of rsyslog clients, ALL windows

- an rsyslog server, Centos 8 running rsyslog-8.1911.0-6.el8.x86_64

It seems the syntax has changed for v8, compared to previous versions.

I am specifying this in my Centos rsyslog server's /etc/rsyslog.conf:

/# log every host in its own directory
template(name="RemoteHost" type="string"
string="/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

# Remote Logging
$RuleSet remote
*.* ?RemoteHost/

and yet ... all my client windows event manager log entries are logged to
the one unique /var/log/messages on my Centos 8.

rsyslogd -N1 indicates the config is all fine, and yet ... those lines don't
seem to be doing their thing, or the thing I need them to do.

Can anyone see any obvious indicator of where I'm going wrong?

Thanks for your comments

Andrei

--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
log some of the messages with the template RSYSLOG_DebugFormat so we can see the
log and how it's parsed; that should give us the info we need to figure out
what's happening.

David Lang

On Wed, 3 Mar 2021, linksonice via rsyslog wrote:
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
I take it you mean I should add this block of code to /etc/rsyslog.conf, and
bounce the service right?

template(name="RSYSLOG_DebugFormat" type="list") {
constant(value="Debug line with all properties:\nFROMHOST: '")
property(name="fromhost")
constant(value="', fromhost-ip: '")
property(name="fromhost-ip")
constant(value="', HOSTNAME: '")
property(name="hostname")
constant(value="', PRI: '")
property(name="pri")
constant(value=",\nsyslogtag '")
property(name="syslogtag")
constant(value="', programname: '")
property(name="programname")
constant(value="', APP-NAME: '")
property(name="app-name")
constant(value="', PROCID: '")
property(name="procid")
constant(value="', MSGID: '")
property(name="msgid")
constant(value="',\nTIMESTAMP: '")
property(name="timereported")
constant(value="', STRUCTURED-DATA: '")
property(name="structured-data")
constant(value="',\nmsg: '")
property(name="msg")
constant(value="'\nescaped msg: '")
property(name="msg" controlcharacters="drop")
constant(value="'\ninputname: ")
property(name="inputname")
constant(value=" rawmsg: '")
property(name="rawmsg")
constant(value="'\n$!:")
property(name="$!")
constant(value="\n$.:")
property(name="$.")
constant(value="\n$/:")
property(name="$/")
constant(value="\n\n")
}

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
no, just something like

/var/log/debugfile;RSYSLOG_DebugFormat

(write a file and use the built in template)

just adding a template to the file doesn't change any output.

David Lang

On Wed, 3 Mar 2021, linksonice via rsyslog wrote:
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Hi David

I added this exact line:

/var/log/debugfile;RSYSLOG_DebugFormat

to /etc/rsyslog.conf

and then did

systemctl restart rsyslog

but no /var/log/debugfile has appeared.

The config passed muster with -N1.

This is the entire /etc/rsyslog.conf file:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

# This below is almost certainly the wrong syntax:
# $template windowsLog,"/var/log/external/%fromhost%/windows_events-%$YEAR%%$MONTH%%$DAY%.log"

# template(name="filename" type="string" string="/var/log/external/%HOSTNAME%/mm_messages")
# *.info;mail.none;

# log every host in its own directory
template(name="RemoteHost" type="string"
         string="/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

# Remote Logging
$RuleSet remote
*.* ?RemoteHost

/var/log/debugfile;RSYSLOG_DebugFormat

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

################

Hope this helps, thanks.

Andrei

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Strike the last update - looks like there were some other problems or
conflicts caused by various other things I had been trying, so I cleaned up
and just added the entry you suggested.

We now have some entries in the /var/log/debugfile as follows - here are 2
typical entries for hosts we need to get 2 separate directories (by hostname
or IP) of logs for:

Debug line with all properties:
FROMHOST: 'iss-delta-cs1', fromhost-ip: '10.10.20.25', HOSTNAME:
'ISS-DELTA-CS1', PRI: 149,
syslogtag 'Service_Control_Manager:', programname:
'Service_Control_Manager', APP-NAME: 'Service_Control_Manager', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Mar 4 13:50:44', STRUCTURED-DATA: '-',
msg: ' 7036: The WinHTTP Web Proxy Auto-Discovery Service service entered
the stopped state.'
escaped msg: ' 7036: The WinHTTP Web Proxy Auto-Discovery Service service
entered the stopped state.'
inputname: imudp rawmsg: '<149>Mar 4 13:50:44 ISS-DELTA-CS1
Service_Control_Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service
service entered the stopped state.'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'iss-delta-cs2', fromhost-ip: '10.10.20.19', HOSTNAME:
'ISS-DELTA-CS2', PRI: 149,
syslogtag 'Service_Control_Manager:', programname:
'Service_Control_Manager', APP-NAME: 'Service_Control_Manager', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Mar 4 14:00:00', STRUCTURED-DATA: '-',
msg: ' 7036: The WinHTTP Web Proxy Auto-Discovery Service service entered
the running state.'
escaped msg: ' 7036: The WinHTTP Web Proxy Auto-Discovery Service service
entered the running state.'
inputname: imudp rawmsg: '<149>Mar 4 14:00:00 ISS-DELTA-CS2
Service_Control_Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service
service entered the running state.'
$!:
$.:
$/:

much the same in both cases as you can see.

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
your template is called REMOTEHOST so try logging with

?REMOTEHOST

and see what happens (looking back, your prior message that lists the config
line has a trailing /)

the hostnames of these two lines are different, so they should get written into
two different directories (assuming permissions let rsyslog write there)

David Lang

On Thu, 4 Mar 2021, linksonice via rsyslog wrote:
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
It's possible the trailing / in the older block was some kind of after-effect
of this nabble website's content parser after I tried posting the block in
italics earlier; I'm not actually putting that in the /etc/rsyslog.conf.

So I tried this, based on your last comment:

template(name="RemoteHost" type="string"
string="/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

# Remote Logging
$RuleSet remote
?RemoteHost ### previously I had *.* ?Remotehost

but frankly I'm not sure what you mean by "try logging with ?REMOTEHOST",
and how this is any different from what I had before. In any case, it just
doesn't work. I need a little bit more explicit information. :D

###

Apart from all of the above, I've made some progress in the meantime using a
whole different method, as follows:

if $fromhost-ip == '10.10.20.25' then {
    action(type="omfile"
           file="/var/log/external/ISS-Delta-CS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log")
    stop
}

so if I make a block of code for every single remote client like that, the
objective is achieved! i.e. all remote clients log events to their own log
files.

The only trouble is, the filename is duff - the %$YEAR%%$MONTH%%$DAY% thing
is taken literally:

[root@aws-delta-mon etc]# ls -lrt
/var/log/external/ISS-Delta-TS1/windows_events-%\$YEAR%%\$MONTH%%\$DAY%.log
-rw------- 1 root root 19002 Mar 5 15:33
'/var/log/external/ISS-Delta-TS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log'

This being said, I could maybe do away with the %$YEAR%%$MONTH%%$DAY% thing
altogether and maybe try logging like so:

if $fromhost-ip == '10.10.20.25' then {
    action(type="omfile"
           file="/var/log/external/$fromhost-ip_windows_events.log")
    stop
}

and then just rotate those logs, BUT ... there has to be a better way of
doing all this in just a few lines, surely, like previous to v8?

cheers

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Cyril, there is no content in the messages you are sending.

David Lang

On Fri, 5 Mar 2021, Cyril Stoll via rsyslog wrote:
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
the exact same syntax that worked prior to v8 should still work.

in the new action() format, you need to set the dynafile template to have things
like the date work (like they did with the prior one).
what files are created when you use the remotehost template?

David Lang

On Fri, 5 Mar 2021, linksonice via rsyslog wrote:
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Using the RemoteHost template like so:

template(name="RemoteHost" type="string"
string="/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

# Remote Logging
$RuleSet remote
?RemoteHost

I got nothing.
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
are you sure you have permission to write there? And double-check that there are
no syntax errors (rsyslogd -N1).

if you have include files, it may help to start rsyslog with -o /path/to/file to
have rsyslog dump the config file as it understands it.

you should be getting something in those directories unless there is a
permission or config problem, no matter what the log contents are.

David Lang

On Mon, 8 Mar 2021, linksonice via rsyslog wrote:
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
This is the only thing happening in rsyslog.d:

##############
[root@aws-delta-mon etc]# cat rsyslog.d/21-cloudinit.conf
# Log cloudinit generated log messages to file
:syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log

# comment out the following line to allow CLOUDINIT messages through.
# Doing so means you'll also get CLOUDINIT messages in /var/log/syslog
& stop
##############

Apart from that the perms are fine, because using the other method I
researched:

##############
if $fromhost-ip == '10.10.10.5' then {
#   action(type="omfile"
#          file="/var/log/external/ISS-Delta-TS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log")
    action(type="omfile"
           file="/var/log/external/ISS-Delta-TS1/windows_events.log")
    stop
}
##############

works fine, considering it auto-generated both the parent directories under
/blah/blah/external, and the windows_events.logs within them.

Running

rsyslogd -N1 -o /tmp/boom.cfg

and then

rsyslogd -N1 -f /tmp/boom.cfg

shows no issue either.

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Managed to figure out another solution:

##############
$template DynaFile,"/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log"
*.* -?DynaFile
##############

Not really sure what's special about DynaFile as opposed to the way I was
doing it before. Are these not arbitrary names, chosen for templates?

Anyway now, even my local Linux [rsyslog server] logs like that. It's all
fair progress in any case, and there are, as always many ways to skin a cat,
but what would you say is the optimal way to make the LOCAL machine, the
rsyslog server here, NOT log to anything in /var/log/external, and just keep
on logging to /var/log/messages? That would be my preference.

Thanks for your comments.

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Even better, the total solution:

###############
if ($hostname != "aws-delta-mon") then {
$template
DynaFile,"/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log"
*.* -?DynaFile
}
###############

This prevents the rsyslog server from logging everything in duplicate under
/var/log/external.

I realised somewhat late in the game that $template [pre-v6 notation] is
acceptable in v8 or post v6, but the issue I found, if you read the entire
thread here, is that whilst it's acceptable syntactically, it just doesn't
work. Maybe there was something else missing in my rsyslog.conf, but it's
just not straightforward enough really. Hope this helps somebody going
forward. Call me lazy [and many do :D], but maybe the documentation could
use a bunch of tried and tested example use cases.



Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
there should be nothing special in the name (unless you managed to conflict with
a built-in name), can you try the old name with this working format?

David Lang

On Wed, 10 Mar 2021, linksonice via rsyslog wrote:

Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Hello!

For the `omfile` action, the `file` parameter is a static file name. You cannot use
variables there as it's not expanded (AFAIK at least). For dynamic file
names you should use the `dynaFile` parameter instead.

This is explained here:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html#file

So your latest example can be rewritten in this way:

```
template(name="events_by_date" type="list") {
constant(value="/var/log/external/")
property(name="hostname" securepath="replace" caseconversion="lower")
constant(value="/windows_events-")
property(name="timereported" dateformat="year")
property(name="timereported" dateformat="month")
property(name="timereported" dateformat="day")
constant(value=".log")
}

if ($hostname != "aws-delta-mon") then {
action(name="windows_events" type="omfile"
dynaFile="events_by_date"
dirOwner="root"
dirGroup="root"
dirCreateMode="0755"
fileCreateMode="0644"
)
}
```

List-type template definition is longer than string-type but it's easier to
understand (for me at least).

I added the `securepath` option to increase security. Otherwise an evil person
may send "../../../etc" as a hostname, e.g., and you will write the log into
the /etc directory. `caseconversion` will make all your hostnames lower case,
which is convenient for Windows/Linux mixed environments. Usually Windows
hostnames are uppercase (at least it was so a while ago).

Then I added dir* `omfile` properties to ensure newly created log files
will have proper ownership and permissions.

If you would like to write messages in some specific format then you may
define another template and specify it in the `omfile`'s `template` option.
This will affect just the messages format, not the file name format.


On Thu, 11 Mar 2021 at 02:14, linksonice via rsyslog <
rsyslog@lists.adiscon.com> wrote:



--
Yury Bushmelev
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
Thanks Yury, that's a fair bit to think about there, and may help to make
things a little clearer going forward. The omfile static filename parameter
thing certainly makes sense.

In response to David also, in the previous note, DynaFile is just an
arbitrary name indeed; changed it to WindowsLogs and the behaviour is the
same so well noted.

The last thing I want to be able to understand is how to log a bunch of
Linux clients SEPARATELY from the Windows clients [not that we have any now,
but we may do in future] - is there an easy way to separate the 2 flavours of
clients, or do we need to fall back to

if $fromhost-ip

type conditional blocks? I swear this used to be easy, pre-v6!

It seems difficult to visualise, based on the need to exclude the local
machine / rsyslog server aws-delta-mon with the conditional. Otherwise

$template
WindowsLogs,"/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log"

just processes everything it will see I imagine [?] windows or not.




Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
the problem is figuring out how to determine what is a windows sender and what
isn't.

What are you using to send the logs from the windows machines? The best option
is probably to have that software tag the logs with something you can test for.

David Lang

On Thu, 11 Mar 2021, linksonice via rsyslog wrote:

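The two points made above, Yury's note that a sender-controlled hostname must not be allowed to climb out of /var/log/external (hence `securepath="replace"`), and David's suggestion to route on a tag the Windows agent sets rather than on source IP, can be tried out offline with a small model. The following Python is an added example written for this archive; it is not rsyslog code and not from anyone in the thread. It parses a few RFC 3164 lines (constructed for the example, including one with a hostile hostname), classifies each message by tag, builds the same dated per-host path the thread's template produces, and checks that the result still sits under the base directory. The tag `WinEvt` and the `linux_syslog` file prefix are assumptions, and `secure_path_component` models the intent of the option, not rsyslog's implementation.

```python
import posixpath
import re
from datetime import datetime

BASE_DIR = "/var/log/external"
LOCAL_HOST = "aws-delta-mon"      # the rsyslog server itself, as named in the thread
WINDOWS_TAG = "WinEvt"            # ASSUMPTION: a tag you configure on the Windows agent
EXAMPLE_DAY = datetime(2021, 3, 11)

# Constructed sample input for the example (not captured from a real system).
SAMPLE_LINES = [
    "<14>Mar 11 10:00:00 ISS-DELTA-TS1 WinEvt: EventID=4624 An account was successfully logged on",
    "<38>Mar 11 10:00:01 web01 sshd[1234]: Accepted publickey for deploy from 10.10.10.7 port 51000",
    "<14>Mar 11 10:00:02 aws-delta-mon systemd[1]: Started Daily apt activities",
    "<14>Mar 11 10:00:03 ../../../etc WinEvt: hostname chosen by a hostile sender",
]

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split one RFC 3164 line into its fields; raise on anything else."""
    m = _RFC3164.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 line: %r" % line)
    return m.groupdict()


def secure_path_component(value):
    """Model of what securepath="replace" is for: force the value to be a single
    directory name. Slashes become '_' and the names '.' and '..' are replaced so
    the component cannot climb out of BASE_DIR. (A model, not rsyslog's code.)"""
    value = value.replace("/", "_")
    if value in (".", ".."):
        value = "_" * len(value)
    return value or "_"


def dynafile_path(hostname, when, kind, secure=True):
    """Build the dated per-host path the thread's template produces.
    kind selects the file prefix; 'linux_syslog' is an assumed name."""
    host = secure_path_component(hostname) if secure else hostname
    host = host.lower()                       # caseconversion="lower"
    prefix = "windows_events" if kind == "windows" else "linux_syslog"
    return "%s/%s/%s-%s.log" % (BASE_DIR, host, prefix, when.strftime("%Y%m%d"))


def is_contained(path, base=BASE_DIR):
    """Defence in depth: after normalisation the file must still sit under base."""
    norm = posixpath.normpath(path)
    return norm.startswith(base + "/")


def route(line, when=EXAMPLE_DAY):
    """Return (kind, path). kind is 'local', 'windows' or 'linux'; local
    messages get no external path, mirroring the `$hostname != ...` guard."""
    rec = parse_syslog(line)
    if rec["host"].lower() == LOCAL_HOST:
        return ("local", None)
    kind = "windows" if rec["tag"] == WINDOWS_TAG else "linux"
    path = dynafile_path(rec["host"], when, kind)
    if not is_contained(path):
        raise ValueError("path escapes %s for hostname %r" % (BASE_DIR, rec["host"]))
    return (kind, path)


def route_samples(when=EXAMPLE_DAY):
    """Route every constructed sample line for the given day."""
    return [route(line, when) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for kind, path in route_samples():
        print("%-8s %s" % (kind, path))
    # Same hostile hostname without the securepath treatment: it escapes BASE_DIR.
    unsafe = dynafile_path("../../../etc", EXAMPLE_DAY, "windows", secure=False)
    print("without securepath: %s -> contained=%s" % (unsafe, is_contained(unsafe)))
```

Run it and the last line shows the path that an unsanitised `%HOSTNAME%` would have produced (`/etc/windows_events-….log` after normalisation), which is exactly why the per-host component needs `securepath` in the template. The tag check is the routing decision David describes: whatever the Windows agent is configured to send as its syslog tag is what the `if` block on the server should compare against, which avoids maintaining per-IP conditionals as the fleet grows.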
Re: another n00b question about logging clients logs to their own directories based on hostnames [ In reply to ]
everything that worked pre v6 should still work.

David Lang

On Thu, 11 Mar 2021, linksonice via rsyslog wrote:
