Mailing List Archive

Right place for STOP directive to prevent remote logs written to local messages
Hello everyone,

I have a problem that I cannot solve.

On the basis of this configuration I correctly receive the logs from the remote server on the "machine1.log" file and I am able to forward them correctly to another remote server.

The problem is that not even the system logs are written to the /var/log/messages file.

If I try to move the $IncludeConfig directive to the bottom of the rsyslog.conf file, all the logs the remote server sends me are written to the /var/log/messages file (obviously in an ideal situation this shouldn't happen)

How can I go about solving this?

I tried to use the "stop" directive by inserting it in several places but I don't get the desired effect ... either it writes everything to the messages or it doesn't write anything.

Where am I wrong?



RSYSLOG.CONF
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
module(load="mmutf8fix")
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad imfile
$ModLoad imtcp

$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$DefaultNetstreamDriver gtls


# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/private/rsyslog/certificate-p7b_new.pem
$DefaultNetstreamDriverCertFile /etc/ssl/private/rsyslog/certificate_new.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog/certificate-key.pem


#### GLOBAL DIRECTIVES ####

#global(debug.gnutls="10" debug.logFile="/var/log/rsyslogdebug")
$WorkDirectory /var/lib/rsyslog


# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on


# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####


$IncludeConfig /etc/rsyslog.d/*.conf


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages


# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


auth.info,authpriv.info @@10.1.2.3:514




REMOTE.CONF
###############################
# RECEPTION AND FORWARD RULES #
###############################

$PreserveFQDN on

$FileOwner user
$FileGroup user
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022


### SourceIP – 10.X.X.X
$template RemoteTCP2000,"/opt/SI/logs/machine1.log"
$RuleSet RemoteTCP2000
*.* -?RemoteTCP2000
$InputTCPServerBindRuleset RemoteTCP2000
$InputTCPServerRun 2000
$RulesetCreateMainQueue on
$InputTCPServerKeepAlive on
$ActionResumeRetryCount -1

input(type="imfile"
File="/opt/SI/logs/machine1.log"
Tag="4000"
reopenOnTruncate="on"
)

$template RAW, "%rawmsg:1:20480%\n"

action(type="omfwd"
Target="10.Y.Y.Y"
Port="4000"
Protocol="tcp"
template="RAW"
KeepAlive="on"
ResendLastMSGOnReconnect="on"
action.resumeRetryCount="-1"
StreamDriver="gtls"
StreamDriverMode="1"
queue.saveOnShutdown="on"
queue.type="disk"
queue.filename="tcp4000_queue"
queue.size="10000"
StreamDriverPermittedPeers="*")
#& ~
#& stop
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Right place for STOP directive to prevent remote logs written to local messages
paste the included file into your rsyslog.conf so you can see it the way rsyslog
sees it (or write a combined file with the -o /path/to/combined/file command
line option)

then make two copies of the file.

In the first one, remove all actions (including the stop), leaving only the
config options/module loads, etc. that are evaluated once at startup

In the second one, remove all the config items that are in the first file,
leaving only the actions that are evaluated for every log message

At that point, I think you will see that in your config, you are telling it to
send every message to the remote system and then throw them away if you
uncomment either of the stop options.

There is nothing in your config that tells rsyslog to do anything different for
the remote messages vs the local messages. The way you have the files configured
now, you can easily trick yourself into thinking that you do, but if you
reformat the files as I describe above so that you see them the way that rsyslog
sees them, I think it will become obvious that this is not the case.

Then I would suggest writing a few messages that you want to filter out, and a
few that you don't want to filter out with the template RSYSLOG_DebugFormat and
we can then help you figure out what sort of filter you want to write.

David Lang

On Tue, 6 Jul 2021, Marco via rsyslog wrote:

> Date: Tue, 6 Jul 2021 13:16:06 +0200
> From: Marco via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Marco <scoutband@gmail.com>
> Subject: [rsyslog] Right place for STOP directive to prevent remote logs
> written to local messages
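The separation the reply says is missing (remote messages taking a different path from local ones) can be expressed with a ruleset() block. The configuration below is an added example by the editor of this archive page; it is neither the poster's file nor text from the rsyslog project. It assumes the poster's module loads and the gtls/certificate directives stay in rsyslog.conf exactly as shown above, and that this file replaces REMOTE.CONF in /etc/rsyslog.d. The reason it behaves differently from the legacy version: a legacy $RuleSet directive applies to every rule line that follows it in the combined configuration, so with the $IncludeConfig at the top of rsyslog.conf the /var/log/messages, secure and cron rules were all placed in RemoteTCP2000 and the default ruleset was left empty, while a ruleset() block ends at its closing brace and leaves the surrounding rules in the default ruleset wherever the include sits.

```conf
# /etc/rsyslog.d/remote.conf  (editor's added example replacing REMOTE.CONF;
# not from the thread or from the rsyslog project)
#
# Assumes the poster's rsyslog.conf still loads imtcp and sets the gtls
# stream driver, CA, certificate and key files as shown above.

$PreserveFQDN on
$InputTCPServerKeepAlive on

template(name="RAW" type="string" string="%rawmsg:1:20480%\n")

# Everything the TCP/2000 listener receives is processed inside this block
# and only here. The ruleset gets its own queue so a burst from the remote
# sender cannot delay local logging (queue size is an assumed value).
ruleset(name="RemoteTCP2000" queue.type="LinkedList" queue.size="50000") {

    # Local copy of the remote stream; asyncWriting="on" is the "-" of the
    # legacy rule, ownership and modes are the poster's values.
    action(type="omfile" file="/opt/SI/logs/machine1.log"
           asyncWriting="on"
           fileOwner="user" fileGroup="user"
           fileCreateMode="0640" dirCreateMode="0755")

    # Forward the same messages straight from the ruleset. This replaces the
    # imfile input that re-read machine1.log: those re-injected messages were
    # not bound to any ruleset, so they entered the default ruleset and
    # matched "*.info ... /var/log/messages".
    action(type="omfwd" Target="10.Y.Y.Y" Port="4000" Protocol="tcp"
           template="RAW"
           KeepAlive="on" ResendLastMSGOnReconnect="on"
           action.resumeRetryCount="-1"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverPermittedPeers="*"
           queue.type="disk" queue.filename="tcp4000_queue"
           queue.size="10000" queue.saveOnShutdown="on")

    # Discard here: remote messages never fall through to the default
    # ruleset, so they cannot reach /var/log/messages, secure, cron, etc.
    stop
}

# Binding the listener to the ruleset is what actually makes remote and
# local messages take different paths.
input(type="imtcp" port="2000" ruleset="RemoteTCP2000")
```

Before restarting, check the combined result the way the reply suggests: `rsyslogd -N1` parses the configuration without starting the daemon, and `rsyslogd -o /path/to/combined/file` writes out the merged view so you can confirm that the only rules outside the block are the local ones. Two caveats for the forwarding action: `StreamDriverPermittedPeers="*"` carried over from the poster's file does not pin the receiving host, so if the forward target's certificate is trusted by the configured CA, setting `StreamDriverAuthMode="x509/name"` together with the real peer name is the stricter choice; and because the disk queue now sits inside the ruleset, a prolonged outage of 10.Y.Y.Y fills that queue without touching local logging.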