Hello everyone,
I have a problem that I cannot solve.
On the basis of this configuration I correctly receive the logs from the remote server on the "machine1.log" file and I am able to forward them correctly to another remote server.
The problem is that not even the system logs are written to the /var/log/messages file.
If I try to move the $IncludeConfig directive to the bottom of the rsyslog.conf file, all the logs the remote server sends me are written to the /var/log/messages file (obviously in an ideal situation this shouldn't happen)
How can I go about solving?
I tried to use the "stop" directive by inserting it in several places but I don't get the desired effect ... either it writes everything to the messages or it doesn't write anything.
Where am I wrong?
RSYSLOG.CONF
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
module(load="mmutf8fix")
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad imfile
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/private/rsyslog/certificate-p7b_new.pem
$DefaultNetstreamDriverCertFile /etc/ssl/private/rsyslog/certificate_new.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog/certificate-key.pem
#### GLOBAL DIRECTIVES ####
#global(debug.gnutls="10" debug.logFile="/var/log/rsyslogdebug")
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
$IncludeConfig /etc/rsyslog.d/*.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
auth.info,authpriv.info @@10.1.2.3:514
REMOTE.CONF
###############################
# RECEPTION AND FORWARD RULES #
###############################
$PreserveFQDN on
$FileOwner user
$FileGroup user
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
### SourceIP – 10.X.X.X
$template RemoteTCP2000,"/opt/SI/logs/machine1.log"
$RuleSet RemoteTCP2000
*.* -?RemoteTCP2000
$InputTCPServerBindRuleset RemoteTCP2000
$InputTCPServerRun 2000
$RulesetCreateMainQueue on
$InputTCPServerKeepAlive on
$ActionResumeRetryCount -1
input(type="imfile"
File="/opt/SI/logs/machine1.log"
Tag="4000"
reopenOnTruncate="on"
)
$template RAW, "%rawmsg:1:20480%\n"
action(type="omfwd"
Target="10.Y.Y.Y"
Port="4000"
Protocol="tcp"
template="RAW"
KeepAlive="on"
ResendLastMSGOnReconnect="on"
action.resumeRetryCount="-1"
StreamDriver="gtls"
StreamDriverMode="1"
queue.saveOnShutdown="on"
queue.type="disk"
queue.filename="tcp4000_queue"
queue.size="10000"
StreamDriverPermittedPeers="*")
#& ~
#& stop
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
I have a problem that I cannot solve.
On the basis of this configuration I correctly receive the logs from the remote server on the "machine1.log" file and I am able to forward them correctly to another remote server.
The problem is that not even the system logs are written to the /var/log/messages file.
If I try to move the $IncludeConfig directive to the bottom of the rsyslog.conf file, all the logs the remote server sends me are written to the /var/log/messages file (obviously in an ideal situation this shouldn't happen)
How can I go about solving?
I tried to use the "stop" directive by inserting it in several places but I don't get the desired effect ... either it writes everything to the messages or it doesn't write anything.
Where am I wrong?
RSYSLOG.CONF
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
module(load="mmutf8fix")
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad imfile
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/private/rsyslog/certificate-p7b_new.pem
$DefaultNetstreamDriverCertFile /etc/ssl/private/rsyslog/certificate_new.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog/certificate-key.pem
#### GLOBAL DIRECTIVES ####
#global(debug.gnutls="10" debug.logFile="/var/log/rsyslogdebug")
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
$IncludeConfig /etc/rsyslog.d/*.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
auth.info,authpriv.info @@10.1.2.3:514
REMOTE.CONF
###############################
# RECEPTION AND FORWARD RULES #
###############################
$PreserveFQDN on
$FileOwner user
$FileGroup user
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
### SourceIP – 10.X.X.X
$template RemoteTCP2000,"/opt/SI/logs/machine1.log"
$RuleSet RemoteTCP2000
*.* -?RemoteTCP2000
$InputTCPServerBindRuleset RemoteTCP2000
$InputTCPServerRun 2000
$RulesetCreateMainQueue on
$InputTCPServerKeepAlive on
$ActionResumeRetryCount -1
input(type="imfile"
File="/opt/SI/logs/machine1.log"
Tag="4000"
reopenOnTruncate="on"
)
$template RAW, "%rawmsg:1:20480%\n"
action(type="omfwd"
Target="10.Y.Y.Y"
Port="4000"
Protocol="tcp"
template="RAW"
KeepAlive="on"
ResendLastMSGOnReconnect="on"
action.resumeRetryCount="-1"
StreamDriver="gtls"
StreamDriverMode="1"
queue.saveOnShutdown="on"
queue.type="disk"
queue.filename="tcp4000_queue"
queue.size="10000"
StreamDriverPermittedPeers="*")
#& ~
#& stop
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.