
Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
I can successfully have logs going to the correct files under
/var/log/remote/%HOSTNAME%/whatever, with the following template:

$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
$template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
$template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
$template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
$template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"

and the following ruleset:

$RuleSet justlogs
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputTCPServerBindRuleset justlogs
$InputTCPServerRun 514


And direct some logs into specific folders, a la:

ruleset(name="remote1"){
if $msg contains 'VPX' then {
action(type="omfile"
file="/var/log/remote/netscaler/netscalerlog")
}
if $msg contains 'br01' then {
action(type="omfile"
file="/var/log/remote/cisco/router/routerlog")
}
if $msg contains 'appfw' then {
action(type="omfile"
file="/var/log/remote/netscaler/appfwlog")
}
}
$RuleSet RSYSLOG_DefaultRuleset # End the rule set by switching back to the default rule set
$InputTCPServerBindRuleset remote1 # Define a new input and bind it to the "remote1" rule set
$InputTCPServerRun 514

But not both at the same time! I've tried smashing the rulesets
together, but no joy.

Reading the manual makes my brain hurt. And the online rsyslog.conf
builder isn't working for me.

Pointers appreciated!

TIA

Pete
--




_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
look at the dynafile option for the action() statement (in the omfile page of
the docs)

David Lang

On Thu, 9 Sep 2021, lists--- via rsyslog wrote:

> Date: Thu, 09 Sep 2021 06:53:42 +0100
> From: lists--- via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: lists@kush-t.com
> Subject: [rsyslog] Struggling with the basics - trying to filter on text AND
> have logs go to /var/log/remote/yadayada
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
Hello!

Please consider to stop using the $ThisConfigSyntaxStyle as "it will make
your life miserable" (c) Rainer Gerhards .. There is a nice new syntax made
more than 10 years ago.

I guess this is more or less what you're looking for:

```
# the input module has to be loaded before input() can use it
module(load="imptcp")

input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")

template(name="TmplVPXMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
template(name="TmplAppfwMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="remote1") {
    if $msg contains 'VPX' then {
        # dynaFile must name a template defined above (TmplVPXMsg here)
        action(type="omfile" name="netscaler_vpx_file"
               dynaFile="TmplVPXMsg")
    } else if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file"
               dynaFile="TmplCiscoRouterMsg")
    } else if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file"
               dynaFile="TmplAppfwMsg")
    }
}
```

There is still some space for improvements though. I'd suggest creating
different inputs for different kinds of logs. This way you can speed up
processing a bit (because `if $msg contains ...` is slow). Do not overuse
local variables though ($.something).

```
# Assuming VPX and appfw logs are coming from the same device.
# Otherwise it is easier to create one more input and remove `if $msg contains` completely.
module(load="imptcp")

input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")

input(type="imptcp" name="cisco_router" port="2515" ruleset="cisco_router")

# /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
template(name="TmplNetscalerMsg" type="list") {
    constant(value="/var/log/remote/netscaler/")
    property(name="hostname")
    constant(value="/")
    # local variable, set per message in the "netscaler" ruleset below
    property(name="$.ns_type")
    constant(value="log")
}

template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="netscaler") {
    if $msg contains 'VPX' then {
        set $.ns_type = "vpx";
    } else if $msg contains 'appfw' then {
        set $.ns_type = "appfw";
    } else {
        set $.ns_type = "UNKNOWN";
    }
    # one action serves both kinds of log; the file name comes from $.ns_type
    action(type="omfile" name="netscaler_file"
           dynaFile="TmplNetscalerMsg")
}

ruleset(name="cisco_router") {
    action(type="omfile" name="cisco_router_file"
           dynaFile="TmplCiscoRouterMsg")
}
```

All this knowledge I got from reading the Rsyslog docs here:
https://www.rsyslog.com/doc/v8-stable/configuration/index.html
Yes, it's not that well structured but still worth reading if you're using
Rsyslog a lot.


On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
rsyslog@lists.adiscon.com> wrote:



--
Yury Bushmelev
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
Quoting Yuri Bushmelev <jay4mail@gmail.com>:


Thanks Yuri

This is all good, but rsyslog doesn't like the config!

rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2209 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'ruleset' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'port' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'name' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]


Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
please post your full config, the example config does not have 101 lines, so
it doesn't match the error you are posting.

Also be aware that 8.24 is now about 5 years old and unsupported by the
community, you are running something unique to redhat.

that said, the imptcp module should be available, but they may have put it in a
different package, but you should get similar results with the imtcp module

David Lang

On Fri, 10 Sep 2021, lists--- via rsyslog wrote:

> Date: Fri, 10 Sep 2021 02:41:02 +0100
> From: lists--- via rsyslog <rsyslog@lists.adiscon.com>
> To: Yuri Bushmelev <jay4mail@gmail.com>
> Cc: lists@kush-t.com, rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Struggling with the basics - trying to filter on text
> AND have logs go to /var/log/remote/yadayada
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
On Thu, 9 Sep 2021, Yuri Bushmelev via rsyslog wrote:

> Please consider to stop using the $ThisConfigSyntaxStyle as "it will make
> your life miserable" (c) Rainer Gerhards .. There is a nice new syntax made
> more than 10 years ago.

please explain why

template(name="TmplVPXMsg" type="string"
string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")

is better than

$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"

or why

action(type="omfile" file="/var/log/remote/netscaler/netscalerlog")

is better than

/var/log/remote/netscaler/netscalerlog

it gets a bit closer when you compare

action(type="omfile" dynaFile="TmplNetscalerMsg")

with

?TmplNetscalerMsg

but only because of the ?

Now, I agree that if you are doing more complex things, the new syntax is
better, but for simple things the old syntax is frequently as good or better.

When the new syntax was introduced, Rainer was thinking that the old syntax
would be phased out, but with further discussion and examples, he changed his
mind because simple things are so much simpler in the old syntax.

if your config requires setting one thing to affect a future line, you are
probably better off doing it in a single line with the new syntax.

The new template() and action() syntax allow a lot of options that don't exist
with the old format (and names in the action() syntax can be incredibly
valuable when debugging things), but if you aren't doing complex things, the old
syntax can be better due to its brevity.

David Lang
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada
Thanks David

Yes, my bad, I was still trying to load the "imtcp" module instead of
the "imptcp" module. The rsyslog syntax is now valid, which is a good
start.

And yes, I'm constrained by what I can pull from redhat. Not my choice!

So, my entire config now looks like the below:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
$template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
$template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
$template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
$template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
template (name="TmplCiscoFirewallFormat" type="string"
string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)
template (name="TmplCiscoFirewallFile" type="string"
string="/var/log/remote/cisco/firewalllog"
)
$ModLoad imudp
$RuleSet remoteudp1
:programname, isequal, "SFIMS" ?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
& ~
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remoteudp1
$UDPServerRun 514
$ModLoad imptcp
template(name="TmplVPXMsg" type="string"
string="/var/log/remote/netscaler/netscalerlog")
template(name="TmplAppfwMsg" type="string"
string="/var/log/remote/netscaler/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
string="/var/log/remote/cisco/router/routerlog")
ruleset(name="remote1") {
if $msg contains 'VPX' then {
action(type="omfile" name="netscaler_vpx_file"
dynaFile="TmplVPXMsg")
} else if $msg contains 'br01' then {
action(type="omfile" name="cisco_router_file"
dynaFile="TmplCiscoRouterMsg")
} else if $msg contains 'appfw' then {
action(type="omfile" name="netscaler_appfw_file"
dynaFile="TmplAppfwMsg")
}
}
# the 514/TCP listener is declared once; a second identical input() cannot bind the same port
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local7.notice /var/log/cmd.log


It's a mish-mash of old and new styles.

The logs for the templated "TmplVPXMsg" "TmplAppfwMsg"
"TmplCiscoRouterMsg" are working nicely.

My issue is still how to pick out the remaining logs coming in over
514/TCP (ruleset="remote1") and stash them into the templated
"TmplAuthpriv" "TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
I don't know the correct syntax for catching these within the
"remote1" ruleset!

Within previous iterations we had something like:

# Provides TCP syslog reception
$ModLoad imtcp

$RuleSet remote1
:msg, regex , "[Zz][SsUu][Vv][Pp][Xx]" ?TmplNetscalerFile;TmplNetcalerFormat
& ~
authpriv.* ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
cron.* ?TmplCron
mail.* ?TmplMail
local7.notice ?TmplCmd
$RuleSet RSYSLOG_DefaultRuleset # End the rule set by switching back to the default rule set
$InputTCPServerBindRuleset remote1 # Define a new input and bind it to the "remote1" rule set
$InputTCPServerRun 514

Pointers appreciated!

TIA

Pete
--
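One way to do what the message above asks, as an added example that is not from anyone in the thread: a single new-syntax ruleset for the 514/TCP input that tries the device text matches first and then routes whatever is left by facility and priority into the per-host templates. Template names, paths, match strings and the port are taken from the thread; `prifilt()` and `stop` are the new-syntax equivalents of the old selector lines and of `& ~`, and the whole block is assumed to replace (not sit beside) the `$template` and `remote1` parts of the posted config.

```rsyslog
module(load="imptcp")

# Per-host destinations (same layout as the $template lines in the thread)
template(name="TmplAuthpriv" type="string" string="/var/log/remote/%HOSTNAME%/secure")
template(name="TmplMsg"      type="string" string="/var/log/remote/%HOSTNAME%/messages")
template(name="TmplCron"     type="string" string="/var/log/remote/%HOSTNAME%/cron")
template(name="TmplMail"     type="string" string="/var/log/remote/smtp/%HOSTNAME%/maillog")
template(name="TmplCmd"      type="string" string="/var/log/remote/%HOSTNAME%/cmd")

# Device-specific destinations
template(name="TmplVPXMsg"         type="string" string="/var/log/remote/netscaler/netscalerlog")
template(name="TmplAppfwMsg"       type="string" string="/var/log/remote/netscaler/appfwlog")
template(name="TmplCiscoRouterMsg" type="string" string="/var/log/remote/cisco/router/routerlog")

ruleset(name="remote1") {
    # 1. Text matches first. "stop" plays the role of the old "& ~" line:
    #    a matched message is written once and does not fall through to the
    #    per-host files below, so nothing is logged twice.
    if $msg contains 'VPX' then {
        action(type="omfile" name="netscaler_vpx_file" dynaFile="TmplVPXMsg")
        stop
    }
    if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file" dynaFile="TmplAppfwMsg")
        stop
    }
    if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file" dynaFile="TmplCiscoRouterMsg")
        stop
    }

    # 2. Everything else: the same facility.priority selectors as the old
    #    "remote1" ruleset, written with prifilt() so they can live inside
    #    this ruleset. The selector strings are unchanged from the old syntax.
    if prifilt("authpriv.*") then {
        action(type="omfile" name="remote_secure" dynaFile="TmplAuthpriv")
    }
    if prifilt("cron.*") then {
        action(type="omfile" name="remote_cron" dynaFile="TmplCron")
    }
    if prifilt("mail.*") then {
        action(type="omfile" name="remote_maillog" dynaFile="TmplMail")
    }
    if prifilt("local7.notice") then {
        action(type="omfile" name="remote_cmd" dynaFile="TmplCmd")
    }
    # "*.info" minus the facilities already handled above; as in the old
    # config, local7.notice messages land here as well as in the cmd file.
    if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        action(type="omfile" name="remote_messages" dynaFile="TmplMsg")
    }
}

# Declared after the ruleset it binds to, and only once.
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
```

Each action() carries a name, which is what shows up in rsyslog's own error and statistics output when a file cannot be written, so a misrouted or silently dropped stream can be traced back to the rule that handled it.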



>>>>
>>>> TIA
>>>>
>>>> Pete
>>>> --
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>>
>>>
>>>
>>> --
>>> Yury Bushmelev
>>>
>>
>> Thanks Yuri
>>
>> This is all good, but rsyslog doesn't like the config!
>>
>> rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level
>> 1), master config /etc/rsyslog.conf |
>> rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1
>> try http://www.rsyslog.com/e/2209 ] |
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> line 101: parameter 'ruleset' not known -- typo in config file?
>> [v8.24.0-57.el7_9.1 try http
>> ://www.rsyslog.com/e/2207 ]
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> line 101: parameter 'port' not known -- typo in config file?
>> [v8.24.0-57.el7_9.1 try http://
>> www.rsyslog.com/e/2207 ]
>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> line 101: parameter 'name' not known -- typo in config file?
>> [v8.24.0-57.el7_9.1 try http://
>> www.rsyslog.com/e/2207 ]
>>
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada [ In reply to ]
On Fri, 10 Sep 2021, lists@kush-t.com wrote:

> Thanks David
>
> Yes, my bad, I was still trying to load the "imtcp" module instead of the
> "imptcp" module. The rsyslog syntax is now valid, which is a good start.
>
> And yes, I'm constrained by what I can pull from redhat. Not my choice!
>
> So, my entire config now looks like the below:
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via
> logger command)
> $ModLoad imjournal # provides access to the systemd journal
> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
> template (name="TmplCiscoFirewallFormat" type="string"
> string="%TIMESTAMP% %HOSTNAME%
> %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
> )
> template (name="TmplCiscoFirewallFile" type="string"
> string="/var/log/remote/cisco/firewalllog"
> )


> $ModLoad imudp
> $RuleSet remoteudp1
> :programname, isequal, "SFIMS" ?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
> & ~
> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
> $RuleSet RSYSLOG_DefaultRuleset
> $InputUDPServerBindRuleset remoteudp1
> $UDPServerRun 514
> $ModLoad imptcp

This is one of the places where you should use the new syntax; change all of
this to the new syntax.


> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
> template(name="TmplVPXMsg" type="string"
> string="/var/log/remote/netscaler/netscalerlog")
> template(name="TmplAppfwMsg" type="string"
> string="/var/log/remote/netscaler/appfwlog")
> template(name="TmplCiscoRouterMsg" type="string"
> string="/var/log/remote/cisco/router/routerlog")




> ruleset(name="remote1") {
> if $msg contains 'VPX' then {
> action(type="omfile" name="netscaler_vpx_file"
> dynaFile="TmplVPXMsg")
> } else if $msg contains 'br01' then {
> action(type="omfile" name="cisco_router_file"
> dynaFile="TmplCiscoRouterMsg")
> } else if $msg contains 'appfw' then {
> action(type="omfile" name="netscaler_appfw_file"
> dynaFile="TmplAppfwMsg")
> }
> }


> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")

You should get an error defining an input multiple times; are you sure there are
no errors on startup?

> $WorkDirectory /var/lib/rsyslog
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $IncludeConfig /etc/rsyslog.d/*.conf
> $OmitLocalLogging on
> $IMJournalStateFile imjournal.state
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> authpriv.* /var/log/secure
> mail.* -/var/log/maillog
> cron.* /var/log/cron
> *.emerg :omusrmsg:*
> uucp,news.crit /var/log/spooler
> local7.* /var/log/boot.log
> local7.notice /var/log/cmd.log
>
>
> It's a mish-mash of old and new styles.
>
> The logs for the templated "TmplVPXMsg" "TmplAppfwMsg" "TmplCiscoRouterMsg"
> are working nicely.
>
> My issue is still how to pick out the remaining logs coming in over 514/TCP
> (ruleset="remote1") and stash them into the templated "TmplAuthpriv"
> "TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
> I don't know the correct syntax for catching these within the "remote1"
> ruleset!
>
> Within previous iterations we had something like:
>
> # Provides TCP syslog reception
> $ModLoad imtcp
>
> $RuleSet remote1
> :msg, regex , "[Zz][SsUu][Vv][Pp][Xx]" ?TmplNetscalerFile;TmplNetcalerFormat
> & ~

This syntax still works; just put it inside the ruleset {}.

Or use the if...then syntax; there is a regex() function you can use for the
test.

David Lang

Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada [ In reply to ]
The imptcp module is included in the base RH package.

(09:19:22) (root@mkr1:~)
# rpm -ql rsyslog | grep imptcp
/usr/lib64/rsyslog/imptcp.so
(09:19:32) (root@mkr1:~)
# rpm -q rsyslog
rsyslog-8.24.0-57.el7_9.1.x86_64

On 10.09.2021 03:46, David Lang via rsyslog wrote:
> please post your full config, the example config does not have 101
> lines, so it doesn't match the error you are posting.
>
> Also be aware that 8.24 is now about 5 years old and unsupported by the
> community, you are running something unique to redhat.
>
> That said, the imptcp module should be available, but they may have
> put it in a different package; you should get similar results with
> the imtcp module.
>
> David Lang
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada [ In reply to ]
Hi David!

I guess you and the topic starter already replied to your question why the
new syntax is better :)
Really, just have a look at the config posted below. I understand your
point, but well.. I cannot remember any person who came to the mailing list with
a simple configuration. It's always more or less complex. So if a person
would like to read and understand a config written a year ago, I'd say
there is only one way..


On Fri, 10 Sept 2021 at 09:54, David Lang <david@lang.hm> wrote:

> On Thu, 9 Sep 2021, Yuri Bushmelev via rsyslog wrote:
>
> > Please consider to stop using the $ThisConfigSyntaxStyle as "it will
> make
> > your life miserable" (c) Reiner Gerhards .. There is nice new syntax made
> > more than 10 years ago.
>
> please explain why
>
> template(name="TmplVPXMsg" type="string"
> string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
>
> is better than
>
> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
>
> or why
>
> action(type="omfile" file="/var/log/remote/netscaler/netscalerlog")
>
> is better than
>
> /var/log/remote/netscaler/netscalerlog
>
> it gets a bit closer when you compare
>
> action(type="omfile" dynaFile="TmplNetscalerMsg")
>
> with
>
> ?TmplNetscalerMsg
>
> but only because of the ?
>
> Now, I agree that if you are doing more complex things, the new syntax is
> better, but for simple things the old syntax is frequently as good or
> better.
>
> When the new syntax was introduced, Reiner was thinking that the old
> syntax
> would be phased out, but with further discussion and examples, he changed
> his
> mind because simple things are so much simpler in the old syntax.
>
> if your config requires setting one thing to affect a future line, you are
> probably better off doing it in a single line with the new syntax.
>
> The new template() and action() syntax allow a lot of options that don't
> exist
> with the old format (and names in the action() syntax can be incredibly
> valuable when debugging things), but if you aren't doing complex things,
> the old
> syntax can be better due to its brevity.
>
> David Lang
>


--
Yury Bushmelev
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada [ In reply to ]
Hello!

JFYI, there is no point in using a template and dynaFile below because your
template is constant, i.e. the filename is always the same. You can just use
the "file" option instead. When I proposed this I was expecting you'd like
to place the file under the /var/log/remote/%HOSTNAME% path. That's why I used
"dynaFile" there.

```
template(name="TmplVPXMsg" type="string"
string="/var/log/remote/netscaler/netscalerlog")
template(name="TmplAppfwMsg" type="string"
string="/var/log/remote/netscaler/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
string="/var/log/remote/cisco/router/routerlog")
ruleset(name="remote1") {
if $msg contains 'VPX' then {
action(type="omfile" name="netscaler_vpx_file"
dynaFile="TmplVPXMsg")
} else if $msg contains 'br01' then {
action(type="omfile" name="cisco_router_file"
dynaFile="TmplCiscoRouterMsg")
} else if $msg contains 'appfw' then {
action(type="omfile" name="netscaler_appfw_file"
dynaFile="TmplAppfwMsg")
}
}
```

On Fri, 10 Sept 2021 at 10:25, <lists@kush-t.com> wrote:

> Thanks David
>
> Yes, my bad, I was still trying to load the "imtcp" module instead of
> the "imptcp" module. The rsyslog syntax is now valid, which is a good
> start.
>
> And yes, I'm constrained by what I can pull from redhat. Not my choice!
>
> So, my entire config now looks like the below:
>
> $ModLoad imuxsock # provides support for local system logging (e.g.
> via logger command)
> $ModLoad imjournal # provides access to the systemd journal
> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
> template (name="TmplCiscoFirewallFormat" type="string"
> string="%TIMESTAMP% %HOSTNAME%
> %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
> )
> template (name="TmplCiscoFirewallFile" type="string"
> string="/var/log/remote/cisco/firewalllog"
> )
> $ModLoad imudp
> $RuleSet remoteudp1
> :programname, isequal, "SFIMS"
> ?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
> & ~
> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
> $RuleSet RSYSLOG_DefaultRuleset
> $InputUDPServerBindRuleset remoteudp1
> $UDPServerRun 514
> $ModLoad imptcp
> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
> template(name="TmplVPXMsg" type="string"
> string="/var/log/remote/netscaler/netscalerlog")
> template(name="TmplAppfwMsg" type="string"
> string="/var/log/remote/netscaler/appfwlog")
> template(name="TmplCiscoRouterMsg" type="string"
> string="/var/log/remote/cisco/router/routerlog")
> ruleset(name="remote1") {
> if $msg contains 'VPX' then {
> action(type="omfile" name="netscaler_vpx_file"
> dynaFile="TmplVPXMsg")
> } else if $msg contains 'br01' then {
> action(type="omfile" name="cisco_router_file"
> dynaFile="TmplCiscoRouterMsg")
> } else if $msg contains 'appfw' then {
> action(type="omfile" name="netscaler_appfw_file"
> dynaFile="TmplAppfwMsg")
> }
> }
> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
> $WorkDirectory /var/lib/rsyslog
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $IncludeConfig /etc/rsyslog.d/*.conf
> $OmitLocalLogging on
> $IMJournalStateFile imjournal.state
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> authpriv.* /var/log/secure
> mail.* -/var/log/maillog
> cron.* /var/log/cron
> *.emerg :omusrmsg:*
> uucp,news.crit /var/log/spooler
> local7.* /var/log/boot.log
> local7.notice /var/log/cmd.log
>
>
> It's a mish-mash of old and new styles.
>
> The logs for the templated "TmplVPXMsg" "TmplAppfwMsg"
> "TmplCiscoRouterMsg" are working nicely.
>
> My issue is still how to pick out the remaining logs coming in over
> 514/TCP (ruleset="remote1") and stash them into the templated
> "TmplAuthpriv" "TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
> I don't know the correct syntax for catching these within the
> "remote1" ruleset!
>
> Within previous iterations we had something like:
>
> # Provides TCP syslog reception
> $ModLoad imtcp
>
> $RuleSet remote1
> :msg, regex , "[Zz][SsUu][Vv][Pp][Xx]"
> ?TmplNetscalerFile;TmplNetcalerFormat
> & ~
> authpriv.* ?TmplAuthpriv
> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
> cron.* ?TmplCron
> mail.* ?TmplMail
> local7.notice ?TmplCmd
> $RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back
> to the default rule set
> $InputTCPServerBindRuleset remote1 #Define a new input and bind it to
> the "remote1" rule set
> $InputTCPServerRun 514
>
> Pointers appreciated!
>
> TIA
>
> Pete
> --

--
Yury Bushmelev
Re: Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada [ In reply to ]
Thank you _all_ for your help. With the addition of a couple of "stop"
directives, I now have logs going where I need.

Much appreciated!

Pete
--

Quoting Yuri Bushmelev <jay4mail@gmail.com>:

> Hello!
>
> JFYI, there is no point in using a template and dynaFile below because your
> template is constant, i.e. the filename is always the same. You can just use
> the "file" option instead. When I proposed this I was expecting you'd want
> to place the file under the /var/log/remote/%HOSTNAME% path. That's why I
> used "dynaFile" there.
>
> ```
> template(name="TmplVPXMsg" type="string"
> string="/var/log/remote/netscaler/netscalerlog")
> template(name="TmplAppfwMsg" type="string"
> string="/var/log/remote/netscaler/appfwlog")
> template(name="TmplCiscoRouterMsg" type="string"
> string="/var/log/remote/cisco/router/routerlog")
> ruleset(name="remote1") {
> if $msg contains 'VPX' then {
> action(type="omfile" name="netscaler_vpx_file"
> dynaFile="TmplVPXMsg")
> } else if $msg contains 'br01' then {
> action(type="omfile" name="cisco_router_file"
> dynaFile="TmplCiscoRouterMsg")
> } else if $msg contains 'appfw' then {
> action(type="omfile" name="netscaler_appfw_file"
> dynaFile="TmplAppfwMsg")
> }
> }
> ```
>
> On Fri, 10 Sept 2021 at 10:25, <lists@kush-t.com> wrote:
>
>> Thanks David
>>
>> Yes, my bad, I was still trying to load the "imtcp" module instead of
>> the "imptcp" module. The rsyslog syntax is now valid, which is a good
>> start.
>>
>> And yes, I'm constrained by what I can pull from redhat. Not my choice!
>>
>> So, my entire config now looks like the below:
>>
>> $ModLoad imuxsock # provides support for local system logging (e.g.
>> via logger command)
>> $ModLoad imjournal # provides access to the systemd journal
>> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
>> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
>> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
>> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
>> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
>> template (name="TmplCiscoFirewallFormat" type="string"
>> string="%TIMESTAMP% %HOSTNAME%
>> %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
>> )
>> template (name="TmplCiscoFirewallFile" type="string"
>> string="/var/log/remote/cisco/firewalllog"
>> )
>> $ModLoad imudp
>> $RuleSet remoteudp1
>> :programname, isequal, "SFIMS" ?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
>> & ~
>> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
>> $RuleSet RSYSLOG_DefaultRuleset
>> $InputUDPServerBindRuleset remoteudp1
>> $UDPServerRun 514
>> $ModLoad imptcp
>> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
>> template(name="TmplVPXMsg" type="string"
>> string="/var/log/remote/netscaler/netscalerlog")
>> template(name="TmplAppfwMsg" type="string"
>> string="/var/log/remote/netscaler/appfwlog")
>> template(name="TmplCiscoRouterMsg" type="string"
>> string="/var/log/remote/cisco/router/routerlog")
>> ruleset(name="remote1") {
>> if $msg contains 'VPX' then {
>> action(type="omfile" name="netscaler_vpx_file"
>> dynaFile="TmplVPXMsg")
>> } else if $msg contains 'br01' then {
>> action(type="omfile" name="cisco_router_file"
>> dynaFile="TmplCiscoRouterMsg")
>> } else if $msg contains 'appfw' then {
>> action(type="omfile" name="netscaler_appfw_file"
>> dynaFile="TmplAppfwMsg")
>> }
>> }
>> $WorkDirectory /var/lib/rsyslog
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> $IncludeConfig /etc/rsyslog.d/*.conf
>> $OmitLocalLogging on
>> $IMJournalStateFile imjournal.state
>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>> authpriv.* /var/log/secure
>> mail.* -/var/log/maillog
>> cron.* /var/log/cron
>> *.emerg :omusrmsg:*
>> uucp,news.crit /var/log/spooler
>> local7.* /var/log/boot.log
>> local7.notice /var/log/cmd.log
>>
>>
>> It's a mish-mash of old and new styles.
>>
>> The logs for the templated "TmplVPXMsg" "TmplAppfwMsg"
>> "TmplCiscoRouterMsg" are working nicely.
>>
>> My issue is still how to pick out the remaining logs coming in over
>> 514/TCP (ruleset="remote1") and stash them into the templated
>> "TmplAuthpriv" "TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
>> I don't know the correct syntax for catching these within the
>> "remote1" ruleset!
>>
>> Within previous iterations we had something like:
>>
>> # Provides TCP syslog reception
>> $ModLoad imtcp
>>
>> $RuleSet remote1
>> :msg, regex, "[Zz][SsUu][Vv][Pp][Xx]" ?TmplNetscalerFile;TmplNetscalerFormat
>> & ~
>> authpriv.* ?TmplAuthpriv
>> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
>> cron.* ?TmplCron
>> mail.* ?TmplMail
>> local7.notice ?TmplCmd
>> $RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back
>> to the default rule set
>> $InputTCPServerBindRuleset remote1 #Define a new input and bind it to
>> the "remote1" rule set
>> $InputTCPServerRun 514
>>
>> Pointers appreciated!
>>
>> TIA
>>
>> Pete
>> --
>>
>>
>>
>> Quoting David Lang <david@lang.hm>:
>>
>> > please post your full config, the example config does not have 101
>> > lines, so it doesn't match the error you are posting.
>> >
>> > Also be aware that 8.24 is now about 5 years old and unsupported by
>> > the community; you are running something unique to Red Hat.
>> >
>> > that said, the imptcp module should be available, but they may have
>> > put it in a different package, but you should get similar results
>> > with the imtcp module
>> >
>> > David Lang
>> >
>> > On Fri, 10 Sep 2021, lists--- via rsyslog wrote:
>> >
>> >> Date: Fri, 10 Sep 2021 02:41:02 +0100
>> >> From: lists--- via rsyslog <rsyslog@lists.adiscon.com>
>> >> To: Yuri Bushmelev <jay4mail@gmail.com>
>> >> Cc: lists@kush-t.com, rsyslog-users <rsyslog@lists.adiscon.com>
>> >> Subject: Re: [rsyslog] Struggling with the basics - trying to filter on
>> text
>> >> AND have logs go to /var/log/remote/yadayada
>> >>
>> >> Quoting Yuri Bushmelev <jay4mail@gmail.com>:
>> >>
>> >>> Hello!
>> >>>
>> >>> Please consider stopping using the $ThisConfigSyntaxStyle, as "it will
>> >>> make your life miserable" (c) Rainer Gerhards. There is a nice new syntax
>> >>> made more than 10 years ago.
>> >>>
>> >>> I guess this is more or less what you're looking for:
>> >>>
>> >>> ```
>> >>> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
>> >>>
>> >>> template(name="TmplVPXMsg" type="string"
>> >>> string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
>> >>> template(name="TmplAppfwMsg" type="string"
>> >>> string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
>> >>> template(name="TmplCiscoRouterMsg" type="string"
>> >>> string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")
>> >>>
>> >>> ruleset(name="remote1") {
>> >>> if $msg contains 'VPX' then {
>> >>> action(type="omfile" name="netscaler_vpx_file"
>> >>> dynaFile="TmplVPXMsg")
>> >>> } else if $msg contains 'br01' then {
>> >>> action(type="omfile" name="cisco_router_file"
>> >>> dynaFile="TmplCiscoRouterMsg")
>> >>> } else if $msg contains 'appfw' then {
>> >>> action(type="omfile" name="netscaler_appfw_file"
>> >>> dynaFile="TmplAppfwMsg")
>> >>> }
>> >>> }
>> >>> ```
>> >>>
>> >>> There is still some space for improvements though. I'd suggest creating
>> >>> different inputs for different kinds of logs. This way you can speed up
>> >>> processing a bit (because `if $msg contains ...` is slow). Do not overuse
>> >>> local variables though ($.something).
>> >>>
>> >>> ```
>> >>> # Assuming VPX and appfw logs are coming from the same device
>> >>> # Otherwise easier to create one more input and remove `if $msg
>> contains`
>> >>> completely
>> >>> input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")
>> >>>
>> >>> input(type="imptcp" name="cisco_router" port="2515"
>> ruleset="cisco_router")
>> >>>
>> >>> # /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
>> >>> template(name="TmplNetscalerMsg" type="list") {
>> >>> constant(value="/var/log/remote/netscaler/")
>> >>> property(name="hostname")
>> >>> constant(value="/")
>> >>> property(name="$.ns_type")
>> >>> constant(value="log")
>> >>> }
>> >>>
>> >>> template(name="TmplCiscoRouterMsg" type="string"
>> >>> string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")
>> >>>
>> >>> ruleset(name="netscaler") {
>> >>> if $msg contains 'VPX' then {
>> >>> set $.ns_type = "vpx";
>> >>> } else if $msg contains 'appfw' then {
>> >>> set $.ns_type = "appfw";
>> >>> } else {
>> >>> set $.ns_type = "UNKNOWN";
>> >>> }
>> >>> action(type="omfile" name="netscaler_appfw_file"
>> >>> dynaFile="TmplNetscalerMsg")
>> >>> }
>> >>>
>> >>> ruleset(name="cisco_router") {
>> >>> action(type="omfile" name="cisco_router_file"
>> >>> dynaFile="TmplCiscoRouterMsg")
>> >>> }
>> >>> ```
>> >>>
>> >>> All this knowledge I got from reading the Rsyslog docs here:
>> >>> https://www.rsyslog.com/doc/v8-stable/configuration/index.html
>> >>> Yes, it's not that well structured but still worth reading if you're
>> using
>> >>> Rsyslog a lot.
>> >>>
>> >>>
>> >>> On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
>> >>> rsyslog@lists.adiscon.com> wrote:
>> >>>
>> >>>> I can successfully have logs going to the correct files under
>> >>>> /var/log/remote/%HOSTNAME%/whatever, with the following template:
>> >>>>
>> >>>> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
>> >>>> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
>> >>>> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
>> >>>> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
>> >>>> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
>> >>>>
>> >>>> and following ruleset:
>> >>>>
>> >>>> $RuleSet justlogs
>> >>>> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
>> >>>> $RuleSet RSYSLOG_DefaultRuleset
>> >>>> $InputTCPServerBindRuleset justlogs
>> >>>> $InputTCPServerRun 514
>> >>>>
>> >>>>
>> >>>> And direct some logs into specific folders, a la:
>> >>>>
>> >>>> ruleset(name="remote1"){
>> >>>> if $msg contains 'VPX' then {
>> >>>> action(type="omfile"
>> >>>> file="/var/log/remote/netscaler/netscalerlog")
>> >>>> }
>> >>>> if $msg contains 'br01' then {
>> >>>> action(type="omfile"
>> >>>> file="/var/log/remote/cisco/router/routerlog")
>> >>>> }
>> >>>> if $msg contains 'appfw' then {
>> >>>> action(type="omfile"
>> >>>> file="/var/log/remote/netscaler/appfwlog")
>> >>>> }
>> >>>> }
>> >>>> $RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching
>> >>>> back to the default rule set
>> >>>> $InputTCPServerBindRuleset remote1 #Define a new input and bind it
>> >>>> to the "remote1" rule set
>> >>>> $InputTCPServerRun 514
>> >>>>
>> >>>> But not both at the same time! I've tried smashing the rulesets
>> >>>> together, but no joy.
>> >>>>
>> >>>> Reading the manual makes my brain hurt. And the online rsyslog.conf
>> >>>> builder isn't working for me.
>> >>>>
>> >>>> Pointers appreciated!
>> >>>>
>> >>>> TIA
>> >>>>
>> >>>> Pete
>> >>>> --
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>> --
>> >>> Yury Bushmelev
>> >>>
>> >>
>> >> Thanks Yuri
>> >>
>> >> This is all good, but rsyslog doesn't like the config!
>> >>
>> >> rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level
>> >> 1), master config /etc/rsyslog.conf |
>> >> rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1
>> >> try http://www.rsyslog.com/e/2209 ] |
>> >> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> >> line 101: parameter 'ruleset' not known -- typo in config file?
>> >> [v8.24.0-57.el7_9.1 try http
>> >> ://www.rsyslog.com/e/2207 ]
>> >> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> >> line 101: parameter 'port' not known -- typo in config file?
>> >> [v8.24.0-57.el7_9.1 try http://
>> >> www.rsyslog.com/e/2207 ]
>> >> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>> >> line 101: parameter 'name' not known -- typo in config file?
>> >> [v8.24.0-57.el7_9.1 try http://
>> >> www.rsyslog.com/e/2207 ]
>> >>
>> >>
>> >
>
> --
> Yury Bushmelev
>




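Pete's closing message does not include the config that finally worked, so here is an added example (editor's, not a config posted by Pete or Yuri) of the combination the thread was after: one ruleset bound to the TCP listener that first peels off the content-matched devices with `stop`, then falls through to the per-host templated files. It assumes rsyslog 8 with imptcp available, reuses the paths and match substrings from the thread (which are assumptions about the real device output), and assumes nothing else on the box binds 514/TCP. Because %HOSTNAME% is whatever the sending peer put in its syslog header, the per-host templates use the secpath-replace property option so a crafted hostname cannot steer writes outside /var/log/remote.

```rsyslog
# Added example, not a config posted in this thread.
# Assumes rsyslog 8 with imptcp; paths and match strings are the ones used in the thread.
module(load="imptcp")

# Per-host destinations for the "everything else" traffic. %HOSTNAME% comes from the
# peer's syslog header, so it is peer-controlled; secpath-replace turns any "/" in it
# into "_" so a hostname such as "../../etc" cannot move the file out of /var/log/remote.
template(name="TmplAuthpriv" type="string" string="/var/log/remote/%HOSTNAME:::secpath-replace%/secure")
template(name="TmplMsg"      type="string" string="/var/log/remote/%HOSTNAME:::secpath-replace%/messages")
template(name="TmplCron"     type="string" string="/var/log/remote/%HOSTNAME:::secpath-replace%/cron")
template(name="TmplMail"     type="string" string="/var/log/remote/smtp/%HOSTNAME:::secpath-replace%/maillog")
template(name="TmplCmd"      type="string" string="/var/log/remote/%HOSTNAME:::secpath-replace%/cmd")

ruleset(name="remote1") {
    # 1. Device-specific files, matched on message content. "stop" ends processing
    #    for that message, so a matched line is NOT also written to the per-host
    #    files further down. The file names are constant, so plain file= is enough
    #    (no template/dynaFile needed, as Yuri pointed out).
    if $msg contains "VPX" then {
        action(type="omfile" name="netscaler_vpx_file" file="/var/log/remote/netscaler/netscalerlog")
        stop
    }
    if $msg contains "appfw" then {
        action(type="omfile" name="netscaler_appfw_file" file="/var/log/remote/netscaler/appfwlog")
        stop
    }
    if $msg contains "br01" then {
        action(type="omfile" name="cisco_router_file" file="/var/log/remote/cisco/router/routerlog")
        stop
    }

    # 2. Everything else: the facility selectors from the original post, written as
    #    legacy selector + RainerScript action, which rsyslog accepts inside a
    #    ruleset() block.
    authpriv.*                                action(type="omfile" name="remote_secure"   dynaFile="TmplAuthpriv")
    cron.*                                    action(type="omfile" name="remote_cron"     dynaFile="TmplCron")
    mail.*                                    action(type="omfile" name="remote_mail"     dynaFile="TmplMail")
    local7.notice                             action(type="omfile" name="remote_cmd"      dynaFile="TmplCmd")
    *.info;mail.none;authpriv.none;cron.none  action(type="omfile" name="remote_messages" dynaFile="TmplMsg")
}

# One listener, bound once. The legacy $InputTCPServerBindRuleset / $InputTCPServerRun
# lines from the original post must go, or 514/TCP is bound twice.
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
```

Validate with `rsyslogd -N1 -f /etc/rsyslog.conf` before restarting, as the error output earlier in the thread shows. Two caveats a practitioner will care about: `$msg contains` matches on peer-supplied content, so any host that can reach 514/TCP can drop lines into the netscaler or router file by including the substring; if that matters, gate those branches on `$fromhost-ip` (the socket peer address, which is harder to forge than the header hostname) or give each device class its own listener port as Yuri's second snippet does. And the header hostname used in the per-host path is the peer's claim, not a verified identity, so treat the per-host directories as a convenience, not as attribution.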