Mailing List Archive

Dynamic file generation issue
Hey all,

I've got a pretty simple configuration as below:

module(load="imudp")
input(type="imudp" port="514")

$template DynaFile,"/var/log/ext/%HOSTNAME%/%timestamp:::date-month%/%timestamp:::date-day%/%timestamp:::date-hour%.log"
*.* -?DynaFile


This appears to be working but I've noticed this oddity. I'm seeing logs
being sent to 2 locations, not duplicates from the looks of it. The
first location is the one specified in the template above, the other is
being sent to a file called *syslog* in /var/log/syslog. When looking at
the logs I'm not seeing any obvious differences between the messages. I
want all messages to go where I've defined the dynafile location. Does
anyone have any input as to what could be happening?

Here are some examples:

/var/log/ext/10.10.10.10/11/21$ tail 16.log
Nov 21 16:59:59 10.10.10.10 %ASA-6-106100: access-list inside_access_in
denied tcp inside/x.x.x.x(53194) -> outside/x.x.x.x(80) hit-cnt 1 first
hit [0xc58201ba, 0x38466015]

/var/log$ tail syslog
Nov 21 17:01:33 10.10.10.10 %ASA-6-106100: access-list inside_access_in
denied tcp inside/x.x.x.x(49548) -> outside/x.x.x.x(443) hit-cnt 1 first
hit [0xc58201ba, 0x6838bf3c]

Thanks,

Will
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Dynamic file generation issue
is that really your entire config, nothing else?

David Lang

On Mon, 21 Nov 2022, Will BMD via rsyslog wrote:

> Date: Mon, 21 Nov 2022 17:19:39 +0000
> From: Will BMD via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Will BMD <will@brainmeltdown.net>
> Subject: [rsyslog] Dynamic file generation issue
>
> Hey all,
>
> I've got a pretty simple configuration as below:
>
> module(load="imudp")
> input(type="imudp" port="514")
>
> $template DynaFile,"/var/log/ext/%HOSTNAME%/%timestamp:::date-month%/%timestamp:::date-day%/%timestamp:::date-hour%.log"
> *.* -?DynaFile
>
>
> This appears to be working but I've noticed this oddity. I'm seeing logs
> being sent to 2 locations, not duplicates from the looks of it. The first
> location is the one specified in the template above, the other is being sent
> to a file called *syslog* in /var/log/syslog. When looking at the logs I'm
> not seeing any obvious differences between the messages. I want all messages
> to go where I've defined the dynafile location. Does anyone have any input as
> to what could be happening?
>
> Here are some examples:
>
> /var/log/ext/10.10.10.10/11/21$ tail 16.log
> Nov 21 16:59:59 10.10.10.10 %ASA-6-106100: access-list inside_access_in
> denied tcp inside/x.x.x.x(53194) -> outside/x.x.x.x(80) hit-cnt 1 first hit
> [0xc58201ba, 0x38466015]
>
> /var/log$ tail syslog
> Nov 21 17:01:33 10.10.10.10 %ASA-6-106100: access-list inside_access_in
> denied tcp inside/x.x.x.x(49548) -> outside/x.x.x.x(443) hit-cnt 1 first hit
> [0xc58201ba, 0x6838bf3c]
>
> Thanks,
>
> Will

Re: Dynamic file generation issue
Yea, there's other config files in the same directory but nothing
references creating a syslog file. Is that a default option?

Any idea why the logs are being split?

Thanks,

Will

On 21/11/2022 17:21, David Lang wrote:
> is that really your entire config, nothing else?
>
> David Lang
>
> On Mon, 21 Nov 2022, Will BMD via rsyslog wrote:
>
>> Date: Mon, 21 Nov 2022 17:19:39 +0000
>> From: Will BMD via rsyslog <rsyslog@lists.adiscon.com>
>> To: rsyslog@lists.adiscon.com
>> Cc: Will BMD <will@brainmeltdown.net>
>> Subject: [rsyslog] Dynamic file generation issue
>>
>> Hey all,
>>
>> I've got a pretty simple configuration as below:
>>
>> module(load="imudp")
>> input(type="imudp" port="514")
>>
>> $template DynaFile,"/var/log/ext/%HOSTNAME%/%timestamp:::date-month%/%timestamp:::date-day%/%timestamp:::date-hour%.log"
>> *.* -?DynaFile
>>
>>
>> This appears to be working but I've noticed this oddity. I'm seeing
>> logs being sent to 2 locations, not duplicates from the looks of it.
>> The first location is the one specified in the template above, the
>> other is being sent to a file called *syslog* in /var/log/syslog.
>> When looking at the logs I'm not seeing any obvious differences
>> between the messages. I want all messages to go where I've defined
>> the dynafile location. Does anyone have any input as to what could be
>> happening?
>>
>> Here are some examples:
>>
>> /var/log/ext/10.10.10.10/11/21$ tail 16.log
>> Nov 21 16:59:59 10.10.10.10 %ASA-6-106100: access-list
>> inside_access_in denied tcp inside/x.x.x.x(53194) ->
>> outside/x.x.x.x(80) hit-cnt 1 first hit [0xc58201ba, 0x38466015]
>>
>> /var/log$ tail syslog
>> Nov 21 17:01:33 10.10.10.10 %ASA-6-106100: access-list
>> inside_access_in denied tcp inside/x.x.x.x(49548) ->
>> outside/x.x.x.x(443) hit-cnt 1 first hit [0xc58201ba, 0x6838bf3c]
>>
>> Thanks,
>>
>> Will

Re: Dynamic file generation issue
are you talking about files in /etc/rsyslog.d? if so, those are included in
/etc/rsyslog.conf and the resulting config that rsyslog uses is the combination
of all of them (or at least, all included in /etc/rsyslog.conf)

David Lang

On Mon, 21 Nov 2022, Will BMD wrote:

> Date: Mon, 21 Nov 2022 23:41:30 +0000
> From: Will BMD <will@brainmeltdown.net>
> To: David Lang <david@lang.hm>,
> Will BMD via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Dynamic file generation issue
>
> Yea, there's other config files in the same directory but nothing references
> creating a syslog file. Is that a default option?
>
> Any idea why the logs are being split?
>
> Thanks,
>
> Will
>
> On 21/11/2022 17:21, David Lang wrote:
>> is that really your entire config, nothing else?
>>
>> David Lang
>>
>> On Mon, 21 Nov 2022, Will BMD via rsyslog wrote:
>>
>>> Date: Mon, 21 Nov 2022 17:19:39 +0000
>>> From: Will BMD via rsyslog <rsyslog@lists.adiscon.com>
>>> To: rsyslog@lists.adiscon.com
>>> Cc: Will BMD <will@brainmeltdown.net>
>>> Subject: [rsyslog] Dynamic file generation issue
>>>
>>> Hey all,
>>>
>>> I've got a pretty simple configuration as below:
>>>
>>> module(load="imudp")
>>> input(type="imudp" port="514")
>>>
>>> $template DynaFile,"/var/log/ext/%HOSTNAME%/%timestamp:::date-month%/%timestamp:::date-day%/%timestamp:::date-hour%.log"
>>> *.* -?DynaFile
>>>
>>>
>>> This appears to be working but I've noticed this oddity. I'm seeing logs
>>> being sent to 2 locations, not duplicates from the looks of it. The first
>>> location is the one specified in the template above, the other is being
>>> sent to a file called *syslog* in /var/log/syslog. When looking at the
>>> logs I'm not seeing any obvious differences between the messages. I want
>>> all messages to go where I've defined the dynafile location. Does anyone
>>> have any input as to what could be happening?
>>>
>>> Here are some examples:
>>>
>>> /var/log/ext/10.10.10.10/11/21$ tail 16.log
>>> Nov 21 16:59:59 10.10.10.10 %ASA-6-106100: access-list inside_access_in
>>> denied tcp inside/x.x.x.x(53194) -> outside/x.x.x.x(80) hit-cnt 1 first
>>> hit [0xc58201ba, 0x38466015]
>>>
>>> /var/log$ tail syslog
>>> Nov 21 17:01:33 10.10.10.10 %ASA-6-106100: access-list inside_access_in
>>> denied tcp inside/x.x.x.x(49548) -> outside/x.x.x.x(443) hit-cnt 1 first
>>> hit [0xc58201ba, 0x6838bf3c]
>>>
>>> Thanks,
>>>
>>> Will

Re: Dynamic file generation issue
you can start rsyslog with -o /path/to/file and the resulting file will show the
complete, combined config that rsyslog is using.

David Lang
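
Added example (not part of the original thread and not rsyslog project code): because the effective config is the combination of /etc/rsyslog.conf and everything it includes, this sketch lists every rule that writes to a file across a set of config files, so a second writer such as /var/log/syslog can be traced to its file and line. The function names and the 50-default.conf sample are constructed for illustration; only legacy selector lines and action(type="omfile" ...) calls are recognised.

```shell
#!/bin/sh
# list_file_actions FILE...  ->  "file:line: target" for each file-writing rule
list_file_actions() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        # legacy rule: "<selector> [-]/path" or "<selector> [-]?Template"
        $1 ~ /^[A-Za-z0-9*,;.!=]+$/ && $1 ~ /[.]/ && $2 ~ "^-?[/?]" {
            t = $2; sub(/^-/, "", t)              # drop the "no sync" dash
            printf "%s:%d: %s\n", FILENAME, FNR, t
            next
        }
        # RainerScript rule: action(type="omfile" file=... or dynaFile=...)
        tolower($0) ~ /type="omfile"/ && match(tolower($0), /(dyna)?file="[^"]*"/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
            printf "%s:%d: %s\n", FILENAME, FNR, v
        }
    ' "$@"
}

# writers_of PATH FILE...  ->  only the rules whose target is exactly PATH
writers_of() {
    target=$1; shift
    list_file_actions "$@" | awk -v p="$target" '$NF == p'
}

# Constructed sample directory: the config from the thread plus a second,
# hypothetical file that also matches *.* and writes elsewhere.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/10-remote.conf" <<'EOF'
module(load="imudp")
input(type="imudp" port="514")
$template DynaFile,"/var/log/ext/%HOSTNAME%/%timestamp:::date-month%/%timestamp:::date-day%/%timestamp:::date-hour%.log"
*.* -?DynaFile
EOF
    cat > "$d/50-default.conf" <<'EOF'
# constructed stand-in for a rule living in another included file
*.*;auth,authpriv.none -/var/log/syslog
action(type="omfile" file="/var/log/all.log")
EOF
    echo "$d"
}

sample=$(make_sample_dir)
writers_of /var/log/syslog "$sample"/*.conf
rm -rf "$sample"
```

On a real host, pass /etc/rsyslog.conf and /etc/rsyslog.d/*.conf, or the single combined file written by the -o option mentioned above.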

