Mailing List Archive

change in filter
On RHEL 7, I have a filter:

if $programname == "systemd" and ( $msg contains "Starting Session" or $msg
contains "Started Session" ) then stop

which works fine. However under RHEL 8, I get

invalid property 'programname'

I think this is because BSD type filters are no longer supported, but I'm
not sure how to change this to the new style. I don't see an example of
how to make a compound filter:

:programname, isequal, "systemd" stop

I'm not sure where to add the msg filters in? Could someone point me to
the correct documentation?

Thanks!
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: change in filter
This is strange. No, everything is supported, we never remove any
config capability without very, very strong reason. Plus, the "if" is
not BSD-Style but script, the most modern filter.

Which version is running on RHEL 8?
What does the full config look like?
What does rsyslogd -N1 spit out?

Rainer

On Thu, 4 May 2023 at 11:29, Brad Van Orden via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> On RHEL 7, I have a filter:
>
> if $programname == "systemd" and ( $msg contains "Starting Session" or $msg
> contains "Started Session" ) then stop
>
> which works fine. However under RHEL 8, I get
>
> invalid property 'programname'
>
> I think this is because BSD type filters are no longer supported, but I'm
> not sure how to change this to the new style. I don't see an example of
> how to make a compound filter:
>
> :programname, isequal, "systemd" stop
>
> I'm not sure where to add the msg filters in? Could someone point me to
> the correct documentation?
>
> Thanks!
Re: change in filter
version is 8.2102.0-10.el8
rsyslogd -N1 spits out:
rsyslogd: error during parsing file
/etc/rsyslog.d/ignore-systemd-session-slice.conf, on or before line 2:
invalid property 'programname' [v8.2102.0-10.el8 try
https://www.rsyslog.com/e/2207 ]

rsyslog.conf:

$PreserveFQDN on
$ModLoad imuxsock
$ModLoad imklog
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local6.* /var/log/dhcpd
local7.* /var/log/boot.log
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdSyslog
$ActionQueueMaxDiskSpace 500m
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionQueueResumeRetryCount -1
*.debug @1.2.3.4:10975

We are running RHEL 8.7.

On Thu, May 4, 2023 at 5:48 AM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> This is strange. No, everything is supported, we never remove any
> config capability without very, very strong reason. Plus, the "if" is
> not BSD-Style but script, the most modern filter.
>
> Which version is running on RHEL 8?
> What does the full config look like?
> What does rsyslogd -N1 spit out?
>
> Rainer
Re: change in filter
I figured it out. I had a second line in that same file that started with:

if $progamname == "systemd-logind"

I was missing the second 'r' in programname. :(

Sorry for the bother.

On Thu, May 4, 2023 at 6:10 AM Brad Van Orden <brad.vanorden@gmail.com>
wrote:

> version is 8.2102.0-10.el8
> rsyslogd -N1 spits out:
> rsyslogd: error during parsing file
> /etc/rsyslog.d/ignore-systemd-session-slice.conf, on or before line 2:
> invalid property 'programname' [v8.2102.0-10.el8 try
> https://www.rsyslog.com/e/2207 ]
>
> rsyslog.conf:
>
> $PreserveFQDN on
> $ModLoad imuxsock
> $ModLoad imklog
> $IncludeConfig /etc/rsyslog.d/*.conf
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> authpriv.* /var/log/secure
> mail.* -/var/log/maillog
> cron.* /var/log/cron
> *.emerg :omusrmsg:*
> uucp,news.crit /var/log/spooler
> local6.* /var/log/dhcpd
> local7.* /var/log/boot.log
> $WorkDirectory /var/lib/rsyslog
> $ActionQueueFileName fwdSyslog
> $ActionQueueMaxDiskSpace 500m
> $ActionQueueSaveOnShutdown on
> $ActionQueueType LinkedList
> $ActionQueueResumeRetryCount -1
> *.debug @1.2.3.4:10975
>
> We are running RHEL 8.7.
Re: change in filter
No problem, thanks!

Sent from phone, thus brief.

Brad Van Orden <brad.vanorden@gmail.com> wrote on Thu, 4 May 2023, 14:45:

> I figured it out. I had a second line in that same file that started with:
>
> if $progamname == "systemd-logind"
>
> I was missing the second 'r' in programname. :(
>
> Sorry for the bother.
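
A pre-deployment check for the failure resolved in this thread, as an added example that is not from any poster or from the rsyslog project: it scans RainerScript lines for $property references that are not in a known-name list and suggests the nearest valid name. The property list is a partial subset, the names find_unknown_properties, KNOWN_PROPERTIES and SAMPLE_DROPIN are hypothetical, and the sample drop-in is constructed; rsyslogd -N1 remains the authoritative check.

```python
import difflib
import re

# Partial list of rsyslog message property names (assumption: extend as needed).
KNOWN_PROPERTIES = {
    "msg", "rawmsg", "hostname", "source", "fromhost", "fromhost-ip",
    "syslogtag", "programname", "pri", "pri-text", "syslogfacility",
    "syslogfacility-text", "syslogseverity", "syslogseverity-text",
    "timegenerated", "timereported", "timestamp", "protocol-version",
    "structured-data", "app-name", "procid", "msgid", "inputname",
}
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
# Matches $name but not $!json, $.local, $/global or $$system variables.
PROPERTY_REF = re.compile(r"(?<!\$)\$([A-Za-z][A-Za-z0-9-]*)")
# Heuristic: a line that starts with $Word is a legacy directive ($ModLoad ...).
LEGACY_DIRECTIVE = re.compile(r"^\s*\$[A-Za-z]")

# Constructed sample modelled on the thread's drop-in; the "then stop" on
# line 2 is assumed, the post shows only the start of that line.
SAMPLE_DROPIN = (
    'if $programname == "systemd" and ( $msg contains "Starting Session" '
    'or $msg contains "Started Session" ) then stop\n'
    'if $progamname == "systemd-logind" then stop\n'
)


def find_unknown_properties(config_text):
    """Return (line_number, name, suggestion) for each unknown $property."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        code = STRING_LITERAL.sub('""', line)  # ignore "$" inside strings
        code = code.split("#", 1)[0]           # ignore comments
        if LEGACY_DIRECTIVE.match(code):
            continue
        for name in PROPERTY_REF.findall(code):
            if name.lower() in KNOWN_PROPERTIES:
                continue
            close = difflib.get_close_matches(
                name.lower(), sorted(KNOWN_PROPERTIES), n=1)
            findings.append((line_no, name, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for line_no, name, hint in find_unknown_properties(SAMPLE_DROPIN):
        print(f"line {line_no}: unknown property ${name}; did you mean ${hint}?")
```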