Mailing List Archive

Central loghost using RHEL5.2 rsyslog
I'm trying to set up a central loghost (UDP and TCP) using the version
included in RHEL. I have come up with several partially working
configs but none work exactly as I need.

As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
version:


$ rpm -q rsyslog
rsyslog-2.0.0-11.el5

$ /sbin/rsyslogd -v
rsyslogd 2.0.0, compiled with:
FEATURE_PTHREADS (dual-threading): Yes
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
SYSLOG_INET (Internet/remote support): Yes
FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
FEATURE_DEBUG (debug build, slow code): No

See http://www.rsyslog.com for more information.



In a nutshell, here's what I need my config to have:

1.) TCP and UDP logging

2.) Local messages from the loghost itself go to /var/log/...

3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...

4.) Additionally, I have several logs that are matched on the message
content and go into separate log files.

5.) All messages go into a named pipe (which a 3rd party security tool
reads from and analyzes the data)

From the above, numbers 2, 3 and 4 are the ones I'm having trouble
with. Individually I can make each work but getting them all working in
harmony has been a bit of a battle... I want to avoid duplicate logging
so that the local loghost logs are in /var and remote logs in /syslog.
Additionally, the messages that are matched on their content I want to
ONLY show up in the files designated for them. However, the named pipe
should get everything.

If anyone has a similar config for this version of rsyslog that they
could share I'd appreciate it immensely.

Thanks,
Sam
Central loghost using RHEL5.2 rsyslog [ In reply to ]
I have no config but at least some quick ideas.

Organize the config file as such:

General settings (like $ModLoad) should go first.
Then, actions that should always happen should come first.
At the bottom of the file should be actions that occur only once.

Use the discard action ~ (tilde) to get rid of those messages that you
already processed and no longer need to care about.

A quick sample might be this (just with files, but I hope it gets the
idea):

*.* /file-always
*.info /file-info
*.info ~ # discard these messages - end of processing for them
*.* /file-all-but-info
*.err /file-err
*.err ~ # get rid of err
*.* /file-all-but-info-err

I think this will get you a bit further. In v3, we already have a better
way of doing things, but the ultimate solution will be implemented in
the coming weeks (full scripting). I understand this is not of help
here, but I thought I'd mention it.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Kielek, Samuel
> Sent: Thursday, June 05, 2008 4:56 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
Central loghost using RHEL5.2 rsyslog [ In reply to ]
Thanks, but I still don't know how to separate out the local and remote
logs. I tried using expression based filters but didn't have much
success. For example these config lines:

# Log remotely generated authpriv messages to /syslog
$template r_secure,"/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure.log"
if $source != 'localhost' and $syslogfacility-text == 'authpriv' then -?r_secure

Cause these errors:

Jun 5 14:24:27 ncldl38011 rsyslogd:unknown priority name ""
Jun 5 14:24:27 ncldl38011 rsyslogd:the last error occured in
/etc/rsyslog.conf, line 25
Jun 5 14:24:27 ncldl38011 rsyslogd:warning: selector line without
actions will be discarded

Not sure if it's something with my syntax or if it's just that this
version of rsyslog doesn't (fully) support this. I'm assuming it's not
supported, since the error seems to indicate that it is interpreting that
expression filter line as a standard selector type filter.

Thanks,
Sam


-----Original Message-----
From: rsyslog-bounces@lists.adiscon.com
[mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, June 05, 2008 11:16 AM
To: rsyslog-users
Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog
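The rule ordering and discard technique Rainer describes, applied to the five requirements in Sam's first mail, and written with the property-based filter syntax (`:property, operation, "value"`) in place of the `if ... then` expression filter that fails above. This is an added example for this page, not a config from the thread or from the rsyslog project. The sender range, the pipe path, the match strings and the hostname `loghost` are placeholders, and the `-r`/`-t` startup options, the `!isequal` negation and the `%fromhost%` value for local messages are assumed to behave as in the 2.x releases; test with `logger` before relying on it. It also departs from the thread in one respect: instead of one template per file, the facility name is part of the path, so a single filter line covers every facility.

```conf
# /etc/sysconfig/rsyslog -- on rsyslog 2.x the network listeners are startup
# options rather than $ModLoad lines (assumed for 2.0.0; see the rsyslogd man page):
#   SYSLOGD_OPTIONS="-m 0 -r -t 514"     # -r: receive UDP/514, -t 514: listen on TCP/514

# /etc/rsyslog.conf -- general settings first.
# Only accept messages from the monitored network (192.0.2.0/24 is a constructed
# placeholder range); anything from elsewhere is dropped on receipt.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24

# Remote messages land in /syslog/YYYY/MM/DD/HOSTNAME/<facility>.log. Routing by
# facility inside the template is what lets one filter line stand in for the
# "remote AND authpriv" expression that 2.x cannot evaluate.
$template RemoteByFacility,"/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

# --- actions that must always happen come first ---
# Every message, local or remote, to the named pipe read by the analysis tool.
# The pipe path is a placeholder; create it with mkfifo and keep a reader attached,
# otherwise writes block.
*.*                                   |/var/run/secmon.pipe

# --- content-matched logs: write, then discard so they appear nowhere else ---
# EXAMPLE-TAG-A / EXAMPLE-TAG-B stand in for the real match strings.
:msg, contains, "EXAMPLE-TAG-A"       /var/log/matched-a.log
:msg, contains, "EXAMPLE-TAG-A"       ~
:msg, contains, "EXAMPLE-TAG-B"       /var/log/matched-b.log
:msg, contains, "EXAMPLE-TAG-B"       ~

# --- remote messages: write to /syslog, then discard so they never reach /var/log ---
# "loghost" stands for whatever rsyslogd reports as %fromhost% for locally
# generated messages on this box; confirm it with a test template first.
:fromhost, !isequal, "loghost"        ?RemoteByFacility
:fromhost, !isequal, "loghost"        ~

# --- whatever is left is local: the stock RHEL rules ---
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
```

To check the separation, run `logger -t test "EXAMPLE-TAG-A hello"` and `logger -t test "plain hello"` once on the loghost and once on a remote machine: the tagged message should show up only in the pipe and `matched-a.log`, the plain local one in the pipe and `/var/log/messages`, and the plain remote one in the pipe and under `/syslog/.../user.log`. Two caveats for a loghost: `%HOSTNAME%` is taken from the message text, so a remote sender names its own directory; `%FROMHOST%` (the peer the daemon actually received from) is the property to use in the path if that matters. And `$AllowedSender` filters on source address, which a UDP sender can forge, so it limits noise rather than authenticating senders.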
Central loghost using RHEL5.2 rsyslog [ In reply to ]
Kielek, Samuel wrote:

Have you seen this:
http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory

--
Elisamuel Resto <samuel at dragonboricua.net>
Source Mage Developer / http://sourcemage.org
GPG KEY: 18615F19 / http://simplysam.us
Central loghost using RHEL5.2 rsyslog [ In reply to ]
Yes, but I believe the issue is that the rsyslog that ships with RHEL5
is from the v2-stable tree. For that config to work it would need to be
from the v3 tree.

At this point I have just settled for having everything (local + remote)
under one directory structure which is working nicely.

-Sam

-----Original Message-----
From: rsyslog-bounces@lists.adiscon.com
[mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Elisamuel Resto
Sent: Thursday, June 05, 2008 5:59 PM
To: rsyslog at lists.adiscon.com
Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog
Central loghost using RHEL5.2 rsyslog [ In reply to ]
Hi Sam,

if you can provide me with a (partial) sample of your config, I could
try to rearrange it. You may also mail it privately to me.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Kielek, Samuel
> Sent: Friday, June 06, 2008 1:32 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog