From rgerhards at hq.adiscon.com Wed Aug 1 14:34:05 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Aug 2007 14:34:05 +0200
Subject: [rsyslog] rsyslog 1.17.6 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786AA@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.17.6 has been released. This release concludes the initial
effort to create an output module interface. It is now in place. Lots of
code has been changed during that effort and we solicit feedback and bug
reports. Newly added is the ability to work with include files in the
main config file. A few debugging configuration commands have been
added. There are also a number of bug fixes.

This release is a strongly recommended update for users of 1.17.1 and
above. There is no specific need for others, except if they like the new
feature or would like to help with testing.

Changelog:

http://www.rsyslog.com/Article103.phtml

Download:

http://www.rsyslog.com/Downloads-req-getit-lid-48.phtml

As always, feedback is appreciated.

Rainer Gerhards

From rgerhards at hq.adiscon.com Thu Aug 2 18:54:48 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 2 Aug 2007 18:54:48 +0200
Subject: [rsyslog] first time using rsyslog - some questions
In-Reply-To: <1184675304.606.61.camel@cutter>
References: <1184625715.606.32.camel@cutter><577465F99B41C842AAFBE9ED71E70ABA278588@grfint2.intern.adiscon.com> <1184675304.606.61.camel@cutter>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786CC@grfint2.intern.adiscon.com>

Hi sv,

long, long time ago, you wrote:

> As an option related to this. Allow a remote log server configuration
> option to include multiple hostnames/destinations in decreasing
> priority.
> So as long as the first one is up, you log to it, when it stops being
> up you log to the next one in the list and so on and so on.

I know you will not like the config file syntax (nor do I, but that's a
different topic ;-]), but I have finally implemented that feature.
I personally think it is quite powerful. Please read my blog for details:

http://rgerhards.blogspot.com/2007/08/finally-ability-to-automatically-switch.html

I now go ahead and upgrade a few output drivers. Then it'll work with
MySQL, too. ;)

Thanks again for the suggestion,
Rainer

From skvidal at fedoraproject.org Fri Aug 3 07:29:21 2007
From: skvidal at fedoraproject.org (seth vidal)
Date: Fri, 03 Aug 2007 01:29:21 -0400
Subject: [rsyslog] first time using rsyslog - some questions
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786CC@grfint2.intern.adiscon.com>
References: <1184625715.606.32.camel@cutter> <577465F99B41C842AAFBE9ED71E70ABA278588@grfint2.intern.adiscon.com> <1184675304.606.61.camel@cutter> <577465F99B41C842AAFBE9ED71E70ABA2786CC@grfint2.intern.adiscon.com>
Message-ID: <1186118961.998.186.camel@cutter>

On Thu, 2007-08-02 at 18:54 +0200, Rainer Gerhards wrote:
> Hi sv,
>
> long, long time ago, you wrote:
> > As an option related to this. Allow a remote log server configuration
> > option to include multiple hostnames/destinations in decreasing
> > priority.
> > So as long as the first one is up, you log to it, when it stops being
> > up you log to the next one in the list and so on and so on.
>
> I know you will not like the config file syntax (nor do I, but that's a
> different topic ;-]), but I have finally implemented that feature. I
> personally think it is quite powerful. Please read my blog for details:
>
> http://rgerhards.blogspot.com/2007/08/finally-ability-to-automatically-switch.html
>
> I now go ahead and upgrade a few output drivers. Then it'll work with
> MySQL, too. ;)

That's great, thanks!
-sv

From rgerhards at hq.adiscon.com Fri Aug 3 17:30:53 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Aug 2007 17:30:53 +0200
Subject: [rsyslog] rsyslog 1.18.0 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786D4@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.18.0 has been released today.
It offers a major new feature, to the best of our knowledge unseen yet
in any other syslog server. Backup log destinations can now be
configured. For example, rsyslog can be instructed to forward messages
to a set of secondary log hosts or database servers if the primary one
fails. When the primary is back online, messages are automatically being
sent to it again. Backup actions do not necessarily need to be the same
as the primary one. So one could also configure forwarding messages and
writing them to a log file if the receiver cannot be reached.

Other than that, there were a number of bug fixes and some code cleanup.

Version 1.18.0 is a recommended update for all users.

Changelog:

http://www.rsyslog.com/Article105.phtml

Download:

http://www.rsyslog.com/Downloads-req-getit-lid-49.phtml

As always, feedback is appreciated.

Rainer Gerhards

From mic at npgx.com.au Sat Aug 4 17:24:57 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Sun, 5 Aug 2007 01:24:57 +1000
Subject: [rsyslog] rsyslog 1.18.0 released
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786D4@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA2786D4@grfint2.intern.adiscon.com>
Message-ID: <20070804152154.M5306@npgx.com.au>

Hi Rainer,

> Hi all,
>
> rsyslog 1.18.0 has been released today. It offers a major new
> feature, to the best of our knowledge unseen yet in any other syslog
> server. Backup log destinations can now be configured. For example,

This is really the killer feature I have been waiting for Rainer, thanks for
adding it.

I will now look at testing this version and installing it into production
shortly after.

You may like to update your paper "On Reliability" here:

http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml

as that section will not hold true now.

Thanks again.

Michael.

> rsyslog can be instructed to forward messages to a set of secondary
> log hosts or database servers if the primary one fails.
> When the primary is back online, messages are automatically being sent
> to it again. Backup actions do not necessarily need to be the same as
> the primary one. So one could also configure forwarding messages and
> writing them to a log file if the receiver cannot be reached. Other
> than that, there were a number of bug fixes and some code cleanup.
> Version 1.18.0 is a recommended update for all users.
>
> Changelog:
>
> http://www.rsyslog.com/Article105.phtml
>
> Download:
>
> http://www.rsyslog.com/Downloads-req-getit-lid-49.phtml
>
> As always, feedback is appreciated.
>
> Rainer Gerhards
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
------- End of Original Message -------

From rgerhards at hq.adiscon.com Tue Aug 7 09:43:58 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Aug 2007 09:43:58 +0200
Subject: [rsyslog] Insights into next major versions threading model
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786E8@grfint2.intern.adiscon.com>

Hi all,

I blogged about my plans for the rsyslog next major release threading
model. I think it will be interesting for at least some here on the
list. Find the information at

http://rgerhards.blogspot.com/2007/08/why-is-rsyslog-multi-threaded-and-is-it.html

Be sure to follow the link at the bottom, it contains much more in-depth
information and a sketch of the future design!

Feedback is very much appreciated and at this point in time extremely
valuable.

Thanks,
Rainer Gerhards

From mic at npgx.com.au Tue Aug 7 15:32:29 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Tue, 7 Aug 2007 23:32:29 +1000
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
Message-ID: <20070807132042.M82345@npgx.com.au>

Hi,

I went here:

http://people.redhat.com/pvrabec/rpms/rsyslog/

and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and installed
it onto an SL4.5 server (RHEL 4 U5).
I then setup a MySQL database, and setup the /etc/rsyslog.conf file to output
to that database based on the instructions here:

http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml

After all that, I setup phpLogCon.

After all that, I see no entries getting logged into the MySQL database by
rsyslog. I've checked every step from the beginning and can only come to the
assumption that the rsyslog RPM above is not compiled with MySQL support??

Is this assumption valid and if so, why didn't the Red Hat person also make a
mysql one?

I'm guessing now I need to install from tarball? (I'd prefer RPM which is why
I started there first).

Any way I can see what the /sbin/rsyslog binary is compiled with?

Thanks.

Michael.

From rgerhards at hq.adiscon.com Tue Aug 7 16:05:03 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Aug 2007 16:05:03 +0200
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <20070807132042.M82345@npgx.com.au>
References: <20070807132042.M82345@npgx.com.au>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Mansour
> Sent: Tuesday, August 07, 2007 3:32 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
>
> Hi,
>
> I went here:
>
> http://people.redhat.com/pvrabec/rpms/rsyslog/
>
> and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and
> installed it onto an SL4.5 server (RHEL 4 U5).
>
> I then setup a MySQL database, and setup the /etc/rsyslog.conf file to
> output to that database based on the instructions here:
>
> http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml
>
> After all that, I setup phpLogCon.
>
> After all that, I see no entries getting logged into the MySQL database
> by rsyslog.
> I've checked every step from the beginning and can only come to the
> assumption that the rsyslog RPM above is not compiled with MySQL
> support??
>
> Is this assumption valid and if so, why didn't the Red Hat person also
> make a mysql one?

Yes, I think so. I remember there was some discussion around this. I'll
try to find you the bugzilla ticket where this was discussed.

>
> I'm guessing now I need to install from tarball? (I'd prefer RPM which
> is why I started there first).

I am not much into the RPM thing ;) If you have the source available
inside the RPM try, you can eventually do a

./configure --enable-mysql

>
> Any way I can see what the /sbin/rsyslog binary is compiled with?

rsyslog -v

will show the compile-time settings.

This for now, will follow-up soon.
Rainer

>
> Thanks.
>
> Michael.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From r.bhatia at ipax.at Tue Aug 7 16:07:51 2007
From: r.bhatia at ipax.at (Raoul Bhatia [IPAX])
Date: Tue, 07 Aug 2007 16:07:51 +0200
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>
References: <20070807132042.M82345@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>
Message-ID: <46B87CB7.9090909@ipax.at>

Rainer Gerhards wrote:
>> Any way I can see what the /sbin/rsyslog binary is compiled with?
>
> rsyslog -v

minor correction - adding a missing "d" ;)

> rsyslogd -v

kind regards,
raoul bhatia
--
____________________________________________________________________
DI (FH) Raoul Bhatia M.Sc.          E-Mail.  r.bhatia at ipax.at
IPAX                                Web.     http://www.ipax.at
Chief Technician, Support           IRC.     #ipax (quakenet)
____________________________________________________________________

From r.bhatia at ipax.at Tue Aug 7 16:01:06 2007
From: r.bhatia at ipax.at (Raoul Bhatia [IPAX])
Date: Tue, 07 Aug 2007 16:01:06 +0200
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <20070807132042.M82345@npgx.com.au>
References: <20070807132042.M82345@npgx.com.au>
Message-ID: <46B87B22.7070207@ipax.at>

you can try to use ldd(1) to print the shared libraries which are used
by a specific executable.

e.g.
> ldd /usr/sbin/rsyslogd | grep mysql
> libmysqlclient.so.15 => /usr/lib/libmysqlclient.so.15 (0xb7d74000)

kind regards,
raoul bhatia

Michael Mansour wrote:
> Hi,
>
> I went here:
>
> http://people.redhat.com/pvrabec/rpms/rsyslog/
>
> and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and installed
> it onto an SL4.5 server (RHEL 4 U5).
>
> I then setup a MySQL database, and setup the /etc/rsyslog.conf file to output
> to that database based on the instructions here:
>
> http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml
>
> After all that, I setup phpLogCon.
>
> After all that, I see no entries getting logged into the MySQL database by
> rsyslog. I've checked every step from the beginning and can only come to the
> assumption that the rsyslog RPM above is not compiled with MySQL support??
>
> Is this assumption valid and if so, why didn't the Red Hat person also make a
> mysql one?
>
> I'm guessing now I need to install from tarball? (I'd prefer RPM which is why
> I started there first).
>
> Any way I can see what the /sbin/rsyslog binary is compiled with?
>
> Thanks.
>
> Michael.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

--
____________________________________________________________________
DI (FH) Raoul Bhatia M.Sc.          E-Mail.  r.bhatia at ipax.at
IPAX                                Web.     http://www.ipax.at
Chief Technician, Support           IRC.     #ipax (quakenet)
____________________________________________________________________

From mic at npgx.com.au Tue Aug 7 16:19:13 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Wed, 8 Aug 2007 00:19:13 +1000
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>
References: <20070807132042.M82345@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>
Message-ID: <20070807141452.M34874@npgx.com.au>

Hi Rainer,

Thanks for your quick response.

> > Hi,
> >
> > I went here:
> >
> > http://people.redhat.com/pvrabec/rpms/rsyslog/
> >
> > and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and
> > installed it onto an SL4.5 server (RHEL 4 U5).
> >
> > I then setup a MySQL database, and setup the /etc/rsyslog.conf file to
> > output to that database based on the instructions here:
> >
> > http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml
> >
> > After all that, I setup phpLogCon.
> >
> > After all that, I see no entries getting logged into the MySQL database
> > by rsyslog. I've checked every step from the beginning and can only come
> > to the assumption that the rsyslog RPM above is not compiled with MySQL
> > support??
> >
> > Is this assumption valid and if so, why didn't the Red Hat person also
> > make a mysql one?
>
> Yes, I think so. I remember there was some discussion around this. I'll
> try to find you the bugzilla ticket where this was discussed.

Ok.

> > I'm guessing now I need to install from tarball? (I'd prefer RPM which
> > is why I started there first).
>
> I am not much into the RPM thing ;) If you have the source available
> inside the RPM try, you can eventually do a
>
> ./configure --enable-mysql

Hmmm.. I'll try this. But I have tried to compile from sources and keep
getting the error:

make: warning: Clock skew detected. Your build may be incomplete.
make: Warning: File `.deps/syslog.Po' has modification time 40 s in the future
make all-am
make[1]: Entering directory `/mnt/software/elephant/Software/rsyslog/rsyslog-1.18.0'
make[1]: Warning: File `.deps/syslog.Po' has modification time 40 s in the future
make[1]: Nothing to be done for `all-am'.
make[1]: warning: Clock skew detected. Your build may be incomplete.
make[1]: Leaving directory `/mnt/software/elephant/Software/rsyslog/rsyslog-1.18.0'
make: warning: Clock skew detected. Your build may be incomplete.

I've tried that with the 1.17.5 and 1.18.0 (as above) both give the same problem.

> > Any way I can see what the /sbin/rsyslog binary is compiled with?
>
> rsyslog -v
>
> will show the compile-time settings.

Ok, this is what I see:

# rsyslogd -v
rsyslogd 1.17.5, compiled with:
FEATURE_PTHREADS (dual-threading)
FEATURE_REGEXP
FEATURE_LARGEFILE
FEATURE_NETZIP (syslog message compression)
SYSLOG_INET (Internet/remote support)

See http://www.rsyslog.com for more information.

Hmm.. this doesn't seem to show MySQL??

The 1.18.0 binary I created above with the "skew problem" make shows:

# ./rsyslogd -v
rsyslogd 1.18.0, compiled with:
FEATURE_PTHREADS (dual-threading)
FEATURE_REGEXP
FEATURE_DB
FEATURE_LARGEFILE
FEATURE_NETZIP (syslog message compression)
SYSLOG_INET (Internet/remote support)

See http://www.rsyslog.com for more information.

Hmm.. both don't seem to mention MySQL and I know with 1.18.0 I used the
"./configure --enable-mysql" as it showed this after the configure:

****************************************************
rsyslog will be compiled with the followig settings:

Multithreading support enabled: yes
Klogd functionality enabled: yes
Regular expressions support enabled: yes
Zlib compression support enabled: yes
MySql support enabled: yes
Large file support enabled: yes
Networking support enabled: yes
Debug mode enabled: no

> This for now, will follow-up soon.

Thanks Rainer.

Michael.

> Rainer
> >
> > Thanks.
> >
> > Michael.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
------- End of Original Message -------

From r.bhatia at ipax.at Tue Aug 7 16:21:43 2007
From: r.bhatia at ipax.at (Raoul Bhatia [IPAX])
Date: Tue, 07 Aug 2007 16:21:43 +0200
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <20070807141452.M34874@npgx.com.au>
References: <20070807132042.M82345@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com> <20070807141452.M34874@npgx.com.au>
Message-ID: <46B87FF7.8020803@ipax.at>

Michael Mansour wrote:

noticed the "FEATURE_DB" entry?

> # rsyslogd -v
> rsyslogd 1.17.5, compiled with:
> FEATURE_PTHREADS (dual-threading)
> FEATURE_REGEXP
> FEATURE_LARGEFILE
> FEATURE_NETZIP (syslog message compression)
> SYSLOG_INET (Internet/remote support)
>
> See http://www.rsyslog.com for more information.
>
> Hmm.. this doesn't seem to show MySQL??
>
> The 1.18.0 binary I created above with the "skew problem" make shows:
>
> # ./rsyslogd -v
> rsyslogd 1.18.0, compiled with:
> FEATURE_PTHREADS (dual-threading)
> FEATURE_REGEXP
> FEATURE_DB
  ^^^^^^^^^^
> FEATURE_LARGEFILE
> FEATURE_NETZIP (syslog message compression)
> SYSLOG_INET (Internet/remote support)
>
> See http://www.rsyslog.com for more information.
>
> Hmm.. both don't seem to mention MySQL and I know with 1.18.0 I used the
> "./configure --enable-mysql" as it showed this after the configure:

moreover, ldd is the tool which tells you much more about a (dynamic
linked) binary than any "hardcoded" program information.

kind regards,
raoul bhatia
--
____________________________________________________________________
DI (FH) Raoul Bhatia M.Sc.          E-Mail.  r.bhatia at ipax.at
IPAX                                Web.     http://www.ipax.at
Chief Technician, Support           IRC.     #ipax (quakenet)
____________________________________________________________________

From mic at npgx.com.au Tue Aug 7 16:24:47 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Wed, 8 Aug 2007 00:24:47 +1000
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <46B87B22.7070207@ipax.at>
References: <20070807132042.M82345@npgx.com.au> <46B87B22.7070207@ipax.at>
Message-ID: <20070807142132.M5435@npgx.com.au>

Hi Raoul,

> you can try to use ldd(1) to print the shared libraries which are
> used by a specific executable.
>
> e.g.
> > ldd /usr/sbin/rsyslogd | grep mysql
> > libmysqlclient.so.15 => /usr/lib/libmysqlclient.so.15 (0xb7d74000)

Yes, this is what slipped my mind and what I was trying to remember.

When I do this on the 1.17.5 (from the src.rpm):

# ldd /sbin/rsyslogd |grep mysql
#

and when I do it from the 1.18.0 I compiled (but which gives that skew error):

# ldd ./rsyslogd |grep mysql
libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 (0x004fb000)

So basically, the http://people.redhat.com/pvrabec/rpms/rsyslog/ site for this
is not mysql enabled.

That's somewhat frustrating because I'm not sure now I can successfully compile
rsyslog with this skew error.

Michael.

> kind regards,
> raoul bhatia
>
> Michael Mansour wrote:
> > Hi,
> >
> > I went here:
> >
> > http://people.redhat.com/pvrabec/rpms/rsyslog/
> >
> > and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and installed
> > it onto an SL4.5 server (RHEL 4 U5).
> >
> > I then setup a MySQL database, and setup the /etc/rsyslog.conf file to output
> > to that database based on the instructions here:
> >
> > http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml
> >
> > After all that, I setup phpLogCon.
> >
> > After all that, I see no entries getting logged into the MySQL database by
> > rsyslog. I've checked every step from the beginning and can only come to the
> > assumption that the rsyslog RPM above is not compiled with MySQL support??
> >
> > Is this assumption valid and if so, why didn't the Red Hat person also make a
> > mysql one?
> >
> > I'm guessing now I need to install from tarball? (I'd prefer RPM which is why
> > I started there first).
> >
> > Any way I can see what the /sbin/rsyslog binary is compiled with?
> >
> > Thanks.
> >
> > Michael.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> --
> ____________________________________________________________________
> DI (FH) Raoul Bhatia M.Sc.          E-Mail.  r.bhatia at ipax.at
> IPAX                                Web.     http://www.ipax.at
> Chief Technician, Support           IRC.     #ipax (quakenet)
> ____________________________________________________________________
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
------- End of Original Message -------

From mic at npgx.com.au Tue Aug 7 16:53:54 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Wed, 8 Aug 2007 00:53:54 +1000
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>
References: <20070807132042.M82345@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com>
Message-ID: <20070807144229.M29413@npgx.com.au>

Hi,

> > Hi,
> >
> > I went here:
> >
> > http://people.redhat.com/pvrabec/rpms/rsyslog/
> >
> > and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and
> > installed it onto an SL4.5 server (RHEL 4 U5).
> >
> > I then setup a MySQL database, and setup the /etc/rsyslog.conf file to
> > output to that database based on the instructions here:
> >
> > http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml
> >
> > After all that, I setup phpLogCon.
> >
> > After all that, I see no entries getting logged into the MySQL database
> > by rsyslog.
> > I've checked every step from the beginning and can only come to the
> > assumption that the rsyslog RPM above is not compiled with MySQL
> > support??
> >
> > Is this assumption valid and if so, why didn't the Red Hat person also
> > make a mysql one?
>
> Yes, I think so. I remember there was some discussion around this. I'll
> try to find you the bugzilla ticket where this was discussed.
>
> >
> > I'm guessing now I need to install from tarball? (I'd prefer RPM which
> > is why I started there first).
>
> I am not much into the RPM thing ;) If you have the source available
> inside the RPM try, you can eventually do a
>
> ./configure --enable-mysql
>
> >
> > Any way I can see what the /sbin/rsyslog binary is compiled with?
>
> rsyslog -v
>
> will show the compile-time settings.
>
> This for now, will follow-up soon.
> Rainer

I've made progress but unfortunately rsyslogd ends up segfaulting when trying
to run in mysql mode.

I took the rsyslog-1.17.5-1.src.rpm file and installed it, modified the
/usr/src/redhat/SPECS/rsyslog.spec file to add:

%configure --sbindir=%{sbindir} --enable-mysql

to the configure line, this then compiled a mysql enabled version (checked
with ldd).

However, when I try to start rsyslogd with the

*.* >database-server,database-name,database-userid,database-password

entry (filled out to my details) as the last line in /etc/rsyslog.conf, the
start up hangs. When I comment out the line above, the startup succeeds.

When I run this in debug to see what's going on, pages of stuff ending with:

Messages with malicious PTR DNS Records are not dropped.
Control characters are replaced upon reception.
Control character escape sequence prefix is '#'.
-1208325536: logmsg: syslog.info<46>, flags 5, from '', msg [origin software="rsyslogd" swVersion="1.17.5" x-pid="11790"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
-1208325536: Message has legacy syslog format.
-1208325536: enqueueMsg: not yet running on multiple threads
-1208325536: Called fprintlog, logging to builtin-file (/var/log/messages)
-1208325536: Called fprintlog, logging to builtin-mysqlSegmentation fault

a segmentation fault.

When I try the same thing with the rsyslog-1.18.0 I compiled earlier:

[root at server rsyslog-1.18.0]# ./rsyslogd -m 0 -x -d

I get this logged into the messages file:

Aug 8 00:48:41 server rsyslogd: [origin software="rsyslogd" swVersion="1.18.0" x-pid="12621"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
Aug 8 00:48:41 server rsyslogd:To enable MySQL logging, a "$ModLoad MySQL" must be done - accepted for the time being, but will fail in future releases.
Aug 8 00:48:41 server rsyslogd:invalid character in selector line - ';template' expected
Aug 8 00:48:41 server rsyslogd:the last error occured in /etc/rsyslog.conf, line 31
Aug 8 00:48:41 server rsyslogd:warning: selector line without actions will be discarded

but that may be due to not actually doing a "make install" of 1.18.0 where the
klogd and rfc3195d files installed in the OS are for 1.17.5.

If they're not, does it give us a clue to the problem?

Thanks,

Michael.

From rgerhards at hq.adiscon.com Tue Aug 7 17:01:26 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Aug 2007 17:01:26 +0200
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <20070807144229.M29413@npgx.com.au>
References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com> <20070807144229.M29413@npgx.com.au>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com>

Michael,

glad you got that far. I think output modularization brought up an old
issue again: Add a semicolon to the end of the db action line. The MySQL
command line parser is pretty old and could need an upgrade. I've stayed
away from that, because it will be replaced when we do a new config file
format.
I'd appreciate if you could try. I'll also try to repro your bug, but I
need to finish something else first.

So the line should be like

*.* >database-server,database-name,database-userid,database-password;

NOTE THE END OF THE LINE!

Please let me know the outcome.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Mansour
> Sent: Tuesday, August 07, 2007 4:54 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
>
> Hi,
>
> > > Hi,
> > >
> > > I went here:
> > >
> > > http://people.redhat.com/pvrabec/rpms/rsyslog/
> > >
> > > and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it and
> > > installed it onto an SL4.5 server (RHEL 4 U5).
> > >
> > > I then setup a MySQL database, and setup the /etc/rsyslog.conf file
> > > to output to that database based on the instructions here:
> > >
> > > http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_mysql.html.phtml
> > >
> > > After all that, I setup phpLogCon.
> > >
> > > After all that, I see no entries getting logged into the MySQL
> > > database by rsyslog. I've checked every step from the beginning and
> > > can only come to the assumption that the rsyslog RPM above is not
> > > compiled with MySQL support??
> > >
> > > Is this assumption valid and if so, why didn't the Red Hat person
> > > also make a mysql one?
> >
> > Yes, I think so. I remember there was some discussion around this.
> > I'll try to find you the bugzilla ticket where this was discussed.
> >
> > >
> > > I'm guessing now I need to install from tarball? (I'd prefer RPM
> > > which is why I started there first).
> >
> > I am not much into the RPM thing ;) If you have the source available
> > inside the RPM try, you can eventually do a
> >
> > ./configure --enable-mysql
> >
> > >
> > > Any way I can see what the /sbin/rsyslog binary is compiled with?
> >
> > rsyslog -v
> >
> > will show the compile-time settings.
> >
> > This for now, will follow-up soon.
> > Rainer
>
> I've made progress but unfortunately rsyslogd ends up segfaulting when
> trying to run in mysql mode.
>
> I took the rsyslog-1.17.5-1.src.rpm file and installed it, modified the
> /usr/src/redhat/SPECS/rsyslog.spec file to add:
>
> %configure --sbindir=%{sbindir} --enable-mysql
>
> to the configure line, this then compiled a mysql enabled version
> (checked with ldd).
>
> However, when I try to start rsyslogd with the
>
> *.* >database-server,database-name,database-userid,database-password
>
> entry (filled out to my details) as the last line in /etc/rsyslog.conf,
> the start up hangs. When I comment out the line above, the startup
> succeeds.
>
> When I run this in debug to see what's going on, pages of stuff ending
> with:
>
> Messages with malicious PTR DNS Records are not dropped.
> Control characters are replaced upon reception.
> Control character escape sequence prefix is '#'.
> -1208325536: logmsg: syslog.info<46>, flags 5, from '', msg [origin software="rsyslogd" swVersion="1.17.5" x-pid="11790"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
> -1208325536: Message has legacy syslog format.
> -1208325536: enqueueMsg: not yet running on multiple threads
> -1208325536: Called fprintlog, logging to builtin-file (/var/log/messages)
> -1208325536: Called fprintlog, logging to builtin-mysqlSegmentation fault
>
> a segmentation fault.
>
> When I try the same thing with the rsyslog-1.18.0 I compiled earlier:
>
> [root at server rsyslog-1.18.0]# ./rsyslogd -m 0 -x -d
>
> I get this logged into the messages file:
>
> Aug 8 00:48:41 server rsyslogd: [origin software="rsyslogd" swVersion="1.18.0" x-pid="12621"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
> Aug 8 00:48:41 server rsyslogd:To enable MySQL logging, a "$ModLoad MySQL" must be done - accepted for the time being, but will fail in future releases.
> Aug 8 00:48:41 server rsyslogd:invalid character in selector line - ';template' expected
> Aug 8 00:48:41 server rsyslogd:the last error occured in /etc/rsyslog.conf, line 31
> Aug 8 00:48:41 server rsyslogd:warning: selector line without actions will be discarded
>
> but that may be due to not actually doing a "make install" of 1.18.0
> where the klogd and rfc3195d files installed in the OS are for 1.17.5.
>
> If they're not, does it give us a clue to the problem?
>
> Thanks,
>
> Michael.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From mic at npgx.com.au Tue Aug 7 17:18:55 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Wed, 8 Aug 2007 01:18:55 +1000
Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com>
References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com> <20070807144229.M29413@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com>
Message-ID: <20070807151225.M17447@npgx.com.au>

Hi Rainer,

> Michael,
>
> glad you got that far. I think output modularization brought up an
> old issue again: Add a semicolon to the end of the db action line.
> The MySQL command line parser is pretty old and could need an
> upgrade.
I've stayed away from that, because it will be replaced > when we do a new config file format. I'd appreciate if you could > try. I'll also try to repro your bug, but I need to finish something > else first. > > So the line should be like > > *.* > >database-server,database-name,database-userid,database-password; > > NOTE THE END OF THE LINE! Yes that was spot on. I added the semicolon for 1.18.0, ran the debug and it went through and (finally) logged entries into the database (1.17.5 would still segfault). I then just moved those three binaries in /sbin to .orig and copied across the ones for 1.18.0 into /sbin, then did the "service rsyslog start" and all worked: Aug 8 01:11:37 server rsyslogd: [origin software="rsyslogd" swVersion="1.18.0" x-pid="15789"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart Aug 8 01:11:37 server rsyslogd:To enable MySQL logging, a "$ModLoad MySQL" must be done - accepted for the time being, but will fail in future releases. Aug 8 01:11:37 server rsyslog: rsyslogd startup succeeded Aug 8 01:11:37 server rsyslog: rklogd startup succeeded Aug 8 01:11:37 server kernel: rklogd 1.18.0, log source = /proc/kmsg started. where: # rsyslogd -v rsyslogd 1.18.0, compiled with: FEATURE_PTHREADS (dual-threading) FEATURE_REGEXP FEATURE_DB FEATURE_LARGEFILE FEATURE_NETZIP (syslog message compression) SYSLOG_INET (Internet/remote support) See http://www.rsyslog.com for more information. and: # ldd rsyslogd |grep mysql libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 (0x004fb000) and I see the entries getting logged into the SystemEvents table. From here phpLogCon shows: 5 most recent logs (filter settings apply): No data found! Note: There are 23 events in the database, which are in the future! i.e. there are events in the database which I can't view, but now this may be due to a database change between 1.17.5 and 1.18.0 ?? It's too late in the morning now so I'll carry on with this tomorrow sometime.
But if you have suggestions on what could be wrong with phpLogCon (ie. why I'm not actually viewing the entries even though events do exist) please let me know. Thanks again. Michael. > Please let me know the outcome. > > Rainer > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Michael Mansour > > Sent: Tuesday, August 07, 2007 4:54 PM > > To: rsyslog-users > > Subject: Re: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? > > > > Hi, > > > > > > Hi, > > > > > > > > I went here: > > > > > > > > http://people.redhat.com/pvrabec/rpms/rsyslog/ > > > > > > > > and grabbed the rsyslog-1.17.5-1.src.rpm RPM, I then rebuilt it > and > > > > installed > > > > it onto an SL4.5 server (RHEL 4 U5). > > > > > > > > I then setup a MySQL database, and setup the /etc/rsyslog.conf > file > > to > > > > output > > > > to that database based on the instructions here: > > > > > > > > http://www.rsyslog.com/module-Static_Docs-view-f- > > > > rsyslog_mysql.html.phtml > > > > > > > > After all that, I setup phpLogCon. > > > > > > > > After all that, I see no entries getting logged into the MySQL > > > database > > > > by > > > > rsyslog. I've checked every step from the beginning and can only > > come > > > > to the > > > > assumption that the rsyslog RPM above is not compiled with MySQL > > > > support?? > > > > > > > > Is this assumption valid and if so, why didn't the Red Hat person > > also > > > > make a > > > > mysql one? > > > > > > Yes, I think so. I remember there was some discussion around this. > > I'll > > > try to find you the bugzilla ticket where this was discussed. > > > > > > > > I'm guessing now I need to install from tarball? (I'd prefer RPM > > which > > > > is why > > > > I started there first). 
> > > > > > I am not much into the RPM thing ;) If you have the source available > > > inside the RPM try, you can eventually do a > > > > > > ./configure --enable-mysql > > > > > > > > > > > Any way I can see what the /sbin/rsyslog binary is compiled with? > > > > > > rsyslog -v > > > > > > will show the compile-time settings. > > > > > > This for now, will follow-up soon. > > > Rainer > > > > I've made progress but unfortunately rsyslogd ends up segfaulting when > > trying > > to run in mysql mode. > > > > I took the rsyslog-1.17.5-1.src.rpm file and installed it, modified > the > > /usr/src/redhat/SPECS/rsyslog.spec file to add: > > > > %configure --sbindir=%{sbindir} --enable-mysql > > > > to the configure line, this then compiled a mysql enabled version > > (checked > > with ldd). > > > > However, when try to start rsyslogd with the > > > > *.* >database-server,database-name,database-userid,database- > > password > > > > entry (filled out to my details) as the last line in > /etc/rsyslog.conf, > > the > > start up hangs. When I comment out the line above, the startup > > succeeds. > > > > When I run this in debug to see what's going on, pages of stuff ending > > with: > > > > Messages with malicious PTR DNS Records are not dropped. > > Control characters are replaced upon reception. > > Control character escape sequence prefix is '#'. > > -1208325536: logmsg: syslog.info<46>, flags 5, from '', msg [origin > > software="rsyslogd" swVersion="1.17.5" x-pid="11790"][x-configInfo > > udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart > > -1208325536: Message has legacy syslog format. > > -1208325536: enqueueMsg: not yet running on multiple threads > > -1208325536: Called fprintlog, logging to builtin-file > > (/var/log/messages) > > -1208325536: Called fprintlog, logging to builtin-mysqlSegmentation > > fault > > > > a segmentation fault. 
> > > > When I try the same thing with the rsyslog-1.18.0 I compiled earlier: > > > > [root at server rsyslog-1.18.0]# ./rsyslogd -m 0 -x -d > > > > I get this logged into the messages file: > > > > Aug 8 00:48:41 server rsyslogd: [origin software="rsyslogd" > > swVersion="1.18.0" x-pid="12621"][x-configInfo udpReception="No" > > udpPort="514" > > tcpReception="No" tcpPort="0"] restart > > Aug 8 00:48:41 server rsyslogd:To enable MySQL logging, a "$ModLoad > > MySQL" > > must be done - accepted for the time being, but will fail in future > > releases. > > Aug 8 00:48:41 server rsyslogd:invalid character in selector line - > > ';template' expected > > Aug 8 00:48:41 server rsyslogd:the last error occured in > > /etc/rsyslog.conf, > > line 31 > > Aug 8 00:48:41 server rsyslogd:warning: selector line without actions > > will be > > discarded > > > > but that may be due to not actually doing a "make install" of 1.18.0 > > where the > > klogd and rfc3195d files installed in the OS are for 1.17.5. > > > > If they're not, does it give us a clue to the problem? > > > > Thanks, > > > > Michael. > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog ------- End of Original Message ------- From rgerhards at hq.adiscon.com Tue Aug 7 17:24:01 2007 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 7 Aug 2007 17:24:01 +0200 Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? 
In-Reply-To: <20070807151225.M17447@npgx.com.au> References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com><20070807144229.M29413@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com> <20070807151225.M17447@npgx.com.au> Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2786FA@grfint2.intern.adiscon.com> Hi Michael, > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Mansour > Sent: Tuesday, August 07, 2007 5:19 PM > To: rsyslog-users > Subject: Re: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? > > Hi Rainer, > > > Michael, > > > > glad you got that far. I think output modularization brought up an > > old issue again: Add a semicolon to the end of the db action line. > > The MySQL command line parser is pretty old and could need an > > upgrade. I've stayed away from that, because it will be replaced > > when we do a new config file format. I'd appreciate if you could > > try. I'll also try to repro your bug, but I need to finish something > > else first. > > > > So the line should be like > > > > *.* > > >database-server,database-name,database-userid,database-password; > > > > NOTE THE END OF THE LINE! > > Yes that was spot on. I added the semicolon for 1.18.0, ran the debug > and it > went through and (finally) logged entries into the database (1.17.5 > would > still segfault). Interesting - I tried to repro, but so far to no avail. Will check and fix. 
> > I then just moved those three binaries in /sbin to .orig and copied > across the > ones for 1.18.0 into /sbin, then did the "service rsyslog start" and > all worked: > > Aug 8 01:11:37 server rsyslogd: [origin software="rsyslogd" > swVersion="1.18.0" x-pid="15789"][x-configInfo udpReception="No" > udpPort="514" > tcpReception="No" tcpPort="0"] restart > Aug 8 01:11:37 server rsyslogd:To enable MySQL logging, a "$ModLoad > MySQL" > must be done - accepted for the time being, but will fail in future > releases. > Aug 8 01:11:37 server rsyslog: rsyslogd startup succeeded > Aug 8 01:11:37 server rsyslog: rklogd startup succeeded > Aug 8 01:11:37 server kernel: rklogd 1.18.0, log source = /proc/kmsg > started. > > where: > > # rsyslogd -v > rsyslogd 1.18.0, compiled with: > FEATURE_PTHREADS (dual-threading) > FEATURE_REGEXP > FEATURE_DB > FEATURE_LARGEFILE > FEATURE_NETZIP (syslog message compression) > SYSLOG_INET (Internet/remote support) > > See http://www.rsyslog.com for more information. > > and: > > # ldd rsyslogd |grep mysql > libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 > (0x004fb000) > > and I see the entries getting logged into the SystemEvents table. > > From here phpLogCon shows: > > 5 most recent logs (filter settings apply): > > No data found! > > Note: There are 23 events in the database, which are in the future! I think the "future problem" is probably related to your environment. This is most probably the clock skew that make also complained about. > > ie. there are events in the database which I can't view, but now this > may be > due to a database change between 1.17.5 and 1.18.0 ?? No, it's unchanged for at least a year. > > It's too late in the morning now so I'll carry on with this tomorrow > sometime. > But if you have suggestions on what could be wrong with phpLogCon (ie. > why I'm > not actually viewing the entries even though events do exist) please > let me know.
> I'd appreciate if you could post the phpLogCon issue (just copy and paste) to http://www.phplogcon.org/PNphpBB2.phtml I am right now way too disconnected from it - there are other folks who can probably help, but they are not necessarily reading this list ;) Thanks for your patience and help in getting rsyslog as bug-free as possible! Rainer From rgerhards at hq.adiscon.com Tue Aug 7 18:25:53 2007 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 7 Aug 2007 18:25:53 +0200 Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? In-Reply-To: <20070807141452.M34874@npgx.com.au> References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com> <20070807141452.M34874@npgx.com.au> Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278701@grfint2.intern.adiscon.com> > > Yes, I think so. I remember there was some discussion around this. > I'll > > try to find you the bugzilla ticket where this was discussed. > > Ok. Here it is: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243831 Please note that output modularization is complete. Plug-ins, however, are not yet defined and will probably not be before fall. Rainer From mic at npgx.com.au Wed Aug 8 02:46:46 2007 From: mic at npgx.com.au (Michael Mansour) Date: Wed, 8 Aug 2007 10:46:46 +1000 Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable?
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2786FA@grfint2.intern.adiscon.com> References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com><20070807144229.M29413@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com> <20070807151225.M17447@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786FA@grfint2.intern.adiscon.com> Message-ID: <20070808003316.M56983@npgx.com.au> Hi Rainer, > Hi Michael, > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Michael Mansour > > Sent: Tuesday, August 07, 2007 5:19 PM > > To: rsyslog-users > > Subject: Re: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? > > > > Hi Rainer, > > > > > Michael, > > > > > > glad you got that far. I think output modularization brought up an > > > old issue again: Add a semicolon to the end of the db action line. > > > The MySQL command line parser is pretty old and could need an > > > upgrade. I've stayed away from that, because it will be replaced > > > when we do a new config file format. I'd appreciate if you could > > > try. I'll also try to repro your bug, but I need to finish something > > > else first. > > > > > > So the line should be like > > > > > > *.* > > > >database-server,database-name,database-userid,database-password; > > > > > > NOTE THE END OF THE LINE! > > > > Yes that was spot on. I added the semicolon for 1.18.0, ran the debug > > and it > > went through and (finally) logged entries into the database (1.17.5 > > would > > still segfault). > > Interesting - I tried to repro, but so far to no avail. Will check > and fix. 
> > > > > I then just moved those three binaries in /sbin to .orig and copied > > across the > > ones for 1.18.0 into /sbin, then did the "service rsyslog start" and > > all worked: > > > > Aug 8 01:11:37 server rsyslogd: [origin software="rsyslogd" > > swVersion="1.18.0" x-pid="15789"][x-configInfo udpReception="No" > > udpPort="514" > > tcpReception="No" tcpPort="0"] restart > > Aug 8 01:11:37 server rsyslogd:To enable MySQL logging, a "$ModLoad > > MySQL" > > must be done - accepted for the time being, but will fail in future > > releases. > > Aug 8 01:11:37 server rsyslog: rsyslogd startup succeeded > > Aug 8 01:11:37 server rsyslog: rklogd startup succeeded > > Aug 8 01:11:37 server kernel: rklogd 1.18.0, log source = /proc/kmsg > > started. > > > > where: > > > > # rsyslogd -v > > rsyslogd 1.18.0, compiled with: > > FEATURE_PTHREADS (dual-threading) > > FEATURE_REGEXP > > FEATURE_DB > > FEATURE_LARGEFILE > > FEATURE_NETZIP (syslog message compression) > > SYSLOG_INET (Internet/remote support) > > > > See http://www.rsyslog.com for more information. > > > > and: > > > > # ldd rsyslogd |grep mysql > > libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 > > (0x004fb000) > > > > and I see the entries getting logged into the SystemEvents table. > > > > >From here phpLogCon shows: > > > > 5 most recent logs (filter settings apply): > > > > No data found! > > > > Note: There are 23 events in the database, which are in the future! > > I think the "future problem" is probably related to your environment. > This is most probably the clock skew that make also complained about. I worked out why there was the clock skew. Basically I was running the compile on an nfs mount point, and the server doing the nfs export was in the future (I hadn't finished the ntp setup on it). I fixed the ntp setup on the nfs exported server, and after a few minutes it synced correctly in time with every other server. 
I also extracted the 1.18.0 tarball into a local filesystem on the server running rsyslog, and the make went through fine without any clock skew. I then moved those newly generated rsyslog files to the /sbin directory, and started rsyslog and it's logging to the database. Currently the database has (from phpLogCon): 5 most recent logs (filter settings apply): No data found! Note: There are 2142 events in the database, which are in the future! I'm not sure why it still says "in the future", so what I did was stop rsyslog, truncate the systemevents table, restart rsyslog, and still got: 5 most recent logs (filter settings apply): No data found! Note: There are 11 events in the database, which are in the future! I know you provided me with a link to a forum on this, so I'll try and take this issue with phpLogCon up there. Do you know of any other software I can use which does what phpLogCon does, so that I can allow user accounts to log in and show syslog events from the web? > > ie. there are events in the database which I can't view, but now this > > may be > > due to a database change between 1.17.5 and 1.18.0 ?? > > No, it's unchanged for at least a year. Ok, that rules that problem out then. > > It's too late in the morning now so I'll carry on with this tomorrow > > sometime. > > But if you have suggestions on what could be wrong with phpLogCon (ie. > > why I'm > > not actually viewing the entries even though events do exist) please > > let me know. > > > > I'd appreciate if you could post the phpLogCon issue (just copy and > paste) to > > http://www.phplogcon.org/PNphpBB2.phtml > > I am right now way too disconnected from it - there are other folks > who can probably help, but they are not necessarily reading this > list ;) I'll do this now. > Thanks for your patience and help in getting rsyslog as bug-free as > possible! My pleasure Rainer, your software is also immensely helpful for what I need to get out of it too, so anything I can do to make it better...
Michael. > Rainer > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog ------- End of Original Message ------- From mic at npgx.com.au Wed Aug 8 05:13:40 2007 From: mic at npgx.com.au (Michael Mansour) Date: Wed, 8 Aug 2007 13:13:40 +1000 Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? In-Reply-To: <20070808003316.M56983@npgx.com.au> References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com><20070807144229.M29413@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com> <20070807151225.M17447@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786FA@grfint2.intern.adiscon.com> <20070808003316.M56983@npgx.com.au> Message-ID: <20070808021021.M77866@npgx.com.au> Hi Rainer, > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of Michael Mansour > > > Sent: Tuesday, August 07, 2007 5:19 PM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? > > > > > > Hi Rainer, > > > > > > > Michael, > > > > > > > > glad you got that far. I think output modularization brought up an > > > > old issue again: Add a semicolon to the end of the db action line. > > > > The MySQL command line parser is pretty old and could need an > > > > upgrade. I've stayed away from that, because it will be replaced > > > > when we do a new config file format. I'd appreciate if you could > > > > try. I'll also try to repro your bug, but I need to finish something > > > > else first. > > > > > > > > So the line should be like > > > > > > > > *.* > > > > >database-server,database-name,database-userid,database-password; > > > > > > > > NOTE THE END OF THE LINE! > > > > > > Yes that was spot on. 
I added the semicolon for 1.18.0, ran the debug > > > and it > > > went through and (finally) logged entries into the database (1.17.5 > > > would > > > still segfault). > > > > Interesting - I tried to repro, but so far to no avail. Will check > > and fix. > > > > > I then just moved those three binaries in /sbin to .orig and copied > > > across the > > > ones for 1.18.0 into /sbin, then did the "service rsyslog start" and > > > all worked: > > > > > > Aug 8 01:11:37 server rsyslogd: [origin software="rsyslogd" > > > swVersion="1.18.0" x-pid="15789"][x-configInfo udpReception="No" > > > udpPort="514" > > > tcpReception="No" tcpPort="0"] restart > > > Aug 8 01:11:37 server rsyslogd:To enable MySQL logging, a "$ModLoad > > > MySQL" > > > must be done - accepted for the time being, but will fail in future > > > releases. > > > Aug 8 01:11:37 server rsyslog: rsyslogd startup succeeded > > > Aug 8 01:11:37 server rsyslog: rklogd startup succeeded > > > Aug 8 01:11:37 server kernel: rklogd 1.18.0, log source = /proc/kmsg > > > started. > > > > > > where: > > > > > > # rsyslogd -v > > > rsyslogd 1.18.0, compiled with: > > > FEATURE_PTHREADS (dual-threading) > > > FEATURE_REGEXP > > > FEATURE_DB > > > FEATURE_LARGEFILE > > > FEATURE_NETZIP (syslog message compression) > > > SYSLOG_INET (Internet/remote support) > > > > > > See http://www.rsyslog.com for more information. > > > > > > and: > > > > > > # ldd rsyslogd |grep mysql > > > libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 > > > (0x004fb000) > > > > > > and I see the entries getting logged into the SystemEvents table. > > > > > > >From here phpLogCon shows: > > > > > > 5 most recent logs (filter settings apply): > > > > > > No data found! > > > > > > Note: There are 23 events in the database, which are in the future! > > > > I think the "future problem" is probably related to your environment. > > This is most probably the clock skew that make also complained about. 
> > I worked out why there was the clock skew. Basically I was running > the compile on an nfs mount point, and the server doing the nfs > export was in the future > (I hadn't finished the ntp setup on it). I fixed the ntp setup on > the nfs exported server, and after a few minutes it synced correctly > in time with every other server. > > I also extracted the 1.18.0 tarball into a local filesystem on the server > running rsyslog, and the make went through fine without any clock skew. > > I then moved those newly generated rsyslog files to the /sbin > directory, and started rsyslog and it's logging to the database. As an update to this, I modified the spec file that was in the 1.17.5 src rpm to just look for the 1.18.0, and built the 1.18.0 binary rpm without an issue. Regards, Michael. > Currently the database has (from phpLogcon): > > 5 most recent logs (filter settings apply): > > No data found! > > Note: There are 2142 events in the database, which are in the future! > > I'm not sure why it still says "in the future", so what I did was > stop rsyslog, truncate the systemevents table, restart rsyslog, and > still got: > > 5 most recent logs (filter settings apply): > > No data found! > > Note: There are 11 events in the database, which are in the future! > > I know you provided me with a link to a forum on this, so I'll try > and take this issue with phpLogCon up there. > > Do you know of any other software I can use which does was phpLogCon > does? so that I can allow user accounts to login and show syslog > events from the web? > > > > ie. there are events in the database which I can't view, but now this > > > may be > > > due to a database change between 1.17.5 and 1.18.0 ?? > > > > No, its unchanged for at least a year. > > Ok, that rules out that problem out then. > > > > It's too late in the morning now so I'll carry on with this tomorrow > > > sometime. > > > But if you have suggestions on what could be wrong with phpLogCon (ie. 
> > > why I'm > > > not actually viewing the entries even though events do exist) please > > > let me know. > > > > > > > I'd appreciate if you could post the phpLogCon issue (just copy and > > paste) to > > > > http://www.phplogcon.org/PNphpBB2.phtml > > > > I am right now way to disconnected from it - there are other folks > > who can probably help, but they are not necessarily reading this > > list ;) > > I'll do this now. > > > Thanks for your patience and help in getting rsyslog as bug-free as > > possible! > > My pleasure Rainer, your software is also immensely helpful for what > I need to get out of it too, so anything I can do to make it better... > > Michael. > > > Rainer > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > ------- End of Original Message ------- > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog ------- End of Original Message ------- From mic at npgx.com.au Wed Aug 8 08:54:51 2007 From: mic at npgx.com.au (Michael Mansour) Date: Wed, 8 Aug 2007 16:54:51 +1000 Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? In-Reply-To: <20070808003316.M56983@npgx.com.au> References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com><20070807144229.M29413@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com> <20070807151225.M17447@npgx.com.au> <577465F99B41C842AAFBE9ED71E70ABA2786FA@grfint2.intern.adiscon.com> <20070808003316.M56983@npgx.com.au> Message-ID: <20070808064618.M1387@npgx.com.au> Hi Rainer, > > Hi Michael, > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of Michael Mansour > > > Sent: Tuesday, August 07, 2007 5:19 PM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? 
> > > > > > Hi Rainer, > > > > > > > Michael, > > > > > > > > glad you got that far. I think output modularization brought up an > > > > old issue again: Add a semicolon to the end of the db action line. > > > > The MySQL command line parser is pretty old and could need an > > > > upgrade. I've stayed away from that, because it will be replaced > > > > when we do a new config file format. I'd appreciate if you could > > > > try. I'll also try to repro your bug, but I need to finish something > > > > else first. > > > > > > > > So the line should be like > > > > > > > > *.* > > > > >database-server,database-name,database-userid,database-password; > > > > > > > > NOTE THE END OF THE LINE! > > > > > > Yes that was spot on. I added the semicolon for 1.18.0, ran the debug > > > and it > > > went through and (finally) logged entries into the database (1.17.5 > > > would > > > still segfault). > > > > Interesting - I tried to repro, but so far to no avail. Will check > > and fix. I'm ignoring this 1.17.5 version now since 1.18.0 is working fine. > > > I then just moved those three binaries in /sbin to .orig and copied > > > across the > > > ones for 1.18.0 into /sbin, then did the "service rsyslog start" and > > > all worked: > > > > > > Aug 8 01:11:37 server rsyslogd: [origin software="rsyslogd" > > > swVersion="1.18.0" x-pid="15789"][x-configInfo udpReception="No" > > > udpPort="514" > > > tcpReception="No" tcpPort="0"] restart > > > Aug 8 01:11:37 server rsyslogd:To enable MySQL logging, a "$ModLoad > > > MySQL" > > > must be done - accepted for the time being, but will fail in future > > > releases. > > > Aug 8 01:11:37 server rsyslog: rsyslogd startup succeeded > > > Aug 8 01:11:37 server rsyslog: rklogd startup succeeded > > > Aug 8 01:11:37 server kernel: rklogd 1.18.0, log source = /proc/kmsg > > > started. 
> > > > > > where: > > > > > > # rsyslogd -v > > > rsyslogd 1.18.0, compiled with: > > > FEATURE_PTHREADS (dual-threading) > > > FEATURE_REGEXP > > > FEATURE_DB > > > FEATURE_LARGEFILE > > > FEATURE_NETZIP (syslog message compression) > > > SYSLOG_INET (Internet/remote support) > > > > > > See http://www.rsyslog.com for more information. > > > > > > and: > > > > > > # ldd rsyslogd |grep mysql > > > libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 > > > (0x004fb000) > > > > > > and I see the entries getting logged into the SystemEvents table. > > > > > > >From here phpLogCon shows: > > > > > > 5 most recent logs (filter settings apply): > > > > > > No data found! > > > > > > Note: There are 23 events in the database, which are in the future! > > > > I think the "future problem" is probably related to your environment. > > This is most probably the clock skew that make also complained about. > > I worked out why there was the clock skew. Basically I was running > the compile on an nfs mount point, and the server doing the nfs > export was in the future > (I hadn't finished the ntp setup on it). I fixed the ntp setup on > the nfs exported server, and after a few minutes it synced correctly > in time with every other server. > > I also extracted the 1.18.0 tarball into a local filesystem on the server > running rsyslog, and the make went through fine without any clock skew. > > I then moved those newly generated rsyslog files to the /sbin > directory, and started rsyslog and it's logging to the database. > > Currently the database has (from phpLogcon): > > 5 most recent logs (filter settings apply): > > No data found! > > Note: There are 2142 events in the database, which are in the future! > > I'm not sure why it still says "in the future", so what I did was > stop rsyslog, truncate the systemevents table, restart rsyslog, and > still got: > > 5 most recent logs (filter settings apply): > > No data found! 
> > Note: There are 11 events in the database, which are in the future! > > I know you provided me with a link to a forum on this, so I'll try > and take this issue with phpLogCon up there. > > Do you know of any other software I can use which does was phpLogCon > does? so that I can allow user accounts to login and show syslog > events from the web? > > > > ie. there are events in the database which I can't view, but now this > > > may be > > > due to a database change between 1.17.5 and 1.18.0 ?? > > > > No, its unchanged for at least a year. > > Ok, that rules out that problem out then. > > > > It's too late in the morning now so I'll carry on with this tomorrow > > > sometime. > > > But if you have suggestions on what could be wrong with phpLogCon (ie. > > > why I'm > > > not actually viewing the entries even though events do exist) please > > > let me know. > > > > > > > I'd appreciate if you could post the phpLogCon issue (just copy and > > paste) to > > > > http://www.phplogcon.org/PNphpBB2.phtml > > > > I am right now way to disconnected from it - there are other folks > > who can probably help, but they are not necessarily reading this > > list ;) > > I'll do this now. Although I posted the forum post, after that I read the FAQ: http://www.phplogcon.org/Topic3.phtml which actually solved the problem (by turning off UTC time). That solved the "future problem" displayed within phpLogCon and enabled me to pull rows out of the database. So basically, all is now working as expected and now I'm looking for the ability to use the 1.18.0 backup mysql server feature to complete the setup for redundancy. Where would the docs be for this? I'm also wondering if there are scripts around which will prune database entries over time that I could cron? so the database doesn't keep growing ad infinitum. Thanks for all your assistance so far Rainer. Michael. > > Thanks for your patience and help in getting rsyslog as bug-free as > > possible! 
> > My pleasure Rainer, your software is also immensely helpful for what > I need to get out of it too, so anything I can do to make it better... > > Michael. > > > Rainer > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > ------- End of Original Message ------- > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog ------- End of Original Message ------- From rgerhards at hq.adiscon.com Wed Aug 8 10:26:00 2007 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 8 Aug 2007 10:26:00 +0200 Subject: [rsyslog] potential segfault on HUP in 1.18.0 Message-ID: <577465F99B41C842AAFBE9ED71E70ABA27870E@grfint2.intern.adiscon.com> Hi all, there is a potential segfault after HUPing rsyslog in 1.18.0. This was found by varmojfekoj, who also supplied a patch. The CVS version is already patched. I will release 1.18.1 with the patch today. Rainer Gerhards From rgerhards at hq.adiscon.com Wed Aug 8 11:34:42 2007 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 8 Aug 2007 11:34:42 +0200 Subject: [rsyslog] Is rsyslog 1.17.5 RPM MySQL capable? In-Reply-To: <20070808064618.M1387@npgx.com.au> References: <20070807132042.M82345@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F2@grfint2.intern.adiscon.com><20070807144229.M29413@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786F5@grfint2.intern.adiscon.com><20070807151225.M17447@npgx.com.au><577465F99B41C842AAFBE9ED71E70ABA2786FA@grfint2.intern.adiscon.com><20070808003316.M56983@npgx.com.au> <20070808064618.M1387@npgx.com.au> Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278716@grfint2.intern.adiscon.com> > > > > Yes that was spot on. I added the semicolon for 1.18.0, ran the > debug > > > > and it > > > > went through and (finally) logged entries into the database > (1.17.5 > > > > would > > > > still segfault). 
> > >
> > > Interesting - I tried to repro, but so far to no avail. Will check
> > > and fix.
>
> I'm ignoring this 1.17.5 version now since 1.18.0 is working fine.

Looks like this was actually a 1.17.5 issue. I tried once again to repro with 1.18.0, but to no avail. I think I close the bug for now. If someone else experiences it, please speak up.

Thanks,
Rainer

From rgerhards at hq.adiscon.com Wed Aug 8 15:46:59 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 8 Aug 2007 15:46:59 +0200
Subject: [rsyslog] rsyslog 1.18.1 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278727@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.18.1 has been released today. Most importantly, the release fixes a potential segfault on HUPing rsyslogd as well as some other fixes. The size of the main message queue can now be configured, which is especially useful in high-volume environments with large traffic bursts. Also, the resume interval for actions can be configured. Rsyslog now compiles and runs under Debian sid. Performance has been tweaked a bit and a number of minor changes happened. Version 1.18.1 is a recommended update for all users.

Changelog: http://www.rsyslog.com/Article108.phtml
Download: http://www.rsyslog.com/Downloads-req-getit-lid-50.phtml

As always, feedback is appreciated,
Rainer Gerhards

From rgerhards at hq.adiscon.com Fri Aug 10 22:44:33 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 10 Aug 2007 22:44:33 +0200
Subject: [rsyslog] Rsyslog now has a wiki
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278776@grfint2.intern.adiscon.com>

Hi all,

I have just created the initial pages for a rsyslog wiki. I'd appreciate if you could have a look at my blog at

http://rgerhards.blogspot.com/2007/08/wiki-for-rsyslog.html

All contributions to the wiki are of course highly appreciated. Please help to get the whole thing started. Especially success stories (aka "what I did with rsyslog and why do I use it") are very valuable.

Thanks,
Rainer Gerhards

From mmeckelein at hq.adiscon.com Mon Aug 13 16:54:16 2007
From: mmeckelein at hq.adiscon.com (Michael Meckelein)
Date: Mon, 13 Aug 2007 16:54:16 +0200
Subject: [rsyslog] rsyslog 1.18.2 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA27879F@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.18.2 has been released today. Besides two bug fixes in outchannel code and in ommysql the overall documentation got a refresh. Also by request of a debian packager rsyslog's debian subdirectory was removed. Some preparation for dynamically loadable modules were added, too. Version 1.18.2 is a recommended update for all users.

Changelog: http://www.rsyslog.com/Article112.phtml
Download: http://www.rsyslog.com/Downloads-req-getit-lid-51.phtml

As always, feedback is appreciated.
Michael Meckelein

From mmeckelein at hq.adiscon.com Thu Aug 16 14:33:56 2007
From: mmeckelein at hq.adiscon.com (Michael Meckelein)
Date: Thu, 16 Aug 2007 14:33:56 +0200
Subject: [rsyslog] rsyslog 1.19.0 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2787DD@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.19.0 has been released today. This release is the first to support dynamically loading of output plug-ins. The MySQL output module has been converted into a loadable plug-in. This enables packagers to create much cleaner solutions by providing a rsyslog base package and a MySQL add-on package. This release is recommended for all users.

Changelog: http://www.rsyslog.com/Article115.phtml
Download: http://www.rsyslog.com/Downloads-req-getit-lid-52.phtml

As always, feedback is appreciated.
Michael Meckelein

From ashutosh.kaul at amd.com Thu Aug 16 15:13:51 2007
From: ashutosh.kaul at amd.com (Kaul, Ashutosh)
Date: Thu, 16 Aug 2007 08:13:51 -0500
Subject: [rsyslog] Rsyslog /var/log/messages
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2787DD@grfint2.intern.adiscon.com>
Message-ID:

Hi all,

I have installed and configured rsyslog-1.17.6 for a centralized syslog server, currently it's accepting syslogs at both UDP as well as TCP but when I check my /var/log/messages file I find that it doesn't log the hostname.

Pasting the one of the syslog
Aug 16 08:07:56 50091162 08/16/2007 07:08:03.390 ..truncated

In place of 50091162 it should log the ip address.

I did some initial research in which it was mentioned the template needs to have %FROMHOST% rather than %HOSTNAME% which I did but to no luck.

http://www.rsyslog.com/PNphpBB2-viewtopic-t-101.phtml

Thanks in advance for help.

Regards,
Ashutosh

From mmeckelein at hq.adiscon.com Fri Aug 17 10:06:57 2007
From: mmeckelein at hq.adiscon.com (Michael Meckelein)
Date: Fri, 17 Aug 2007 10:06:57 +0200
Subject: [rsyslog] Rsyslog /var/log/messages
In-Reply-To:
References: <577465F99B41C842AAFBE9ED71E70ABA2787DD@grfint2.intern.adiscon.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2787E8@grfint2.intern.adiscon.com>

Hi Ashutosh,

> I have installed and configured rsyslog-1.17.6 for a centralized
> syslog server, currently it's accepting syslogs at both UDP as well as
> TCP but when I check my /var/log/messages file I find that it doesn't
> log the hostname.

rsyslog 1.19.0 was released yesterday. Maybe you want to give it a try.

> Pasting the one of the syslog
> Aug 16 08:07:56 50091162 08/16/2007 07:08:03.390 ..truncated
>
> In place of 50091162 it should log the ip address.
>
> I did some initial research in which it was mentioned the template needs
> to have %FROMHOST% rather than %HOSTNAME% which I did but to no luck.

If the problem still persists, could you provide a raw message as it is received by rsyslog.
More information about rawmsg and properties at
http://www.rsyslog.com/module-Static_Docs-view-f-/property_replacer.html.phtml

Michael

From rgerhards at hq.adiscon.com Fri Aug 17 10:11:16 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 17 Aug 2007 10:11:16 +0200
Subject: [rsyslog] Rsyslog /var/log/messages
In-Reply-To:
References: <577465F99B41C842AAFBE9ED71E70ABA2787DD@grfint2.intern.adiscon.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2787ED@grfint2.intern.adiscon.com>

Can you post the output of %rawmsg% - I think it has to do with the message. However, FROMHOST should always work. It would be useful if you run it in debug mode (-d -n) and post that output, too.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Kaul, Ashutosh
> Sent: Thursday, August 16, 2007 3:14 PM
> To: rsyslog-users
> Subject: [rsyslog] Rsyslog /var/log/messages
>
> Hi all,
>
> I have installed and configured rsyslog-1.17.6 for a centralized
> syslog server, currently it's accepting syslogs at both UDP as well as
> TCP but when I check my /var/log/messages file I find that it doesn't
> log the hostname.
>
> Pasting the one of the syslog
> Aug 16 08:07:56 50091162 08/16/2007 07:08:03.390 ..truncated
>
> In place of 50091162 it should log the ip address.
>
> I did some initial research in which it was mentioned the template needs
> to have %FROMHOST% rather than %HOSTNAME% which I did but to no luck.
>
> http://www.rsyslog.com/PNphpBB2-viewtopic-t-101.phtml
>
> Thanks in advance for help.
>
> Regards,
> Ashutosh

From infofarmer at FreeBSD.org Fri Aug 17 19:29:28 2007
From: infofarmer at FreeBSD.org (Andrew Pantyukhin)
Date: Fri, 17 Aug 2007 21:29:28 +0400
Subject: [rsyslog] negative app selector does not work
Message-ID:

A line like "!-foo" effectively disables all logging
until a line like "!bar" while it should just filter
all messages from application named foo.

From rgerhards at hq.adiscon.com Fri Aug 17 21:40:16 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 17 Aug 2007 21:40:16 +0200
Subject: [rsyslog] On the rsyslog config file
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278800@grfint2.intern.adiscon.com>

Hi Folks,

Please see my blog post at

http://rgerhards.blogspot.com/2007/08/on-rsyslog-config-file-format.html

if you are interested in the config file format. I have also setup a section in the wiki, if you'd like to contribute ideas there:

http://wiki.rsyslog.com/index.php/Config_file_format_for_version_3.x

Thanks,
Rainer

From rgerhards at hq.adiscon.com Sun Aug 19 21:34:35 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sun, 19 Aug 2007 21:34:35 +0200
Subject: [rsyslog] negative app selector does not work
In-Reply-To:
References:
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278808@grfint2.intern.adiscon.com>

If I remember correctly, the negative app selector is not currently supported. I'll add a feature request.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Andrew Pantyukhin
> Sent: Friday, August 17, 2007 7:29 PM
> To: rsyslog-users
> Subject: [rsyslog] negative app selector does not work
>
> A line like "!-foo" effectively disables all logging
> until a line like "!bar" while it should just filter
> all messages from application named foo.

From ashutosh.kaul at amd.com Tue Aug 21 17:08:15 2007
From: ashutosh.kaul at amd.com (Kaul, Ashutosh)
Date: Tue, 21 Aug 2007 10:08:15 -0500
Subject: [rsyslog] Rsyslog /var/log/messages
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA2787ED@grfint2.intern.adiscon.com>
Message-ID:

Hi Rainer/all,

Thanks for the help, actually there were two problems,

1) Not able to log hostname from HP-UX - Sorted by using the %HOSTNAME% directive
2) Not able to log hostname from CISCO IOS. It's able to send to old syslog server - Still Pending.

Pasting the logs for the same

Aug 21 09:56:08 50644414 08/21/2007 08:56:20.820 SEV=5 RPT=1426140 Group [groupname] User [ysofer] Sending IKE Delete With Reason message: No Reason Provided.
Aug 21 09:56:08 50644418 08/21/2007 08:56:20.830 SEV=4 RPT=1013753 User [username] Group [Groupname] disconnected: Session Type: IPSec/NAT-T Duration: 7:59:39 Bytes xmt: 27550464 Bytes rcv: 11482680 Reason: User Requested
Aug 21 09:56:08 50644418 08/21/2007 08:56:20.830 SEV=4 RPT=1013753 User [username] Group [Group Name] disconnected: Session Type: IPSec/NAT-T Duration: 7:59:39 Bytes xmt: 27550464 Bytes rcv: 11482680 Reason: User Requested

And really appreciate the support provided by all.

Regards,
Ashutosh

-----Original Message-----
From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Friday, August 17, 2007 3:11 AM
To: rsyslog-users
Subject: Re: [rsyslog] Rsyslog /var/log/messages

Can you post the output of %rawmsg% - I think it has to do with the message. However, FROMHOST should always work. It would be useful if you run it in debug mode (-d -n) and post that output, too.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Kaul, Ashutosh
> Sent: Thursday, August 16, 2007 3:14 PM
> To: rsyslog-users
> Subject: [rsyslog] Rsyslog /var/log/messages
>
> Hi all,
>
> I have installed and configured rsyslog-1.17.6 for a centralized
> syslog server, currently it's accepting syslogs at both UDP as well as
> TCP but when I check my /var/log/messages file I find that it doesn't
> log the hostname.
>
> Pasting the one of the syslog
> Aug 16 08:07:56 50091162 08/16/2007 07:08:03.390 ..truncated
>
> In place of 50091162 it should log the ip address.
>
> I did some initial research in which it was mentioned the template
> needs to have %FROMHOST% rather than %HOSTNAME% which I did but to no
> luck.
>
> http://www.rsyslog.com/PNphpBB2-viewtopic-t-101.phtml
>
> Thanks in advance for help.
>
> Regards,
> Ashutosh

From ashutosh.kaul at amd.com Tue Aug 21 18:45:23 2007
From: ashutosh.kaul at amd.com (Kaul, Ashutosh)
Date: Tue, 21 Aug 2007 11:45:23 -0500
Subject: [rsyslog] Rsyslog /var/log/messages
In-Reply-To:
Message-ID:

Addition

RSYSLOG CONFIGURATION:
Aug 21 11:35:44 1672072 08/21/2007 11:35:05.830 SEV=4 CONFIG/17 RPT=18 Done writing configuration file, Success.

Older SYSLOG CONFIGURATION
Aug 21 11:34:13 1672023 08/21/2007 11:33:32.910 SEV=4 CONFIG/17 RPT=16 Done writing configuration file, Success.

Actually older syslog is writing hostname in front of message id and rsyslog is not logging the hostname (The logs are sent from a CISCO IOS)

Regards,
Ashutosh

-----Original Message-----
From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Kaul, Ashutosh
Sent: Tuesday, August 21, 2007 10:08 AM
To: rsyslog-users
Subject: Re: [rsyslog] Rsyslog /var/log/messages

Hi Rainer/all,

Thanks for the help, actually there were two problems,

1) Not able to log hostname from HP-UX - Sorted by using the %HOSTNAME% directive
2) Not able to log hostname from CISCO IOS. It's able to send to old syslog server - Still Pending.

Pasting the logs for the same

Aug 21 09:56:08 50644414 08/21/2007 08:56:20.820 SEV=5 RPT=1426140 Group [groupname] User [ysofer] Sending IKE Delete With Reason message: No Reason Provided.
Aug 21 09:56:08 50644418 08/21/2007 08:56:20.830 SEV=4 RPT=1013753 User [username] Group [Groupname] disconnected: Session Type: IPSec/NAT-T Duration: 7:59:39 Bytes xmt: 27550464 Bytes rcv: 11482680 Reason: User Requested
Aug 21 09:56:08 50644418 08/21/2007 08:56:20.830 SEV=4 RPT=1013753 User [username] Group [Group Name] disconnected: Session Type: IPSec/NAT-T Duration: 7:59:39 Bytes xmt: 27550464 Bytes rcv: 11482680 Reason: User Requested

And really appreciate the support provided by all.

Regards,
Ashutosh

-----Original Message-----
From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Friday, August 17, 2007 3:11 AM
To: rsyslog-users
Subject: Re: [rsyslog] Rsyslog /var/log/messages

Can you post the output of %rawmsg% - I think it has to do with the message. However, FROMHOST should always work. It would be useful if you run it in debug mode (-d -n) and post that output, too.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Kaul, Ashutosh
> Sent: Thursday, August 16, 2007 3:14 PM
> To: rsyslog-users
> Subject: [rsyslog] Rsyslog /var/log/messages
>
> Hi all,
>
> I have installed and configured rsyslog-1.17.6 for a centralized
> syslog server, currently it's accepting syslogs at both UDP as well as
> TCP but when I check my /var/log/messages file I find that it doesn't
> log the hostname.
>
> Pasting the one of the syslog
> Aug 16 08:07:56 50091162 08/16/2007 07:08:03.390 ..truncated
>
> In place of 50091162 it should log the ip address.
>
> I did some initial research in which it was mentioned the template
> needs to have %FROMHOST% rather than %HOSTNAME% which I did but to no
> luck.
>
> http://www.rsyslog.com/PNphpBB2-viewtopic-t-101.phtml
>
> Thanks in advance for help.
>
> Regards,
> Ashutosh

From mmeckelein at hq.adiscon.com Wed Aug 22 13:00:31 2007
From: mmeckelein at hq.adiscon.com (Michael Meckelein)
Date: Wed, 22 Aug 2007 13:00:31 +0200
Subject: [rsyslog] rsyslog 1.19.1 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA278855@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.19.1 has been released today. This is a cleanup and bug fixing release. It fixes a bug which can lead to a high load closing a remote connection. A potential segfault on reinit was fixed as well as some other bugs. Further the unloading of modules was enhanced. Especially the MySQL output module has been optimized.
The hardcoded module path "/lib/rsyslog" changed to $(pkglibdir) in order to support 64 bit platforms. This is a recommended update for all users.

Changelog: http://www.rsyslog.com/Article117.phtml
Download: http://www.rsyslog.com/Downloads-req-getit-lid-53.phtml

As always feedback is appreciated.
Michael Meckelein

From janfrode at tanso.net Mon Aug 27 21:32:06 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 27 Aug 2007 21:32:06 +0200
Subject: [rsyslog] rsyslog 1.19.1 released
References: <577465F99B41C842AAFBE9ED71E70ABA278855@grfint2.intern.adiscon.com>
Message-ID:

On 2007-08-22, Michael Meckelein wrote:
>
> rsyslog 1.19.1 has been released today. This is a cleanup and bug fixing
> release. It fixes a bug which can lead to a high load closing a remote
> connection. A potential segfault on reinit was fixed as well as some
> other bugs. Further the unloading of modules was enhanced. Especially
> the MySQL output module has been optimized.

FYI: this seems to make mysql mandatory for building rsyslog, as the
output module is built even if I specify --disable-mysql.

-jf

From janfrode at tanso.net Mon Aug 27 22:07:31 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 27 Aug 2007 22:07:31 +0200
Subject: [rsyslog] per programname logs
Message-ID:

I'm trying to get rsyslog to log each programname to separate logfiles,
so I have:

$template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
*.* -?PerAppLogs

This seems to show a couple of problems with %programname%. It will be set
to a bit strange strings for some of the messages:

1.4.1.log:
Aug 27 21:58:01 syslogd 1.4.1: restart.
Aug 27 21:58:01 syslogd 1.4.1: restart.
Aug 27 21:58:01 syslogd 1.4.1: restart.

message.log:
Aug 27 22:02:48 last message repeated 12 times
Aug 27 22:02:49 last message repeated 6 times
Aug 27 22:02:49 last message repeated 92 times

Not sure who's to blame..

-jf

From rgerhards at hq.adiscon.com Mon Aug 27 22:16:09 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 27 Aug 2007 22:16:09 +0200
Subject: [rsyslog] rsyslog 1.19.1 released
In-Reply-To:
References: <577465F99B41C842AAFBE9ED71E70ABA278855@grfint2.intern.adiscon.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA27889D@grfint2.intern.adiscon.com>

That's a good point. Probably we need a separate make target. The --disable-mysql switch should go away in the not so distant future. The reason is that core rsyslog does no longer support MySQL at all - it is a separate module that does. However, so it should compile without mysql dev libs, of course. I think a separate make target for the plugin is probably the best to do.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Jan-Frode Myklebust
> Sent: Monday, August 27, 2007 9:32 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] rsyslog 1.19.1 released
>
> On 2007-08-22, Michael Meckelein wrote:
> >
> > rsyslog 1.19.1 has been released today. This is a cleanup and bug fixing
> > release. It fixes a bug which can lead to a high load closing a remote
> > connection. A potential segfault on reinit was fixed as well as some
> > other bugs. Further the unloading of modules was enhanced. Especially
> > the MySQL output module has been optimized.
>
> FYI: this seems to make mysql mandatory for building rsyslog, as the
> output module is built even if I specify --disable-mysql.
>
> -jf

From rgerhards at hq.adiscon.com Mon Aug 27 22:34:20 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 27 Aug 2007 22:34:20 +0200
Subject: [rsyslog] per programname logs
In-Reply-To:
References:
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788A5@grfint2.intern.adiscon.com>

Can you let us know which strings it is set to? That would definitely help troubleshooting (one lab less to do ;)).

Thanks,
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Jan-Frode Myklebust
> Sent: Monday, August 27, 2007 10:08 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] per programname logs
>
> I'm trying to get rsyslog to log each programname to separate logfiles,
> so I have:
>
> $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
> *.* -?PerAppLogs
>
> This seems to show a couple of problems with %programname%. It will be set
> to a bit strange strings for some of the messages:
>
> 1.4.1.log:
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> message.log:
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times
>
> Not sure who's to blame..
>
> -jf

From janfrode at tanso.net Mon Aug 27 22:53:02 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 27 Aug 2007 22:53:02 +0200
Subject: [rsyslog] per programname logs
References:
Message-ID:

On 2007-08-27, Jan-Frode Myklebust wrote:
>
> 1.4.1.log:
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> message.log:
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times

BTW, the same happens for per-host template:

$template DailyPerHostLogs,"/var/log/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
*.* -?DailyPerHostLogs

which interprets the above as coming from %HOSTNAME% "syslogd" and "last",
and therefore gives me the logfiles last.log and syslogd.log.

-jf

From janfrode at tanso.net Mon Aug 27 23:06:55 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 27 Aug 2007 23:06:55 +0200
Subject: [rsyslog] per programname logs
References: <577465F99B41C842AAFBE9ED71E70ABA2788A5@grfint2.intern.adiscon.com>
Message-ID:

On 2007-08-27, Rainer Gerhards wrote:
> Can you let us know which strings it is set to? That would definitely
> help troubleshooting (one lab less to do ;)).

Not sure what you're asking.. I have this rsyslog.conf entry:

$template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
*.* -?PerAppLogs

which produces two log files "1.4.1.log" and "message.log" containing

Aug 27 21:58:01 syslogd 1.4.1: restart.
Aug 27 21:58:01 syslogd 1.4.1: restart.
Aug 27 21:58:01 syslogd 1.4.1: restart.

Aug 27 22:02:48 last message repeated 12 times
Aug 27 22:02:49 last message repeated 6 times
Aug 27 22:02:49 last message repeated 92 times

respectively. I think that's all information I have.. plus maybe also
say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
with sysklogd sending the logs over standard udp (*.* @loghost).

Another thing that scared me a bit is that from the same template I
got a logfile named ".log" containing:

Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save

which makes me think it tried to create the file /usr/bin/sudo.log..
Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
with a sufficiently crafted %programname% string...

-jf

From mic at npgx.com.au Tue Aug 28 02:53:26 2007
From: mic at npgx.com.au (Michael Mansour)
Date: Tue, 28 Aug 2007 10:53:26 +1000
Subject: [rsyslog] rsyslog 1.19.1 released
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA27889D@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA278855@grfint2.intern.adiscon.com> <577465F99B41C842AAFBE9ED71E70ABA27889D@grfint2.intern.adiscon.com>
Message-ID: <20070828005031.M38013@npgx.com.au>

Hi Rainer,

> That's a good point. Probably we need a separate make target. The
> --disable-mysql switch should go away in the not so distant future. The
> reason is that core rsyslog does no longer support MySQL at all - it
> is a separate module that does. However, so it should compile
> without mysql dev libs, of course. I think a separate make target
> for the plugin is probably the best to do.

This will be good, as I can then create a spec file with a variable the user can set (0 or 1) whether they want the mysql rpm built or not.
I can do this now in the specs I make available in the wiki, but with the necessity to require mysql to build anyway I saw no point in doing that.

Regards,

Michael.

> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> > Jan-Frode Myklebust
> > Sent: Monday, August 27, 2007 9:32 PM
> > To: rsyslog at lists.adiscon.com
> > Subject: Re: [rsyslog] rsyslog 1.19.1 released
> >
> > On 2007-08-22, Michael Meckelein wrote:
> > >
> > > rsyslog 1.19.1 has been released today. This is a cleanup and bug fixing
> > > release. It fixes a bug which can lead to a high load closing a remote
> > > connection. A potential segfault on reinit was fixed as well as some
> > > other bugs. Further the unloading of modules was enhanced. Especially
> > > the MySQL output module has been optimized.
> >
> > FYI: this seems to make mysql mandatory for building rsyslog, as the
> > output module is built even if I specify --disable-mysql.
> >
> > -jf
------- End of Original Message -------

From mmeckelein at hq.adiscon.com Tue Aug 28 13:00:25 2007
From: mmeckelein at hq.adiscon.com (Michael Meckelein)
Date: Tue, 28 Aug 2007 13:00:25 +0200
Subject: [rsyslog] rsyslog 1.19.2 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788B2@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.19.2 has been released today. Most importantly, the release fixes a segfault on receiving a specifically formed message. Some other minor bugs have been fixed as well as an issue with applying Global Directives on file creation. This is a recommended update for all users.

Changelog: http://www.rsyslog.com/Article119.phtml
Download: http://www.rsyslog.com/Downloads-req-getit-lid-54.phtml

As always, feedback is very appreciated.
Michael Meckelein

From rgerhards at hq.adiscon.com Tue Aug 28 21:32:43 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 28 Aug 2007 21:32:43 +0200
Subject: [rsyslog] per programname logs
In-Reply-To:
References: <577465F99B41C842AAFBE9ED71E70ABA2788A5@grfint2.intern.adiscon.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788BA@grfint2.intern.adiscon.com>

Good points and I probably see the reason for the internal messages. I just happen to be on the road this week without access to the code. Will fix next week.

Also, you are right that using the properties in file name generation without further sanitizing is not a good thing. There needs to be created a solution.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Jan-Frode Myklebust
> Sent: Monday, August 27, 2007 11:07 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] per programname logs
>
> On 2007-08-27, Rainer Gerhards wrote:
> > Can you let us know which strings it is set to? That would definitely
> > help troubleshooting (one lab less to do ;)).
>
> Not sure what you're asking.. I have this rsyslog.conf entry:
>
> $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
> *.* -?PerAppLogs
>
> which produces two log files "1.4.1.log" and "message.log" containing
>
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times
>
> respectively. I think that's all information I have..
> plus maybe also say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
> with sysklogd sending the logs over standard udp (*.* @loghost).
>
> Another thing that scared me a bit is that from the same template I
> got a logfile named ".log" containing:
>
> Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
>
> which makes me think it tried to create the file /usr/bin/sudo.log..
> Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
> with a sufficiently crafted %programname% string...
>
> -jf

From theinric at redhat.com Wed Aug 29 12:57:14 2007
From: theinric at redhat.com (theinric@redhat.com)
Date: Wed, 29 Aug 2007 12:57:14 +0200
Subject: [rsyslog] per programname logs
In-Reply-To:
References: <577465F99B41C842AAFBE9ED71E70ABA2788A5@grfint2.intern.adiscon.com>
Message-ID: <46D5510A.4060902@redhat.com>

Jan-Frode Myklebust wrote:
> On 2007-08-27, Rainer Gerhards wrote:
>> Can you let us know which strings it is set to? That would definitely
>> help troubleshooting (one lab less to do ;)).
>
> Not sure what you're asking..
> I have this rsyslog.conf entry:
>
> $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
> *.* -?PerAppLogs
>
> which produces two log files "1.4.1.log" and "message.log" containing
>
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times
>
> respectively. I think that's all information I have.. plus maybe also
> say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
> with sysklogd sending the logs over standard udp (*.* @loghost).
>
> Another thing that scared me a bit is that from the same template I
> got a logfile named ".log" containing:
>
> Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
>
> which makes me think it tried to create the file /usr/bin/sudo.log..
> Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
> with a sufficiently crafted %programname% string...
>

Hi,

in your example above, %programname% was an empty string, so you've ended up with the logfile /var/log/rsyslog/apps/.log. Additionally, programname can't contain '/', so your example should be fairly safe.

The reason of files like 1.4.1.log being produced is in the way hostname and tag are parsed.
For example, message "s y s l o g: asdf" would have its hostname set to
"s" and programname to "y".

From janfrode at tanso.net Wed Aug 29 13:35:24 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Wed, 29 Aug 2007 13:35:24 +0200
Subject: [rsyslog] per programname logs
References: <577465F99B41C842AAFBE9ED71E70ABA2788A5@grfint2.intern.adiscon.com> <46D5510A.4060902@redhat.com>
Message-ID:

On 2007-08-29, theinric at redhat.com wrote:
>>
>> Aug 27 21:58:01 syslogd 1.4.1: restart.
>> Aug 27 21:58:01 syslogd 1.4.1: restart.
>> Aug 27 21:58:01 syslogd 1.4.1: restart.
>>
>> Aug 27 22:02:48 last message repeated 12 times
>> Aug 27 22:02:49 last message repeated 6 times
>> Aug 27 22:02:49 last message repeated 92 times
>>
>
> in your example above, %programname% was an empty string, so you've
> ended up with the logfile /var/log/rsyslog/apps/.log.

In the entry:

    Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save

I'd expect it to be "/usr/bin/sudo djksjdks ", and that's what I think
sudo intended it to be.

Testing using "logger" I see that %programname% gets a bit strange
interpretations:

    # logger -t xyz test
    # cat xyz.log
    Aug 29 13:18:27 loghost1 xyz: test

    # logger -t "x y z" test
    # cat x.log
    Aug 29 13:19:30 loghost1 x y z: test

    # logger -t "y z " test
    # cat y.log
    Aug 29 13:21:17 loghost1 y z : test

And strangely, this one sets the %programname% to the hostname:

    # logger -t " w" test
    # cat loghost1.log
    Aug 29 13:26:08 loghost1 loghost1 w: test

-jf

From mykleb at no.ibm.com Wed Aug 29 14:14:01 2007
From: mykleb at no.ibm.com (Jan-Frode Myklebust)
Date: Wed, 29 Aug 2007 14:14:01 +0200
Subject: [rsyslog] mixing Property-Based Filters
Message-ID:

Is it possible to mix several property based filters to f.ex. filter
out that all programname=httpd from hostname=webserver is logged to
a specific file ?
Alternatively that all facility=local2 from hostname=webserver is
logged to a specific file ?

-jf

From theinric at redhat.com Wed Aug 29 15:30:02 2007
From: theinric at redhat.com (theinric@redhat.com)
Date: Wed, 29 Aug 2007 15:30:02 +0200
Subject: [rsyslog] mixing Property-Based Filters
In-Reply-To:
References:
Message-ID: <46D574DA.2040903@redhat.com>

Jan-Frode Myklebust wrote:
> Is it possible to mix several property based filters to f.ex. filter
> out that all programname=httpd from hostname=webserver is logged to
> a specific file ?
>
> Alternatively that all facility=local2 from hostname=webserver is
> logged to a specific file ?
>
> -jf
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

Property based filters can currently handle only one condition each.
What you're asking for can be done using host and tag selectors:

    !httpd
    +webserver
    *.* /var/log/webserver-httpd.log
    +*
    !*

    ...

    +webserver
    =local2.* /var/log/webserver-local2
    +*

From rgerhards at hq.adiscon.com Wed Aug 29 22:38:25 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 29 Aug 2007 22:38:25 +0200
Subject: [rsyslog] rsyslog 1.19.1 released
In-Reply-To: <20070828005031.M38013@npgx.com.au>
References: <577465F99B41C842AAFBE9ED71E70ABA278855@grfint2.intern.adiscon.com><577465F99B41C842AAFBE9ED71E70ABA27889D@grfint2.intern.adiscon.com> <20070828005031.M38013@npgx.com.au>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788CA@grfint2.intern.adiscon.com>

Michael,

As I've written in the other post, that'll probably happen next week
(Because I can not access the code right now).
But possibly some other folks pick it up and fix it ;)

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Michael Mansour
> Sent: Tuesday, August 28, 2007 2:53 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 1.19.1 released
>
> Hi Rainer,
>
> > That's a good point. Probably we need a separate make target. The
> > --disable-mysql switch should go away in the not so distant future. The
> > reason is that core rsyslog does no longer support MySQL at all - it
> > is a separate module that does. However, so it should compile
> > without mysql dev libs, of course. I think a separate make target
> > for the plugin is probably the best to do.
>
> This will be good, as I can then create a spec file with a variable the user
> can set (0 or 1) whether they want the mysql rpm built or not.
>
> I can do this now in the specs I make available in the wiki, but with the
> necessity to require mysql to build anyway I saw no point in doing that.
>
> Regards,
>
> Michael.
>
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com
> > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> > > Jan-Frode Myklebust
> > > Sent: Monday, August 27, 2007 9:32 PM
> > > To: rsyslog at lists.adiscon.com
> > > Subject: Re: [rsyslog] rsyslog 1.19.1 released
> > >
> > > On 2007-08-22, Michael Meckelein wrote:
> > > >
> > > > rsyslog 1.19.1 has been released today. This is a cleanup and bug fixing
> > > > release. It fixes a bug which can lead to a high load closing a remote
> > > > connection. A potential segfault on reinit was fixed as well as some
> > > > other bugs. Further the unloading of modules was enhanced. Especially
> > > > the MySQL output module has been optimized.
> > >
> > > FYI: this seems to make mysql mandatory for building rsyslog, as the
> > > output module is built even if I specify --disable-mysql.
> > >
> > >
> > >
> > > -jf
> > >
> ------- End of Original Message -------
>

From rgerhards at hq.adiscon.com Thu Aug 30 10:29:30 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 30 Aug 2007 10:29:30 +0200
Subject: [rsyslog] mixing Property-Based Filters
In-Reply-To: <46D574DA.2040903@redhat.com>
References: <46D574DA.2040903@redhat.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788D7@grfint2.intern.adiscon.com>

What theinric posts is the current work-around for this situation.

There is nothing I can add to it - except some insight into the future
plans: we plan to support full boolean expression trees of any
complexity. However, the future enhanced config file format must be
fixed first (see my blog at http://rgerhards.blogspot.com). Also, some
internal workings must be changed. So I'd say that boolean expressions
will become available in the late fall, winter time frame (actually it
looks more like winter). I may be wrong here - a real schedule can only
be done when the design for 3.0 is mostly finished, which is not as of
now. (BTW: any feedback and suggestions are highly appreciated).

I hope this extra information is helpful. And, yes, maybe some very
helpful and skilled volunteer might jump in and implement the feature in
an instant - this has happened in the past and I have to admit that I
like these kind of changes to the "official" (what's that?;)) schedule.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> theinric at redhat.com
> Sent: Wednesday, August 29, 2007 3:30 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] mixing Property-Based Filters
>
> Jan-Frode Myklebust wrote:
> > Is it possible to mix several property based filters to f.ex. filter
> > out that all programname=httpd from hostname=webserver is logged to
> > a specific file ?
> >
> > Alternatively that all facility=local2 from hostname=webserver is
> > logged to a specific file ?
> >
> > -jf
>
> Property based filters can currently handle only one condition each.
> What you're asking for can be done using host and tag selectors:
>
> !httpd
> +webserver
> *.* /var/log/webserver-httpd.log
> +*
> !*
>
> ...
>
> +webserver
> =local2.* /var/log/webserver-local2
> +*
>

From janfrode at tanso.net Thu Aug 30 13:32:07 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 30 Aug 2007 13:32:07 +0200
Subject: [rsyslog] mixing Property-Based Filters
References: <46D574DA.2040903@redhat.com> <577465F99B41C842AAFBE9ED71E70ABA2788D7@grfint2.intern.adiscon.com>
Message-ID:

On 2007-08-30, Rainer Gerhards wrote:
> What theinric posts is the current work-around for this situation.

Yes, thanks.. With this work-around we should be able to do the same
filtering we did with syslog-ng earlier :-)

> There is nothing I can add to it - except some insight into the future
> plans: we plan to support full boolean expression trees of any
> complexity. However, the future enhanced config file format must be
> fixed first (see my blog at http://rgerhards.blogspot.com).
Thanks, I've been following your blog and have read your "config file"
entry. I tend to agree with Seth Vidal's suggestion of a programming
language style config. Looks very readable. But it doesn't matter too
much.. as long as the functionality is there :-)

Also, from the same posting:

SV> For additional feature sets:
SV> Something that syslog-ng cannot do but I've always wanted a syslog
SV> daemon to do is store-and-forward remote logging and/or failover remote
SV> logging.

That would be a killer feature! I know about
http://wiki.rsyslog.com/index.php/FailoverSyslogServer,
but the /var/log/localbuffer needs to be flushed after recovery too...

-jf

From rgerhards at hq.adiscon.com Thu Aug 30 21:44:16 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 30 Aug 2007 21:44:16 +0200
Subject: [rsyslog] Rsyslog v3 object model and config file
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788DE@grfint2.intern.adiscon.com>

Hi folks,

as you may be aware, I am in the process of designing the rsyslog v3
object model and config file. I have written a preliminary version of
the object model today. And, what is probably even more important, I
have also sketched the flow of a message inside that new engine. The
posting is available at

http://rgerhards.blogspot.com/2007/08/rsyslog-v3-object-model-and-message.html

As I've written I intend to post a few sample config lines.

I would deeply appreciate any feedback, as this is a very critical time
for the project's future direction.

Thanks,
Rainer

From janfrode at tanso.net Thu Aug 30 23:48:54 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 30 Aug 2007 23:48:54 +0200
Subject: [rsyslog] v1.19.1 is crashing
Message-ID:

v1.19.1 hasn't been totally stable for us on RHEL5.. I think it's crashed
a couple of times this week.
Here's the latest log entry from the crash:

    *** glibc detected *** rsyslogd: corrupted double-linked list: 0xb3427a98 ***
    ======= Backtrace: =========
    /lib/libc.so.6[0x4152cda9]
    /lib/libc.so.6(cfree+0x90)[0x415305d0]
    rsyslogd[0x804ddba]
    rsyslogd(llExecFunc+0x3f)[0x805e86f]
    rsyslogd[0x804d80a]
    rsyslogd[0x804d938]
    /lib/libpthread.so.0[0x416112db]
    /lib/libc.so.6(clone+0x5e)[0x4159414e]

Are there any tricks for getting a coredump ? I've started it with
unlimited core size now, in case it goes down again..

-jf

From infofarmer at FreeBSD.org Fri Aug 31 01:07:22 2007
From: infofarmer at FreeBSD.org (Andrew Pantyukhin)
Date: Fri, 31 Aug 2007 03:07:22 +0400
Subject: [rsyslog] v1.19.1 is crashing
In-Reply-To:
References:
Message-ID:

On 8/31/07, Jan-Frode Myklebust wrote:
> v1.19.1 hasn't been totally stable for us on RHEL5.. I think it's crashed
> a couple of times this week. Here's the latest log entry from the crash:

rsyslog has never been quite stable for me since I started
using it in production (around version 1.17.x). It's annoying,
but I'm too lazy to debug it right now. Every version is
crashing every now and again. Under load it can stay up a few
hours or a few days, but I've never seen it work for more than
3-4 days on end.

From rgerhards at hq.adiscon.com Fri Aug 31 10:06:35 2007
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 31 Aug 2007 10:06:35 +0200
Subject: [rsyslog] mixing Property-Based Filters
In-Reply-To:
References: <46D574DA.2040903@redhat.com><577465F99B41C842AAFBE9ED71E70ABA2788D7@grfint2.intern.adiscon.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788DF@grfint2.intern.adiscon.com>

Our messages seem to have crossed, I am currently on dial-up. So my config
file/object model mail went out while I received that one. Please bear
this order of events in mind when you read this mail.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Jan-Frode Myklebust
> Sent: Thursday, August 30, 2007 1:32 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] mixing Property-Based Filters
>
> On 2007-08-30, Rainer Gerhards wrote:
> > What theinric posts is the current work-around for this situation.
>
> Yes, thanks.. With this work-around we should be able to do the same
> filtering we did with syslog-ng earlier :-)
>
>
> > There is nothing I can add to it - except some insight into the future
> > plans: we plan to support full boolean expression trees of any
> > complexity. However, the future enhanced config file format must be
> > fixed first (see my blog at http://rgerhards.blogspot.com).
>
> Thanks, I've been following your blog and have read your "config file"
> entry. I tend to agree with Seth Vidal's suggestion of a programming
> language style config. Looks very readable. But it doesn't matter too
> much.. as long as the functionality is there :-)

I am trying very hard to find something useful. It's not easy. Some ways
look very elegant, but come at the expense that the config file actually
turns into a programming-like thing. Others are not capable to support
all of the desired features and the full power of the object model. At
times, I end up with things that look pretty much like syslog-ng, which
I do not like because I do not want to get into traps of mimicking its
config.

Also, there *are* people who like rsyslog because it builds on the old
style config. For them, I'd like to keep it as simple as possible for
the basic needs. I do not say I will stick with the old-style config: no
way, that's simply insufficient to configure the new powerful object
model.

Read about the object model, and you'll see that we will have multiple
listeners which use potentially many different *sets* of rules.
In today's term, the full config file is a single rule set. The ability
to support multiple sets of rules make sense when - in the long term -
the input modules become more flexible. For example, you will probably
bind a different rule set to a file reader than to a syslog receiver
than to a SNMP trap receiver... You see where the complexity begins? ;)

>
> Also, from the same posting:
>
> SV> For additional feature sets:
> SV> Something that syslog-ng cannot do but I've always wanted a syslog
> SV> daemon to do is store-and-forward remote logging and/or failover remote
> SV> logging.
>
> That would be a killer feature! I know about
> http://wiki.rsyslog.com/index.php/FailoverSyslogServer,
> but the /var/log/localbuffer needs to be flushed after recovery too...

These are two different things. What you are asking for is not *yet*
implemented. It will be called queued execution mode. And it will be
implemented as part of 3.0. If you read my blog post from the 30th,
you'll notice it is already present in the action object (by concept, of
course and you need to read very carefully to actually notice it ;)).

The bottom line is that I need to get the new object model first. I also
need to get the new threading model, because this functionality requires
two threads (one to feed the on-disk queue, one to read it). Even when
design is finished, I can not implement it as long as I do not know how
to configure it. Now you (and everybody else) know why I am so eagerly
looking at the config file format. It's maybe a detail, but without it,
development comes to a standstill.
Rainer

>
>
> -jf
>

From mmeckelein at hq.adiscon.com Fri Aug 31 15:07:40 2007
From: mmeckelein at hq.adiscon.com (Michael Meckelein)
Date: Fri, 31 Aug 2007 15:07:40 +0200
Subject: [rsyslog] rsyslog release 1.19.3
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA2788E8@grfint2.intern.adiscon.com>

Hi all,

rsyslog 1.19.3 has been released today. This is a cleanup and bug fixing
release. It fixes a critical bug in dynamic file generation as well as a
small memory leak. The negative selector for program name filter (Blocks
in rsyslog.conf) works as expected now. Further the rsyslog.conf
documentation has been enhanced.

This is a highly recommended update for all users.

Changelog:
http://www.rsyslog.com/Article121.phtml

Download:
http://www.rsyslog.com/Downloads-req-getit-lid-55.phtml

As always, feedback is appreciated.

Michael Meckelein

From theinric at redhat.com Fri Aug 31 15:14:26 2007
From: theinric at redhat.com (theinric@redhat.com)
Date: Fri, 31 Aug 2007 15:14:26 +0200
Subject: [rsyslog] v1.19.1 is crashing
In-Reply-To:
References:
Message-ID: <46D81432.1090302@redhat.com>

Jan-Frode Myklebust wrote:
> v1.19.1 hasn't been totally stable for us on RHEL5.. I think it's crashed
> a couple of times this week. Here's the latest log entry from the crash:
>
> *** glibc detected *** rsyslogd: corrupted double-linked list: 0xb3427a98 ***
> ======= Backtrace: =========
> /lib/libc.so.6[0x4152cda9]
> /lib/libc.so.6(cfree+0x90)[0x415305d0]
> rsyslogd[0x804ddba]
> rsyslogd(llExecFunc+0x3f)[0x805e86f]
> rsyslogd[0x804d80a]
> rsyslogd[0x804d938]
> /lib/libpthread.so.0[0x416112db]
> /lib/libc.so.6(clone+0x5e)[0x4159414e]
>
> Are there any tricks for getting a coredump ? I've started it with
> unlimited core size now, in case it goes down again..
>

Hi,

could you please provide some more info on your configuration?
Configuration file, options used, log entries preceding the crash, ...
If logging forwarded messages, is the remote logger also rsyslog? Does
it use any templates?

From janfrode at tanso.net Fri Aug 31 19:29:04 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 31 Aug 2007 19:29:04 +0200
Subject: [rsyslog] v1.19.1 is crashing
References: <46D81432.1090302@redhat.com>
Message-ID:

On 2007-08-31, theinric at redhat.com wrote:
>
> could you please provide some more info on your configuration?
> Configuration file,

#################################################################################
$ grep -v ^# /etc/rsyslog.conf|grep -v ^$
$template DailyPerHostLogs,"/var/log/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
*.* -?DailyPerHostLogs
$template MaillogTemplate,"%timegenerated::fulltime% %HOSTNAME% %syslogtag%: %msg%\n"
$template HourlyMaillog,"/var/log/syslog/maillog/%$YEAR%/%$MONTH%/%$DAY%/maillog-%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"
mail.* -?HourlyMaillog;MaillogTemplate
$template precise,"%timegenerated::fulltime% %HOSTNAME% %syslogfacility-text%/%syslogseverity-text% %syslogtag% %msg%\n"
*.* -/var/log/syslog/everything;precise
mail.* ~
$template PerAppLogs,"/var/log/syslog/apps/%programname%.log"
*.* -?PerAppLogs
:msg, contains, "ServeRAID" -/var/log/syslog/apps/serveraid.log
:HOSTNAME, !isequal, "loghost1" ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
#################################################################################

> options used,

$ grep -v ^# /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-m 0 -r514"
KLOGD_OPTIONS="-x"
SYSLOG_UMASK=077

> log entries preceding the crash, ...

It's a quite busy log server, with about 70 active old style syslog
servers sending logs to it. The second it crashed it wrote 111 log-messages..
(273 the second before), mostly various postfix daemons, and I'd need to
anonymize them before sharing.. Can't see anything special.

> If logging forwarded messages, is the remote logger also rsyslog?

No, all are RHEL3/4/5 with their default syslogd server.

-jf
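
The file names reported earlier in this thread for the %programname% dynamic-file template (1.4.1.log, message.log, .log) can be reproduced with a small model of the header split, shown here next to a guard for the derived path. This is an added example, not code from the thread or from rsyslog: the split rule (first token is the hostname, second is the tag, programname ends at ':', '[' or '/') is a simplified assumption that matches the outputs quoted in the thread, and FALLBACK and SAFE_NAME are hypothetical names.

```python
import posixpath
import re

BASE_DIR = "/var/log/rsyslog/apps"   # directory of the PerAppLogs template
FALLBACK = "_unparsed"               # hypothetical catch-all file name
# Hypothetical allow-list: no '/', no leading '.', bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")

# Entries 1-3 are log lines quoted in the thread; entry 4 is the example
# message from the thread with a constructed timestamp in front.
SAMPLES = [
    "Aug 27 21:58:01 syslogd 1.4.1: restart.",
    "Aug 27 22:02:48 last message repeated 12 times",
    "Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; "
    "PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save",
    "Aug 29 13:00:00 s y s l o g: asdf",
]


def split_header(line):
    """Return (hostname, programname) under the simplified model (assumption):
    skip the 15-character timestamp, take the first token as hostname and the
    second as tag, then cut the tag at the first ':', '[' or '/'."""
    tokens = line[16:].split()
    hostname = tokens[0] if tokens else ""
    tag = tokens[1] if len(tokens) > 1 else ""
    programname = re.split(r"[:\[/]", tag, maxsplit=1)[0]
    return hostname, programname


def template_path(programname):
    """Expansion of BASE_DIR/%programname%.log with no checks applied."""
    return f"{BASE_DIR}/{programname}.log"


def guarded_path(programname):
    """Send unusable names to FALLBACK and confirm the result sits directly
    inside BASE_DIR before it is used as a file name."""
    name = programname if SAFE_NAME.fullmatch(programname) else FALLBACK
    path = posixpath.normpath(posixpath.join(BASE_DIR, name + ".log"))
    if posixpath.dirname(path) != BASE_DIR:
        raise ValueError(f"refusing path outside {BASE_DIR}: {path!r}")
    return path


def audit(lines):
    """Return (hostname, programname, unguarded path, guarded path) per line."""
    rows = []
    for line in lines:
        host, prog = split_header(line)
        rows.append((host, prog, template_path(prog), guarded_path(prog)))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

The guard catches the empty name that produced ".log", but it cannot tell that "1.4.1" and "message" come from mis-split headers; those need a fix on the parsing or sending side.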