From David_Greco at harte-hanks.com Mon Jun 2 15:19:51 2008
From: David_Greco at harte-hanks.com (David_Greco at harte-hanks.com)
Date: Mon, 2 Jun 2008 09:19:51 -0400
Subject: [rsyslog] Remote Logging Issues
Message-ID:

So I've enabled rsyslog on many of my servers to log to a centralized server. I have them configured to use TCP. This weekend during a disaster response test, the remote logging server was downed. At that point, the clients sending log messages had major difficulties. SSH logins started hanging up, anything writing to the log just sat there. I turned the remote logging server back on and all was well. How can I fix this? I have switched to UDP logging for now, but would like to return to TCP logging as I would like to do encryption of the log stream.

~Dave

From rgerhards at hq.adiscon.com Mon Jun 2 15:43:46 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 2 Jun 2008 15:43:46 +0200
Subject: [rsyslog] Remote Logging Issues
In-Reply-To:
References:
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30911C@grfint2.intern.adiscon.com>

Hi Dave,

that's a downside of reliable logging - if you make the system wait for the remote server. In rsyslog, you can have a queue in front of the logging action. That should solve the problem. Real-world feedback is appreciated. A setup is (commented out) in the sample rsyslog.conf:

http://git.adiscon.com/?p=rsyslog.git;a=blob;f=rsyslog.conf;h=9a91823ca7c96c246936381b203770c08b433f7d;hb=HEAD

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of David_Greco at harte-hanks.com
> Sent: Monday, June 02, 2008 3:20 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Remote Logging Issues
>
> So I've enabled rsyslog on many of my servers to log to a centralized
> server. I have them configured to use TCP. This weekend during a
> disaster
> response test, the remote logging server was downed.
> At that point, the
> clients sending log messages had major difficulties. SSH logins started
> hanging up, anything writing to the log just sat there. I turned the
> remote logging server back on and all was well. How can I fix this? I
> have
> switched to UDP logging for now, but would like to return to TCP
> logging
> as I would like to do encryption of the log stream.
>
> ~Dave
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From linuxweb at gmail.com Tue Jun 3 21:09:28 2008
From: linuxweb at gmail.com (Johnny Tan)
Date: Tue, 03 Jun 2008 15:09:28 -0400
Subject: [rsyslog] Create log files based on host name
In-Reply-To: <483A637A.3090009@tengblad.net>
References: <483A637A.3090009@tengblad.net>
Message-ID: <484596E8.8040206@gmail.com>

Erik Tengblad wrote:
> Hello all,
>
> First of all, let me apologize in advance for the somewhat newbie-ish
> nature of this question. I'm sure there's an easy way to solve my
> problem, but I've been looking for an answer for weeks now without being
> able to find one.

Seeing no one has yet replied, let me give this a shot (just got back from vaca, else I would've replied earlier).

> 1) All the log files are written per host. IE, we want rsyslog to write
> separate log files based on the host from which the logs are being sent.
> Say we have 10 machines, each called host01 to host 10. We want all the
> log information from host01 to be written to /var/log/host01/logfile.log
> and so on. We've tried achieving this using templates and the :hostname,
> isqueal, "host01" feature, but we just can't get it to work. Most likely
> we've not used the correct syntax in the rsyslog.conf file.

$template HostMessages, "/var/log/%HOSTNAME%/logfile.log"

> 2) We want all log information containing a certain string to be written
> to separate log files as well.
> So everything containing 'zyx' should be
> written to /var/log/host01/zyx.log and everything containing 'abc'
> should be written to /var/log/host01/abc.log and so on.

I think you'd need two templates:
$template HostAbcMessages, "/var/log/%HOSTNAME%/abc.log"
$template HostZyxMessages, "/var/log/%HOSTNAME%/zyx.log"

:msg, contains, "abc"
*.* ?HostAbcMessages

:msg, contains, "zyx"
*.* ?HostZyxMessages

johnn

From rgerhards at hq.adiscon.com Tue Jun 3 21:39:38 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 3 Jun 2008 21:39:38 +0200
Subject: [rsyslog] Create log files based on host name
In-Reply-To: <484596E8.8040206@gmail.com>
References: <483A637A.3090009@tengblad.net> <484596E8.8040206@gmail.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA309131@grfint2.intern.adiscon.com>

Sorry, looks like I overlooked this message before. But Johnn has provided a perfect answer :)

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Johnny Tan
> Sent: Tuesday, June 03, 2008 9:09 PM
> To: rsyslog-users; erik at tengblad.net
> Subject: Re: [rsyslog] Create log files based on host name
>
> Erik Tengblad wrote:
> > Hello all,
> >
> > First of all, let me apologize in advance for the somewhat
> newbie-ish
> > nature of this question. I'm sure there's an easy way to solve my
> > problem, but I've been looking for an answer for weeks now
> without being
> > able to find one.
>
> Seeing no one has yet replied, let me give this a shot (just
> got back from vaca, else I would've replied earlier).
>
>
> > 1) All the log files are written per host. IE, we want
> rsyslog to write
> > separate log files based on the host from which the logs
> are being sent.
> > Say we have 10 machines, each called host01 to host 10. We
> want all the
> > log information from host01 to be written to
> /var/log/host01/logfile.log
> > and so on.
> > We've tried achieving this using templates and
> the :hostname,
> > isqueal, "host01" feature, but we just can't get it to
> work. Most likely
> > we've not used the correct syntax in the rsyslog.conf file.
>
> $template HostMessages, "/var/log/%HOSTNAME%/logfile.log"
>
>
> > 2) We want all log information containing a certain string
> to be written
> > to separate log files as well. So everything containing
> 'zyx' should be
> > written to /var/log/host01/zyx.log and everything containing 'abc'
> > should be written to /var/log/host01/abc.log and so on.
>
> I think you'd need two templates:
> $template HostAbcMessages, "/var/log/%HOSTNAME%/abc.log"
> $template HostZyxMessages, "/var/log/%HOSTNAME%/zyx.log"
>
> :msg, contains, "abc"
> *.* ?HostAbcMessages
>
> :msg, contains, "zyx"
> *.* ?HostZyxMessages
>
>
> johnn
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
>

From Samuel.Kielek at marriott.com Thu Jun 5 16:56:08 2008
From: Samuel.Kielek at marriott.com (Kielek, Samuel)
Date: Thu, 5 Jun 2008 10:56:08 -0400
Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
Message-ID: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>

I'm trying to set up a central loghost (UDP and TCP) using the version included in RHEL. I've come up with several partially working configs but none work exactly as I need.

As of RHEL 5.2 rsyslog is now included, which is great news. Here's the version:

$ rpm -q rsyslog
rsyslog-2.0.0-11.el5

$ /sbin/rsyslogd -v
rsyslogd 2.0.0, compiled with:
FEATURE_PTHREADS (dual-threading): Yes
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
SYSLOG_INET (Internet/remote support): Yes
FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
FEATURE_DEBUG (debug build, slow code): No

See http://www.rsyslog.com for more information.

In a nutshell, here's what I need my config to have:

1.) TCP and UDP logging

2.) Local messages from the loghost itself go to /var/log/...

3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...

4.) Additionally, I have several logs that are matched on the message content and go into separate log files.

5.) All messages go into a named pipe (which a 3rd party security tool reads from and analyzes the data)

From the above, numbers 2, 3 and 4 are the ones I'm having trouble with. Individually I can make each work but getting them all working in harmony has been a bit of a battle... I want to avoid duplicate logging so that the local loghost logs are in /var and remote logs in /syslog. Additionally, the messages that are matched on their content I want to ONLY show up in the files designated for them. However, the named pipe should get everything.

If anyone has a similar config for this version of rsyslog that they could share I'd appreciate it immensely.

Thanks,
Sam

From rgerhards at hq.adiscon.com Thu Jun 5 17:15:34 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 5 Jun 2008 17:15:34 +0200
Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
In-Reply-To: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>
References: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30917D@grfint2.intern.adiscon.com>

I have no config but at least some quick ideas. Organize the config file as such: General settings (like $ModLoad) should go first. Then, actions that should always happen should come first. At the bottom of the file should be actions that occur only once. Use the discard action ~ (tilde) to get rid of those messages that you already processed and no longer need to care about.
A quick sample might be this (just with files, but I hope it gets the idea):

*.* /file-always
*.info /file-info
*.info ~ # discard these message - end of processing for them
*.* /file-all-but-info
*.err /file-err
*.err ~ # get rid of err
*.* /file-all-but-info-err

I think this will get you a bit further. In v3, we already have a better way of doing things, but the ultimate solution will be implemented in the coming weeks (full scripting). I understand this is not of help here, but I thought I'd mention it.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Kielek, Samuel
> Sent: Thursday, June 05, 2008 4:56 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> I'm trying to set up a central loghost (UDP and TCP) using the version
> included in RHEL. I've come up with several partially working
> configs but none work exactly as I need.
>
> As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
> version:
>
>
> $ rpm -q rsyslog
> rsyslog-2.0.0-11.el5
>
> $ /sbin/rsyslogd -v
> rsyslogd 2.0.0, compiled with:
> FEATURE_PTHREADS (dual-threading): Yes
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: Yes
> FEATURE_NETZIP (message compression): Yes
> SYSLOG_INET (Internet/remote support): Yes
> FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
> FEATURE_DEBUG (debug build, slow code): No
>
> See http://www.rsyslog.com for more information.
>
>
>
> In a nutshell, here's what I need my config to have:
>
> 1.) TCP and UDP logging
>
> 2.) Local messages from the loghost itself go to /var/log/...
>
> 3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
>
> 4.) Additionally, I have several logs that are matched on the message
> content and go into separate log files.
>
> 5.) All messages go into a named pipe (which a 3rd party security tool
> reads from and analyzes the data)
>
> From the above, numbers 2, 3 and 4 are the ones I'm having trouble
> with. Individually I can make each work but getting them all working in
> harmony has been a bit of a battle... I want to avoid duplicate logging
> so that the local loghost logs are in /var and remote logs in /syslog.
> Additionally, the messages that are matched on their content I want to
> ONLY show up in the files designated for them. However, the named pipe
> should get everything.
>
> If anyone has a similar config for this version of rsyslog that they
> could share I'd appreciate it immensely.
>
> Thanks,
> Sam
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From Samuel.Kielek at marriott.com Thu Jun 5 20:36:37 2008
From: Samuel.Kielek at marriott.com (Kielek, Samuel)
Date: Thu, 5 Jun 2008 14:36:37 -0400
Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA30917D@grfint2.intern.adiscon.com>
References: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com> <577465F99B41C842AAFBE9ED71E70ABA30917D@grfint2.intern.adiscon.com>
Message-ID: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79C1E@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>

Thanks, but I still don't know how to separate out the local and remote logs. I tried using expression based filters but didn't have much success.
For example these config lines:

# Log remotely generated authpriv messages to /syslog
$template r_secure, "/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure.log"
if $source != 'localhost' and $syslogfacility-text == 'authpriv' then -?r_secure

Cause these errors:

Jun 5 14:24:27 ncldl38011 rsyslogd:unknown priority name ""
Jun 5 14:24:27 ncldl38011 rsyslogd:the last error occured in /etc/rsyslog.conf, line 25
Jun 5 14:24:27 ncldl38011 rsyslogd:warning: selector line without actions will be discarded

Not sure if it's something with my syntax or is it just that this version of rsyslog doesn't (fully) support this. I'm assuming it's not supported since the error seems to indicate that it is interpreting that expression filter line as a standard selector type filter.

Thanks,
Sam

-----Original Message-----
From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, June 05, 2008 11:16 AM
To: rsyslog-users
Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog

I have no config but at least some quick ideas. Organize the config file as such: General settings (like $ModLoad) should go first. Then, actions that should always happen should come first. At the bottom of the file should be actions that occur only once. Use the discard action ~ (tilde) to get rid of those messages that you already processed and no longer need to care about.

A quick sample might be this (just with files, but I hope it gets the idea):

*.* /file-always
*.info /file-info
*.info ~ # discard these message - end of processing for them
*.* /file-all-but-info
*.err /file-err
*.err ~ # get rid of err
*.* /file-all-but-info-err

I think this will get you a bit further. In v3, we already have a better way of doing things, but the ultimate solution will be implemented in the coming weeks (full scripting). I understand this is not of help here, but I thought I'd mention it.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Kielek, Samuel
> Sent: Thursday, June 05, 2008 4:56 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> I'm trying to set up a central loghost (UDP and TCP) using the version
> included in RHEL. I've come up with several partially working
> configs but none work exactly as I need.
>
> As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
> version:
>
>
> $ rpm -q rsyslog
> rsyslog-2.0.0-11.el5
>
> $ /sbin/rsyslogd -v
> rsyslogd 2.0.0, compiled with:
> FEATURE_PTHREADS (dual-threading): Yes
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: Yes
> FEATURE_NETZIP (message compression): Yes
> SYSLOG_INET (Internet/remote support): Yes
> FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
> FEATURE_DEBUG (debug build, slow code): No
>
> See http://www.rsyslog.com for more information.
>
>
>
> In a nutshell, here's what I need my config to have:
>
> 1.) TCP and UDP logging
>
> 2.) Local messages from the loghost itself go to /var/log/...
>
> 3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
>
> 4.) Additionally, I have several logs that are matched on the message
> content and go into separate log files.
>
> 5.) All messages go into a named pipe (which a 3rd party security tool
> reads from and analyzes the data)
>
> From the above, numbers 2, 3 and 4 are the ones I'm having trouble
> with. Individually I can make each work but getting them all working in
> harmony has been a bit of a battle... I want to avoid duplicate logging
> so that the local loghost logs are in /var and remote logs in /syslog.
> Additionally, the messages that are matched on their content I want to
> ONLY show up in the files designated for them. However, the named pipe
> should get everything.
>
> If anyone has a similar config for this version of rsyslog that they
> could share I'd appreciate it immensely.
>
> Thanks,
> Sam
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

From samuel at dragonboricua.net Thu Jun 5 23:59:07 2008
From: samuel at dragonboricua.net (Elisamuel Resto)
Date: Thu, 05 Jun 2008 17:59:07 -0400
Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
In-Reply-To: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79C1E@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>
References: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com> <577465F99B41C842AAFBE9ED71E70ABA30917D@grfint2.intern.adiscon.com> <140D865F4BA13C4B9D3AFEFEAD1EA53205E79C1E@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>
Message-ID: <484861AB.6000404@dragonboricua.net>

Kielek, Samuel wrote:
> Thanks, but I still don't know how to separate out the local and remote
> logs. I tried using expression based filters but didn't have much
> success. For example these config lines:
>
> # Log remotely generated authpriv messages to /syslog
> $template r_secure,
> "/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure.log"
> if $source != 'localhost' and $syslogfacility-text == 'authpriv' then
> -?r_secure
>
> Cause these errors:
>
> Jun 5 14:24:27 ncldl38011 rsyslogd:unknown priority name ""
> Jun 5 14:24:27 ncldl38011 rsyslogd:the last error occured in
> /etc/rsyslog.conf, line 25
> Jun 5 14:24:27 ncldl38011 rsyslogd:warning: selector line without
> actions will be discarded
>
> Not sure if it's something with my syntax or is it just that this
> version of rsyslog doesn't (fully) support this. I'm assuming it's not
> supported since the error seems to indicate that it is interpreting that
> expression filter line as a standard selector type filter.
>
> Thanks,
> Sam

Have you seen this:
http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory

--
Elisamuel Resto
Source Mage Developer / http://sourcemage.org
GPG KEY: 18615F19 / http://simplysam.us

From rgerhards at hq.adiscon.com Fri Jun 6 10:15:57 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 6 Jun 2008 10:15:57 +0200
Subject: [rsyslog] sourceforge community awards
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30918E@grfint2.intern.adiscon.com>

Hi all,

This is one of these little intrusive non-technical mails ;) I've just seen that Sourceforge does its "Community Awards". To be honest, I don't know if it's actually such a big thing, but it wouldn't hurt if someone (or even few) nominated rsyslog ;)

For details, please visit

http://sourceforge.net/community/wp-content/uploads/2008/06/nominate.htm
l

Thanks,
Rainer

From friedl at hq.adiscon.com Fri Jun 6 12:22:17 2008
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Fri, 6 Jun 2008 12:22:17 +0200
Subject: [rsyslog] rsyslog 3.19.6 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30919A@grfint2.intern.adiscon.com>

Hi all,

I have just released rsyslog 3.19.6. This is primarily a bug-fixing release. It solves a couple of issues in the TLS implementation including one bug that could lead to peer authentication failures. The release also provides enhanced regular expression support inside fields, where now multiple matches are supported. This is a recommended release for all development branch users.

Download:
http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-111.phtml

Changelog:
http://www.rsyslog.com/Article238.phtml

As always, feedback is appreciated.

Florian Riedl

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment.
Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html .

From Samuel.Kielek at marriott.com Fri Jun 6 13:32:12 2008
From: Samuel.Kielek at marriott.com (Kielek, Samuel)
Date: Fri, 6 Jun 2008 07:32:12 -0400
Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
In-Reply-To: <484861AB.6000404@dragonboricua.net>
References: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com> <577465F99B41C842AAFBE9ED71E70ABA30917D@grfint2.intern.adiscon.com><140D865F4BA13C4B9D3AFEFEAD1EA53205E79C1E@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com> <484861AB.6000404@dragonboricua.net>
Message-ID: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79D37@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>

Yes, but I believe the issue is that the rsyslog that ships with RHEL5 is from the v2-stable tree. For that config to work it would need to be from the v3 tree.

At this point I have just settled for having everything (local + remote) under one directory structure which is working nicely.

-Sam

-----Original Message-----
From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Elisamuel Resto
Sent: Thursday, June 05, 2008 5:59 PM
To: rsyslog at lists.adiscon.com
Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog

Kielek, Samuel wrote:
> Thanks, but I still don't know how to separate out the local and remote
> logs. I tried using expression based filters but didn't have much
> success.
> For example these config lines:
>
> # Log remotely generated authpriv messages to /syslog
> $template r_secure,
> "/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure.log"
> if $source != 'localhost' and $syslogfacility-text == 'authpriv' then
> -?r_secure
>
> Cause these errors:
>
> Jun 5 14:24:27 ncldl38011 rsyslogd:unknown priority name ""
> Jun 5 14:24:27 ncldl38011 rsyslogd:the last error occured in
> /etc/rsyslog.conf, line 25
> Jun 5 14:24:27 ncldl38011 rsyslogd:warning: selector line without
> actions will be discarded
>
> Not sure if it's something with my syntax or is it just that this
> version of rsyslog doesn't (fully) support this. I'm assuming it's not
> supported since the error seems to indicate that it is interpreting that
> expression filter line as a standard selector type filter.
>
> Thanks,
> Sam

Have you seen this:
http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory

--
Elisamuel Resto
Source Mage Developer / http://sourcemage.org
GPG KEY: 18615F19 / http://simplysam.us
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Fri Jun 6 14:17:42 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 6 Jun 2008 14:17:42 +0200
Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
In-Reply-To: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79D37@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>
References: <140D865F4BA13C4B9D3AFEFEAD1EA53205E79B07@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com> <577465F99B41C842AAFBE9ED71E70ABA30917D@grfint2.intern.adiscon.com><140D865F4BA13C4B9D3AFEFEAD1EA53205E79C1E@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com><484861AB.6000404@dragonboricua.net> <140D865F4BA13C4B9D3AFEFEAD1EA53205E79D37@HDQNCEXCL1V2.mihdq.marrcorp.marriott.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30919E@grfint2.intern.adiscon.com>

Hi Sam,

if you can provide me with a (partial) sample of your config, I could try to re-arrange it. You can also mail it privately to me.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Kielek, Samuel
> Sent: Friday, June 06, 2008 1:32 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> Yes, but I believe the issue is that the rsyslog that ships with RHEL5
> is from the v2-stable tree. For that config to work it would need to be
> from the v3 tree.
>
> At this point I have just settled for having everything (local +
> remote)
> under one directory structure which is working nicely.
>
> -Sam
>
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Elisamuel Resto
> Sent: Thursday, June 05, 2008 5:59 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> Kielek, Samuel wrote:
> > Thanks, but I still don't know how to separate out the local and
> remote
> > logs. I tried using expression based filters but didn't have much
> > success. For example these config lines:
> >
> > # Log remotely generated authpriv messages to /syslog
> > $template r_secure,
> > "/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure.log"
> > if $source != 'localhost' and $syslogfacility-text == 'authpriv' then
> > -?r_secure
> >
> > Cause these errors:
> >
> > Jun 5 14:24:27 ncldl38011 rsyslogd:unknown priority name ""
> > Jun 5 14:24:27 ncldl38011 rsyslogd:the last error occured in
> > /etc/rsyslog.conf, line 25
> > Jun 5 14:24:27 ncldl38011 rsyslogd:warning: selector line without
> > actions will be discarded
> >
> > Not sure if it's something with my syntax or is it just that this
> > version of rsyslog doesn't (fully) support this. I'm assuming it's
> not
> > supported since the error seems to indicate that it is interpreting
> that
> > expression filter line as a standard selector type filter.
> >
> > Thanks,
> > Sam
>
>
> Have you seen this:
> http://wiki.rsyslog.com/index.php/Sysklogd_drop-
> in_with_remote_logs_sepa
> rated_by_dynamic_directory
>
> --
> Elisamuel Resto
> Source Mage Developer / http://sourcemage.org
> GPG KEY: 18615F19 / http://simplysam.us
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From maurizio.rottin at gmail.com Fri Jun 6 22:33:41 2008
From: maurizio.rottin at gmail.com (Maurizio Rottin)
Date: Fri, 6 Jun 2008 22:33:41 +0200
Subject: [rsyslog] sourceforge community awards
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA30918E@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA30918E@grfint2.intern.adiscon.com>
Message-ID:

2008/6/6 Rainer Gerhards :
> For details, please visit
>
> http://sourceforge.net/community/wp-content/uploads/2008/06/nominate.htm
> l

that link does not work for me (gives error 404)

--
mr

From samuel at dragonboricua.net Fri Jun 6 23:35:07 2008
From: samuel at dragonboricua.net (Elisamuel Resto)
Date: Fri, 06 Jun 2008 17:35:07 -0400
Subject: [rsyslog] sourceforge community awards
In-Reply-To:
References: <577465F99B41C842AAFBE9ED71E70ABA30918E@grfint2.intern.adiscon.com>
Message-ID: <4849AD8B.9070009@dragonboricua.net>

Maurizio Rottin wrote:
> 2008/6/6 Rainer Gerhards :
>> For details, please visit
>>
>> http://sourceforge.net/community/wp-content/uploads/2008/06/nominate.htm
>> l
>
> that link does not work for me (gives error 404)
>

it ends in .html but the l is on a newline.
Maybe this link won't wrap:

http://sourceforge.net/community/wp-content/uploads/2008/06/nominate.html

--
Elisamuel Resto
Source Mage Developer / http://sourcemage.org
GPG KEY: 18615F19 / http://simplysam.us

From theinric at redhat.com Mon Jun 9 16:52:06 2008
From: theinric at redhat.com (theinric at redhat.com)
Date: Mon, 09 Jun 2008 16:52:06 +0200
Subject: [rsyslog] imklog symbol translation
Message-ID: <484D4396.1040108@redhat.com>

Hi all,

I want to propose that the symbol translation in imklog is disabled by default. The 2.6.x kernels do the translation automatically, so it seems unnecessary to enable it in imklog. Does anyone know a reason why it shouldn't be changed?

Regards,
Tomas

From rgerhards at hq.adiscon.com Mon Jun 9 16:56:08 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 9 Jun 2008 16:56:08 +0200
Subject: [rsyslog] imklog symbol translation
In-Reply-To: <484D4396.1040108@redhat.com>
References: <484D4396.1040108@redhat.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA3091B8@grfint2.intern.adiscon.com>

Please let me add that the symbol translation code inside imklog is inherited from sysklogd. The BSD driver does not at all try to translate the symbols (because the BSD syslogd did not do that).

I personally consider it even partly evil to do the symbol translation - I supported it, because the original sysklogd did. From the designer's point of view, translation code is not really a syslog functionality - it belongs into the kernel or loader space. If a recent enough kernel now supports the translation natively, I would even recommend to DROP the code altogether (maybe after some period of being off by default). That would also result in a good cleanup of MOST of the imklog code (and code, as I said, that actually belongs to a different computing domain).

Feedback deeply appreciated.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of theinric at redhat.com
> Sent: Monday, June 09, 2008 4:52 PM
> To: rsyslog-users
> Subject: [rsyslog] imklog symbol translation
>
> Hi all,
>
> I want to propose that the symbol translation in imklog is disabled by
> default. The 2.6.x kernels do the translation automatically, so it
> seems unnecessary to enable it in imklog. Does anyone know a reason
> why it shouldn't be changed?
>
> Regards,
> Tomas
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From aoz.syn at gmail.com Tue Jun 10 00:29:00 2008
From: aoz.syn at gmail.com (RB)
Date: Mon, 9 Jun 2008 16:29:00 -0600
Subject: [rsyslog] imklog symbol translation
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA3091B8@grfint2.intern.adiscon.com>
References: <484D4396.1040108@redhat.com> <577465F99B41C842AAFBE9ED71E70ABA3091B8@grfint2.intern.adiscon.com>
Message-ID: <4255c2570806091529v3614451fvfe1e4c5d73cba317@mail.gmail.com>

> now supports the translation natively, I would even recommend to DROP
> the code altogether (maybe after some period of being off by default).
> That would also result in a good cleanup of MOST of the imklog code (and
> code, as I said, that actually belongs to a different computing domain).

I guess my question would be what valid reasons there could be for retaining the functionality, turned off or not. Appropriately placed or not, could anyone provide justification for leaving that bit in? If the end result is getting rid of it, turning it off by default may be a start but should come with a hard deadline of complete removal - we all know how unused code rots.
From friedl at hq.adiscon.com Wed Jun 11 18:16:13 2008
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Wed, 11 Jun 2008 18:16:13 +0200
Subject: [rsyslog] rsyslog 3.19.7 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA3091DD@grfint2.intern.adiscon.com>

Hi all,

we have just released rsyslog 3.19.7. This release provides new functionality. The reliability of plain TCP syslog has been improved. Also, rsyslog is now tickless in the most common configuration, helping to save the environment. A new property replacer option has been added and some general cleanup done. This is a recommended update for all devel branch users.

If you use plain tcp syslog, I suggest having a look at this post on the reliability improvements:

http://blog.gerhards.net/2008/06/reliable-plain-tcp-syslog-once-again.html

In short, be aware that it still isn't perfect and it never will be, because full reliability is impossible with the plain tcp syslog protocol.

Regarding the new tickless configuration and its impact on the environment (or your notebook's battery capacity), you may want to have a look at

http://blog.gerhards.net/2008/06/coding-to-save-environment.html

Download:
http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-112.phtml

Changelog:
http://www.rsyslog.com/Article240.phtml

As always, feedback is appreciated.

Florian Riedl

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html .

From rgerhards at hq.adiscon.com Thu Jun 12 08:00:12 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 12 Jun 2008 08:00:12 +0200
Subject: [rsyslog] imklog symbol translation
In-Reply-To: <4255c2570806091529v3614451fvfe1e4c5d73cba317@mail.gmail.com>
References: <484D4396.1040108@redhat.com><577465F99B41C842AAFBE9ED71E70ABA3091B8@grfint2.intern.adiscon.com> <4255c2570806091529v3614451fvfe1e4c5d73cba317@mail.gmail.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA3091E3@grfint2.intern.adiscon.com>

I will now change the default starting in the beta (3.16.2). I'll also
schedule this feature for removal - maybe with 4.x.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of RB
> Sent: Tuesday, June 10, 2008 12:29 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] imklog symbol translation
>
> > now supports the translation natively, I would even recommend to DROP
> > the code altogether (maybe after some period of being off by default).
> > That would also result in a good cleanup of MOST of the imklog code (and
> > code, as I said, that actually belongs to a different computing domain).
>
> I guess my question would be what valid reasons there could be for
> retaining the functionality, turned off or not. Appropriately placed
> or not, could anyone provide justification for leaving that bit in?
> If the end result is getting rid of it, turning it off by default may
> be a start but should come with a hard deadline of complete removal -
> we all know how unused code rots.

From rgerhards at hq.adiscon.com Thu Jun 12 08:05:53 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 12 Jun 2008 08:05:53 +0200
Subject: [rsyslog] imklog symbol translation
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA3091E3@grfint2.intern.adiscon.com>
References: <484D4396.1040108@redhat.com><577465F99B41C842AAFBE9ED71E70ABA3091B8@grfint2.intern.adiscon.com><4255c2570806091529v3614451fvfe1e4c5d73cba317@mail.gmail.com> <577465F99B41C842AAFBE9ED71E70ABA3091E3@grfint2.intern.adiscon.com>
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA3091E4@grfint2.intern.adiscon.com>

> I will now change the default starting in the beta (3.16.2). I'll also
> schedule this feature for removal - maybe with 4.x.

Ummmm... of course, I meant 3.17.4 (3.16 is the current stable).

> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of RB
> > Sent: Tuesday, June 10, 2008 12:29 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] imklog symbol translation
> >
> > > now supports the translation natively, I would even recommend to DROP
> > > the code altogether (maybe after some period of being off by default).
> > > That would also result in a good cleanup of MOST of the imklog code (and
> > > code, as I said, that actually belongs to a different computing domain).
> >
> > I guess my question would be what valid reasons there could be for
> > retaining the functionality, turned off or not. Appropriately placed
> > or not, could anyone provide justification for leaving that bit in?
> > If the end result is getting rid of it, turning it off by default may
> > be a start but should come with a hard deadline of complete removal -
> > we all know how unused code rots.

From friedl at hq.adiscon.com Mon Jun 16 12:34:47 2008
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Mon, 16 Jun 2008 12:34:47 +0200
Subject: [rsyslog] rsyslog 3.17.4 (beta) released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30920B@grfint2.intern.adiscon.com>

Hi all,

rsyslog 3.17.4, an update of the beta branch, has been released.

This version fixes a problem with klog symbol lookup on newer kernels.
Recent kernels do the symbol lookup themselves. The default behavior of
imklog was to also do the symbol lookup. This uncoordinated dual-lookup
caused the symbol information to be destroyed. This has been fixed by
changing imklog's default to not do any lookup. The lookup functionality
as a whole has been deprecated and is scheduled to be removed with the
next version.

Download:
http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-113.phtml

Changelog:
http://www.rsyslog.com/Article242.phtml

As always, feedback is very appreciated.

Florian Riedl

From rgerhards at hq.adiscon.com Wed Jun 25 15:11:37 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 25 Jun 2008 15:11:37 +0200
Subject: [rsyslog] rsyslog 3.16.2 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA3092A4@grfint2.intern.adiscon.com>

Hi all,

I have just released rsyslog 3.16.2, a version of the v3-stable branch.
It contains some bug fixes which mostly affect the initial startup. This
is a recommended update for all v3-stable branch users.

ChangeLog:
http://www.rsyslog.com/Article244.phtml

Download:
http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-114.phtml

Please note that this is most probably the last 3.16 version. The
current beta will soon turn into the next v3-stable (with one more
bugfixing update due to the current beta).

I hope this release is useful. As always, feedback is appreciated.

Best regards,
Rainer Gerhards

From rgerhards at hq.adiscon.com Fri Jun 27 17:23:54 2008
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 27 Jun 2008 17:23:54 +0200
Subject: [rsyslog] rsyslog 3.17.5 (beta) released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA3092D0@grfint2.intern.adiscon.com>

Hi all,

I have just released rsyslog 3.17.5, an update of the beta branch. It
contains improved documentation on setting up a reliable logging system
as well as a fix for invalid treatment of comments in rsyslog.conf. This
is a recommended update for all beta branch users.

ChangeLog:
http://www.rsyslog.com/Article246.phtml

Download:
http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-115.phtml

I hope this release is useful. Expect a new devel early next week.

Rainer