From sivan at omniqueue.com Wed Sep 1 11:13:11 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Wed, 1 Sep 2010 12:13:11 +0300
Subject: [rsyslog] Snippet for MainQueue not parsed
Message-ID: 

Hi,

I am trying the following in order to make the main queue more reliable than the default (as per Rainer's recommendations):

$WorkDirectory /root/rsyslog/spool

$MainQueueSaveOnShutDown on
$MainQueueType LinkedList
$MainQueueFileName mainq
$MainQueueSize 100
$MainQueueHighWatermark 10
$MainQueueLowWatermark 2
$MainQueueMaxDiskSpace 1G

However, it seems that every directive is hitting a config error or is unrecognized; what's the way to make this work?

Thanks,

-Sivan

From rgerhards at hq.adiscon.com Wed Sep 1 12:10:47 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 12:10:47 +0200
Subject: [rsyslog] server migration
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD295@GRFEXC.intern.adiscon.com>

Hi all,

I just wanted to make you aware that our infrastructure folks are moving some services to a new (faster) server. Among these is almost all infrastructure for rsyslog, like the mailing list, web site and public git. I was promised that we will have no noticeable service interruption. But I still thought I'd let you know ;)

Should you notice a problem that persists for more than half an hour, it would be good if you could email me an alert.

Thanks,
Rainer

From sivan at omniqueue.com Wed Sep 1 13:20:00 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Wed, 1 Sep 2010 14:20:00 +0300
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com>
Message-ID: 

Hi Rainer,

So I tried following your suggestions but can't seem to make the MainMsgQueue go to disk under any condition. I want to make it use the disk for some of the msgs at least, so if power goes off, some msgs are kept.

However, this does not seem to happen even when setting the MainMsgQueue to be DA or Disk only; in DA mode I used quite restrictive watermarks that I hope will cause it to spool to disk:

$WorkDirectory /root/rsyslog/spool
# $MainMsgQueueType Disk
$MainMsgQueueSaveOnShutDown on
$MainMsgQueueType LinkedList
$MainMsgQueueFileName mainq
$MainMsgQueueSize 5
$MainMsgQueueHighWatermark 4
$MainMsgQueueLowWatermark 2
$MainMsgQueueMaxDiskSpace 1g

When commenting the "type" : "disk" there's still no change in behavior. To test it I do something like:
for i in $(seq 1 10000); do logger test$i; done

Any idea what needs to be done to make it use the disk for at least 50%-70% of the msgs?

-Sivan

On Mon, Aug 30, 2010 at 9:19 AM, Rainer Gerhards wrote:
> Hi Sivan,
>
> the main message queue supports the same set of properties and capabilities
> like the action queue. The directives just start with $MainMsg... instead of
> $Action...
>
> So you can set the main queue to pure disk mode as well.
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
>> Sent: Sunday, August 29, 2010 10:44 AM
>> To: rsyslog at lists.adiscon.com
>> Subject: [rsyslog] Reducing the time a msg spends in the main
>> unreliablemain queue to a minimum.
>>
>> Hi List,
>>
>> I have some critical msgs being transferred using rsyslog. Hence, I
>> would like to minimize the time a msg spends in the unreliable by
>> definition main queue.
>> My understanding is that only action queues
>> which are where msgs arrive when dispatched from main queue can be
>> set to be disk only. Therefore my assumption that only they can be made
>> truly reliable.
>>
>> Any suggestions / feedback will be highly appreciated.
>>
>> -Sivan
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>

From rgerhards at hq.adiscon.com Wed Sep 1 13:21:58 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 13:21:58 +0200
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>

This sounds like a bug. Could you provide me a debug log?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> Sent: Wednesday, September 01, 2010 1:20 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
> unreliablemain queue to a minimum.
>
> Hi Rainer,
>
> So I tried following your suggestions but can't seem to make the
> MainMsgQueue go to disk at no condition, I want to make it use the
> disk for some of the msgs at least , so if power goes off, some msgs
> are kept.
>
> However, this does not seem to happen even when setting the
> MainMsgQueue to be DA or Disk only, in DA mode I used quite
> restrictive watermarks that I hope will cause it to spool to disk:
>
> $WorkDirectory /root/rsyslog/spool
> # $MainMsgQueueType Disk
> $MainMsgQueueSaveOnShutDown on
> $MainMsgQueueType LinkedList
> $MainMsgQueueFileName mainq
> $MainMsgQueueSize 5
> $MainMsgQueueHighWatermark 4
> $MainMsgQueueLowWatermark 2
> $MainMsgQueueMaxDiskSpace 1g
>
>
> When commenting the "type" : "disk" there's still no change in
> behavior. To test it I do something like:
> for i in $(seq 1 10000); do logger test$i; done
>
> Any idea what needs to be done to make it use the disk for at least
> 50%-70% of the msgs?
>
> -Sivan
>
> On Mon, Aug 30, 2010 at 9:19 AM, Rainer Gerhards
> wrote:
> > Hi Sivan,
> >
> > the main message queue supports the same set of properties and
> capabilities
> > like the action queue. The directives just start with $MainMsg...
> instead of
> > $Action...
> >
> > So you can set the main queue to pure disk mode as well.
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> >> Sent: Sunday, August 29, 2010 10:44 AM
> >> To: rsyslog at lists.adiscon.com
> >> Subject: [rsyslog] Reducing the time a msg spends in the main
> >> unreliablemain queue to a minimum.
> >>
> >> Hi List,
> >>
> >> I have some critical msgs being transferred using rsyslog. Hence, I
> >> would like to minimize the time a msg spends in the unreliable by
> >> definition main queue. My understanding is that only action queues
> >> which are where msgs arrive when dispatched from main queue can be
> >> set to be disk only. Therefor my assumption that only they can be
> made
> >> truly reliable.
> >>
> >> Any suggestions / feedback will be highly appreciated.
> >>
> >> -Sivan
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From rgerhards at hq.adiscon.com Wed Sep 1 11:35:19 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 11:35:19 +0200
Subject: [rsyslog] Snippet for MainQueue not parsed
References: 
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD293@GRFEXC.intern.adiscon.com>

As per the queue doc [1], it looks like it is $MainMsg... and not $Main... That's why you get the config errors.

Rainer

[1] http://www.rsyslog.com/doc/queues.html

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> Sent: Wednesday, September 01, 2010 11:13 AM
> To: rsyslog-users
> Subject: [rsyslog] Snippet for MainQueue not parsed
>
> Hi,
>
> I am trying to following in order to make the main queue more
> reliable than the default (as per Rainer's recommendations):
>
>
> $WorkDirectory /root/rsyslog/spool
>
>
> $MainQueueSaveOnShutDown on
> $MainQueueType LinkedList
> $MainQueueFileName mainq
> $MainQueueSize 100
> $MainQueueHighWatermark 10
> $MainQueueLowWatermark 2
> $MainQueueMaxDiskSpace 1G
>
>
> However, it seems that every directive is hitting a config error or is
> unrecognized, what's the way to make this work?
>
> Thanks,
>
> -Sivan
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From sivan at omniqueue.com Wed Sep 1 14:09:54 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Wed, 1 Sep 2010 15:09:54 +0300
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>
Message-ID: 

What do you mean by debug log? Can rsyslog produce a debug log of itself? If so, please tell me how :-)

-Sivan

On Wed, Sep 1, 2010 at 2:21 PM, Rainer Gerhards wrote:
> This sounds like a bug. Could you provide me a debug log?
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
>> Sent: Wednesday, September 01, 2010 1:20 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
>> unreliablemain queue to a minimum.
>>
>> Hi Rainer,
>>
>> So I tried following your suggestions but can't seem to make the
>> MainMsgQueue go to disk at no condition, I want to make it use the
>> disk for some of the msgs at least , so if power goes off, some msgs
>> are kept.
>>
>> However, this does not seem to happen even when setting the
>> MainMsgQueue to be DA or Disk only, in DA mode I used quite
>> restrictive watermarks that I hope will cause it to spool to disk:
>>
>> $WorkDirectory /root/rsyslog/spool
>> # $MainMsgQueueType Disk
>> $MainMsgQueueSaveOnShutDown on
>> $MainMsgQueueType LinkedList
>> $MainMsgQueueFileName mainq
>> $MainMsgQueueSize 5
>> $MainMsgQueueHighWatermark 4
>> $MainMsgQueueLowWatermark 2
>> $MainMsgQueueMaxDiskSpace 1g
>>
>>
>> When commenting the "type" : "disk" there's still no change in
>> behavior. To test it I do something like:
>> for i in $(seq 1 10000); do logger test$i; done
>>
>> Any idea what needs to be done to make it use the disk for at least
>> 50%-70% of the msgs?
>>
>> -Sivan
>>
>> On Mon, Aug 30, 2010 at 9:19 AM, Rainer Gerhards
>> wrote:
>> > Hi Sivan,
>> >
>> > the main message queue supports the same set of properties and
>> capabilities
>> > like the action queue. The directives just start with $MainMsg...
>> instead of
>> > $Action...
>> >
>> > So you can set the main queue to pure disk mode as well.
>> >
>> > Rainer
>> >
>> >> -----Original Message-----
>> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
>> >> Sent: Sunday, August 29, 2010 10:44 AM
>> >> To: rsyslog at lists.adiscon.com
>> >> Subject: [rsyslog] Reducing the time a msg spends in the main
>> >> unreliablemain queue to a minimum.
>> >>
>> >> Hi List,
>> >>
>> >> I have some critical msgs being transferred using rsyslog. Hence, I
>> >> would like to minimize the time a msg spends in the unreliable by
>> >> definition main queue. My understanding is that only action queues
>> >> which are where msgs arrive when dispatched from main queue can be
>> >> set to be disk only. Therefor my assumption that only they can be
>> made
>> >> truly reliable.
>> >>
>> >> Any suggestions / feedback will be highly appreciated.
>> >>
>> >> -Sivan
>> >> _______________________________________________
>> >> rsyslog mailing list
>> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> http://www.rsyslog.com
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com
>> >
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>

From rgerhards at hq.adiscon.com Wed Sep 1 14:11:54 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 14:11:54 +0200
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD29E@GRFEXC.intern.adiscon.com>

First hit on Google ;)

http://www.rsyslog.com/doc/troubleshoot.html

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> Sent: Wednesday, September 01, 2010 2:10 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
> unreliablemain queue to a minimum.
>
> What do you mean in debug log? Can rsyslog produce a debug log of
> itself ? If so, please tell me how :-)
>
> -Sivan
>
> On Wed, Sep 1, 2010 at 2:21 PM, Rainer Gerhards
> wrote:
> > This sounds like a bug. Could you provide me a debug log?
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> >> Sent: Wednesday, September 01, 2010 1:20 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
> >> unreliablemain queue to a minimum.
> >>
> >> Hi Rainer,
> >>
> >> So I tried following your suggestions but can't seem to make the
> >> MainMsgQueue go to disk at no condition, I want to make it use the
> >> disk for some of the msgs at least , so if power goes off, some msgs
> >> are kept.
> >>
> >> However, this does not seem to happen even when setting the
> >> MainMsgQueue to be DA or Disk only, in DA mode I used quite
> >> restrictive watermarks that I hope will cause it to spool to disk:
> >>
> >> $WorkDirectory /root/rsyslog/spool
> >> # $MainMsgQueueType Disk
> >> $MainMsgQueueSaveOnShutDown on
> >> $MainMsgQueueType LinkedList
> >> $MainMsgQueueFileName mainq
> >> $MainMsgQueueSize 5
> >> $MainMsgQueueHighWatermark 4
> >> $MainMsgQueueLowWatermark 2
> >> $MainMsgQueueMaxDiskSpace 1g
> >>
> >>
> >> When commenting the "type" : "disk" there's still no change in
> >> behavior. To test it I do something like:
> >> for i in $(seq 1 10000); do logger test$i; done
> >>
> >> Any idea what needs to be done to make it use the disk for at least
> >> 50%-70% of the msgs?
> >>
> >> -Sivan
> >>
> >> On Mon, Aug 30, 2010 at 9:19 AM, Rainer Gerhards
> >> wrote:
> >> > Hi Sivan,
> >> >
> >> > the main message queue supports the same set of properties and
> >> capabilities
> >> > like the action queue. The directives just start with $MainMsg...
> >> instead of
> >> > $Action...
> >> >
> >> > So you can set the main queue to pure disk mode as well.
> >> >
> >> > Rainer
> >> >
> >> >> -----Original Message-----
> >> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> >> >> Sent: Sunday, August 29, 2010 10:44 AM
> >> >> To: rsyslog at lists.adiscon.com
> >> >> Subject: [rsyslog] Reducing the time a msg spends in the main
> >> >> unreliablemain queue to a minimum.
> >> >>
> >> >> Hi List,
> >> >>
> >> >> I have some critical msgs being transferred using rsyslog.
> Hence, I
> >> >> would like to minimize the time a msg spends in the unreliable by
> >> >> definition main queue. My understanding is that only action
> queues
> >> >> which are where msgs arrive when dispatched from main queue can
> be
> >> >> set to be disk only. Therefor my assumption that only they can be
> >> made
> >> >> truly reliable.
> >> >>
> >> >> Any suggestions / feedback will be highly appreciated.
> >> >>
> >> >> -Sivan
> >> >> _______________________________________________
> >> >> rsyslog mailing list
> >> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> >> http://www.rsyslog.com
> >> > _______________________________________________
> >> > rsyslog mailing list
> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > http://www.rsyslog.com
> >> >
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From raubvogel at gmail.com Wed Sep 1 14:11:50 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Wed, 1 Sep 2010 08:11:50 -0400
Subject: [rsyslog] Quick syslog-ng to rsyslog question
Message-ID: 

This is a fragment of the
syslog-ng.conf code I am converting to rsyslog.conf:

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
};

destination remote {
        tcp("127.0.0.1" port(514));
};

# Send _everything_ to the remote log server, no filters
log { source(src); destination(remote); flags(flow-control); };

What would be the best way to do the same in rsyslog?

From raubvogel at gmail.com Wed Sep 1 15:06:44 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Wed, 1 Sep 2010 09:06:44 -0400
Subject: [rsyslog] Quick syslog-ng to rsyslog question
In-Reply-To: 
References: 
Message-ID: 

On Wed, Sep 1, 2010 at 8:11 AM, Mauricio Tavares wrote:
> This is a fragment of the syslog-ng.conf code I am converting to rsyslog.conf:
>
> source src {
>    unix-stream("/dev/log" max-connections(256));
>    internal();
>    file("/proc/kmsg" log_prefix("kernel: "));
> };
>
> destination remote {
>        tcp("127.0.0.1" port(514));
> };
>
> # Send _everything_ to the remote log server, no filters
> log { source(src); destination(remote); flags(flow-control); };
>
> What would be the best way to do the same in rsyslog?
>
Just to make sure, first I was wondering if *.* @localhost would work (we have a tunnel between the two machines; I know you can do better with rsyslog but let's start small), as in would it cover all the log sources mentioned above. Maybe it is sending more logs than it needs to, and I would have to trim it down some.

From sivan at omniqueue.com Wed Sep 1 15:37:25 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Wed, 1 Sep 2010 16:37:25 +0300
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>
Message-ID: 

The debug log is here: http://www.omniqueue.com/debug.tar.gz

The configuration snippet that does not seem able to trigger disk-assisted queueing:

$WorkDirectory /root/rsyslog/spool
$MainMsgQueueSaveOnShutDown on
$MainMsgQueueType LinkedList
$MainMsgQueueFileName mainq
$MainMsgQueueSize 5
$MainMsgQueueHighWatermark 4
$MainMsgQueueLowWatermark 2
$MainMsgQueueMaxDiskSpace 1g

This is the command I try to stress the main queue to do disk buffering with:
for i in $(seq 1 1000); do logger test$i & done   # background each logger so the loop does not wait on it
or:
for i in $(seq 1 1000); do logger test$i ; done

Thanks,

Sivan

On Wed, Sep 1, 2010 at 2:21 PM, Rainer Gerhards wrote:
> This sounds like a bug. Could you provide me a debug log?
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
>> Sent: Wednesday, September 01, 2010 1:20 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
>> unreliablemain queue to a minimum.
>>
>> Hi Rainer,
>>
>> So I tried following your suggestions but can't seem to make the
>> MainMsgQueue go to disk at no condition, I want to make it use the
>> disk for some of the msgs at least , so if power goes off, some msgs
>> are kept.
>>
>> However, this does not seem to happen even when setting the
>> MainMsgQueue to be DA or Disk only, in DA mode I used quite
>> restrictive watermarks that I hope will cause it to spool to disk:
>>
>> $WorkDirectory /root/rsyslog/spool
>> # $MainMsgQueueType Disk
>> $MainMsgQueueSaveOnShutDown on
>> $MainMsgQueueType LinkedList
>> $MainMsgQueueFileName mainq
>> $MainMsgQueueSize 5
>> $MainMsgQueueHighWatermark 4
>> $MainMsgQueueLowWatermark 2
>> $MainMsgQueueMaxDiskSpace 1g
>>
>>
>> When commenting the "type" : "disk" there's still no change in
>> behavior. To test it I do something like:
>> for i in $(seq 1 10000); do logger test$i; done
>>
>> Any idea what needs to be done to make it use the disk for at least
>> 50%-70% of the msgs?
>>
>> -Sivan
>>
>> On Mon, Aug 30, 2010 at 9:19 AM, Rainer Gerhards
>> wrote:
>> > Hi Sivan,
>> >
>> > the main message queue supports the same set of properties and
>> capabilities
>> > like the action queue. The directives just start with $MainMsg...
>> instead of
>> > $Action...
>> >
>> > So you can set the main queue to pure disk mode as well.
>> >
>> > Rainer
>> >
>> >> -----Original Message-----
>> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
>> >> Sent: Sunday, August 29, 2010 10:44 AM
>> >> To: rsyslog at lists.adiscon.com
>> >> Subject: [rsyslog] Reducing the time a msg spends in the main
>> >> unreliablemain queue to a minimum.
>> >>
>> >> Hi List,
>> >>
>> >> I have some critical msgs being transferred using rsyslog. Hence, I
>> >> would like to minimize the time a msg spends in the unreliable by
>> >> definition main queue. My understanding is that only action queues
>> >> which are where msgs arrive when dispatched from main queue can be
>> >> set to be disk only. Therefor my assumption that only they can be
>> made
>> >> truly reliable.
>> >>
>> >> Any suggestions / feedback will be highly appreciated.
>> >>
>> >> -Sivan
>> >> _______________________________________________
>> >> rsyslog mailing list
>> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> http://www.rsyslog.com
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com
>> >
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>

From rgerhards at hq.adiscon.com Wed Sep 1 15:51:23 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 15:51:23 +0200
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com>

hmmm...
If I look at the debug log, starting with line 1763, it says:

====
9222.964403152:b57bfb90: main Q: entry deleted, state 0, size now 4 entries
9222.964464222:b57bfb90: strm 0x9663c18: file -1(mainq) flush, buflen 420
9222.964531873:b57bfb90: file '/root/rsyslog/spool/mainq.00000001' opened as #8 with mode 384
9222.964553588:b57bfb90: strm 0x9663c18: opened file '/root/rsyslog/spool/mainq.00000001' for WRITE as 8
9222.964554042:b57bfb90: strm 0x9663c18: file 8 write wrote 420 bytes
9222.964651904:b57bfb90: main Q[DA]: write wrote 420 octets to disk, queue disk size now 420 octets
9222.964674507:b57bfb90: main Q[DA]: entry added, size now 1 entries
9222.964696768:b57bfb90: wtpAdviseMaxWorkers signals busy
9222.965203228:b57bfb90: main Q[DA]: EnqueueMsg advised worker start
9222.965226061:b57bfb90: main Q: DAConsumer returns with iRet 0
9222.965249390:b57bfb90: main Q: entry deleted, state 0, size now 3 entries
9222.965285743:b57bfb90: strm 0x9663c18: file 8(mainq) flush, buflen 420
9222.965311318:b57bfb90: strm 0x9663c18: file 8 write wrote 420 bytes
9222.965335196:b57bfb90: main Q[DA]: write wrote 420 octets to disk, queue disk size now 840 octets
9222.965357551:b57bfb90: main Q[DA]: entry added, size now 2 entries
9222.965379709:b57bfb90: wtpAdviseMaxWorkers signals bus
====

So it starts to write to disk. In line 2797 disk is turned off again, because there is no more need to use it (empty queue). Then it restarts and so on...

Looks like it works as expected. Your producer is too slow to keep rsyslog busy for a sustained time. You could try the tcpflood utility from the testbench. It is not documented, but has all relevant information in the file header comment.

I also guess that the tool you use to monitor the disk is too slow to keep up with the rate at which rsyslog creates, processes and deletes queue files.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> Sent: Wednesday, September 01, 2010 3:37 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
> unreliablemain queue to a minimum.
>
> The debug log is here: http://www.omniqueue.com/debug.tar.gz
>
> The configuration snippet that seems to not able to trigger disk
> assisted queueing:
>
> $WorkDirectory /root/rsyslog/spool
> $MainMsgQueueSaveOnShutDown on
> $MainMsgQueueType LinkedList
> $MainMsgQueueFileName mainq
> $MainMsgQueueSize 5
> $MainMsgQueueHighWatermark 4
> $MainMsgQueueLowWatermark 2
> $MainMsgQueueMaxDiskSpace 1g
>
> This is the command I try to stress the main queue to do disk buffering
> with:
> for i in $(seq 1 1000); do `logger test$i &` ; done
> or:
> for i in $(seq 1 1000); do logger test$i ; done
>
>
> Thanks,
>
> Sivan
>
> On Wed, Sep 1, 2010 at 2:21 PM, Rainer Gerhards
> wrote:
> > This sounds like a bug. Could you provide me a debug log?
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> >> Sent: Wednesday, September 01, 2010 1:20 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
> >> unreliablemain queue to a minimum.
> >>
> >> Hi Rainer,
> >>
> >> So I tried following your suggestions but can't seem to make the
> >> MainMsgQueue go to disk at no condition, I want to make it use the
> >> disk for some of the msgs at least , so if power goes off, some msgs
> >> are kept.
> >>
> >> However, this does not seem to happen even when setting the
> >> MainMsgQueue to be DA or Disk only, in DA mode I used quite
> >> restrictive watermarks that I hope will cause it to spool to disk:
> >>
> >> $WorkDirectory /root/rsyslog/spool
> >> # $MainMsgQueueType Disk
> >> $MainMsgQueueSaveOnShutDown on
> >> $MainMsgQueueType LinkedList
> >> $MainMsgQueueFileName mainq
> >> $MainMsgQueueSize 5
> >> $MainMsgQueueHighWatermark 4
> >> $MainMsgQueueLowWatermark 2
> >> $MainMsgQueueMaxDiskSpace 1g
> >>
> >>
> >> When commenting the "type" : "disk" there's still no change in
> >> behavior. To test it I do something like:
> >> for i in $(seq 1 10000); do logger test$i; done
> >>
> >> Any idea what needs to be done to make it use the disk for at least
> >> 50%-70% of the msgs?
> >>
> >> -Sivan
> >>
> >> On Mon, Aug 30, 2010 at 9:19 AM, Rainer Gerhards
> >> wrote:
> >> > Hi Sivan,
> >> >
> >> > the main message queue supports the same set of properties and
> >> capabilities
> >> > like the action queue. The directives just start with $MainMsg...
> >> instead of
> >> > $Action...
> >> >
> >> > So you can set the main queue to pure disk mode as well.
> >> >
> >> > Rainer
> >> >
> >> >> -----Original Message-----
> >> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> >> >> Sent: Sunday, August 29, 2010 10:44 AM
> >> >> To: rsyslog at lists.adiscon.com
> >> >> Subject: [rsyslog] Reducing the time a msg spends in the main
> >> >> unreliablemain queue to a minimum.
> >> >>
> >> >> Hi List,
> >> >>
> >> >> I have some critical msgs being transferred using rsyslog.
> Hence, I
> >> >> would like to minimize the time a msg spends in the unreliable by
> >> >> definition main queue. My understanding is that only action
> queues
> >> >> which are where msgs arrive when dispatched from main queue can
> be
> >> >> set to be disk only.
> >> >> Therefore my assumption that only they can be
> >> made
> >> >> truly reliable.
> >> >>
> >> >> Any suggestions / feedback will be highly appreciated.
> >> >>
> >> >> -Sivan
> >> >> _______________________________________________
> >> >> rsyslog mailing list
> >> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> >> http://www.rsyslog.com
> >> > _______________________________________________
> >> > rsyslog mailing list
> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > http://www.rsyslog.com
> >> >
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From sivan at omniqueue.com Wed Sep 1 16:02:18 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Wed, 1 Sep 2010 17:02:18 +0300
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com>
Message-ID: 

On Wed, Sep 1, 2010 at 4:51 PM, Rainer Gerhards wrote:
> So it starts to write to disk. In line 2797 disk is turned off again, because
> there is no more need to use it (empty queue). The it restarts and so on...
>
> Looks like it works as expected. Your producer is too slow to keep rsyslog
> busy for a sustained time. You could try the tcpflood utility from the
> testbench. It is not documented, but has all relevant information in the file
> header comment.
Okay, so given my configuration, can I rest assured that no more than 5 msgs will be lost if power is lost and the file writing hasn't started or finished yet? Can the use of checkpoints / fflush help at the main queue level?

-Sivan

From rgerhards at hq.adiscon.com Wed Sep 1 16:07:38 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 16:07:38 +0200
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2A3@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> Sent: Wednesday, September 01, 2010 4:02 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Reducing the time a msg spends in the main
> unreliablemain queue to a minimum.
>
> On Wed, Sep 1, 2010 at 4:51 PM, Rainer Gerhards
> wrote:
> > So it starts to write to disk. In line 2797 disk is turned off again,
> because
> > there is no more need to use it (empty queue). The it restarts and so
> on...
> >
> > Looks like it works as expected. Your producer is too slow to keep
> rsyslog
> > busy for a sustained time. You could try the tcpflood utility from
> the
> > testbench. It is not documented, but has all relevant information in
> the file
> > header comment.
>
> Okay, so given my configuration, can I rest assured that no more than
> 5 msgs will be lost if power is lost and the file writing hasn't
> started or finished yet?

I don't give any guarantee, use at your own risk. But assuming the rest of your system and infrastructure supports this requirement, it looks pretty good.
But again: no guarantee at all -- I have NOT done an in-depth check of your config statements. As I wrote yesterday, this is really not something to be talked about casually. I've focussed on the potential bug, nothing else.

> Can the use of checkpoints /fflush help at
> the main queue level?

Definitely, and if you do not use them, your messages are at risk.

Rainer

From sivan at omniqueue.com Wed Sep 1 16:56:21 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Wed, 1 Sep 2010 17:56:21 +0300
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2A3@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A3@GRFEXC.intern.adiscon.com>

On Wed, Sep 1, 2010 at 5:07 PM, Rainer Gerhards wrote:
>> Can the use of checkpoints /fflush help at
>> the main queue level?

In the documentation it is said that checkpoint intervals are in terms of "records". Does this mean message lines, or is there some kind of other correlation? I am contemplating whether to set it the same as the high water mark, or use a different value. What is your input on this?

-Sivan

From rgerhards at hq.adiscon.com Wed Sep 1 16:57:48 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 16:57:48 +0200
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A3@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2A6@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg
> Sent: Wednesday, September 01, 2010 4:56 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
>
> On Wed, Sep 1, 2010 at 5:07 PM, Rainer Gerhards wrote:
> >> Can the use of checkpoints /fflush help at
> >> the main queue level?
>
> In the documentation it is said that checkpoint intervals are in
> terms of "records". Does this mean message lines, or is there some kind
> of other correlation? I am contemplating whether to set it the same as the
> high water mark, or use a different value. What is your input on this?

A record is a syslog message, sorry for the insiderish... In short, set it to one so that each access is synced.

Rainer

From rgerhards at hq.adiscon.com Wed Sep 1 17:14:31 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 1 Sep 2010 17:14:31 +0200
Subject: [rsyslog] $template to create filename, ownership, and other file-related questions
References: <9B6E2A8877C38245BFB15CC491A11DA71DD289@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2A9@GRFEXC.intern.adiscon.com>

> Ok, I have yet another answer: the template I created,
>
> $template AuthFile,"/var/log/auth/auth-%$YEAR%-%$MONTH%-%$DAY%.log"
>
> is nice, but I was wondering if there is a way to pass an argument to
> it from the selector line. This way, I could do, say,
>
> $template LogFile,"/var/log/$Moose/$Moose-%$YEAR%-%$MONTH%-%$DAY%.log"
>
> and then pass the value of $Moose when calling that template
>
> mail.info $Moose="mail", ?LogFile
>
> I know the syntax is completely wrong but you can see what I am
> getting at. Is there a way to do that?

I am sorry, that's not currently possible. I expect that such a facility becomes available as part of the v6 config file format revamping.

Rainer

From sivan at omniqueue.com Thu Sep 2 11:26:06 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Thu, 2 Sep 2010 12:26:06 +0300
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2A6@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A3@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A6@GRFEXC.intern.adiscon.com>

Thanks so far Rainer,

Now I'm trying to understand from the documentation how you create blocks for action queues that do forwarding. I realize one can do something like:

:message, contains, "string" *.* @@iport

However, how do I set an action queue for that? I want to make sure the queue for everything with "string" inside is a pure disk queue.

I couldn't make it out for sure from the documentation.

Your input will be appreciated =)

-Sivan

On Wed, Sep 1, 2010 at 5:57 PM, Rainer Gerhards wrote:
> A record is a syslog message, sorry for the insiderish... In short, set it to
> one so that each access is synced.
>
> Rainer

From david at lang.hm Fri Sep 3 08:32:11 2010
From: david at lang.hm (david at lang.hm)
Date: Thu, 2 Sep 2010 23:32:11 -0700 (PDT)
Subject: [rsyslog] Reducing the time a msg spends in the main unreliablemain queue to a minimum.
References: <9B6E2A8877C38245BFB15CC491A11DA71DD275@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD29A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A1@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A3@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2A6@GRFEXC.intern.adiscon.com>

On Thu, 2 Sep 2010, Sivan Greenberg wrote:
>
> Now I'm trying to understand from the documentation how you create
> blocks for action queues that do forwarding. I realize one can do
> something like:
>
> :message, contains, "string" *.* @@iport

One quick thing here: if you do a filter like :message, contains... you don't do the facility.priority filtering (*.*) as well. This line would be invalid; you would need to do:

:message, contains, "string" @@iport

instead.

David Lang

> However, how do I set an action queue for that? I want to make sure
> the queue for everything with "string" inside is a pure disk queue.
>
> I couldn't make it out for sure from the documentation.
>
> Your input will be appreciated =)
>
> -Sivan

From david at lang.hm Fri Sep 3 08:35:00 2010
From: david at lang.hm (david at lang.hm)
Date: Thu, 2 Sep 2010 23:35:00 -0700 (PDT)
Subject: [rsyslog] Quick syslog-ng to rsyslog question

On Wed, 1 Sep 2010, Mauricio Tavares wrote:
> On Wed, Sep 1, 2010 at 8:11 AM, Mauricio Tavares wrote:
>> This is a fragment of the syslog-ng.conf code I am converting to rsyslog.conf:
>>
>> source src {
>>     unix-stream("/dev/log" max-connections(256));
>>     internal();
>>     file("/proc/kmsg" log_prefix("kernel: "));
>> };
>>
>> destination remote {
>>         tcp("127.0.0.1" port(514));
>> };
>>
>> # Send _everything_ to the remote log server, no filters
>> log { source(src); destination(remote); flags(flow-control); };
>>
>> What would be the best way to do the same in rsyslog?
>>
> Just to make sure, first I was wondering if
>
> *.* @localhost
>
> would work (we have a tunnel between the two machines; I know you can
> do better with rsyslog but let's start small), as in would it cover all
> the log sources mentioned above. Maybe it is sending more logs than it
> needs to, and I would have to trim it down some.

This would send all logs to that destination (just make sure that rsyslog is not listening on localhost :-)

With rsyslog you need to also configure the inputs, so you would need to have lines similar to the following at the top of your rsyslog.conf file.

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

David Lang

From david at lang.hm Fri Sep 3 08:25:16 2010
From: david at lang.hm (david at lang.hm)
Date: Thu, 2 Sep 2010 23:25:16 -0700 (PDT)
Subject: [rsyslog] multi-line log files

In arguing different log delivery methods, it occurred to me that it shouldn't be too hard to modify the imfile module to handle multi-line log messages.

My thought is that when rsyslog reads them in, the newlines in the log messages would get escaped like other control characters.

This leaves the question of how to identify the end of a log message.

Common approaches that I can think of are:

1. blank line between log messages (\n\n is the separator)

2. non-whitespace character at the start of the line (follow-on lines start with whitespace)

3. known string at the start of the message

4. timestamp at the start of the message

This would mean that rsyslog would always be one message behind (as it would not be able to tell that the prior message had been fully written). It may make sense to add a timeout so that if rsyslog is waiting more than a second for additional data to be written it assumes that the log message has finished.

Does this sound like a reasonable idea? How hard would something along these lines be to implement?

David Lang

From rgerhards at hq.adiscon.com Fri Sep 3 08:39:01 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Sep 2010 08:39:01 +0200
Subject: [rsyslog] Should ActionExecOnlyOnceEveryInterval be working in 4.2?
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2D0@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of GravyFace
> Sent: Thursday, August 26, 2010 6:12 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Should ActionExecOnlyOnceEveryInterval be working in 4.2?
>
> From the changelogs, it sounds like it was fixed in 4.4.3, and then
> included in 4.6.x I believe.

This sounds like the Ubuntu version is simply too old. I include relevant patches in all stable versions, but NOT in ALL stable versions ever done.

Rainer

> Ubuntu 10.04 ships with 4.2, but in my config, it's not working --
> emails get sent out for each match on :msg, regardless of
> ActionExecOnlyOnceEveryInterval.
>
> Config as follows:
>
> $ActionMailSMTPServer 127.0.0.1
> $ActionMailFrom root at example.com
> $ActionMailTo somebody at example.com
> $template mailSubject,"Alert: Inbound Packet Denied"
> $template mailBody,"DETAILS:\r\n%timereported% %msg%"
> $ActionMailSubject mailSubject
> # make sure we receive a mail only once per hour
> $ActionExecOnlyOnceEveryInterval 3600
> :msg, contains, "Deny tcp src inside" :ommail:;mailBody

From rgerhards at hq.adiscon.com Fri Sep 3 11:33:12 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Sep 2010 11:33:12 +0200
Subject: [rsyslog] symlinks
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2D9@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Joe Williams
> Sent: Thursday, August 26, 2010 4:43 PM
> To: rsyslog-users
> Subject: [rsyslog] symlinks
>
> I have some hostnamed directories and would like to symlink them to
> something shorter and more meaningful. Is it possible to have rsyslog
> create symlinks to make certain logs easier to get to?

Unfortunately not (yet -- it's an interesting idea).

> Alternatively,
> can I configure rsyslog to match on certain hostnames and instead of
> using the hostname use a directory name I choose.

You can do this via the usual filter mechanism, but I fear it gets a bit ugly.

Rainer

> Thanks.
>
> -Joe

From rgerhards at hq.adiscon.com Fri Sep 3 13:14:48 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Sep 2010 13:14:48 +0200
Subject: [rsyslog] multi-line log files
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2DD@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Friday, September 03, 2010 8:25 AM
> To: rsyslog-users
> Subject: [rsyslog] multi-line log files
>
> Does this sound like a reasonable idea? How hard would something along
> these lines be to implement?

Indeed, I think this is a good suggestion. To turn this into general use, I think we need to find a way to specify the end sequence. Alternatively, we could use the list of four you give above and let the users choose among them. Maybe that would be a good starting point. Obvious, simple delimiting sequences (like \n\n) are easier than things like dates, which require far more parsing. So depending on the delimiter, the performance profile could be pretty different.

I think this could probably be done within a week, with decent testing but also some help in practice testing needed.

Rainer

From david at lang.hm Fri Sep 3 19:17:31 2010
From: david at lang.hm (david at lang.hm)
Date: Fri, 3 Sep 2010 10:17:31 -0700 (PDT)
Subject: [rsyslog] multi-line log files
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2DD@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD2DD@GRFEXC.intern.adiscon.com>

On Fri, 3 Sep 2010, Rainer Gerhards wrote:
> Indeed, I think this is a good suggestion. To turn this into general use, I
> think we need to find a way to specify the end sequence. Alternatively, we
> could use the list of four you give above and let the users choose among them.
> Maybe that would be a good starting point. Obvious, simple delimiting
> sequences (like \n\n) are easier than things like dates, which require far
> more parsing. So depending on the delimiter, the performance profile could be
> pretty different.

The idea was that options #1 and #2 are pretty cheap to do and may make sense as hard-coded choices. Options #3 and #4 would require the user to specify the separator and would be slower (unless a specified fixed separator ends up being fast to compare to and you can use the same code for \n\n as for any other fixed separator with no penalty).

David Lang

> I think this could probably be done within a week, with decent testing but
> also some help in practice testing needed.
>
> Rainer

From joe at joetify.com Tue Sep 7 19:46:15 2010
From: joe at joetify.com (Joe Williams)
Date: Tue, 7 Sep 2010 10:46:15 -0700
Subject: [rsyslog] rsyslog stats
Message-ID: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

Is it possible to log or output stats (ala haproxy's stats socket) for rsyslog?
I am thinking messages processed per second, messages written to disk per second, etc. Maybe even timing for how long messages sit in queues, etc. If not, I would find this quite helpful when debugging; perhaps this could be added to a future version?

-Joe

Name: Joseph A. Williams
Email: joe at joetify.com
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe

From david at lang.hm Tue Sep 7 19:57:25 2010
From: david at lang.hm (david at lang.hm)
Date: Tue, 7 Sep 2010 10:57:25 -0700 (PDT)
Subject: [rsyslog] rsyslog stats
In-Reply-To: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

Add to this queue lengths.

Ideally there should be a way to get these stats dumped on command, but having a way to dump them periodically is a usable option.

David Lang

From epiphani at gmail.com Tue Sep 7 20:00:35 2010
From: epiphani at gmail.com (Aaron Wiebe)
Date: Tue, 7 Sep 2010 14:00:35 -0400
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

Thirded.

-Aaron

From david at lang.hm Tue Sep 7 20:07:26 2010
From: david at lang.hm (david at lang.hm)
Date: Tue, 7 Sep 2010 11:07:26 -0700 (PDT)
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

Thinking about this a few more seconds, there are probably two categories of stats to consider:

1. stats that are cheap to gather or generate
   examples: current length of queues, age of oldest message in each queue, number of messages processed (possibly even per output)

2. stats that are expensive to gather or generate
   examples: average length of queues, average time to process messages

The expensive stats should require explicit configuration before the time is spent to gather them.

One possible issue, even with the 'cheap' stats, is that as rsyslog becomes faster by using lock-free algorithms and using more threads, the cost of gathering even these 'simple' stats will grow as they are likely to require locks (although it may be possible to make it so that they only acquire locks at report time, not as the data is gathered).

David Lang

From epiphani at gmail.com Tue Sep 7 20:11:11 2010
From: epiphani at gmail.com (Aaron Wiebe)
Date: Tue, 7 Sep 2010 14:11:11 -0400
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

On Tue, Sep 7, 2010 at 2:07 PM, david at lang.hm wrote:
>
> 1. stats that are cheap to gather or generate
>    examples: current length of queues, age of oldest message in each queue,
>    number of messages processed (possibly even per output)
> 2. stats that are expensive to gather or generate
>    examples: average length of queues, average time to process messages

Expensive stats shouldn't be the responsibility of rsyslog though - trending over time and the like should be the responsibility of a third party product (ie, cacti/mrtg). As long as the stats are easily made available through snmp or other methods, the trending should be done outside rsyslog.

-Aaron

From rgerhards at hq.adiscon.com Tue Sep 7 21:16:32 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Sep 2010 21:16:32 +0200
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2F3@GRFEXC.intern.adiscon.com>

This is a very valid request and I would like to have that myself. Unfortunately, the implementation is far from being trivial. It is not something that can be implemented as a side-activity. I understand that this is not easy to see.

Rsyslog has a modular architecture, so we have a variable set of stats counters. To support that, we need to introduce a new stats interface and some kind of registry for stats that are being gathered -- so that a process (periodic or on demand) can query and output that registry.

Also, it is not obvious which counters should/can be provided. For example, what does "how long a message sits inside a queue" mean? Does that mean time since enqueue? If so, we need to query system time for each message enqueued. Even more, we need to persist this timestamp together with the message object inside the queue (we need it to update the oldest timestamp on dequeue). However, the queue engine does not support such a data element.

So we need to change the queue interface to not only contain a pointer to the message, but now a pointer to a structure that contains the stats-required entities together with a pointer to the message. That also has large performance implications. One may now argue that a simple solution is to store that timestamp inside the message object. However, this conflicts with the planned copy-on-write feature for the message object. This would always force a full copy due to the timestamp.

There are some more subtle issues along all that, but I hope these samples get the idea over.

Also, as David said, there are large performance implications. Even with lock-free sync, we do have hardware sync. My testing earlier this year showed that e.g. an atomic inc (without lock) has a very noticeable overhead (out of my head, I think far more than double the time required). So it is absolutely vital to implement counters in a way that they affect performance only when stats functions are actually turned on. This most probably means that we need to implement some functions multiple times and select the one to use via a function pointer (which bears some overhead, but I consider that acceptable).

As I said, I am interested in these stats myself very much, especially when I approach the next phase of performance enhancement later this year. Unfortunately, I am still working on some backlog and it would probably be counter-productive to stop doing these things and look into the stats issue (I once was close to implementing it, but then obviously more important things pushed it away).

I thought about outputting main message queue size periodically (relatively simple to obtain and can already be queried via imdiag and diagtalker), but, honestly, how much does this small piece of information help...? In some configs maybe, in others it probably is quite misleading at best.
When I approach the next tuning step, I will probably implement the stats registry and may make available some select counters via conditional compilation (that reduces the complexity of keeping the performance good if stats are not turned on).

I know this is not the answer you looked for, but I hope it explains the situation. Feedback, of course, is always appreciated and it may be useful to talk about some counters that may be considered useful and potentially easy to obtain.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Joe Williams
> Sent: Tuesday, September 07, 2010 7:46 PM
> To: rsyslog-users
> Subject: [rsyslog] rsyslog stats

From joe at joetify.com Tue Sep 7 21:18:14 2010
From: joe at joetify.com (Joe Williams)
Date: Tue, 7 Sep 2010 12:18:14 -0700
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

On Sep 7, 2010, at 11:11 AM, Aaron Wiebe wrote:
> Expensive stats shouldn't be the responsibility of rsyslog though -
> trending over time and the like should be the responsibility of a
> third party product (ie, cacti/mrtg). As long as the stats are easily
> made available through snmp or other methods, the trending should be
> done outside rsyslog.

Agreed, rsyslog should just report the current stats and any trending/analysis should be done externally. No different than running iostat or other tools.

One other timing stat I would love to see is the amount of time in each step of the pipeline (time to read the message from the socket, time processing it through any rules, time spent in any queues, time spent writing to disk, etc). Haproxy has a good example of this in its logging (8.2.3. HTTP log format - http://haproxy.1wt.eu/download/1.4/doc/configuration.txt).

-Joe

Name: Joseph A. Williams
Email: joe at joetify.com
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe

From rgerhards at hq.adiscon.com Tue Sep 7 21:29:29 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Sep 2010 21:29:29 +0200
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2F4@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Joe Williams
> Sent: Tuesday, September 07, 2010 9:18 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog stats
>
> Agreed, rsyslog should just report the current stats and any
> trending/analysis should be done externally. No different than running
> iostat or other tools.
>
> One other timing stat I would love to see is the amount of time in each
> step of the pipeline (time to read the message from the socket, time
> processing it through any rules, time spent in any queues, time spent
> writing to disk, etc).

Current system time resolution is probably not good enough to time single steps. In many cases, you would not see any time used at all. But I agree it would be interesting to have an indication.

Just one example: the tcp receiver pulls a relatively large buffer (64K?) from the socket. So a single receive may obtain 5,000 messages or more with a single receive. Let's assume this takes 0.0001 seconds. Does this mean we need to compute 0.0001/5000 = 0.00000002 seconds as the time required to obtain from the socket? Now think about a busy system processing e.g. 100,000 msgs per second. Processing involves various steps (more than 20 for a typical plain rsyslog.conf). So we need to measure time at the nanosecond level for each step.

Rainer

> Haproxy has a good example of this in its
> logging (8.2.3. HTTP log format -
> http://haproxy.1wt.eu/download/1.4/doc/configuration.txt).
>
> -Joe

From david at lang.hm Tue Sep 7 22:58:18 2010
From: david at lang.hm (david at lang.hm)
Date: Tue, 7 Sep 2010 13:58:18 -0700 (PDT)
Subject: [rsyslog] rsyslog stats
References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com>

On Tue, 7 Sep 2010, Joe Williams wrote:
> On Sep 7, 2010, at 11:11 AM, Aaron Wiebe wrote:
>> Expensive stats shouldn't be the responsibility of rsyslog though -
>> trending over time and the like should be the responsibility of a
>> third party product (ie, cacti/mrtg). As long as the stats are easily
>> made available through snmp or other methods, the trending should be
>> done outside rsyslog.
>
> Agreed, rsyslog should just report the current stats and any
> trending/analysis should be done externally. No different than running
> iostat or other tools.

iostat and vmstat actually provide some of these expensive stats.

An example of an expensive stat would be the average age of messages in the queue.
finding the age of the oldest message is relativly cheap (one lookup to the oldest message in the queue, that lookup may delay something processing the message so it's only 'relativly' cheap) but finding the average age of all messages in the queue will require looking up the age of every message in the queue, and probably freezing the queue while you do so to make sure that it's not changing under you. > One other timing stat I would love to see is the amount of time in each > step of the pipeline (time to read the message from the socket, time > processing it through any rules, time spent in any queues, time spent > writing to disk, etc). Haproxy has a good example of this in it's > logging (8.2.3. HTTP log format - > http://haproxy.1wt.eu/download/1.4/doc/configuration.txt). message processing in rsyslog is done at such a high rate that you can get a noticable performance improvement by doing one gettimeofday call for every 10 messages instead of one call per message. looking up the time at different stages within rsyslog definantly qualifies as an expensive stat to gather. cheap things to gather are things that can be gathered by modifying a per-thread variable. relativly cheap things to gather are things that require locking to gather (either to update a central variable, or to prevent other threads from modifying what you are reading) expensive things to gather include things that require syscalls (for example, gettimeofday()), or that require looking at a lot of data (average age of all messages in a queue) David Lang From rgerhards at hq.adiscon.com Tue Sep 7 23:22:52 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 7 Sep 2010 23:22:52 +0200 Subject: [rsyslog] rsyslog stats Message-ID: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> Finding the age of the oldest message is not necessarily cheap - think about out of order processing and delays. The one at queue top is not necessarily the oldest one... 
rainer ----- Urspr?ngliche Nachricht ----- Von: david at lang.hm Gesendet: Dienstag, 7. September 2010 22:58 An: rsyslog-users Betreff: Re: [rsyslog] rsyslog stats On Tue, 7 Sep 2010, Joe Williams wrote: > On Sep 7, 2010, at 11:11 AM, Aaron Wiebe wrote: > >> On Tue, Sep 7, 2010 at 2:07 PM, wrote: >>> >>> 1. stats that are cheap to gather, generate >>> examples current length of queues, age of oldest message in each queue, >>> number of messages processed (possibly even per output) >>> 2. stats that are expensive to gather or generate >>> examples: average length of queues, average time to process messages >> >> Expensive stats shouldn't be the responsibility of rsyslog though - >> trending over time and the like should be the responsibility of a >> third party product (ie, cacti/mrtg). As long as the stats are easily >> made available through snmp or other methods, the trending should be >> done outside rsyslog. >> > > > Agreed, rsyslog should just report the current stats and any > trending/analysis should be done externally. No different than running > iostat or other tools. iostat and vmstat actually provide some of these expensive stats. an example of an expensive stat would be the average age of messages in the queue. finding the age of the oldest message is relativly cheap (one lookup to the oldest message in the queue, that lookup may delay something processing the message so it's only 'relativly' cheap) but finding the average age of all messages in the queue will require looking up the age of every message in the queue, and probably freezing the queue while you do so to make sure that it's not changing under you. > One other timing stat I would love to see is the amount of time in each > step of the pipeline (time to read the message from the socket, time > processing it through any rules, time spent in any queues, time spent > writing to disk, etc). Haproxy has a good example of this in it's > logging (8.2.3. 
HTTP log format - > http://haproxy.1wt.eu/download/1.4/doc/configuration.txt). message processing in rsyslog is done at such a high rate that you can get a noticable performance improvement by doing one gettimeofday call for every 10 messages instead of one call per message. looking up the time at different stages within rsyslog definantly qualifies as an expensive stat to gather. cheap things to gather are things that can be gathered by modifying a per-thread variable. relativly cheap things to gather are things that require locking to gather (either to update a central variable, or to prevent other threads from modifying what you are reading) expensive things to gather include things that require syscalls (for example, gettimeofday()), or that require looking at a lot of data (average age of all messages in a queue) David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com From david at lang.hm Tue Sep 7 23:37:33 2010 From: david at lang.hm (david at lang.hm) Date: Tue, 7 Sep 2010 14:37:33 -0700 (PDT) Subject: [rsyslog] rsyslog stats In-Reply-To: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> Message-ID: On Tue, 7 Sep 2010, Rainer Gerhards wrote: > Finding the age of the oldest message is not necessarily cheap - think about out of order processing and delays. The one at queue top is not necessarily the oldest one... even with out of order processing, it would still have arrived in that queue at or before the time of any other message in the queue. the OoO processing would mean that it may not be the next message to be processed (especially if there was a delivery problem for that message), but I don't see how an earlier message could end up elsewhere in the queue. 
with secondary queues, you could have something that's not the oldest message in the main queue go into the secondary queue before the oldest message from the main queue. I think that we are still 'good enough' just providing the timestamp of the oldest message in the secondary queue as I expect that the messages will move fast enough that the timestamp of the 'earliest message to arrive in the queue' will be very close to the oldest. the reason for wanting the time of the oldest message in the queue is to get an idea of how far behind (time wise) rsyslog is in it's output vs it's input. I don't think it needs to be precise. David Lang > rainer > > ----- Urspr?ngliche Nachricht ----- > Von: david at lang.hm > Gesendet: Dienstag, 7. September 2010 22:58 > An: rsyslog-users > Betreff: Re: [rsyslog] rsyslog stats > > On Tue, 7 Sep 2010, Joe Williams wrote: > >> On Sep 7, 2010, at 11:11 AM, Aaron Wiebe wrote: >> >>> On Tue, Sep 7, 2010 at 2:07 PM, wrote: >>>> >>>> 1. stats that are cheap to gather, generate >>>> examples current length of queues, age of oldest message in each queue, >>>> number of messages processed (possibly even per output) >>>> 2. stats that are expensive to gather or generate >>>> examples: average length of queues, average time to process messages >>> >>> Expensive stats shouldn't be the responsibility of rsyslog though - >>> trending over time and the like should be the responsibility of a >>> third party product (ie, cacti/mrtg). As long as the stats are easily >>> made available through snmp or other methods, the trending should be >>> done outside rsyslog. >>> >> >> > >> Agreed, rsyslog should just report the current stats and any >> trending/analysis should be done externally. No different than running >> iostat or other tools. > > iostat and vmstat actually provide some of these expensive stats. > > an example of an expensive stat would be the average age of messages in > the queue. 
> > finding the age of the oldest message is relativly cheap (one lookup to > the oldest message in the queue, that lookup may delay something > processing the message so it's only 'relativly' cheap) > > but finding the average age of all messages in the queue will require > looking up the age of every message in the queue, and probably freezing > the queue while you do so to make sure that it's not changing under you. > >> One other timing stat I would love to see is the amount of time in each >> step of the pipeline (time to read the message from the socket, time >> processing it through any rules, time spent in any queues, time spent >> writing to disk, etc). Haproxy has a good example of this in it's >> logging (8.2.3. HTTP log format - >> http://haproxy.1wt.eu/download/1.4/doc/configuration.txt). > > message processing in rsyslog is done at such a high rate that you can get > a noticable performance improvement by doing one gettimeofday call for > every 10 messages instead of one call per message. looking up the time at > different stages within rsyslog definantly qualifies as an expensive stat > to gather. > > cheap things to gather are things that can be gathered by modifying a > per-thread variable. 
> > relativly cheap things to gather are things that require locking to gather > (either to update a central variable, or to prevent other threads from > modifying what you are reading) > > expensive things to gather include things that require syscalls > (for example, gettimeofday()), or that require looking at a lot of data > (average age of all messages in a queue) > > David Lang > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From sean at conman.org Wed Sep 8 00:30:33 2010 From: sean at conman.org (Sean Conner) Date: Tue, 7 Sep 2010 18:30:33 -0400 Subject: [rsyslog] rsyslog stats In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2F3@GRFEXC.intern.adiscon.com> References: <4E419194-0B27-4633-9976-46F9CEB21DA5@joetify.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2F3@GRFEXC.intern.adiscon.com> Message-ID: <20100907223033.GA18134@brevard.conman.org> It was thus said that the Great Rainer Gerhards once stated: > > When I approach the next tuning step, I will probably implement the stats > registry and may make available some select counters via conditional > compilation (that reduces the complexity of keeping the performance good if > stats are not turned on). > > I know this is not the answer you looked for, but I hope it explains the > situation. Feedback, of course, is always appreciated and it may be useful to > talk about some counters that may be considered useful and potentially easy > to obtain. If you can measure the size of a message queue over five minute intervals, you can get a feel for how large the backlog is (and in thinking this over---you don't even need to reset the counts as long as your reporting tool records the value on a set schedule). 
For a particular module, I would think two metrics would be good enough: messages queued in, and messages queued out. For instance: 0m: in 0 out 0 5m: in 900000 out 899973 10m: in 1799992 out 1799433 15m: in 2600343 out 2600343 from that, you can calulate deltas: 0m din 0 dout 0 diff 0 5m din 900000 dout 899973 diff 27 10m din 899992 dout 899460 diff 532 15m din 800351 dout 800910 diff -559 So, from these made up figures, you can see that the input exceeded the output until it dropped below a certain figure and the output caught up. Does this tell you how long on average that a message sat in the queue? No. Does it tell you there might be an issue with too much data coming in at rates above, say, 2700/second (800000 / 300 seconds)? Yeah, you might be able to make that correlation. To generate the stats, you can do what I did for a project [1]---fork the server and have the child process calculate the stats. Under Unix, a child process inherits the memory space of the parent, but under copy-on-write semantics, so the parent process (and threads) can continue processing requests without locking the counters more than neccessary. I'm not sure what you can do under Windows, but it's an idea. -spc [1] http://www.x-grey.com/ From rgerhards at hq.adiscon.com Wed Sep 8 07:57:37 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 8 Sep 2010 07:57:37 +0200 Subject: [rsyslog] rsyslog stats References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of david at lang.hm > Sent: Tuesday, September 07, 2010 11:38 PM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog stats > > On Tue, 7 Sep 2010, Rainer Gerhards wrote: > > > Finding the age of the oldest message is not necessarily cheap - > think about out of order processing and delays. 
The one at queue top is > not necessarily the oldest one... > > even with out of order processing, it would still have arrived in that > queue at or before the time of any other message in the queue. Jup, but as I said in my first message, we do not have a timestamp for "arrived at queue". All we have is the message creation timestamp (or the timestamp from the message itself, which I think does not help here). This timestamp does not respect queue enqueue time. > > the OoO processing would mean that it may not be the next message to be > processed (especially if there was a delivery problem for that > message), > but I don't see how an earlier message could end up elsewhere in the > queue. When you look only at the ruleset main queues, this is true for the most part. Still, task switching may come into our way, e.g. we receive a 64K buffer of tcp messages, process them, then control is switched to UDP receiver. We may have tcpmsgms1-udpmsg-tcpmsgs2 inside the queue, where udpmsgs is actually earlier than tcpmsgs2 (but obviously in close proximity). > with secondary queues, you could have something that's not the oldest > message in the main queue go into the secondary queue before the oldest > message from the main queue. I think that we are still 'good enough' > just > providing the timestamp of the oldest message in the secondary queue as > I > expect that the messages will move fast enough that the timestamp of > the > 'earliest message to arrive in the queue' will be very close to the > oldest. > > the reason for wanting the time of the oldest message in the queue is > to > get an idea of how far behind (time wise) rsyslog is in it's output vs > it's input. I don't think it needs to be precise. Well, if a rough indication is OK and we could live with the fact that in some cases the information is taken with a big grain of salt, we could do this. 
We would still have issues with disk queues, because I need to do i/o in order to "peek" at a message (peek is not supported at all). A solution would probably be to forbid this for disk queues. Rainer > > David Lang > > > > rainer > > > > ----- Urspr?ngliche Nachricht ----- > > Von: david at lang.hm > > Gesendet: Dienstag, 7. September 2010 22:58 > > An: rsyslog-users > > Betreff: Re: [rsyslog] rsyslog stats > > > > On Tue, 7 Sep 2010, Joe Williams wrote: > > > >> On Sep 7, 2010, at 11:11 AM, Aaron Wiebe wrote: > >> > >>> On Tue, Sep 7, 2010 at 2:07 PM, wrote: > >>>> > >>>> 1. stats that are cheap to gather, generate > >>>> examples current length of queues, age of oldest message in each > queue, > >>>> number of messages processed (possibly even per output) > >>>> 2. stats that are expensive to gather or generate > >>>> examples: average length of queues, average time to process > messages > >>> > >>> Expensive stats shouldn't be the responsibility of rsyslog though - > >>> trending over time and the like should be the responsibility of a > >>> third party product (ie, cacti/mrtg). As long as the stats are > easily > >>> made available through snmp or other methods, the trending should > be > >>> done outside rsyslog. > >>> > >> > >> > > > >> Agreed, rsyslog should just report the current stats and any > >> trending/analysis should be done externally. No different than > running > >> iostat or other tools. > > > > iostat and vmstat actually provide some of these expensive stats. > > > > an example of an expensive stat would be the average age of messages > in > > the queue. 
> > > > finding the age of the oldest message is relativly cheap (one lookup > to > > the oldest message in the queue, that lookup may delay something > > processing the message so it's only 'relativly' cheap) > > > > but finding the average age of all messages in the queue will require > > looking up the age of every message in the queue, and probably > freezing > > the queue while you do so to make sure that it's not changing under > you. > > > >> One other timing stat I would love to see is the amount of time in > each > >> step of the pipeline (time to read the message from the socket, time > >> processing it through any rules, time spent in any queues, time > spent > >> writing to disk, etc). Haproxy has a good example of this in it's > >> logging (8.2.3. HTTP log format - > >> http://haproxy.1wt.eu/download/1.4/doc/configuration.txt). > > > > message processing in rsyslog is done at such a high rate that you > can get > > a noticable performance improvement by doing one gettimeofday call > for > > every 10 messages instead of one call per message. looking up the > time at > > different stages within rsyslog definantly qualifies as an expensive > stat > > to gather. > > > > cheap things to gather are things that can be gathered by modifying a > > per-thread variable. 
> > > > relativly cheap things to gather are things that require locking to > gather > > (either to update a central variable, or to prevent other threads > from > > modifying what you are reading) > > > > expensive things to gather include things that require syscalls > > (for example, gettimeofday()), or that require looking at a lot of > data > > (average age of all messages in a queue) > > > > David Lang > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From rgerhards at hq.adiscon.com Wed Sep 8 08:12:39 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 8 Sep 2010 08:12:39 +0200 Subject: [rsyslog] rsyslog stats - counters References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com> I have thought once again about which counters I could provide without generating most of the plumbing. Probably the only one I can envision is the number of message objects inside the system (assuming that number of queues itself and such is of really no interest at all), or more precisely number of messages generated and number of messages deleted. This does roughly reflect the number of messages processed, but only if no async queues are used (they require some message duplication). If this is considered useful, I could look into that. It probably takes two to three days to get that going with some minimal plumbing for the background writer (done in a clean way). 
I could also output the main queue size, but once again be reminded that this reflects only part of the picture (depending on config only a very small part...). Feedback appreciated. Rainer From lpinsivy at merethis.com Wed Sep 8 16:53:38 2010 From: lpinsivy at merethis.com (Laurent Pinsivy) Date: Wed, 8 Sep 2010 16:53:38 +0200 Subject: [rsyslog] Problem to receive TCP event Message-ID: Hello, I try to receive TCP event from windows machine using Centreon-E2S (which I developed) on Rsyslog 3.22.1 Rsyslog listen on TCP/514 and UDP/514: # netstat -ano | grep 514 tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN off (0.00/0/0) tcp 0 0 :::514 :::* LISTEN off (0.00/0/0) udp 0 0 0.0.0.0:514 0.0.0.0:* off (0.00/0/0) udp 0 0 :::514 :::* off (0.00/0/0) If I insert breakpoint in my program, I can see: tcp 0 0 192.168.2.170:514 192.168.1.14:62637 ESTABLISHED off (0.00/0/0) With wireshark, i can see message of event: 108.097297 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2 108.097655 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=1 Ack=1 Win=66780 Len=0 108.097790 192.168.1.14 -> 192.168.2.170 RSH <131>E6400-Laurent EventCreate Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test 108.099833 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [FIN, ACK] Seq=119 Ack=1 Win=66780 Len=0 108.100104 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=120 Ack=2 Win=66780 Len=0 But rsyslog don't insert it into a database or on a file /var/log/messages Rsyslog configuration is: $ModLoad imtcp.so $InputTCPServerRun 514 $ModLoad imudp.so $UDPServerRun 514 UDP/514 messages are working well and are inserted into a database and a file /var/log/messages: 2010-09-08T14:44:20.144648+02:00 E6400-Laurent EventCreate Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test I try to use the rsyslog debug but I don't understand the result: 4783.101672000:imtcp.c: -------- calling select, 
active fds (max 5): 4 5 4793.005236000:imtcp.c: New connect on NSD 0x165e6530. 4793.006433000:imtcp.c: -------- calling select, active fds (max 16): 4 5 16 4793.006450000:imtcp.c: netstream 0x16602f40 with new data 4793.006463000:imtcp.c: -------- calling select, active fds (max 16): 4 5 16 4793.007708000:imtcp.c: netstream 0x16602f40 with new data 4793.007748000:imtcp.c: -------- calling select, active fds (max 5): 4 5 Function to send UDP or TCP message is the same expected transport. I try to encode the message using ANSI or ASCII but nothing appear. Do you have any solution+? Best regards, Laurent Pinsivy From joe at joetify.com Wed Sep 8 17:24:30 2010 From: joe at joetify.com (Joe Williams) Date: Wed, 8 Sep 2010 08:24:30 -0700 Subject: [rsyslog] rsyslog stats - counters In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com> References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com> Message-ID: <5F7A27F0-B32C-41A7-B7B8-55FD236B1F98@joetify.com> On Sep 7, 2010, at 11:12 PM, Rainer Gerhards wrote: > I have thought once again about which counters I could provide without > generating most of the plumbing. Probably the only one I can envision is the > number of message objects inside the system (assuming that number of queues > itself and such is of really no interest at all), or more precisely number of > messages generated and number of messages deleted. This does roughly reflect > the number of messages processed, but only if no async queues are used (they > require some message duplication). If this is considered useful, I could look > into that. It probably takes two to three days to get that going with some > minimal plumbing for the background writer (done in a clean way). 
> > I could also output the main queue size, but once again be reminded that this > reflects only part of the picture (depending on config only a very small > part...). > > Feedback appreciated. Thanks Rainier, I'm of the opinion that any introspection is better than none and this is a move in the right direction. -Joe Name: Joseph A. Williams Email: joe at joetify.com Blog: http://www.joeandmotorboat.com/ Twitter: http://twitter.com/williamsjoe From rgerhards at hq.adiscon.com Wed Sep 8 18:53:31 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 8 Sep 2010 18:53:31 +0200 Subject: [rsyslog] Problem to receive TCP event References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD30F@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy > Sent: Wednesday, September 08, 2010 4:54 PM > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] Problem to receive TCP event > > Hello, > > I try to receive TCP event from windows machine using Centreon-E2S > (which I > developed) on Rsyslog 3.22.1 > > Rsyslog listen on TCP/514 and UDP/514: > > # netstat -ano | grep 514 > tcp 0 0 0.0.0.0:514 0.0.0.0:* > LISTEN off (0.00/0/0) > tcp 0 0 :::514 :::* > LISTEN off (0.00/0/0) > udp 0 0 0.0.0.0:514 0.0.0.0:* > off (0.00/0/0) > udp 0 0 :::514 > :::* off (0.00/0/0) > > If I insert breakpoint in my program, I can see: > > tcp 0 0 192.168.2.170:514 192.168.1.14:62637 > ESTABLISHED off (0.00/0/0) > > With wireshark, i can see message of event: > > 108.097297 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [SYN] Seq=0 > Win=8192 Len=0 MSS=1260 WS=2 > 108.097655 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=1 > Ack=1 > Win=66780 Len=0 > 108.097790 192.168.1.14 -> 192.168.2.170 RSH <131>E6400-Laurent > EventCreate > Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, > Description: test The message is not well-formed, so 
some properties are probably not correctly populated. > 108.099833 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [FIN, ACK] > Seq=119 Ack=1 Win=66780 Len=0 > 108.100104 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] > Seq=120 > Ack=2 Win=66780 Len=0 > > But rsyslog don't insert it into a database or on a file > /var/log/messages > > Rsyslog configuration is: > > $ModLoad imtcp.so > $InputTCPServerRun 514 > $ModLoad imudp.so > $UDPServerRun 514 > That's not the full config, it has no actions ;) Can you use *.* /path/to/catchall;RSYSLOG_DebugFormat And let us know if something arrives there (and if so, what) > UDP/514 messages are working well and are inserted into a database and > a > file /var/log/messages: > > 2010-09-08T14:44:20.144648+02:00 E6400-Laurent EventCreate Type: Error, > Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: > test > > I try to use the rsyslog debug but I don't understand the result: > > 4783.101672000:imtcp.c: -------- calling select, active > fds > (max 5): 4 5 > 4793.005236000:imtcp.c: New connect on NSD 0x165e6530. > 4793.006433000:imtcp.c: -------- calling select, active > fds > (max 16): 4 5 16 > 4793.006450000:imtcp.c: netstream 0x16602f40 with new data > 4793.006463000:imtcp.c: -------- calling select, active > fds > (max 16): 4 5 16 > 4793.007708000:imtcp.c: netstream 0x16602f40 with new data > 4793.007748000:imtcp.c: -------- calling select, active > fds > (max 5): 4 5 This looks like you snipped parts oft he log? Rainer > > Function to send UDP or TCP message is the same expected transport. I > try to > encode the message using ANSI or ASCII but nothing appear. > > Do you have any solution+? 
> > Best regards, > > Laurent Pinsivy > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From david at lang.hm Wed Sep 8 19:03:33 2010 From: david at lang.hm (david at lang.hm) Date: Wed, 8 Sep 2010 10:03:33 -0700 (PDT) Subject: [rsyslog] rsyslog stats - counters In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com> References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com> Message-ID: On Wed, 8 Sep 2010, Rainer Gerhards wrote: > I have thought once again about which counters I could provide without > generating most of the plumbing. Probably the only one I can envision is the > number of message objects inside the system (assuming that number of queues > itself and such is of really no interest at all), or more precisely number of > messages generated and number of messages deleted. This does roughly reflect > the number of messages processed, but only if no async queues are used (they > require some message duplication). If this is considered useful, I could look > into that. It probably takes two to three days to get that going with some > minimal plumbing for the background writer (done in a clean way). > > I could also output the main queue size, but once again be reminded that this > reflects only part of the picture (depending on config only a very small > part...). > > Feedback appreciated. I think that this would be useful to have. As it is, it's hard to tell if rsyslog is queuing messages or not, this would give you a tool to use to tell this. 
David Lang

From david at lang.hm Wed Sep 8 19:39:11 2010
From: david at lang.hm (david at lang.hm)
Date: Wed, 8 Sep 2010 10:39:11 -0700 (PDT)
Subject: [rsyslog] rsyslog stats
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com>
References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com>
Message-ID:

On Wed, 8 Sep 2010, Rainer Gerhards wrote:

>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>> Sent: Tuesday, September 07, 2010 11:38 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] rsyslog stats
>>
>> On Tue, 7 Sep 2010, Rainer Gerhards wrote:
>>
>>> Finding the age of the oldest message is not necessarily cheap -
>>> think about out of order processing and delays. The one at queue top is
>>> not necessarily the oldest one...
>>
>> even with out of order processing, it would still have arrived in that
>> queue at or before the time of any other message in the queue.
>
> Jup, but as I said in my first message, we do not have a timestamp for
> "arrived at queue". All we have is the message creation timestamp (or the
> timestamp from the message itself, which I think does not help here). This
> timestamp does not respect queue enqueue time.
>
>> the OoO processing would mean that it may not be the next message to be
>> processed (especially if there was a delivery problem for that message),
>> but I don't see how an earlier message could end up elsewhere in the
>> queue.
>
> When you look only at the ruleset main queues, this is true for the most
> part. Still, task switching may come into our way, e.g. we receive a 64K
> buffer of tcp messages, process them, then control is switched to the UDP
> receiver. We may have tcpmsgs1-udpmsg-tcpmsgs2 inside the queue, where
> udpmsg is actually earlier than tcpmsgs2 (but obviously in close proximity).
>
>> with secondary queues, you could have something that's not the oldest
>> message in the main queue go into the secondary queue before the oldest
>> message from the main queue. I think that we are still 'good enough' just
>> providing the timestamp of the oldest message in the secondary queue as I
>> expect that the messages will move fast enough that the timestamp of the
>> 'earliest message to arrive in the queue' will be very close to the
>> oldest.
>>
>> the reason for wanting the time of the oldest message in the queue is to
>> get an idea of how far behind (time wise) rsyslog is in its output vs
>> its input. I don't think it needs to be precise.
>
> Well, if a rough indication is OK and we could live with the fact that in
> some cases the information is taken with a big grain of salt, we could do
> this. We would still have issues with disk queues, because I need to do i/o
> in order to "peek" at a message (peek is not supported at all). A solution
> would probably be to forbid this for disk queues.

I am thinking that we have two timestamps with each message.

1. the timestamp from the message itself

2. the timestamp of when rsyslog received the message (not when it got put
in a particular queue, but when the input module processed it)

I would expect that even with async processing, the timestamp of when
rsyslog received the message would probably be within a small number of
seconds of the oldest message. I wouldn't expect the value of this
timestamp to be significant from a monitoring perspective until it's at
least a couple of minutes old.
David Lang

From rgerhards at hq.adiscon.com Wed Sep 8 21:00:02 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 8 Sep 2010 21:00:02 +0200
Subject: [rsyslog] rsyslog stats - counters
References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD311@GRFEXC.intern.adiscon.com>

Hi David and Joe,

many thanks for the feedback. I have thought a bit about this and I think I
can craft a pragmatic - but sufficiently clean - solution today. Maybe we
can try to *evolve* this as a side-activity. I'll target v5-devel and above.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Wednesday, September 08, 2010 7:04 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog stats - counters
>
> On Wed, 8 Sep 2010, Rainer Gerhards wrote:
>
>> I have thought once again about which counters I could provide without
>> generating most of the plumbing. Probably the only one I can envision is
>> the number of message objects inside the system (assuming that the number
>> of queues itself and such is of really no interest at all), or more
>> precisely the number of messages generated and the number of messages
>> deleted. This does roughly reflect the number of messages processed, but
>> only if no async queues are used (they require some message duplication).
>> If this is considered useful, I could look into that. It probably takes
>> two to three days to get that going with some minimal plumbing for the
>> background writer (done in a clean way).
>>
>> I could also output the main queue size, but once again be reminded that
>> this reflects only part of the picture (depending on config only a very
>> small part...).
>>
>> Feedback appreciated.
>
> I think that this would be useful to have. As it is, it's hard to tell if
> rsyslog is queuing messages or not; this would give you a tool to tell
> this.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From rgerhards at hq.adiscon.com Wed Sep 8 21:02:46 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 8 Sep 2010 21:02:46 +0200
Subject: [rsyslog] rsyslog stats - counters
References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD311@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD312@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, September 08, 2010 9:00 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog stats - counters
>
> Hi David and Joe,
>
> many thanks for the feedback. I have thought a bit about this and I think
> I can craft a pragmatic - but sufficiently clean - solution today.

Wishful thinking ;) tomorrow I meant...

> Maybe we can try to *evolve* this as a side-activity. I'll target v5-devel
> and above.
>
> Rainer
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From joe at joetify.com Thu Sep 9 02:43:16 2010
From: joe at joetify.com (Joe Williams)
Date: Wed, 8 Sep 2010 17:43:16 -0700
Subject: [rsyslog] REST output plugin
Message-ID:

Anyone have an idea of how difficult it would be to create an output plugin
that uses REST to PUT log lines as JSON to a specific URL? Probably something
equivalent to the following curl command.

curl -X PUT http://host/ -d '{"app-name": "foo", "msg": "bar", "proc-id":"baz", "timestamp":"timestamp:::date-rfc3339", "hostname":"hostname", "severity":"syslogseverity-text"}'

Thanks.

-Joe


Name: Joseph A.
Williams
Email: joe at joetify.com
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe

From lpinsivy at merethis.com Thu Sep 9 10:21:40 2010
From: lpinsivy at merethis.com (Laurent Pinsivy)
Date: Thu, 9 Sep 2010 10:21:40 +0200
Subject: [rsyslog] Problem to receive TCP event
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD30F@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD30F@GRFEXC.intern.adiscon.com>
Message-ID:

Thank you for your answer.

Complete rsyslog configuration is:

$ModLoad ommysql
$ModLoad imtcp.so
$InputTCPServerRun 514
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad immark.so
$ModLoad imklog.so
$ModLoad imuxsock.so

*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
*.*                                         /var/log/catchall;RSYSLOG_DebugFormat

$EscapeControlCharactersOnReceive off

$template sysMysql,"INSERT INTO logs (host,facility,priority,level,tag,datetime,program,msg) VALUES('%HOSTNAME%','%syslogfacility-text%','%syslogpriority-text%','%syslogseverity%','%syslogtag%','%timereported:::date-mysql%','%programname%','%msg:::space-cc%')", SQL

if $programname == 'snmpd' and $syslogseverity > '4' then ~
if $syslogseverity == '7' then ~
*.* >127.0.0.1,syslog,syslogadmin,syslogpass;sysMysql

And the file "/etc/sysconfig/rsyslog" contains:

SYSLOGD_OPTIONS="-c3"
KLOGD_OPTIONS="-x"

I changed the syslog format to add the date, and wireshark receives:

251.121928 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2
251.122250 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] Seq=1 Ack=1 Win=66780 Len=0
251.122502 192.168.1.14 -> 192.168.2.170 RSH <132>Sep 9 10:13:01 E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test
251.124991 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [FIN, ACK] Seq=137 Ack=1 Win=66780 Len=0
251.125256 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] Seq=138 Ack=2 Win=66780 Len=0

This event doesn't appear in the file /var/log/catchall.

But if I send the same event by UDP, wireshark receives:

370.297874 192.168.1.14 -> 192.168.2.170 Syslog LOCAL0.WARNING: E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test

And in the file /var/log/catchall I can find:

Debug line with all properties:
FROMHOST: 'lpinsivy.merethis.net', fromhost-ip: '192.168.1.14', HOSTNAME: 'E6400-Laurent', PRI: 132,
syslogtag 'EventCreate', programname: 'EventCreate', APP-NAME: 'EventCreate', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Sep 9 10:15:19', STRUCTURED-DATA: '-',
msg: ' Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test'
escaped msg: ' Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test'
rawmsg: '<132>E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test'

2010/9/8 Rainer Gerhards

> The message is not well-formed, so some properties are probably not
> correctly populated.
>
> That's not the full config, it has no actions ;)
>
> Can you use
>
> *.* /path/to/catchall;RSYSLOG_DebugFormat
>
> And let us know if something arrives there (and if so, what)
>
> This looks like you snipped parts of the log?
>
> Rainer
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

--
Laurent Pinsivy | Software Engineer

Tel. +33 (0)1 49 69 97 12
Mob. +33 (0)6 23 20 81 96
Fax +33 (0)1 78 12 00 28

MERETHIS is the publisher of the Centreon software.

From rgerhards at hq.adiscon.com Thu Sep 9 10:24:30 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 9 Sep 2010 10:24:30 +0200
Subject: [rsyslog] REST output plugin
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD31D@GRFEXC.intern.adiscon.com>

If you know how to do the REST part, integrating this into a plugin is rather
simple. If you provide me working code for that part, I can set up a skeleton
and you just need to tweak the result.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Joe Williams
> Sent: Thursday, September 09, 2010 2:43 AM
> To: rsyslog-users
> Subject: [rsyslog] REST output plugin
>
> Anyone have an idea of how difficult it would be to create an output
> plugin that uses REST to PUT log lines as JSON to a specific URL?
> Probably something equivalent to the following curl command.
>
> curl -X PUT http://host/ -d '{"app-name": "foo", "msg": "bar", "proc-
> id":"baz", "timestamp":"timestamp:::date-rfc3339",
> "hostname":"hostname", "severity":"syslogseverity-text"}'
>
> Thanks.
>
> -Joe
>
> Name: Joseph A. Williams
> Email: joe at joetify.com
> Blog: http://www.joeandmotorboat.com/
> Twitter: http://twitter.com/williamsjoe
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From rgerhards at hq.adiscon.com Thu Sep 9 10:28:18 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 9 Sep 2010 10:28:18 +0200
Subject: [rsyslog] Problem to receive TCP event
References: <9B6E2A8877C38245BFB15CC491A11DA71DD30F@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD31E@GRFEXC.intern.adiscon.com>

May it be that you do the framing wrong? There is no RFC, but industry
standard is to use octet-stuffing, with LF being used as a frame delimiter
(in other words: there must be a \n between syslog messages). I don't see
any other reason why the message does not show up in the catchall log.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy
> Sent: Thursday, September 09, 2010 10:22 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem to receive TCP event
>
> Thank you for your answer.
>
> Complete rsyslog configuration is:
>
> $ModLoad ommysql
> $ModLoad imtcp.so
> $InputTCPServerRun 514
> $ModLoad imudp.so
> $UDPServerRun 514
> $ModLoad immark.so
> $ModLoad imklog.so
> $ModLoad imuxsock.so
>
> *.info;mail.none;authpriv.none;cron.none    /var/log/messages
> authpriv.*                                  /var/log/secure
> mail.*                                      -/var/log/maillog
> cron.*                                      /var/log/cron
> *.emerg                                     *
> uucp,news.crit                              /var/log/spooler
> local7.*                                    /var/log/boot.log
> *.*                                         /var/log/catchall;RSYSLOG_DebugFormat
>
> $EscapeControlCharactersOnReceive off
>
> $template sysMysql,"INSERT INTO logs (host,facility,priority,level,tag,datetime,program,msg) VALUES('%HOSTNAME%','%syslogfacility-text%','%syslogpriority-text%','%syslogseverity%','%syslogtag%','%timereported:::date-mysql%','%programname%','%msg:::space-cc%')", SQL
>
> if $programname == 'snmpd' and $syslogseverity > '4' then ~
> if $syslogseverity == '7' then ~
> *.* >127.0.0.1,syslog,syslogadmin,syslogpass;sysMysql
>
> And the file "/etc/sysconfig/rsyslog" contains:
>
> SYSLOGD_OPTIONS="-c3"
> KLOGD_OPTIONS="-x"
>
> I changed the syslog format to add the date, and wireshark receives:
>
> 251.121928 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2
> 251.122250 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] Seq=1 Ack=1 Win=66780 Len=0
> 251.122502 192.168.1.14 -> 192.168.2.170 RSH <132>Sep 9 10:13:01 E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test
> 251.124991 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [FIN, ACK] Seq=137 Ack=1 Win=66780 Len=0
> 251.125256 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] Seq=138 Ack=2 Win=66780 Len=0
>
> This event doesn't appear in the file /var/log/catchall.
>
> But if I send the same event by UDP, wireshark receives:
>
> 370.297874 192.168.1.14 -> 192.168.2.170 Syslog LOCAL0.WARNING: E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test
>
> And in the file /var/log/catchall I can find:
>
> Debug line with all properties:
> FROMHOST: 'lpinsivy.merethis.net', fromhost-ip: '192.168.1.14', HOSTNAME: 'E6400-Laurent', PRI: 132,
> syslogtag 'EventCreate', programname: 'EventCreate', APP-NAME: 'EventCreate', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Sep 9 10:15:19', STRUCTURED-DATA: '-',
> msg: ' Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test'
> escaped msg: ' Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test'
> rawmsg: '<132>E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test'
>
> --
> Laurent Pinsivy | Software Engineer
>
> Tel. +33 (0)1 49 69 97 12
> Mob. +33 (0)6 23 20 81 96
> Fax +33 (0)1 78 12 00 28
>
> MERETHIS is the publisher of the Centreon software.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From lpinsivy at merethis.com Thu Sep 9 10:50:12 2010
From: lpinsivy at merethis.com (Laurent Pinsivy)
Date: Thu, 9 Sep 2010 10:50:12 +0200
Subject: [rsyslog] Problem to receive TCP event
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD31E@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD30F@GRFEXC.intern.adiscon.com>
	<9B6E2A8877C38245BFB15CC491A11DA71DD31E@GRFEXC.intern.adiscon.com>
Message-ID:

Thank you. A simple "\n" at the end of the message solves the problem.
Debug line with all properties: FROMHOST: 'lpinsivy.merethis.net', fromhost-ip: '192.168.1.14', HOSTNAME: 'E6400-Laurent', PRI: 132, syslogtag 'EventCreate', programname: 'EventCreate', APP-NAME: 'EventCreate', PROCID: '-', MSGID: '-', TIMESTAMP: 'Sep 9 10:12:16', STRUCTURED-DATA: '-', msg: ' Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test' escaped msg: ' Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test' rawmsg: '<132>Sep 9 10:12:16 E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test' 2010/9/9 Rainer Gerhards > May it be that you do the framing wrong? There is no RFC, but industry > standard is to use octet-stuffing, with LF being used as a frame delimiter > (in other words: there must be a \n between syslog messages). I don't see > any > other reason why the message does not show up in the catchall log. > > Rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy > > Sent: Thursday, September 09, 2010 10:22 AM > > To: rsyslog-users > > Subject: Re: [rsyslog] Problem to receive TCP event > > > > Thank you for your answer. 
> > > > Complete rsyslog configuration is: > > > > $ModLoad ommysql > > $ModLoad imtcp.so > > $InputTCPServerRun 514 > > $ModLoad imudp.so > > $UDPServerRun 514 > > $ModLoad immark.so > > $ModLoad imklog.so > > $ModLoad imuxsock.so > > > > *.info;mail.none;authpriv.none;cron.none > > /var/log/messages > > authpriv.* /var/log/secure > > mail.* - > > /var/log/maillog > > cron.* /var/log/cron > > *.emerg * > > uucp,news.crit > > /var/log/spooler > > local7.* > > /var/log/boot.log > > *.* > > /var/log/catchall;RSYSLOG_DebugFormat > > > > $EscapeControlCharactersOnReceive off > > > > $template sysMysql,"INSERT INTO logs (host,facility, > > priority,level,tag,datetime,program,msg) > > VALUES('%HOSTNAME%','%syslogfacility-text%','%syslogpriority- > > text%','%syslogseverity%','%syslogtag%','%timereported:::date- > > mysql%','%programname%', > > '%msg:::space-cc%')", SQL > > > > if $programname == 'snmpd' and $syslogseverity > '4' then ~ > > if $syslogseverity == '7' then ~ > > *.* >127.0.0.1,syslog,syslogadmin,syslogpass;sysMysql > > > > And file "/etc/sysconfig/rsyslog" contain: > > > > SYSLOGD_OPTIONS="-c3" > > KLOGD_OPTIONS="-x" > > > > I change syslog format to add date and wireshark receive: > > > > 251.121928 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [SYN] Seq=0 > > Win=8192 Len=0 MSS=1260 WS=2 > > 251.122250 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] Seq=1 > > Ack=1 > > Win=66780 Len=0 > > 251.122502 192.168.1.14 -> 192.168.2.170 RSH <132>Sep 9 10:13:01 > > E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, > > User: > > E6400-Laurent\Laurent, Description: test > > 251.124991 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [FIN, ACK] > > Seq=137 Ack=1 Win=66780 Len=0 > > 251.125256 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] > > Seq=138 > > Ack=2 Win=66780 Len=0 > > > > This event don't appear in file /var/log/catchall. 
> > > > But if I send the same event by UDP wireshark receive: > > > > 370.297874 192.168.1.14 -> 192.168.2.170 Syslog LOCAL0.WARNING: > > E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7, > > User: > > E6400-Laurent\Laurent, Description: test > > > > And in file /var/log/catchall I can find: > > > > Debug line with all properties: > > FROMHOST: 'lpinsivy.merethis.net', fromhost-ip: '192.168.1.14', > > HOSTNAME: > > 'E6400-Laurent', PRI: 132, > > syslogtag 'EventCreate', programname: 'EventCreate', APP-NAME: > > 'EventCreate', PROCID: '-', MSGID: '-', > > TIMESTAMP: 'Sep 9 10:15:19', STRUCTURED-DATA: '-', > > msg: ' Type: Warning, Category: (0), Event ID: 7, User: > > E6400-Laurent\Laurent, Description: test' > > escaped msg: ' Type: Warning, Category: (0), Event ID: 7, User: > > E6400-Laurent\Laurent, Description: test' > > rawmsg: '<132>E6400-Laurent EventCreate Type: Warning, Category: (0), > > Event > > ID: 7, User: E6400-Laurent\Laurent, Description: test' > > > > > > 2010/9/8 Rainer Gerhards > > > > > > > > > > > > -----Original Message----- > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > > bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy > > > > Sent: Wednesday, September 08, 2010 4:54 PM > > > > To: rsyslog at lists.adiscon.com > > > > Subject: [rsyslog] Problem to receive TCP event > > > > > > > > Hello, > > > > > > > > I try to receive TCP event from windows machine using Centreon-E2S > > > > (which I > > > > developed) on Rsyslog 3.22.1 > > > > > > > > Rsyslog listen on TCP/514 and UDP/514: > > > > > > > > # netstat -ano | grep 514 > > > > tcp 0 0 0.0.0.0:514 0.0.0.0:* > > > > LISTEN off (0.00/0/0) > > > > tcp 0 0 :::514 :::* > > > > LISTEN off (0.00/0/0) > > > > udp 0 0 0.0.0.0:514 0.0.0.0:* > > > > off (0.00/0/0) > > > > udp 0 0 :::514 > > > > :::* off (0.00/0/0) > > > > > > > > If I insert breakpoint in my program, I can see: > > > > > > > > tcp 0 0 192.168.2.170:514 192.168.1.14:62637 > > > > 
ESTABLISHED off (0.00/0/0) > > > > > > > > With wireshark, i can see message of event: > > > > > > > > 108.097297 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [SYN] > > Seq=0 > > > > Win=8192 Len=0 MSS=1260 WS=2 > > > > 108.097655 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] > > Seq=1 > > > > Ack=1 > > > > Win=66780 Len=0 > > > > 108.097790 192.168.1.14 -> 192.168.2.170 RSH <131>E6400-Laurent > > > > EventCreate > > > > Type: Error, Category: (0), Event ID: 7, User: E6400- > > Laurent\Laurent, > > > > Description: test > > > > > > The message is not well-formed, so some properties are probably not > > > correctly > > > populated. > > > > > > > 108.099833 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [FIN, > > ACK] > > > > Seq=119 Ack=1 Win=66780 Len=0 > > > > 108.100104 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] > > > > Seq=120 > > > > Ack=2 Win=66780 Len=0 > > > > > > > > But rsyslog don't insert it into a database or on a file > > > > /var/log/messages > > > > > > > > Rsyslog configuration is: > > > > > > > > $ModLoad imtcp.so > > > > $InputTCPServerRun 514 > > > > $ModLoad imudp.so > > > > $UDPServerRun 514 > > > > > > > > > > That's not the full config, it has no actions ;) > > > > > > Can you use > > > > > > *.* /path/to/catchall;RSYSLOG_DebugFormat > > > > > > And let us know if something arrives there (and if so, what) > > > > > > > UDP/514 messages are working well and are inserted into a database > > and > > > > a > > > > file /var/log/messages: > > > > > > > > 2010-09-08T14:44:20.144648+02:00 E6400-Laurent EventCreate Type: > > Error, > > > > Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, > > Description: > > > > test > > > > > > > > I try to use the rsyslog debug but I don't understand the result: > > > > > > > > 4783.101672000:imtcp.c: -------- calling select, > > active > > > > fds > > > > (max 5): 4 5 > > > > 4793.005236000:imtcp.c: New connect on NSD 0x165e6530. 
> > > > 4793.006433000:imtcp.c: -------- calling select, > > active > > > > fds > > > > (max 16): 4 5 16 > > > > 4793.006450000:imtcp.c: netstream 0x16602f40 with new data > > > > 4793.006463000:imtcp.c: -------- calling select, > > active > > > > fds > > > > (max 16): 4 5 16 > > > > 4793.007708000:imtcp.c: netstream 0x16602f40 with new data > > > > 4793.007748000:imtcp.c: -------- calling select, > > active > > > > fds > > > > (max 5): 4 5 > > > > > > This looks like you snipped parts of the log? > > > > > > Rainer > > > > > > > > > > > The function to send a UDP or TCP message is the same except for the transport. > > I > > > > try to > > > > encode the message using ANSI or ASCII but nothing appears. > > > > > > > > Do you have any solution? > > > > > > > > Best regards, > > > > > > > > Laurent Pinsivy > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > http://www.rsyslog.com > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com > > > > > > > > > > > -- > > Laurent Pinsivy | Software Engineer > > > > Tel. +33 (0)1 49 69 97 12 > > Mob. +33 (0)6 23 20 81 96 > > Fax +33 (0)1 78 12 00 28 > > > > MERETHIS is the publisher of the Centreon software. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > -- Laurent Pinsivy | Software Engineer Tel. +33 (0)1 49 69 97 12 Mob. +33 (0)6 23 20 81 96 Fax +33 (0)1 78 12 00 28 MERETHIS is the publisher of the Centreon software.
From joe at joetify.com Thu Sep 9 20:26:32 2010 From: joe at joetify.com (Joe Williams) Date: Thu, 9 Sep 2010 11:26:32 -0700 Subject: [rsyslog] REST output plugin In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD31D@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DD31D@GRFEXC.intern.adiscon.com> Message-ID: Rainier, Here is some basic code using libcurl for doing what I want: http://gist.github.com/572182 The data variable is json key/value pairs where I would like to put the syslog fields as in my aforementioned example. Let me know if you have any questions. Thanks for the help. -Joe On Sep 9, 2010, at 1:24 AM, Rainer Gerhards wrote: > If you know how to do the REST part, integrating this into a plugin is rather > simple. If you provide me working code for that part, I can setup a skeleton > and you just need to tweak the result. > > Rainer > >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Joe Williams >> Sent: Thursday, September 09, 2010 2:43 AM >> To: rsyslog-users >> Subject: [rsyslog] REST output plugin >> >> >> Anyone have an idea of how difficult it would be to create an output >> plugin that uses REST to PUT log lines as JSON to a specific URL? >> Probably something equivalent to the following curl command. >> >> curl -X PUT http://host/ -d '{"app-name": "foo", "msg": "bar", "proc- >> id":"baz", "timestamp":"timestamp:::date-rfc3339", >> "hostname":"hostname", "severity":"syslogseverity-text"}' >> >> Thanks. >> >> -Joe >> >> >> Name: Joseph A. 
Williams >> Email: joe at joetify.com >> Blog: http://www.joeandmotorboat.com/ >> Twitter: http://twitter.com/williamsjoe >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com Name: Joseph A. Williams Email: joe at joetify.com Blog: http://www.joeandmotorboat.com/ Twitter: http://twitter.com/williamsjoe From rgerhards at hq.adiscon.com Thu Sep 9 21:55:08 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 9 Sep 2010 21:55:08 +0200 Subject: [rsyslog] REST output plugin References: <9B6E2A8877C38245BFB15CC491A11DA71DD31D@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD325@GRFEXC.intern.adiscon.com> Quite honestly, this looks like quite some work for me vs. no work for you. I thought the major part of the work was on the party that gained the benefits ;) Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Joe Williams > Sent: Thursday, September 09, 2010 8:27 PM > To: rsyslog-users > Subject: Re: [rsyslog] REST output plugin > > Rainier, > > Here is some basic code using libcurl for doing what I want: > > http://gist.github.com/572182 > > The data variable is json key/value pairs where I would like to put the > syslog fields as in my aforementioned example. > > Let me know if you have any questions. > > Thanks for the help. > > -Joe > > > > On Sep 9, 2010, at 1:24 AM, Rainer Gerhards wrote: > > > If you know how to do the REST part, integrating this into a plugin > is rather > > simple. If you provide me working code for that part, I can setup a > skeleton > > and you just need to tweak the result. 
> > > > Rainer > > > >> -----Original Message----- > >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> bounces at lists.adiscon.com] On Behalf Of Joe Williams > >> Sent: Thursday, September 09, 2010 2:43 AM > >> To: rsyslog-users > >> Subject: [rsyslog] REST output plugin > >> > >> > >> Anyone have an idea of how difficult it would be to create an output > >> plugin that uses REST to PUT log lines as JSON to a specific URL? > >> Probably something equivalent to the following curl command. > >> > >> curl -X PUT http://host/ -d '{"app-name": "foo", "msg": "bar", > "proc- > >> id":"baz", "timestamp":"timestamp:::date-rfc3339", > >> "hostname":"hostname", "severity":"syslogseverity-text"}' > >> > >> Thanks. > >> > >> -Joe > >> > >> > >> Name: Joseph A. Williams > >> Email: joe at joetify.com > >> Blog: http://www.joeandmotorboat.com/ > >> Twitter: http://twitter.com/williamsjoe > >> > >> _______________________________________________ > >> rsyslog mailing list > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > Name: Joseph A. 
Williams > Email: joe at joetify.com > Blog: http://www.joeandmotorboat.com/ > Twitter: http://twitter.com/williamsjoe > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From rgerhards at hq.adiscon.com Thu Sep 9 22:01:27 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 9 Sep 2010 22:01:27 +0200 Subject: [rsyslog] rsyslog stats - counters References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD311@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD312@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD326@GRFEXC.intern.adiscon.com> I have been able to craft at least a small step forward today: http://git.adiscon.com/?p=rsyslog.git;a=shortlog;h=refs/heads/v5-devel But I have also begun to work on a somewhat better solution, with a pragmatic implementation of a counter registry and stats subsystem. Hopefully I am able to commit some of that tomorrow. It should give queue sizes at least for all queues inside the system and also provide the plumbing to support easy counters. Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards > Sent: Wednesday, September 08, 2010 9:03 PM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog stats - counters > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards > > Sent: Wednesday, September 08, 2010 9:00 PM > > To: rsyslog-users > > Subject: Re: [rsyslog] rsyslog stats - counters > > > > Hi David and Joe, > > > > many thanks for the feedback. 
I have thought a bit about this and I > > think I > > can craft pragmatic - but sufficiently clean - solution today. > > Whishful thinking ;) tomorrow I meant... > > >Maybe we > > can > > try to *evolve* this as a side-activity. I'll target v5-devel and > > above. > > > > Rainer > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of david at lang.hm > > > Sent: Wednesday, September 08, 2010 7:04 PM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] rsyslog stats - counters > > > > > > On Wed, 8 Sep 2010, Rainer Gerhards wrote: > > > > > > > I have thought once again about which counters I could provide > > > without > > > > generating most of the plumbing. Probably the only one I can > > envision > > > is the > > > > number of message objects inside the system (assuming that number > > of > > > queues > > > > itself and such is of really no interest at all), or more > precisely > > > number of > > > > messages generated and number of messages deleted. This does > > roughly > > > reflect > > > > the number of messages processed, but only if no async queues are > > > used (they > > > > require some message duplication). If this is considered useful, > I > > > could look > > > > into that. It probably takes two to three days to get that going > > with > > > some > > > > minimal plumbing for the background writer (done in a clean way). > > > > > > > > I could also output the main queue size, but once again be > reminded > > > that this > > > > reflects only part of the picture (depending on config only a > very > > > small > > > > part...). > > > > > > > > Feedback appreciated. > > > > > > I think that this would be useful to have. As it is, it's hard to > > tell > > > if > > > rsyslog is queuing messages or not, this would give you a tool to > use > > > to > > > tell this. 
> > > > > > David Lang > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From joe at joetify.com Thu Sep 9 22:59:00 2010 From: joe at joetify.com (Joe Williams) Date: Thu, 9 Sep 2010 13:59:00 -0700 Subject: [rsyslog] REST output plugin In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD325@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DD31D@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD325@GRFEXC.intern.adiscon.com> Message-ID: Fair enough. :P To be honest that was the first C I have written in years. If you want to off load some of the work I am happy to take it on with some guidance. -Joe On Sep 9, 2010, at 12:55 PM, Rainer Gerhards wrote: > Quite honestly, this looks like quite some work for me vs. no work for you. I > thought the major part of the work was on the party that gained the benefits > ;) > > Rainer > >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Joe Williams >> Sent: Thursday, September 09, 2010 8:27 PM >> To: rsyslog-users >> Subject: Re: [rsyslog] REST output plugin >> >> Rainier, >> >> Here is some basic code using libcurl for doing what I want: >> >> http://gist.github.com/572182 >> >> The data variable is json key/value pairs where I would like to put the >> syslog fields as in my aforementioned example. >> >> Let me know if you have any questions. >> >> Thanks for the help. 
>> >> -Joe >> >> >> >> On Sep 9, 2010, at 1:24 AM, Rainer Gerhards wrote: >> >>> If you know how to do the REST part, integrating this into a plugin >> is rather >>> simple. If you provide me working code for that part, I can setup a >> skeleton >>> and you just need to tweak the result. >>> >>> Rainer >>> >>>> -----Original Message----- >>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>>> bounces at lists.adiscon.com] On Behalf Of Joe Williams >>>> Sent: Thursday, September 09, 2010 2:43 AM >>>> To: rsyslog-users >>>> Subject: [rsyslog] REST output plugin >>>> >>>> >>>> Anyone have an idea of how difficult it would be to create an output >>>> plugin that uses REST to PUT log lines as JSON to a specific URL? >>>> Probably something equivalent to the following curl command. >>>> >>>> curl -X PUT http://host/ -d '{"app-name": "foo", "msg": "bar", >> "proc- >>>> id":"baz", "timestamp":"timestamp:::date-rfc3339", >>>> "hostname":"hostname", "severity":"syslogseverity-text"}' >>>> >>>> Thanks. >>>> >>>> -Joe >>>> >>>> >>>> Name: Joseph A. Williams >>>> Email: joe at joetify.com >>>> Blog: http://www.joeandmotorboat.com/ >>>> Twitter: http://twitter.com/williamsjoe >>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >> >> Name: Joseph A. Williams >> Email: joe at joetify.com >> Blog: http://www.joeandmotorboat.com/ >> Twitter: http://twitter.com/williamsjoe >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com Name: Joseph A. 
Williams Email: joe at joetify.com Blog: http://www.joeandmotorboat.com/ Twitter: http://twitter.com/williamsjoe
From linuxmail at 4lin.net Mon Sep 13 15:34:36 2010 From: linuxmail at 4lin.net (Denny Schierz) Date: Mon, 13 Sep 2010 15:34:36 +0200 Subject: [rsyslog] IP address range in one logfile Message-ID: <1284384876.7951.56.camel@denny-tk.rbg.informatik.tu-darmstadt.de> hi, I'm new to rsyslog and I want to log all incoming logs from 192.168.1.1 till 192.168.1.135 to one logfile. I found something interesting on the webpage: http://www.rsyslog.com/doc/multi_ruleset.html

$InputTCPServerRun 10514
# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~

But it seems that I need a regex to do the work, which is slower ..., but if so, what does this example look like? cu denny
From rgerhards at hq.adiscon.com Mon Sep 13 15:57:12 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Mon, 13 Sep 2010 15:57:12 +0200 Subject: [rsyslog] rsyslog stats - counters References: <002801cb4ed2$d35caef7$100013ac@intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD2F5@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD2F6@GRFEXC.intern.adiscon.com> <5F7A27F0-B32C-41A7-B7B8-55FD236B1F98@joetify.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD34F@GRFEXC.intern.adiscon.com> Hi Joe and David, thanks for your persistence. I have just committed a new version that supports a "statistics subsystem": http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=e86cb62f1299ef18732f7b3b87d45a840ee38f1e It is not a big system, but contains a counter registry and the necessary plumbing to define simple counters. So far, I have implemented a counter for the number of messages received by imuxsock, and for the current queue size, max queue size ever and how often the queue was full.
Of course, these are demo counters and others can (and will) be added. They all fall into the "easy to obtain" category, done with atomic instructions where available. Counters are always present, but are maintained only when impstats is loaded. So the performance toll should be minimal when not in use. I still plan to add a configure option to turn off stats altogether (for very high-end environments). I hope to have this as an official release soon. Feedback on the current status is appreciated. Thanks, Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Joe Williams > Sent: Wednesday, September 08, 2010 5:25 PM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog stats - counters > > > On Sep 7, 2010, at 11:12 PM, Rainer Gerhards wrote: > > > I have thought once again about which counters I could provide > without > > generating most of the plumbing. Probably the only one I can envision > is the > > number of message objects inside the system (assuming that number of > queues > > itself and such is of really no interest at all), or more precisely > number of > > messages generated and number of messages deleted. This does roughly > reflect > > the number of messages processed, but only if no async queues are > used (they > > require some message duplication). If this is considered useful, I > could look > > into that. It probably takes two to three days to get that going with > some > > minimal plumbing for the background writer (done in a clean way). > > > > I could also output the main queue size, but once again be reminded > that this > > reflects only part of the picture (depending on config only a very > small > > part...). > > > > Feedback appreciated. > > > Thanks Rainier, > > I'm of the opinion that any introspection is better than none and this > is a move in the right direction. > > -Joe > > > Name: Joseph A.
Williams > Email: joe at joetify.com > Blog: http://www.joeandmotorboat.com/ > Twitter: http://twitter.com/williamsjoe > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com
From linuxmail at 4lin.net Mon Sep 13 16:40:02 2010 From: linuxmail at 4lin.net (Denny Schierz) Date: Mon, 13 Sep 2010 16:40:02 +0200 Subject: [rsyslog] suppress double entries Message-ID: <1284388802.7951.60.camel@denny-tk.rbg.informatik.tu-darmstadt.de> hi, is it possible to suppress/discard flooding log entries? We get many entries from ssh through cron:

2010-09-13T16:36:26+02:00 server01 sshd[28289]: [ID 800047 auth.info] Accepted publickey for root from 192.168.1.5 port 53182 ssh2
2010-09-13T16:36:27+02:00 server01 sshd[28306]: [ID 800047 auth.info] Accepted publickey for root from 192.168.1.5 port 53183 ssh2
2010-09-13T16:36:28+02:00 server01 sshd[28319]: [ID 800047 auth.info] Accepted publickey for root from 192.168.1.5 port 53186 ssh2
[...]

we use rsyslog 4.7.2 on Solaris cu denny
From sivan at omniqueue.com Mon Sep 13 16:45:09 2010 From: sivan at omniqueue.com (Sivan Greenberg) Date: Mon, 13 Sep 2010 16:45:09 +0200 Subject: [rsyslog] suppress double entries In-Reply-To: <1284388802.7951.60.camel@denny-tk.rbg.informatik.tu-darmstadt.de> References: <1284388802.7951.60.camel@denny-tk.rbg.informatik.tu-darmstadt.de> Message-ID: I would say you'd need to set up a filter with the non-variable part of the msg and discard it; there is support for automatically discarding duplicated messages, but this is not the case here, as the 'port' changes. BR, -Sivan On Mon, Sep 13, 2010 at 4:40 PM, Denny Schierz wrote: > hi, > > is it possible to suppress/discard flooding log entries?
We get many > entries from ssh through cron: > > 2010-09-13T16:36:26+02:00 server01 sshd[28289]: [ID 800047 auth.info] > Accepted publickey for root from 192.168.1.5 port 53182 ssh2 > 2010-09-13T16:36:27+02:00 server01 sshd[28306]: [ID 800047 auth.info] > Accepted publickey for root from 192.168.1.5 port 53183 ssh2 > 2010-09-13T16:36:28+02:00 server01 sshd[28319]: [ID 800047 auth.info] > Accepted publickey for root from 192.168.1.5 port 53186 ssh2 > [...] > > we use rsyslog 4.7.2 on Solaris > > cu denny > > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com >
From marcin at mejor.pl Mon Sep 13 16:44:36 2010 From: marcin at mejor.pl (Marcin Mirosław) Date: Mon, 13 Sep 2010 16:44:36 +0200 Subject: [rsyslog] suppress double entries In-Reply-To: <1284388802.7951.60.camel@denny-tk.rbg.informatik.tu-darmstadt.de> References: <1284388802.7951.60.camel@denny-tk.rbg.informatik.tu-darmstadt.de> Message-ID: <4C8E38D4.9060709@mejor.pl> On 13.09.2010 16:40, Denny Schierz wrote: > hi, > > is it possible to suppress/discard flooding log entries? We get many > entries from ssh through cron: > > 2010-09-13T16:36:26+02:00 server01 sshd[28289]: [ID 800047 auth.info] > Accepted publickey for root from 192.168.1.5 port 53182 ssh2 > 2010-09-13T16:36:27+02:00 server01 sshd[28306]: [ID 800047 auth.info] > Accepted publickey for root from 192.168.1.5 port 53183 ssh2 > 2010-09-13T16:36:28+02:00 server01 sshd[28319]: [ID 800047 auth.info] > Accepted publickey for root from 192.168.1.5 port 53186 ssh2 > [...]
> > we use rsyslog 4.7.2 on Solaris Hello, maybe this will be helpful: http://www.rsyslog.com/doc/rsconf1_repeatedmsgreduction.html Regards -- xmpp (jabber): marcin [at] mejor.pl
From linuxmail at 4lin.net Tue Sep 14 08:57:37 2010 From: linuxmail at 4lin.net (Denny Schierz) Date: Tue, 14 Sep 2010 08:57:37 +0200 Subject: [rsyslog] suppress double entries In-Reply-To: <4C8E38D4.9060709@mejor.pl> References: <1284388802.7951.60.camel@denny-tk.rbg.informatik.tu-darmstadt.de> <4C8E38D4.9060709@mejor.pl> Message-ID: <1284447457.7951.96.camel@denny-tk.rbg.informatik.tu-darmstadt.de> hi, On Monday, 13.09.2010, 16:44 +0200, Marcin Mirosław wrote: > Hello, maybe this will be helpful: > http://www.rsyslog.com/doc/rsconf1_repeatedmsgreduction.html it works, but not for ssh, because of the changing ports ... but this option has a bug under Solaris 10 in version 4.7.2: enabling this function lets rsyslog create directories for messages itself:

/var/log/remote/0/
/var/log/remote/last/
/var/log/remote/ a67\>Sep\ 13\ 17\:20\:38\ slapd\[6967\]\:\ \[Islapd \[6967\]\:/
/var/log/remote/n/
/var/log/r\'?/
...

Writing a bug report. cu denny
From H.G.K.vanLingen at uu.nl Tue Sep 14 14:28:38 2010 From: H.G.K.vanLingen at uu.nl (Henk van Lingen) Date: Tue, 14 Sep 2010 14:28:38 +0200 Subject: [rsyslog] Dropping non UTF8 messages Message-ID: <20100914122838.GA30581@uu.nl> Hi, Is it possible to drop messages in rsyslog containing non-UTF8 characters? I have the problem that I'm writing messages to a PostgreSQL database with UTF8 encoding, and because of

#$ActionResumeRetryCount -1 # infinite retries if host is down

this results in blocking all processing when the database rejects the input. I looked into things such as the 'property replacer', but can't find a clue.
Regards, -- Henk van Lingen, ICT-SC Netwerk & Telefonie, (o- -+ Universiteit Utrecht, Jenalaan 18a, room 0.12 /\ | phone: +31-30-2538453 v_/_ | http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/ From ktm at rice.edu Tue Sep 14 14:43:12 2010 From: ktm at rice.edu (Kenneth Marshall) Date: Tue, 14 Sep 2010 07:43:12 -0500 Subject: [rsyslog] Dropping non UTF8 messages In-Reply-To: <20100914122838.GA30581@uu.nl> References: <20100914122838.GA30581@uu.nl> Message-ID: <20100914124312.GF27825@aart.is.rice.edu> Hi Henk, I have not looked at the rsyslog side of this problem. We ended up using SQL_ASCII encoding instead. You could trap also the error from the problem insert and discard it with a trigger on INSERT. Regards, Ken On Tue, Sep 14, 2010 at 02:28:38PM +0200, Henk van Lingen wrote: > > Hi, > > Is it possible to drop messages in rsyslog containing non UTF8 > characters? > > I've the problem that I'm writing messages to a PostgreSQL database > with UTF8 encoding, and because off > > #$ActionResumeRetryCount -1 # infinite retries if host is down > > this results in blocking all processing when the database rejects > the input. > > I looked into thinks as the 'property replacer', but can find a clue. > > Regards, > -- > Henk van Lingen, ICT-SC Netwerk & Telefonie, (o- -+ > Universiteit Utrecht, Jenalaan 18a, room 0.12 /\ | > phone: +31-30-2538453 v_/_ | > http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From nicolas.even at aznetwork.eu Tue Sep 14 15:49:45 2010 From: nicolas.even at aznetwork.eu (Nicolas Even) Date: Tue, 14 Sep 2010 15:49:45 +0200 (CEST) Subject: [rsyslog] how to define global and host specific filters ? Message-ID: <5380344.1221284472186091.JavaMail.VOYAGER$@VOYAGER> Hello, I plan to use rsyslog in order to manage logs from multiple sites/machines. 
I would like to define global filters (e.g. I have an error that I want to ignore on all hosts) and host-specific filters (e.g. a specific host generates an error that isn't relevant but could be on another host). In fact, I want to create a conf file per machine, apply global filters first and then apply specific filters. That way, I do not have to edit all conf files when I want to filter an error on all hosts. The rsyslog documentation (syslog_ng vs rsyslog) indicates that the "reusable filters" feature is not supported. But I do not want to believe that :) Is there a way to define such global filters and apply them in multiple conf files? Any suggestions? Regards, Nicolas.
From rgerhards at hq.adiscon.com Tue Sep 14 16:09:56 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 14 Sep 2010 16:09:56 +0200 Subject: [rsyslog] how to define global and host specific filters ? References: <5380344.1221284472186091.JavaMail.VOYAGER$@VOYAGER> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD36C@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Nicolas Even > Sent: Tuesday, September 14, 2010 3:50 PM > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] how to define global and host specific filters ? > > Hello, > > I plan to use rsyslog in order to manage logs from multiple > sites/machines. > I would like to define global filters (e.g. I have an error that I > want to ignore on all hosts) and host-specific filters (e.g. a > specific host generates an error that isn't relevant but could be on > another host). > In fact, I want to create a conf file per machine, apply global filters > first and then apply specific filters. > That way, I do not have to edit all conf files when I want to filter > an error on all hosts. > > The rsyslog documentation (syslog_ng vs rsyslog) indicates that the "reusable > filters" feature is not supported.
> But I do not want to believe that :) > Is there a way to define such global filters and apply them in > multiple conf files? > ^ Well, the question is if you really mean only the filter part or filter plus action. I assume the latter. In that case, you can simply place these global actions into a file and $includeconfig this file wherever needed. Does this help? Rainer > Any suggestions? > > Regards, > Nicolas. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com
From nicolas.even at aznetwork.eu Tue Sep 14 17:35:11 2010 From: nicolas.even at aznetwork.eu (Nicolas Even) Date: Tue, 14 Sep 2010 17:35:11 +0200 (CEST) Subject: [rsyslog] how to define global and host specific filters ? In-Reply-To: <11706997.1421284478328397.JavaMail.VOYAGER$@VOYAGER> Message-ID: <3612733.1441284478511808.JavaMail.VOYAGER$@VOYAGER> Thanks for your help. I really mean the filter part. Indeed, I would like to have this kind of output on my filesystem:

/var/log/syslog//_error.log
/var/log/syslog//_warn.log
/var/log/syslog//_mail.log
/var/log/syslog//_other.log

Note: I will send _error.log content by mail. I need to discard some error logs at the global level (for all hosts) and I also need to filter error logs at the host level. From my point of view, an action can be done only after processing global and specific filters. Maybe your suggestion is good, but I do not see how to achieve my plan in that way. Regards, Nicolas Even.
----- Original Mail ----- From: "Rainer Gerhards" To: "Nicolas Even" , "rsyslog-users" Sent: Tuesday 14 September 2010 16:09:56 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna Subject: RE: [rsyslog] how to define global and host specific filters ?
> -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Nicolas Even > Sent: Tuesday, September 14, 2010 3:50 PM > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] how to define global and host specific filters ? > > Hello, > > I plan to use rsyslog in order to manage logs from multiple > sites/machines. > I would like to define global filters (e. g. I have an error that I > want to ignore on all hosts ) and host specific filters (e. g. A > specific host generate an error that isn't relevant but could be on > another host). > In fact, I want to create a conf file by machine, apply global filters > first and then apply specific filters. > In that way, I do nat have to edit all conf files when I want to filter > an error on all hosts. > > Rsyslog documentation (syslog_ng vs rsyslog) indicates that "reusable > filters" feature is not supported . > But I do not want to believe that :) > Is there a way to define such global filters and apply them into > multiple conf files ? > ^ Well, the question is if you really mean only the filter part or filter plus action. I assume the later. In that case, you can simply place these global actions into a file and $includeconfig this file whereever needed. Does this help? Rainer > Have any suggestion ? > > Regards, > Nicolas. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From david at lang.hm Wed Sep 15 00:28:07 2010 From: david at lang.hm (david at lang.hm) Date: Tue, 14 Sep 2010 15:28:07 -0700 (PDT) Subject: [rsyslog] Dropping non UTF8 messages In-Reply-To: <20100914122838.GA30581@uu.nl> References: <20100914122838.GA30581@uu.nl> Message-ID: On Tue, 14 Sep 2010, Henk van Lingen wrote: > Hi, > > Is it possible to drop messages in rsyslog containing non UTF8 > characters? 
you could, but since rsyslog escapes such characters by default, I'm surprised that you're running into a problem. Are you sure you don't have extra quotes showing up somewhere? David Lang > I've the problem that I'm writing messages to a PostgreSQL database > with UTF8 encoding, and because off > > #$ActionResumeRetryCount -1 # infinite retries if host is down > > this results in blocking all processing when the database rejects > the input. > > I looked into thinks as the 'property replacer', but can find a clue. > > Regards, > From david at lang.hm Wed Sep 15 00:40:36 2010 From: david at lang.hm (david at lang.hm) Date: Tue, 14 Sep 2010 15:40:36 -0700 (PDT) Subject: [rsyslog] how to define global and host specific filters ? In-Reply-To: <3612733.1441284478511808.JavaMail.VOYAGER$@VOYAGER> References: <3612733.1441284478511808.JavaMail.VOYAGER$@VOYAGER> Message-ID: On Tue, 14 Sep 2010, Nicolas Even wrote: > Thanks for your help. > > I really mean the filter part. > Indeed, I would like to have this kind of output on my filesystem: > > > /var/log/syslog//_error.log > /var/log/syslog//_warn.log > /var/log/syslog// _mail.log > /var/log/syslog//_other.log Ok, to put things into different files by hostname/etc you need to look at the Dynafiles option > Note: I will send _error.log content by mail. > > I need to discard some error logs at global level (for all hosts) and I also need to filter error logs at host level. > From my point of view, an action can be done only after processing global and specific filters. you can have any number of rules, with any criteria you want. > Maybe your suggestion is good, but I do not see how to achieve my plan in that way. I see two approaches, and it's hard to know which is better for you. approach #1 have a lot of rules that do things like if (host is X and severity is Y and message contains Z) ~ followed by *.* Dynafile (where your Dynafile template has hostname and severity as part of the filename) approach #2 1. 
have some global rules to filter out global stuff 2. split the logs into separate queues, each with their own ruleset based on hostname (or network, or whatever criteria makes sense to you) 3. in each of the new rulesets, define rules specific to that ruleset. approach #1 is more straightforward to set up (although still not trivial), but since every line must be evaluated by every rule, there is a lot of work to do here. approach #2 is significantly more work to set up, and is using features that have just been added to rsyslog in the last few months, so it's possible that you will find bugs, and there is not that much in the way of documentation or examples yet. If you go this way you should seriously consider hiring Adiscon to help you configure this. The advantage is that it will be much faster if you have a lot of logs and rules to deal with. David Lang > Regards, > Nicolas Even. > > > ----- Original Message ----- > From: "Rainer Gerhards" > To: "Nicolas Even" , "rsyslog-users" > Sent: Tuesday 14 September 2010 16:09:56 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna > Subject: RE: [rsyslog] how to define global and host specific filters ? > >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Nicolas Even >> Sent: Tuesday, September 14, 2010 3:50 PM >> To: rsyslog at lists.adiscon.com >> Subject: [rsyslog] how to define global and host specific filters ? >> >> Hello, >> >> I plan to use rsyslog in order to manage logs from multiple >> sites/machines. >> I would like to define global filters (e. g. I have an error that I >> want to ignore on all hosts ) and host specific filters (e. g. A >> specific host generates an error that isn't relevant but could be on >> another host). >> In fact, I want to create a conf file by machine, apply global filters >> first and then apply specific filters. 
>> In that way, I do not have to edit all conf files when I want to filter >> an error on all hosts. >> >> Rsyslog documentation (syslog_ng vs rsyslog) indicates that "reusable >> filters" feature is not supported . >> But I do not want to believe that :) >> Is there a way to define such global filters and apply them into >> multiple conf files ? >> ^ > > Well, the question is if you really mean only the filter part or filter plus > action. I assume the latter. In that case, you can simply place these global > actions into a file and $includeconfig this file wherever needed. > > Does this help? > > Rainer >> Have any suggestion ? >> >> Regards, >> Nicolas. >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From nicolas.even at aznetwork.eu Wed Sep 15 09:20:28 2010 From: nicolas.even at aznetwork.eu (Nicolas Even) Date: Wed, 15 Sep 2010 09:20:28 +0200 (CEST) Subject: [rsyslog] how to define global and host specific filters ? In-Reply-To: <26837728.2191284535086581.JavaMail.VOYAGER$@VOYAGER> Message-ID: <25367914.2211284535228572.JavaMail.VOYAGER$@VOYAGER> Thank you so much for this clarification. I think I will use the first approach. I will consider the second one in case of performance problems. Let's install! ----- Original Message ----- From: david at lang.hm To: "Nicolas Even" , "rsyslog-users" Cc: "Rainer Gerhards" Sent: Wednesday 15 September 2010 00:40:36 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna Subject: Re: [rsyslog] how to define global and host specific filters ? On Tue, 14 Sep 2010, Nicolas Even wrote: > Thanks for your help. > > I really mean the filter part. 
> Indeed, I would like to have this kind of output on my filesystem: > > > /var/log/syslog//_error.log > /var/log/syslog//_warn.log > /var/log/syslog// _mail.log > /var/log/syslog//_other.log Ok, to put things into different files by hostname/etc you need to look at the Dynafiles option > Note: I will send _error.log content by mail. > > I need to discard some error logs at global level (for all hosts) and I also need to filter error logs at host level. > From my point of view, an action can be done only after processing global and specific filters. you can have any number of rules, with any criteria you want. > Maybe your suggestion is good, but I do not see how to achieve my plan in that way. I see two approaches, and it's hard to know which is better for you. approach #1 have a lot of rules that do things like if (host is X and severity is Y and message contains Z) ~ followed by *.* Dynafile (where your Dynafile template has hostname and severity as part of the filename) approach #2 1. have some global rules to filter out global stuff 2. split the logs into separate queues, each with their own ruleset based on hostname (or network, or whatever criteria makes sense to you) 3. in each of the new rulesets, define rules specific to that ruleset. approach #1 is more straightforward to set up (although still not trivial), but since every line must be evaluated by every rule, there is a lot of work to do here. approach #2 is significantly more work to set up, and is using features that have just been added to rsyslog in the last few months, so it's possible that you will find bugs, and there is not that much in the way of documentation or examples yet. If you go this way you should seriously consider hiring Adiscon to help you configure this. The advantage is that it will be much faster if you have a lot of logs and rules to deal with. David Lang > Regards, > Nicolas Even. 
> > > ----- Original Message ----- > From: "Rainer Gerhards" > To: "Nicolas Even" , "rsyslog-users" > Sent: Tuesday 14 September 2010 16:09:56 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna > Subject: RE: [rsyslog] how to define global and host specific filters ? > >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Nicolas Even >> Sent: Tuesday, September 14, 2010 3:50 PM >> To: rsyslog at lists.adiscon.com >> Subject: [rsyslog] how to define global and host specific filters ? >> >> Hello, >> >> I plan to use rsyslog in order to manage logs from multiple >> sites/machines. >> I would like to define global filters (e. g. I have an error that I >> want to ignore on all hosts ) and host specific filters (e. g. A >> specific host generates an error that isn't relevant but could be on >> another host). >> In fact, I want to create a conf file by machine, apply global filters >> first and then apply specific filters. >> In that way, I do not have to edit all conf files when I want to filter >> an error on all hosts. >> >> Rsyslog documentation (syslog_ng vs rsyslog) indicates that "reusable >> filters" feature is not supported . >> But I do not want to believe that :) >> Is there a way to define such global filters and apply them into >> multiple conf files ? >> ^ > > Well, the question is if you really mean only the filter part or filter plus > action. I assume the latter. In that case, you can simply place these global > actions into a file and $includeconfig this file wherever needed. > > Does this help? > > Rainer >> Have any suggestion ? >> >> Regards, >> Nicolas. 
>> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From jjk.saji at gmail.com Wed Sep 15 14:48:11 2010 From: jjk.saji at gmail.com (Joseph John) Date: Wed, 15 Sep 2010 16:48:11 +0400 Subject: [rsyslog] Hardware specs for rsyslog server Message-ID: Hi, I am new to the list and to rsyslog. I have installed rsyslog + loganalyser for testing and it worked well. I was able to get the logs from the Linux clients. Good documentation helped me. Now I am planning to have a rsyslog server which can take log files from (a) up to 10 Linux machines (b) 5 Windows machines (c) 20 network devices Is there any calculator for us to calculate the server specs in terms of storage space and memory? We will be using this server only for keeping the logs. -- Thanks Joseph John http://www.oss101.com/ From epiphani at gmail.com Wed Sep 15 14:51:42 2010 From: epiphani at gmail.com (Aaron Wiebe) Date: Wed, 15 Sep 2010 08:51:42 -0400 Subject: [rsyslog] Hardware specs for rsyslog server In-Reply-To: References: Message-ID: How busy are those machines? Are they application logs or system logs? Do you have a rough idea of messages generated per second? Without context we can't make any recommendations. My first guess based on this is you do not require anything too powerful. -Aaron On Wed, Sep 15, 2010 at 8:48 AM, Joseph John wrote: > Hi > I am new to the list and to rsyslog, I have installed rsyslog + > loganalyser for testing and it worked well. I was able to get the logs > from the Linux clients. Good documentation helped me. 
> > Now I am planning to have a rsyslog server which can take log files from > (a) up to 10 Linux machines > (b) 5 Windows machines > (c) 20 network devices > > Is there any calculator for us to calculate the server specs in terms > of storage space and memory? We will be using this server only for > keeping the logs. > > > -- > Thanks > Joseph John > http://www.oss101.com/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From jjk.saji at gmail.com Wed Sep 15 15:19:02 2010 From: jjk.saji at gmail.com (Joseph John) Date: Wed, 15 Sep 2010 17:19:02 +0400 Subject: [rsyslog] Hardware specs for rsyslog server In-Reply-To: References: Message-ID: Thanks Aaron. What I plan to do is that I will set up the rsyslog server with VMware. I will study how it goes for a few months; in this way I will come to know more about the clients. Based on this study I will make my rsyslog server. On Wed, Sep 15, 2010 at 4:51 PM, Aaron Wiebe wrote: > How busy are those machines? Are they application logs or system > logs? Do you have a rough idea of messages generated per second? > > Without context we can't make any recommendations. My first guess > based on this is you do not require anything too powerful. > > -Aaron > > On Wed, Sep 15, 2010 at 8:48 AM, Joseph John wrote: >> Hi >> I am new to the list and to rsyslog, I have installed rsyslog + >> loganalyser for testing and it worked well. I was able to get the logs >> from the Linux clients. Good documentation helped me. >> >> Now I am planning to have a rsyslog server which can take log files from >> (a) up to 10 Linux machines >> (b) 5 Windows machines >> (c) 20 network devices >> >> Is there any calculator for us to calculate the server specs in terms >> of storage space and memory? We will be using this server only for >> keeping the logs. 
>> >> >> -- >> Thanks >> Joseph John >> http://www.oss101.com/ >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > -- Thanks Joseph John http://www.oss101.com/ From sivan at omniqueue.com Wed Sep 15 18:18:33 2010 From: sivan at omniqueue.com (Sivan Greenberg) Date: Wed, 15 Sep 2010 18:18:33 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. Message-ID: Hi List, I am wondering if there's a possibility to execute a shell command based on a msg received in rsyslog. If so, is there an option to execute the command with the content of the msg or with parts of it for that matter? Relating to availability, I'm also keen to know what happens when: - It tries to start when there's no network interface available to bind to? - If the hostname on which rsyslog is reporting from/to changes between reboots but not necessarily? - What happens if text log files consume entire free space on the machine where rsyslog runs? Also, I'm interested to know if in subsecond resolution there can occur a false duplicate msg reduction? Or if it can occur on any other grounds? Does RSYSLOG_ForwardFormat solve this? And last, but not least :) Can I send rsyslog'd debugging or error/warning logs to somewhere different like /tmp/rsyslog.log for easy troubleshooting if /var/log becomes inaccessible for any reason? Many thanks, -Sivan From david at lang.hm Wed Sep 15 19:53:45 2010 From: david at lang.hm (david at lang.hm) Date: Wed, 15 Sep 2010 10:53:45 -0700 (PDT) Subject: [rsyslog] Reliability questions about rsyslog and capabilities. 
In-Reply-To: References: Message-ID: On Wed, 15 Sep 2010, Sivan Greenberg wrote: > Hi List, > > I am wondering if there's a possibility to execute a shell command > based on a msg received in rsyslog. If so, is there an option to > execute the command with the content of the msg or with parts of it > for that matter? > > Relating to availability, I'm also keen to know what happens when: > > - It tries to start when there's no network interface available to bind to? by default, rsyslog will bind to IPANY, not to a particular IP address, if you leave it like this rsyslog will start and then when the network comes up the traffic will get to rsyslog. > - If the hostname on which rsyslog is reporting from/to changes > between reboots but not necessarily? I don't think rsyslog will care > - What happens if text log files consume entire free space on the > machine where rsyslog runs? rsyslog will stop writing to disk, receiving messages into its memory queue (by default) until it hits the configured limit, then it will stop accepting new messages (which will mean dropping UDP messages or stalling TCP messages) > Also, I'm interested to know if in subsecond resolution there can > occur a false duplicate msg reduction? Or if it can occur on any > other grounds? Does RSYSLOG_ForwardFormat solve this? duplicate message suppression is an optional feature, it just looks at the message itself, not at the timestamp > And last, but not least :) Can I send rsyslog'd debugging or > error/warning logs to somewhere different like /tmp/rsyslog.log for > easy troubleshooting if /var/log becomes inaccessible for any reason? 
you can configure rsyslog to write messages wherever you want to (system permissions permitting) David Lang > Many thanks, > > -Sivan > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From sivan at omniqueue.com Thu Sep 16 09:19:09 2010 From: sivan at omniqueue.com (Sivan Greenberg) Date: Thu, 16 Sep 2010 09:19:09 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. In-Reply-To: References: Message-ID: On Wed, Sep 15, 2010 at 7:53 PM, wrote: >> And last, but not least :) Can I send rsyslog'd debugging or >> error/warning logs to somewhere different like /tmp/rsyslog.log for >> easy troubleshooting if /var/log becomes inaccessible for any reason? > > you can configure rsyslog to write messages wherever you want to (system > permissions permitting) Okay, but how do I separate rsyslog's *own* messages alone to a different place? Using property filters? Thanks, -Sivan From rgerhards at hq.adiscon.com Thu Sep 16 10:35:22 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 16 Sep 2010 10:35:22 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg > Sent: Thursday, September 16, 2010 9:19 AM > To: rsyslog-users > Subject: Re: [rsyslog] Reliability questions about rsyslog and > capabilities. > > On Wed, Sep 15, 2010 at 7:53 PM, wrote: > >> And last, but not least :) Can I send rsyslog'd debugging or > >> error/warning logs to somewhere different like /tmp/rsyslog.log for > >> easy troubleshooting if /var/log becomes inaccessible for any > reason? 
> > > > you can configure rsyslog to write messages wherever you want to > (system > > permissions permitting) > > Okay, but how do I separate rsyslog's *own* messages alone to a > different place? Using property filters? They are just regular filters. I think (almost?) all are syslog.info (syslog.* to be sure). So you can process them like any other message, e.g.

syslog.* /var/log/rsyslogd
syslog.* @@host.example.net

Rainer From sivan at omniqueue.com Thu Sep 16 13:59:51 2010 From: sivan at omniqueue.com (Sivan Greenberg) Date: Thu, 16 Sep 2010 13:59:51 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> Message-ID: Thanks for the reply Rainer! So the syslog.* facility caters for ONLY the error and warning messages that can come out of rsyslog itself and no other source? The aim here is to create a place to have only the error or other messages pertaining to rsyslog's operation only. Still on the capabilities side, is there an option to add a string or so to a produced msg line through formatting or property manipulation? (instead of replacing a hostname property for example for that). -Sivan On Thu, Sep 16, 2010 at 10:35 AM, Rainer Gerhards wrote: >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg >> Sent: Thursday, September 16, 2010 9:19 AM >> To: rsyslog-users >> Subject: Re: [rsyslog] Reliability questions about rsyslog and >> capabilities. >> >> On Wed, Sep 15, 2010 at 7:53 PM, wrote: >> >> And last, but not least :) Can I send rsyslog'd debugging or >> >> error/warning logs to somewhere different like /tmp/rsyslog.log for >> >> easy troubleshooting if /var/log becomes inaccessible for any >> reason? 
>> > >> > you can configure rsyslog to write messages wherever you want to >> (system >> > permissions permitting) >> >> Okay, but how do I separate rsyslog's *own* messages alone to a >> different place? Using property filters? > > They are just regular filters. I think (almost?) all are syslog.info > (syslog.* to be sure). So you can process them like any other message, e.g. > > syslog.* /var/log/rsyslogd > syslog.* @@host.example.net > > Rainer > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From rgerhards at hq.adiscon.com Thu Sep 16 14:03:08 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 16 Sep 2010 14:03:08 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg > Sent: Thursday, September 16, 2010 2:00 PM > To: rsyslog-users > Subject: Re: [rsyslog] Reliability questions about rsyslog and > capabilities. > > Thanks for the reply Rainer! > > So the syslog.* facility caters for ONLY the error and warning > messages that can come out of rsyslog itself and no other source? The > aim here is to create a place to have only the error or other messages > pertaining to rsyslog's operation only. Well, it depends... If you receive messages from an external source, they can have syslog.* as well (e.g. the startup message from a remote rsyslogd). Also, a local app may use the same settings. So you will probably need to apply more filters / additional rulesets to enforce this restriction. 
> > Still on the capabilities side, is there an option to add a string or > so to a produced msg line through formatting or property manipulation? > (instead of replacing a hostname property for example for that). > Not sure what you mean. A template string "%hostname%-bla" adds the string "-bla" right after the value of hostname... Rainer > -Sivan > > On Thu, Sep 16, 2010 at 10:35 AM, Rainer Gerhards > wrote: > >> -----Original Message----- > >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg > >> Sent: Thursday, September 16, 2010 9:19 AM > >> To: rsyslog-users > >> Subject: Re: [rsyslog] Reliability questions about rsyslog and > >> capabilities. > >> > >> On Wed, Sep 15, 2010 at 7:53 PM, wrote: > >> >> And last, but not least :) Can I send rsyslog'd debugging or > >> >> error/warning logs to somewhere different like /tmp/rsyslog.log > for > >> >> easy troubleshooting if /var/log becomes inaccessible for any > >> reason? > >> > > >> > you can configure rsyslog to write messages wherever you want to > >> (system > >> > permissions permitting) > >> > >> Okay, but how do I separate rsyslog's *own* messages alone to a > >> different place? Using property filters? > > > > They are just regular filters. I think (almost?) all are syslog.info > > (syslog.* to be sure). So you can process them like any other > message, e.g. 
> > > > syslog.* /var/log/rsyslogd > > syslog.* @@host.example.net > > > > Rainer > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From sivan at omniqueue.com Thu Sep 16 18:38:29 2010 From: sivan at omniqueue.com (Sivan Greenberg) Date: Thu, 16 Sep 2010 18:38:29 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> Message-ID: On Thu, Sep 16, 2010 at 2:03 PM, Rainer Gerhards wrote: > > Not sure what you mean. A template string "%hostname%-bla" adds the string > "-bla" right after the value of hostname... Yes, this is along what I need, however, I would like to reuse the RSYSLOG_ForwardFormat template in something like that, or as you show in your webcast "Message: msg" together with the precise forward format. How can this be done? Is there a way to concatenate templates or use one's value inside another? -Sivan From rgerhards at hq.adiscon.com Thu Sep 16 18:41:58 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 16 Sep 2010 18:41:58 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. 
References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg > Sent: Thursday, September 16, 2010 6:38 PM > To: rsyslog-users > Subject: Re: [rsyslog] Reliability questions about rsyslog and > capabilities. > > On Thu, Sep 16, 2010 at 2:03 PM, Rainer Gerhards > wrote: > > > > Not sure what you mean. A template string "%hostname%-bla" adds the > string > > "-bla" right after the value of hostname... > > Yes, this is along what I need, however, I would like to reuse the > RSYSLOG_ForwardFormat template in something like that, or as you show > in your webcast "Message: msg" together with the precise forward > format. > > How can this be done? Is there a way to concatenate templates or use > one's value inside another? Actually no, but usually there is no need to do so. The forward format is based on standards, so it is extremely unlikely to change. So you can simply copy it into your template. Rainer From sivan at omniqueue.com Thu Sep 16 18:49:10 2010 From: sivan at omniqueue.com (Sivan Greenberg) Date: Thu, 16 Sep 2010 18:49:10 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> Message-ID: What is the spec for the forward format then? Btw, when using a template on an action the hostname is dropped and the reported host is 127.0.0.1. Is this right? Thanks! 
-Sivan On Thu, Sep 16, 2010 at 6:41 PM, Rainer Gerhards wrote: >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg >> Sent: Thursday, September 16, 2010 6:38 PM >> To: rsyslog-users >> Subject: Re: [rsyslog] Reliability questions about rsyslog and >> capabilities. >> >> On Thu, Sep 16, 2010 at 2:03 PM, Rainer Gerhards >> wrote: >> > >> > Not sure what you mean. A template string "%hostname%-bla" adds the >> string >> > "-bla" right after the value of hostname... >> >> Yes, this is along what I need, however, I would like to reuse the >> RSYSLOG_ForwardFormat template in something like that, or as you show >> in your webcast "Message: msg" together with the precise forward >> format. >> >> How can this be done? Is there a way to concatenate templates or use >> one's value inside another? > > Actually no, but usually there is no need to do so. The forward format is > based on standards, so it is extremely unlikely to change. So you can simply > copy it into your template. > > Rainer > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From rgerhards at hq.adiscon.com Thu Sep 16 19:07:41 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 16 Sep 2010 19:07:41 +0200 Subject: [rsyslog] Reliability questions about rsyslog and capabilities. 
References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD394@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg > Sent: Thursday, September 16, 2010 6:49 PM > To: rsyslog-users > Subject: Re: [rsyslog] Reliability questions about rsyslog and > capabilities. > > What is the spec for the forward format then? At the bottom of this page: http://www.rsyslog.com/doc/rsyslog_conf_templates.html > Btw, when using a > template on an action the hostname is dropped and the reported host is > 127.0.0.1. Is this right? That depends on a number of factors, including the template itself as well as the message format from the source. Rainer > > Thanks! > > -Sivan > > On Thu, Sep 16, 2010 at 6:41 PM, Rainer Gerhards > wrote: > >> -----Original Message----- > >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> bounces at lists.adiscon.com] On Behalf Of Sivan Greenberg > >> Sent: Thursday, September 16, 2010 6:38 PM > >> To: rsyslog-users > >> Subject: Re: [rsyslog] Reliability questions about rsyslog and > >> capabilities. > >> > >> On Thu, Sep 16, 2010 at 2:03 PM, Rainer Gerhards > >> wrote: > >> > > >> > Not sure what you mean. A template string "%hostname%-bla" adds > the > >> string > >> > "-bla" right after the value of hostname... > >> > >> Yes, this is along what I need, however, I would like to reuse the > >> RSYSLOG_ForwardFormat template in something like that, or as you > show > >> in your webcast "Message: msg" together with the precise forward > >> format. > >> > >> How can this be done? Is there a way to concatenate templates or use > >> one's value inside another? > > > > Actually no, but usually there is no need to do so. 
The forward > format is > based on standards, so it is extremely unlikely to change. So you can > simply > copy it into your template. > > Rainer > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From tbergfeld at hq.adiscon.com Fri Sep 17 16:20:53 2010 From: tbergfeld at hq.adiscon.com (Tom Bergfeld) Date: Fri, 17 Sep 2010 16:20:53 +0200 Subject: [rsyslog] rsyslog 5.7.0 (v5-devel) released Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD39C@GRFEXC.intern.adiscon.com> Hi all, We have just released rsyslog 5.7.0, the new v5-devel. This is a feature-enhancement release. It now supports a module to periodically output statistics about rsyslog's internal processing (like queue sizes). Also, support for the systemd effort has been added. You can find a first guide on how to use that module here. ChangeLog: http://www.rsyslog.com/changelog-for-5-7-0-v5-devel/ Download: http://www.rsyslog.com/rsyslog-5-7-0-v5-devel/ As always, feedback is appreciated. Best regards, Tom Bergfeld -- Support ======= Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html . 
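The configuration points raised in the two threads above (Rainer's suggestion to keep global filters in a file pulled in with $IncludeConfig, David's dynafile approach for per-host files, Rainer's syslog.* rule for rsyslogd's own messages plus his caveat that remote senders and local applications can use that facility too, and his advice to copy the RSYSLOG_ForwardFormat string into a custom template because templates cannot reference each other) fit together in one legacy-syntax rsyslog.conf excerpt. This is an added example, not configuration posted by anyone in the thread or shipped by the rsyslog project. The file paths, the loghost name, the hostname web01 and the message text in the filters are assumed; the forward-format string is the one the rsyslog templates documentation gives for RSYSLOG_ForwardFormat, and the 127.0.0.1 sender address for local messages is what Bernard's RSYSLOG_DebugFormat output further down shows.

```rsyslog
# /etc/rsyslog.conf (excerpt, legacy directive syntax as used in the threads)
# Rules are evaluated top to bottom. A discard action ('~') ends processing of
# that message, so a discard in the global file is never seen by a per-host rule.

# --- 1. Global filters shared by every host (path assumed) -----------------
# Example contents of /etc/rsyslog.d/00-global-filters.conf:
#   :msg, contains, "harmless error seen on every host" ~
$IncludeConfig /etc/rsyslog.d/00-global-filters.conf

# --- 2. Host-specific filters, one file per machine (path assumed) ---------
# Example contents of /etc/rsyslog.d/hosts/web01.conf:
#   if $hostname == 'web01' and $msg contains 'only noise on web01' then ~
$IncludeConfig /etc/rsyslog.d/hosts/*.conf

# --- 3. rsyslogd's own status messages --------------------------------------
# syslog.* alone also matches a remote rsyslogd's startup message or a local
# program that logs with facility syslog, so pin the rule to the local daemon
# by sender address and program name. '&' repeats the previous filter for a
# second action (loghost name assumed).
if $syslogfacility-text == 'syslog' and $fromhost-ip == '127.0.0.1' and $programname == 'rsyslogd' then /var/log/rsyslogd
& @@loghost.example.net

# --- 4. Custom forwarding template built on the documented forward format ---
# One template cannot be referenced from another, so the RSYSLOG_ForwardFormat
# string is copied verbatim and a "Message:" label is inserted before the text.
# sp-if-no-1st-sp keeps exactly one space between the label and the message.
$template FwdWithLabel,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32% Message:%msg:::sp-if-no-1st-sp%%msg%"
*.* @@loghost.example.net;FwdWithLabel

# --- 5. Everything that survived the filters: one file per host and severity
$template PerHostSev,"/var/log/syslog/%HOSTNAME%/%syslogseverity-text%.log"
*.* ?PerHostSev
```

Order is the whole point: the global include sits before the per-host includes so a globally discarded message costs every later rule nothing, and the per-host files carry only rules guarded by $hostname, so adding a host means adding one file rather than editing every existing one.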
From bernard.fay at gmail.com Fri Sep 17 20:32:45 2010 From: bernard.fay at gmail.com (Bernard Fay) Date: Fri, 17 Sep 2010 14:32:45 -0400 Subject: [rsyslog] Problem with Linux logger command and expression-based filter? Message-ID: Hi, Is it possible rsyslog expression-based filter cannot parse output from the Linux command logger? I try to log events with /bin/logger to rsyslog, for example: "logger -p local3.info -t tag1 -- string to log". In rsyslog.conf, if I use for example "local3.* /var/log/tag1.log" it works fine. When I try to use expression-based filter it does not work. I would like to use expression similar to the following: if $syslogfacility-test == 'local3' and $programname == 'tag1' then /var/log/tag1.log At first, I thought $programname could be my problem then I tried with the following without success: if $syslogfacility-test == 'local3' then /var/log/tag1.log if $syslogfacility == 3 then /var/log/tag1.log Does someone have a trick to use /bin/logger with expression-based filter? Thanks, Bernard From rgerhards at hq.adiscon.com Fri Sep 17 21:01:38 2010 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Fri, 17 Sep 2010 21:01:38 +0200 Subject: [rsyslog] Problem with Linux logger command and expression-based filter? References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD39D@GRFEXC.intern.adiscon.com> I have no concrete idea, but we should look at what the properties actually are. Add *.* /var/log/all.log;RSYSLOG_DebugFormat to your conf. It will tell you this. Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Bernard Fay > Sent: Friday, September 17, 2010 8:33 PM > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] Problem with Linux logger command and expression- > based filter? > > Hi, > > Is it possible rsyslog expression-based filter cannot parse output from > the > Linux command logger? 
> > I try to log events with /bin/logger to rsyslog, for example: "logger > -p > local3.info -t tag1 -- string to log". > > In rsyslog.conf, if I use for example "local3.* /var/log/tag1.log" > it > works fine. > When I try to use expression-based filter it does not work. I would > like to > use expression similar to the following: > > if $syslogfacility-test == 'local3' and $programname == 'tag1' then > /var/log/tag1.log > > At first, I thought $programname could be my problem then I tried with > the > following without success: > if $syslogfacility-test == 'local3' then /var/log/tag1.log > if $syslogfacility == 3 then /var/log/tag1.log > > > Does someone has a trick to /bin/logger with expression-based filter? > > Thanks, > Bernard > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From bernard.fay at gmail.com Fri Sep 17 21:16:05 2010 From: bernard.fay at gmail.com (Bernard Fay) Date: Fri, 17 Sep 2010 15:16:05 -0400 Subject: [rsyslog] Problem with Linux logger command and expression-basedfilter? In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD39D@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DD39D@GRFEXC.intern.adiscon.com> Message-ID: Thanks Rainer for your help. 
Here is what I got while using *.* /var/log/all.log;RSYSLOG_DebugFormat

I ran: logger -p local2.info -t taggit -- some information to log

I try to filter in rsyslog.conf with:

if $syslogfacility-test == 'local2' and $programname == 'taggit' then /var/log/test_logger

In /var/log/all.log I got:

Debug line with all properties:
FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Sep 17 15:09:02', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="3.22.1" x-pid="9374" x-info="http://www.rsyslog.com"] (re)start'
escaped msg: ' [origin software="rsyslogd" swVersion="3.22.1" x-pid="9374" x-info="http://www.rsyslog.com"] (re)start'
rawmsg: ' [origin software="rsyslogd" swVersion="3.22.1" x-pid="9374" x-info="http://www.rsyslog.com"] (re)start'

Debug line with all properties:
FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 43,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Sep 17 15:09:02', STRUCTURED-DATA: '-',
msg: 'WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3 as the first rsyslogd option.'
escaped msg: 'WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3 as the first rsyslogd option.'
rawmsg: 'WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3 as the first rsyslogd option.'

Debug line with all properties:
FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 43,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Sep 17 15:09:02', STRUCTURED-DATA: '-',
msg: 'Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock'
escaped msg: 'Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock'
rawmsg: 'Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock'

Debug line with all properties:
FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 150,
syslogtag 'taggit:', programname: 'taggit', APP-NAME: 'taggit', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Sep 17 15:09:09', STRUCTURED-DATA: '-',
msg: ' some information to log'
escaped msg: ' some information to log'
rawmsg: '<150>Sep 17 15:09:09 taggit: some information to log'

If something is useful from this let me know. In the meantime I will try to understand it.

Thanks again,
Bernard

From rgerhards at hq.adiscon.com Fri Sep 17 21:19:41 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 17 Sep 2010 21:19:41 +0200
Subject: [rsyslog] Problem with Linux logger command and expression-based filter?
Message-ID: <005501cb569d$447593f8$100013ac@intern.adiscon.com>

I just noticed one thing: do you really have -test instead of -text?
From bernard.fay at gmail.com Fri Sep 17 21:26:55 2010
From: bernard.fay at gmail.com (Bernard Fay)
Date: Fri, 17 Sep 2010 15:26:55 -0400
Subject: [rsyslog] Problem with Linux logger command and expression-based filter?
In-Reply-To: <005501cb569d$447593f8$100013ac@intern.adiscon.com>
References: <005501cb569d$447593f8$100013ac@intern.adiscon.com>
Message-ID:

Ouchhhh..... red face, hands sweating,.... I feel so shy now!!!

It now works.

Thanks a lot Rainer

On Fri, Sep 17, 2010 at 3:19 PM, Rainer Gerhards wrote:
> I just noticed one thing: do you really have -test instead of -text?
From rgerhards at hq.adiscon.com Fri Sep 17 21:30:26 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 17 Sep 2010 21:30:26 +0200
Subject: [rsyslog] Problem with Linux logger command and expression-based filter?
Message-ID: <005601cb569e$c5681346$100013ac@intern.adiscon.com>

No problem, I overlooked it initially as well ;)

Rainer

From bernard.fay at gmail.com Fri Sep 17 22:49:28 2010
From: bernard.fay at gmail.com (Bernard Fay)
Date: Fri, 17 Sep 2010 16:49:28 -0400
Subject: [rsyslog] Apache and /bin/logger
Message-ID:

Hi,

According to the Apache documentation, we should be able to pipe the logs to a program. By default Apache sends its logs without using a syslog environment. I have spent some time looking for a solution by using something like CustomLog "|/bin/logger ..." but it is not working. Does someone know why? It could have been so simple.

My goal is to have Apache logs locally on my web server and also on a central rsyslog server. Could the imfile module do the trick? I have to investigate this possibility.

Thanks,
Bernard

From sean at conman.org Sat Sep 18 02:59:49 2010
From: sean at conman.org (Sean Conner)
Date: Fri, 17 Sep 2010 20:59:49 -0400
Subject: [rsyslog] Apache and /bin/logger
In-Reply-To:
References:
Message-ID: <20100918005949.GA29725@brevard.conman.org>

It was thus said that the Great Bernard Fay once stated:
> Hi,
>
> According to the Apache documentation, we should be able to pipe the logs to a program.
> By default Apache sends its logs without using a syslog environment. I have spent some time looking for a solution by using something like CustomLog "|/bin/logger ..." but it is not working. Does someone know why? It could have been so simple.
>
> My goal is to have Apache logs locally on my web server and also on a central rsyslog server. Could the imfile module do the trick? I have to investigate this possibility.

Here's a setup that works for me:

Listen 192.168.1.10:80
NameVirtualHost 192.168.1.10:80

Listen [fc00::1:a]:80
NameVirtualHost [fc00::1:a]:80

ServerName playground.roswell.area51
ServerAdmin root at localhost
DocumentRoot /home/spc/web/playground/htdocs
ErrorLog syslog:daemon
LogLevel warn
CustomLog "|/usr/bin/logger -t httpd -p local3.notice" combined

Options All
AllowOverride None

This sends both regular access logs plus the error logs to syslogd. Then in the configuration for rsyslogd, do the forwarding to another host.

-spc

From sivan at omniqueue.com Sun Sep 19 16:37:57 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Sun, 19 Sep 2010 16:37:57 +0200
Subject: [rsyslog] Reliability questions about rsyslog and capabilities.
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD394@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD394@GRFEXC.intern.adiscon.com>
Message-ID:

On Thu, Sep 16, 2010 at 7:07 PM, Rainer Gerhards wrote:
> That depends on a number of factors, including the template itself as well as the message format from the source.

Right, so I managed to successfully combine the formats and achieve what I wanted! Thanks :)

And on to another related reliability issue:

When a log file that is part of an action is accidentally erased, messages never re-appear in it.
Is there a way to treat it as a forward target, e.g. have it recreated with all the messages that failed writing to that file when the file is re-created? Come to think of it, is there a way to have rsyslog recreate the file after it has been deleted? This is not much of a problem on the client machine, but if it is on the master final endpoint server machine for the logs, losing the file entries without the ability to recreate them essentially means complete message loss. So a way to get them out of the disk queue must exist! :-)

What's the right way to handle this?

Your replies have been much appreciated and very helpful so far, Thanks!

-Sivan

From sivan at omniqueue.com Sun Sep 19 16:55:51 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Sun, 19 Sep 2010 16:55:51 +0200
Subject: [rsyslog] Reliability questions about rsyslog and capabilities.
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD394@GRFEXC.intern.adiscon.com>
Message-ID:

One last thing: I see that syslog supports piping output to another program, can this be done using rsyslog as well? For example, to pipe specific filtered messages to a user-created program and execute shell commands based on it?

Gazillion thanks,
-Sivan

From aoz.syn at gmail.com Sun Sep 19 19:48:19 2010
From: aoz.syn at gmail.com (RB)
Date: Sun, 19 Sep 2010 11:48:19 -0600
Subject: [rsyslog] Reliability questions about rsyslog and capabilities.
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA71DD38A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD38E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD392@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD394@GRFEXC.intern.adiscon.com>
Message-ID:

On Sun, Sep 19, 2010 at 08:37, Sivan Greenberg wrote:
> And on to another related reliability issue:
>
> When a log file that is part of an action is accidentally erased, messages never re-appear in it. Is there a way to treat it as a forward target, e.g. have it recreated with all the messages that failed writing to that file when the file is re-created? Come to think of it, is there a way to have rsyslog recreate the file after it has been deleted?

This really isn't a reliability "issue", rather it has to do with basic filesystem design. Without going too deeply into filesystem philosophy, what you're really asking for is to write your logs to WORM storage and not a traditional filesystem. The log file is rsyslog's only record of the messages, and for it to somehow re-create them it would have to be saving a second copy "elsewhere".
All that to say, this isn't really a problem for rsyslog to solve, but one for the operating system (wherein the truncation or deletion is occurring). Some BSDs have the ability to set given files to append-only status, which suffices for most purposes.

> This is not much of a problem on the client machine, but if it is on the master final endpoint server machine for the logs, losing the file entries without the ability to recreate them essentially means complete message loss. So a way to get them out of the disk queue must exist! :-)

As noted, it already exists and has been used - they were written out of the disk queue and into the file. To do otherwise is to store multiple copies. What if the malicious/accidental user wiped all copies, the disk queue, and killed rsyslog? Nothing you can do, frankly. Something every auditor eventually learns is that it's never about perfect systems, only sufficient ones.

RB

From Anthony.Caetano at Sanlam.co.za Mon Sep 20 13:38:32 2010
From: Anthony.Caetano at Sanlam.co.za (Anthony.Caetano at Sanlam.co.za)
Date: Mon, 20 Sep 2010 13:38:32 +0200
Subject: [rsyslog] mark facility not being used for mark messages (3.22)
Message-ID:

Hi

I used rsyslog 2.0.6 (with RHEL/CentOS) and upgraded some time ago to rsyslog 3.22.1. I had a problem on 2.0.6 that mark messages were written with facility and priority "kern.info" and therefore a selector line such as:

mark.* /var/log/marklog

never takes effect, and the mark messages appear in my kernel and messages log. I was hoping that the upgrades might resolve this, but I see they don't.

Is there a particular reason for the immark module to log mark messages as kern.info rather than mark.info?

Note: I can work around this with filters and such, and I am investigating doing this, but I find it strange that mark is not used in an explicit mark message...

Regards
-ant
From bernard.fay at gmail.com Mon Sep 20 15:00:39 2010
From: bernard.fay at gmail.com (Bernard Fay)
Date: Mon, 20 Sep 2010 09:00:39 -0400
Subject: [rsyslog] Apache and /bin/logger
In-Reply-To: <20100918005949.GA29725@brevard.conman.org>
References: <20100918005949.GA29725@brevard.conman.org>
Message-ID:

That's exactly what I do and it does not work. I tried this on CentOS and Debian without success.

Does someone have a trick to debug this?

Thanks,
Bernard

On Fri, Sep 17, 2010 at 8:59 PM, Sean Conner wrote:
> It was thus said that the Great Bernard Fay once stated:
> > Hi,
> >
> > According to the Apache documentation, we should be able to pipe the logs to
> > a program. By default Apache sends its logs without using a syslog
> > environment. I have spent some time looking for a solution by using
> > something like CustomLog "|/bin/logger ..." but it is not working. Does
> > someone know why? It could have been so simple.
> >
> > My goal is to have Apache logs locally on my web server and also to a
> > central rsyslog server. Could the imfile module do the trick? I
> > have to investigate this possibility.
>
> Here's a setup that works for me:
>
>     Listen 192.168.1.10:80
>     NameVirtualHost 192.168.1.10:80
>
>     Listen [fc00::1:a]:80
>     NameVirtualHost [fc00::1:a]:80
>
>         ServerName playground.roswell.area51
>         ServerAdmin root at localhost
>         DocumentRoot /home/spc/web/playground/htdocs
>         ErrorLog syslog:daemon
>         LogLevel warn
>         CustomLog "|/usr/bin/logger -t httpd -p local3.notice" combined
>
>             Options All
>             AllowOverride None
>
> This sends both regular access logs plus the error logs to syslogd. Then
> in the configuration for rsyslogd, do the forwarding to another host.
>
> -spc
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From nicolas.even at aznetwork.eu Mon Sep 20 15:02:19 2010
From: nicolas.even at aznetwork.eu (Nicolas Even)
Date: Mon, 20 Sep 2010 15:02:19 +0200 (CEST)
Subject: [rsyslog] Several Actions associated to a single filter : Mail + File
In-Reply-To: <21550497.3311284987599485.JavaMail.VOYAGER$@VOYAGER>
Message-ID: <19163880.3351284987735175.JavaMail.VOYAGER$@VOYAGER>

Hello,

I would like to have several actions associated to one filter.
When an error is detected, I want to notify someone by mail but I also want to keep that log in a special file.

I succeeded to write the log in a file, then I succeeded to send the log via ommail module.
But I want to do both actions.

I tried it without success.

    if $fromhost-ip == '192.168.254.29' \
       and not ( \
           $msg contains 'discard' \
           or $msg contains 'discard2' \
       )\
    then :ommail:;MailBody
    -?ErrorLogFile

I saw interesting things here : http://download.rsyslog.com/rainerscript2_rsyslog.conf
But I did not succeed to have the wanted behaviour.

Can someone help?
regards,
Nicolas Even

From rgerhards at hq.adiscon.com Mon Sep 20 15:04:06 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 20 Sep 2010 15:04:06 +0200
Subject: [rsyslog] Several Actions associated to a single filter : Mail +File
References: <19163880.3351284987735175.JavaMail.VOYAGER$@VOYAGER>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD3AF@GRFEXC.intern.adiscon.com>

This should work:

    if $fromhost-ip == '192.168.254.29' \
       and not ( \
           $msg contains 'discard' \
           or $msg contains 'discard2' \
       )\
    then :ommail:;MailBody
    & ?ErrorLogFile

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Nicolas Even
> Sent: Monday, September 20, 2010 3:02 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Several Actions associated to a single filter : Mail +File
>
> Hello,
>
> I would like to have several actions associated to one filter.
> When an error is detected, I want to notify someone by mail but I also
> want to keep that log in a special file.
>
> I succeeded to write the log in a file, then I succeeded to send the log
> via ommail module.
> But I want to do both actions.
>
> I tried it without success.
>
>     if $fromhost-ip == '192.168.254.29' \
>        and not ( \
>            $msg contains 'discard' \
>            or $msg contains 'discard2' \
>        )\
>     then :ommail:;MailBody
>     -?ErrorLogFile
>
> I saw interesting things here :
> http://download.rsyslog.com/rainerscript2_rsyslog.conf
> But I did not succeed to have the wanted behaviour.
>
> Can someone help?
>
> regards,
> Nicolas Even

From Anthony.Caetano at Sanlam.co.za Mon Sep 20 15:09:47 2010
From: Anthony.Caetano at Sanlam.co.za (Anthony.Caetano at Sanlam.co.za)
Date: Mon, 20 Sep 2010 15:09:47 +0200
Subject: [rsyslog] mark facility not being used for mark messages (3.22)
In-Reply-To:
References:
Message-ID:

Anthony.Caetano at Sanlam.co.za wrote on 09/20/2010 01:38:32 PM:
> mark messages were written with facility and
> priority "kern.info" and therefore a selector line such as:

Looking at the code in ./plugins/immark/immark.c I see:

    logmsgInternal(NO_ERRCODE, LOG_INFO, (uchar*)"-- MARK --", MARK);

Shouldn't this be:

    logmsgInternal(NO_ERRCODE, LOG_MARK|LOG_INFO, (uchar*)"-- MARK --", MARK);

I haven't done enough to verify if this is correct, but other uses of logmsgInternal() in ./tools/syslogd.c OR it with LOG_SYSLOG and those messages are logged with the "syslog" facility.

Regards
-ant

ps. I checked the 3.22.2 and the 6.1.0 version of code and this line is the same in both

From nicolas.even at aznetwork.eu Mon Sep 20 15:19:24 2010
From: nicolas.even at aznetwork.eu (Nicolas Even)
Date: Mon, 20 Sep 2010 15:19:24 +0200 (CEST)
Subject: [rsyslog] Several Actions associated to a single filter : Mail +File
In-Reply-To: <4247997.3371284988683031.JavaMail.VOYAGER$@VOYAGER>
Message-ID: <21746111.3721284988758744.JavaMail.VOYAGER$@VOYAGER>

It does! Thank you a lot!
Regards,
Nicolas Even

----- Original Mail -----
From: "Rainer Gerhards"
To: "Nicolas Even", "rsyslog-users"
Sent: Monday 20 September 2010 15:04:06 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [rsyslog] Several Actions associated to a single filter : Mail +File

This should work:

    if $fromhost-ip == '192.168.254.29' \
       and not ( \
           $msg contains 'discard' \
           or $msg contains 'discard2' \
       )\
    then :ommail:;MailBody
    & ?ErrorLogFile

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Nicolas Even
> Sent: Monday, September 20, 2010 3:02 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Several Actions associated to a single filter : Mail +File
>
> Hello,
>
> I would like to have several actions associated to one filter.
> When an error is detected, I want to notify someone by mail but I also
> want to keep that log in a special file.
>
> I succeeded to write the log in a file, then I succeeded to send the log
> via ommail module.
> But I want to do both actions.
>
> I tried it without success.
>
>     if $fromhost-ip == '192.168.254.29' \
>        and not ( \
>            $msg contains 'discard' \
>            or $msg contains 'discard2' \
>        )\
>     then :ommail:;MailBody
>     -?ErrorLogFile
>
> I saw interesting things here :
> http://download.rsyslog.com/rainerscript2_rsyslog.conf
> But I did not succeed to have the wanted behaviour.
>
> Can someone help?
>
> regards,
> Nicolas Even

From bernard.fay at gmail.com Mon Sep 20 17:39:40 2010
From: bernard.fay at gmail.com (Bernard Fay)
Date: Mon, 20 Sep 2010 11:39:40 -0400
Subject: [rsyslog] Unable to log somewhere else than /var/log/
Message-ID:

I tried to setup the following in /etc/rsyslog.conf:

    local5.* /var/log/httpd/test_logger

To help debug I also have this:

    *.* /var/log/all.log;RSYSLOG_DebugFormat

When I restart rsyslog, I can see this in my debug log:

    Debug line with all properties:
    FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 43,
    syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
    TIMESTAMP: 'Sep 20 11:21:26', STRUCTURED-DATA: '-',
    msg: '/var/log/httpd/test_logger'
    escaped msg: '/var/log/httpd/test_logger'
    rawmsg: '/var/log/httpd/test_logger'

I tried to log something in '/var/log/httpd/test_logger' with

    logger -p local5.debug -- test to log in httpd/test_logger

but the content appears in /var/log/messages, not in '/var/log/httpd/test_logger'.

If I try to write in a directory other than /var/log/ it does not work.

Does someone have a clue on this?

Thanks
Bernard

From joe at joetify.com Mon Sep 20 19:02:10 2010
From: joe at joetify.com (Joe Williams)
Date: Mon, 20 Sep 2010 10:02:10 -0700
Subject: [rsyslog] REST output plugin
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA71DD31D@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD325@GRFEXC.intern.adiscon.com>
Message-ID: <25FE6B31-55B5-448B-B68C-85FFDBA95ABF@joetify.com>

Rainer,

I'm sure you have been busy with other stuff (stats subsystem, etc) but have you had a chance to look into this?

Thanks.
-Joe

On Sep 9, 2010, at 1:59 PM, Joe Williams wrote:
> Fair enough. :P
>
> To be honest that was the first C I have written in years. If you want to off load some of the work I am happy to take it on with some guidance.
>
> -Joe
>
> On Sep 9, 2010, at 12:55 PM, Rainer Gerhards wrote:
>> Quite honestly, this looks like quite some work for me vs. no work for you. I
>> thought the major part of the work was on the party that gained the benefits
>> ;)
>>
>> Rainer
>>
>>> -----Original Message-----
>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Joe Williams
>>> Sent: Thursday, September 09, 2010 8:27 PM
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] REST output plugin
>>>
>>> Rainer,
>>>
>>> Here is some basic code using libcurl for doing what I want:
>>>
>>> http://gist.github.com/572182
>>>
>>> The data variable is json key/value pairs where I would like to put the
>>> syslog fields as in my aforementioned example.
>>>
>>> Let me know if you have any questions.
>>>
>>> Thanks for the help.
>>>
>>> -Joe
>>>
>>> On Sep 9, 2010, at 1:24 AM, Rainer Gerhards wrote:
>>>> If you know how to do the REST part, integrating this into a plugin is rather
>>>> simple. If you provide me working code for that part, I can setup a skeleton
>>>> and you just need to tweak the result.
>>>>
>>>> Rainer
>>>>
>>>>> -----Original Message-----
>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Joe Williams
>>>>> Sent: Thursday, September 09, 2010 2:43 AM
>>>>> To: rsyslog-users
>>>>> Subject: [rsyslog] REST output plugin
>>>>>
>>>>> Anyone have an idea of how difficult it would be to create an output
>>>>> plugin that uses REST to PUT log lines as JSON to a specific URL?
>>>>> Probably something equivalent to the following curl command.
>>>>>
>>>>>     curl -X PUT http://host/ -d '{"app-name": "foo", "msg": "bar", "proc-id":"baz", "timestamp":"timestamp:::date-rfc3339", "hostname":"hostname", "severity":"syslogseverity-text"}'
>>>>>
>>>>> Thanks.
>>>>>
>>>>> -Joe

Name: Joseph A. Williams
Email: joe at joetify.com
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe

From joe at joetify.com Mon Sep 20 19:50:09 2010
From: joe at joetify.com (Joe Williams)
Date: Mon, 20 Sep 2010 10:50:09 -0700
Subject: [rsyslog] rsyslog versions
Message-ID:

Is there any documentation of what the "big" differences between the stable versions (v3, v4, v5) of rsyslog are?
I would like to upgrade from v3 but am unsure what advantages (dynamic message length, etc) the later versions have.

-Joe

From david at lang.hm Mon Sep 20 20:19:05 2010
From: david at lang.hm (david at lang.hm)
Date: Mon, 20 Sep 2010 11:19:05 -0700 (PDT)
Subject: [rsyslog] Unable to log somewhere else than /var/log/
In-Reply-To:
References:
Message-ID:

my guess is that it's a permission problem. nothing in rsyslog would prevent this.

David Lang

On Mon, 20 Sep 2010, Bernard Fay wrote:
> Date: Mon, 20 Sep 2010 11:39:40 -0400
> From: Bernard Fay
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: [rsyslog] Unable to log somewhere else than /var/log/
>
> I tried to setup the following in /etc/rsyslog.conf:
>
>     local5.* /var/log/httpd/test_logger
>
> To help debug I also have this:
>
>     *.* /var/log/all.log;RSYSLOG_DebugFormat
>
> When I restart rsyslog, I can see this in my debug log:
>
>     Debug line with all properties:
>     FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 43,
>     syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
>     TIMESTAMP: 'Sep 20 11:21:26', STRUCTURED-DATA: '-',
>     msg: '/var/log/httpd/test_logger'
>     escaped msg: '/var/log/httpd/test_logger'
>     rawmsg: '/var/log/httpd/test_logger'
>
> I tried to log something in '/var/log/httpd/test_logger' with
>
>     logger -p local5.debug -- test to log in httpd/test_logger
>
> but the content appears in /var/log/messages, not
> in '/var/log/httpd/test_logger'.
>
> If I try to write in a directory other than /var/log/ it does not work.
>
> Does someone have a clue on this?
>
> Thanks
> Bernard

From bernard.fay at gmail.com Mon Sep 20 20:28:13 2010
From: bernard.fay at gmail.com (Bernard Fay)
Date: Mon, 20 Sep 2010 14:28:13 -0400
Subject: [rsyslog] Unable to log somewhere else than /var/log/
In-Reply-To:
References:
Message-ID:

To do something else, I stopped rsyslog for a few minutes. When I restarted it, it was ok. Murphy's law... I don't know! :(

On Mon, Sep 20, 2010 at 2:19 PM, wrote:
> my guess is that it's a permission problem. nothing in rsyslog would
> prevent this.
>
> David Lang
>
> On Mon, 20 Sep 2010, Bernard Fay wrote:
>> Date: Mon, 20 Sep 2010 11:39:40 -0400
>> From: Bernard Fay
>> Reply-To: rsyslog-users
>> To: rsyslog-users
>> Subject: [rsyslog] Unable to log somewhere else than /var/log/
>>
>> I tried to setup the following in /etc/rsyslog.conf:
>>
>>     local5.* /var/log/httpd/test_logger
>>
>> To help debug I also have this:
>>
>>     *.* /var/log/all.log;RSYSLOG_DebugFormat
>>
>> When I restart rsyslog, I can see this in my debug log:
>>
>>     Debug line with all properties:
>>     FROMHOST: 'QLPRX51P', fromhost-ip: '127.0.0.1', HOSTNAME: 'QLPRX51P', PRI: 43,
>>     syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
>>     TIMESTAMP: 'Sep 20 11:21:26', STRUCTURED-DATA: '-',
>>     msg: '/var/log/httpd/test_logger'
>>     escaped msg: '/var/log/httpd/test_logger'
>>     rawmsg: '/var/log/httpd/test_logger'
>>
>> I tried to log something in '/var/log/httpd/test_logger' with
>>
>>     logger -p local5.debug -- test to log in httpd/test_logger
>>
>> but the content appears in /var/log/messages, not
>> in '/var/log/httpd/test_logger'.
>>
>> If I try to write in a directory other than /var/log/ it does not work.
>>
>> Does someone have a clue on this?
>>
>> Thanks
>> Bernard

From joe at joetify.com Mon Sep 20 21:06:43 2010
From: joe at joetify.com (Joe Williams)
Date: Mon, 20 Sep 2010 12:06:43 -0700
Subject: [rsyslog] Common Performance Gotchas
Message-ID:

Are there commonly used tuning options for rsyslog, networking stack and kernel? I have found a bit of information (links below) and have made a few changes but I am curious if there are any low hanging fruit to increase my message rate. To that end what are "normal" message rates for the various versions of rsyslog? I know a lot of this is subjective depending on various factors unique to each system but I am curious of commonly hit performance issues that can be tuned around.

Thanks.
-Joe

http://mperedim.wordpress.com/2010/01/21/rsyslog-evaluation/
http://www.rsyslog.com/doc/queues.html
http://www.rsyslog.com/doc/rsyslog_high_database_rate.html
http://www.gossamer-threads.com/lists/rsyslog/users/4029

From david at lang.hm Mon Sep 20 22:44:14 2010
From: david at lang.hm (david at lang.hm)
Date: Mon, 20 Sep 2010 13:44:14 -0700 (PDT)
Subject: [rsyslog] Common Performance Gotchas
In-Reply-To:
References:
Message-ID:

On Mon, 20 Sep 2010, Joe Williams wrote:
> Are there commonly used tuning options for rsyslog, networking stack and
> kernel? I have found a bit of information (links below) and have made a
> few changes but I am curious if there are any low hanging fruit to
> increase my message rate. To that end what are "normal" message rates
> for the various versions of rsyslog?
> I know a lot of this is subjective
> depending on various factors unique to each system but I am curious of
> commonly hit performance issues that can be tuned around.

version 3 didn't have much in the way of performance tuning knobs (you could adjust the message size and count limits)

it's been a long time since I tested v3, but I think its performance was below 10k messages/sec

version 4 is where the performance changes really started, and there are a lot of knobs that were created

version 4 could receive messages up to 1Gb wire speed with the correct tuning, I could get it to forward or write messages at ~80K messages/sec or do both at ~30K messages/sec

version 5 gained a lot more performance and dropped some of the tuning knobs, I haven't tested the most recent versions, but reports are that it can do >250K messages/sec

the key tuning knobs will vary a bit depending on your source of logs. I deal mostly with UDP logs.

one key thing is to reduce the frequency of gettimeofday() calls

    $UDPServerTimeRequery 10

lets you say that if you get a continuous stream of messages (i.e., every time rsyslog finishes processing one message there is already another waiting) instead of checking the time every message it checks it every 10 messages and uses the same local timestamp for the messages in between. you get most of the benefit even with a small value like 10

another thing to look at (and I don't remember the config option at the moment) is the batch size for processing messages (especially if you are doing something like inserting them into a database, but even for much simpler configs)

If you can disable DNS lookups, that will make a huge difference (note that even with DNS lookups disabled you will have hostnames if the sending server puts their name in the message like they are supposed to).

however, for most hardware and uses, it really is going to be fast enough out of the box to not need much, if any tuning.

remember 'premature optimization is the root of all evil', get rsyslog running, look at the CPU that it's taking (per-thread, not just total CPU), and then look at what the threads that are busy are doing. In V3 and early V4 it was the thread that was receiving messages that was the bottleneck, by the end of V4 it was the threads outputting the messages that were the bottleneck (mostly by thrashing the queue locks), in the very recent V5 versions most of this locking went away and performance is _way_ up, but it means that whatever bottlenecks are left are in different places.

one thing you should do is to tune your OS. make sure you have plenty of network buffers (tcp or udp as appropriate for your system) and check your disk I/O capabilities (especially if you are doing something other than simple buffered writes to files)

the high database link you point to is obsolete now in the face of the batch mode of inserts. the key is to tune your batch sizes to be fairly large (but you need to watch your database to make sure they don't get so large that your database chokes on them)

rsyslog has changed so much and so rapidly that I don't think there are really any good documents on tuning. The current version with its ability to have subsets of the rules, each with their own queue can be configured to spread itself across all the processor cores in your system (although the configuration gets very messy) and with that you can do a huge amount of processing on the log messages.

what does your environment look like? how many messages of what size do you expect to receive, and what do you want to do with them?

David Lang

> Thanks.
> -Joe
>
> http://mperedim.wordpress.com/2010/01/21/rsyslog-evaluation/
> http://www.rsyslog.com/doc/queues.html
> http://www.rsyslog.com/doc/rsyslog_high_database_rate.html
> http://www.gossamer-threads.com/lists/rsyslog/users/4029

From joe at joetify.com Mon Sep 20 23:11:39 2010
From: joe at joetify.com (Joe Williams)
Date: Mon, 20 Sep 2010 14:11:39 -0700
Subject: [rsyslog] Common Performance Gotchas
In-Reply-To:
References:
Message-ID:

David,

Thanks for the info.

> what does your environment look like? how many messages of what size do you expect to receive, and what do you want to do with them?

I was running v3 until a few hours ago, now that I am on v5 I doubt I am hitting any performance issues from your estimations. I would say that I have a good mix of message sizes, I ran into the size limit in v3 and adjusted syslogd.h (4k) to get around it. We have stack traces that can be very long. As far as rate I am attempting to determine that, we produce around 50GB of uncompressed logs a day, much of it web server access logs. Similarly I use UDP exclusively.

-Joe

From david at lang.hm Tue Sep 21 00:36:42 2010
From: david at lang.hm (david at lang.hm)
Date: Mon, 20 Sep 2010 15:36:42 -0700 (PDT)
Subject: [rsyslog] Common Performance Gotchas
In-Reply-To:
References:
Message-ID:

On Mon, 20 Sep 2010, Joe Williams wrote:
> David,
>
> Thanks for the info.
>
>> what does your environment look like? how many messages of what size do you expect to receive, and what do you want to do with them?
>
> I was running v3 until a few hours ago, now that I am on v5 I doubt I am
> hitting any performance issues from your estimations. I would say that I
> have a good mix of message sizes, I ran into the size limit in v3 and
> adjusted syslogd.h (4k) to get around it. We have stack traces that can
> be very long. As far as rate I am attempting to determine that, we
> produce around 50GB of uncompressed logs a day, much of it web server
> access logs. Similarly I use UDP exclusively.

50G per day with UDP should be pretty easy to do. make sure you aren't doing DNS lookups and set the time lookups to 10 or so and you are probably in very good shape.

David Lang

> -Joe

From rgerhards at hq.adiscon.com Tue Sep 21 07:25:48 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 21 Sep 2010 07:25:48 +0200
Subject: [rsyslog] Common Performance Gotchas
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD3B8@GRFEXC.intern.adiscon.com>

Hi David,

thanks for the long and insightful post. I hope you don't mind if I have it reproduced on the web site ;)

Some more info: you are right, there are no version specific counters. Especially performance is being much changed. It must be noted that configuration has a very, very big impact on configuration. For example, it is very important to use script filters (if ... then) only if absolutely necessary. They were quickly hacked in because there was big demand, but the engine has not yet been optimized at all (and has a really bad performance). Also, the last round of v5 optimizations was done to perform well in usual configurations (default parameters!). So config changes can have big impact here (but in any case late v5 is much better than early v5).

I will give a presentation on the rsyslog tuning effort this Friday on Linux Congress over here in Nuremberg. I am permitted to post the paper after the conference, and I will do so early next week. It describes the initial effort (spring 2009), but still provides a lot of insight (though from a developer's PoV).

Also keep in mind that I have scheduled a third tuning phase for the winter/spring 2010/11 timeframe. I guess I will be able to start with this in November. But keep in mind that I need to do some research and base testing first, so I don't expect anything of this to be visible until much later.
Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of david at lang.hm > Sent: Monday, September 20, 2010 10:44 PM > To: rsyslog-users > Subject: Re: [rsyslog] Common Performance Gotchas > > On Mon, 20 Sep 2010, Joe Williams wrote: > > > Are there commonly used tuning options for rsyslog, networking stack > and > > kernel? I have found a bit of information (links below) and have made > a > > few changes but I am curious if there are any low hanging fruit to > > increase my message rate. To that end what are "normal" message rates > > for the various versions of rsyslog? I know a lot of this is > subjective > > depending on various factors unique to each system but I am curious > of > > commonly hit performance issues that can be tuned around. > > version 3 didn't have much in the way of performance tuning knobs (you > could adjust the message size and count limits) > > it's been a long time since I tested v3, but I think it's performance > was > below 10k messages/sec > > version 4 is where the performance changes really started, and there > are a > lot of knobs that were created > > version 4 could receive messages up to 1Gb wire speed with the correct > tuning, I could get it to forward or write messages at ~80K > messages/sec > or do both at ~30K messages/sec > > version 5 gained a lot more performance and dropped some of the tuning > knobs, I haven't tested the most recent versions, but reports are that > it > can do >250K messages/sec > > the key tuning knobs will vary a bit depending on your source of logs. > I > deal mostly with UDP logs. 
> > one key thing is to reduce the frequency of gettimeofday() calls > > $UDPServerTimeRequery 10 > > lets you say that if you get a continuous stream of messages (i.e., > ever > time rsyslog finishes processing one message there is already another > waiting) instead of checking the time every message it checks it every > 10 > messages and uses the same local timestamp for the messages in between. > you get most of the benifit even with a small value like 10 > > another thing to look at (and I don't remember the config option at > the > moment) is the batch size for processing messages (especially if you > are > doing something like inserting them into a database, but even for much > simpler configs) > > If you can disable DNS lookups, that will make a huge difference (not > that > even with DNS lookups disabled you will have hostnames if the sending > server puts their name in the message like they are supposed to. > > however, for most hardware and uses, it really is going to be fast > enough > out of the box to not need much, if any tuning. > > remember 'premature optimization is the root of all evil', get rsyslog > running, look at the CPU that it's taking (per-thread, not just total > CPU), and then look at what the threads that are busy are doing. In V3 > and > early V4 it was the thread that was receiving messages that was the > bottleneck, by the end of V4 it was the threads outputting the messages > that was the bottleneck (mostly by thrashing the queue locks), in the > very > recent V5 versions most of this locking went away and performance is > _way_ > up, but it means that whatever bottlenecks are left are in different > places. > > > one thing you should do is to tune your OS. 
> make sure you have plenty of
> network buffers (tcp or udp as appropriate for your system) and check your
> disk I/O capabilities (especially if you are doing something other than
> simple buffered writes to files)
>
>
> the high database link you point to is obsolete now in the face of the
> batch mode of inserts. the key is to tune your batch sizes to be fairly
> large (but you need to watch your database to make sure they don't get so
> large that your database chokes on them)
>
> rsyslog has changed so much and so rapidly that I don't think there are
> really any good documents on tuning. The current version with its ability
> to have subsets of the rules, each with their own queue can be configured
> to spread itself across all the processor cores in your system (although
> the configuration gets very messy) and with that you can do a huge amount
> of processing on the log messages.
>
> what does your environment look like? how many messages of what size do
> you expect to receive, and what do you want to do with them?
>
> David Lang
>
>
> > Thanks.
> > -Joe
> >
> >
> > http://mperedim.wordpress.com/2010/01/21/rsyslog-evaluation/
> > http://www.rsyslog.com/doc/queues.html
> > http://www.rsyslog.com/doc/rsyslog_high_database_rate.html
> > http://www.gossamer-threads.com/lists/rsyslog/users/4029
> >
> >
> >
> >
> > Name: Joseph A.
> > Williams
> > Email: joe at joetify.com
> > Blog: http://www.joeandmotorboat.com/
> > Twitter: http://twitter.com/williamsjoe
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> >

From david at lang.hm Tue Sep 21 08:43:38 2010
From: david at lang.hm (david at lang.hm)
Date: Mon, 20 Sep 2010 23:43:38 -0700 (PDT)
Subject: [rsyslog] Common Performance Gotchas
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD3B8@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD3B8@GRFEXC.intern.adiscon.com>
Message-ID:

On Tue, 21 Sep 2010, Rainer Gerhards wrote:

> thanks for the long and insightful post. I hope you don't mind if I have it
> reproduced on the web site ;)

no problem, anything sent to the list is public, and if something I sent to the list can be reformatted (and/or corrected) to become documentation for others, it just saves me from having to answer again sometime in the future ;-)

> Some more info: you are right, there are no version specific counters.

it would be handy to have a condensed changelog that just showed what new features (as opposed to bugfixes) are in each version. it doesn't _need_ to show each release (for example, you may just show all the changes between 5.4 and 5.6 in one batch rather than showing 5.4.0, 5.4.1, etc)

This would give people who are trying to decide if they should stick with the vendor provided version or upgrade to something newer more information about what they gain with the newer version (not to mention prodding said vendors to test and ship the more recent versions)

> Especially performance is being much changed. It must be noted that
> configuration has a very, very big impact on configuration.
> For example, it
> is very important to use script filters (if ... then) only if absolutely
> necessary. They were quickly hacked in because there was big demand, but the
> engine has not yet been optimized at all (and has a really bad performance).
> Also, the last round of v5 optimizations was done to perform well in usual
> configurations (default parameters!). So config changes can have big impact
> here (but in any case late v5 is much better than early v5).

you've mentioned before that there is a significant speed difference between the three methods of doing the same test. I would be interested in learning the relative costs of the various tests (including, for example, the difference between startswith (anchored regex) and contains (unanchored regex))

with the new ruleset feature, things that once required the multipart script filters can (with difficulty) be implemented with more, simpler filters and multiple rulesets. At what point does this extra complexity become worthwhile?

i don't know if there are any debug options that could be turned on to learn this info without turning them all on (which affects things so much that the test may not be valid anymore)

> I will give a presentation on the rsyslog tuning effort this Friday on Linux
> Congress over here in Nuremberg. I am permitted to post the paper after the
> conference, and I will do so early next week. It describes the initial effort
> (spring 2009), but still provides a lot of insight (though from a developers
> PoV).

I'm definitely interested in seeing that.

David Lang

> Also keep in mind that I have scheduled a third tuning phase for the
> winter/spring 2010/11 timeframe. I guess I will be able to start with this in
> November. But keep in mind that I need to do some research and base testing
> first, so I don't expect anything of this to be visible until much later.
>
> Rainer
>

From sivan at omniqueue.com Tue Sep 21 17:03:23 2010
From: sivan at omniqueue.com (Sivan Greenberg)
Date: Tue, 21 Sep 2010 17:03:23 +0200
Subject: [rsyslog] RELP with fail over?
Message-ID:

Hi List,

Is this[0] applicable when using RELP?

Thanks,
-Sivan

[0]: http://wiki.rsyslog.com/index.php/FailoverSyslogServer

From sean at conman.org Tue Sep 21 23:02:23 2010
From: sean at conman.org (Sean Conner)
Date: Tue, 21 Sep 2010 17:02:23 -0400
Subject: [rsyslog] Apache and /bin/logger
In-Reply-To:
References: <20100918005949.GA29725@brevard.conman.org>
Message-ID: <20100921210223.GC20264@brevard.conman.org>

It was thus said that the Great Bernard Fay once stated:
> That's exactly what I do and it does not work. I tried this on CentOS and
> Debian without success.
>
> Someone has a trick to debug this?

Are you sure the facility you are using for the Apache logs is actually being sent somewhere? So double check the rsyslog.conf file.

-spc

From marcin at mejor.pl Wed Sep 22 00:00:42 2010
From: marcin at mejor.pl (Marcin Mirosław)
Date: Wed, 22 Sep 2010 00:00:42 +0200
Subject: [rsyslog] Dropping non UTF8 messages
In-Reply-To: <20100914122838.GA30581@uu.nl>
References: <20100914122838.GA30581@uu.nl>
Message-ID: <4C992B0A.50609@mejor.pl>

On 2010-09-14 14:28, Henk van Lingen wrote:
>
> Hi,
>
> Is it possible to drop messages in rsyslog containing non UTF8
> characters?
>
> I've the problem that I'm writing messages to a PostgreSQL database
> with UTF8 encoding, and because of
>
> #$ActionResumeRetryCount -1 # infinite retries if host is down
>
> this results in blocking all processing when the database rejects
> the input.
>
> I looked into things such as the 'property replacer', but can find a clue.

Hi!
I think you have a problem similar to mine:
http://kb.monitorware.com/missing-commit-end-transaction-t10355.html
and
http://kb.monitorware.com/problem-with-createdb-sql-script-t10222.html

Imho, in the connection to the DB a proper "character_encoding" should be set, but the charset depends on the source the logs are received from. So it must be defined per source, not once when we are defining the connection to the DB.

Regards

From rgerhards at hq.adiscon.com Wed Sep 22 11:46:39 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 22 Sep 2010 11:46:39 +0200
Subject: [rsyslog] FYI: Linux Kongress Nuremberg
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD3D4@GRFEXC.intern.adiscon.com>

Hi all,

I am heading out to Linux Kongress Nürnberg soon. I will be there Thursday and Friday. Should someone be there as well and interested in meeting, please let me know!

For the same reason, I'll probably be very silent on the mailing list.

Rainer

From rgerhards at hq.adiscon.com Mon Sep 27 15:24:48 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 27 Sep 2010 15:24:48 +0200
Subject: [rsyslog] help request: hashtable library?
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD3EE@GRFEXC.intern.adiscon.com>

Hi all,

I am about to implement input rate limiting for imuxsock. This will be done on a per-pid (or per-cgroup) basis. I now have almost all plumbing done, but now need to implement a hash table to lookup the rate limiter objects. Before I go ahead and do my own implementation, I wanted to ask if you can recommend a small and lightweight hashtable "library".
Doing some limited search myself, I found

http://www.cl.cam.ac.uk/~cwc22/hashtable/

which looks quite usable to me. But I thought I'd ask if you can recommend some other good libs.

Feedback is appreciated,
Rainer

From epiphani at gmail.com Mon Sep 27 15:40:09 2010
From: epiphani at gmail.com (Aaron Wiebe)
Date: Mon, 27 Sep 2010 09:40:09 -0400
Subject: [rsyslog] help request: hashtable library?
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DD3EE@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DD3EE@GRFEXC.intern.adiscon.com>
Message-ID:

Hash table algorithms are usually very dependent on what you're using as a key. What are you planning to use as a key?

If you're looking for something generic, I'm generally a fan of perl's hashing algorithm:

    if (!len)
        len = strlen(rkey);
    else if (table->flags & HASH_FL_STRING)
    {
        len = strlen(rkey);
        if (len > table->keylen)
            len = table->keylen;
    }
    if (table->flags & HASH_FL_NOCASE)
        while (len--)
            hash = hash * 33 + ToLower(*rkey++);
    else
        while (len--)
            hash = hash * 33 + *rkey++;

    return hash % table->size;

That should be fairly self-explanatory... but feel free to ask questions. I pulled that out of Bahamut's src/throttle.c where we use a generic hashing mechanism for throttling connections. You may want to take a look at that code.

-Aaron

From rgerhards at hq.adiscon.com Mon Sep 27 15:45:01 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 27 Sep 2010 15:45:01 +0200
Subject: [rsyslog] help request: hashtable library?
References: <9B6E2A8877C38245BFB15CC491A11DA71DD3EE@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD3EF@GRFEXC.intern.adiscon.com>

Hi Aaron,

sorry if my question was confusing. I am not after the hash function (I stored your suggestion already ;)) but after the complete plumbing for a hash table (like create, collision handling, delete). It's not an awful lot of code, but I'd prefer to use some existing thing if there is a good enough one available.

The actual use case will be pid_t (I need a hash table because the max value can change at runtime, else I'd simply have taken a "static" table) and cgroup names.

I'll definitely look at Bahamut!

In case you are interested in what I've done, here is the first shot at it:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b5da6352830e9841dd367b8490d79461adb5cb22

This is based on the kernel rate limiter and thus pretty efficient (though a bit limited in what it can do).

Thanks for all suggestions.
Rainer

From rgerhards at hq.adiscon.com Mon Sep 27 15:51:32 2010
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 27 Sep 2010 15:51:32 +0200
Subject: [rsyslog] help request: hashtable library?
References: <9B6E2A8877C38245BFB15CC491A11DA71DD3EE@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DD3EF@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD3F0@GRFEXC.intern.adiscon.com>

> I'll definitely look at Bahamut!

Yeah, it has the necessary plumbing, too. I begin to think that this is probably not enough code to build its own library around ;)

Rainer

From nicolas.even at aznetwork.eu Tue Sep 28 11:59:39 2010
From: nicolas.even at aznetwork.eu (Nicolas Even)
Date: Tue, 28 Sep 2010 11:59:39 +0200 (CEST)
Subject: [rsyslog] Notify by mail only if received X times
In-Reply-To: <33249609.1021285667289538.JavaMail.VOYAGER$@VOYAGER>
Message-ID: <22597344.1041285667978823.JavaMail.VOYAGER$@VOYAGER>

Hello,

I would like to be notified when I receive X times a special log (security logs).

Today, each time someone enters a wrong password, I receive this log from ssh.

pam_unix(sshd:auth): check pass; user unknown

It's not interesting but in case of X failures.

So, is there a way to count logs and trigger an action when the counter reaches a specified number?

Regards,
Nicolas Even

From bosse at met.no Tue Sep 28 16:24:25 2010
From: bosse at met.no (Bosse Klykken)
Date: Tue, 28 Sep 2010 14:24:25 +0000 (UTC)
Subject: [rsyslog] Notify by mail only if received X times
In-Reply-To: <22597344.1041285667978823.JavaMail.VOYAGER$@VOYAGER>
Message-ID: <762422268.223122.1285683865238.JavaMail.root@imap1b>

> So, is there a way to count logs and trigger an action when the
> counter reaches a specified number?

I don't believe rsyslog will do this as-is, but you may achieve what you need with rsyslog in combination with an event correlator like SEC (http://simple-evcorr.sourceforge.net). It can trigger an action if there's a number of hits of a rule within a specified timeframe.

.../Bosse
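The counting Bosse describes, written out in Python as an added example (not code from the thread, from rsyslog or from SEC): per sending host, fire once when the pam_unix failure line Nicolas quotes appears thresh times within window seconds, discarding hits that have aged out of the window. The syslog lines, hostnames and the year 2010 are constructed for the example; per-host keying goes slightly beyond the thread, which only asks for a plain counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Traditional syslog file line: "Sep 28 11:58:01 host1 sshd[2201]: message"
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input (not taken from the thread). The classic syslog
# timestamp carries no year, so 2010 is assumed when parsing.
SAMPLE_LOG = """\
Sep 28 11:58:01 host1 sshd[2201]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 11:58:05 host1 sshd[2203]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 11:58:09 host2 sshd[1101]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 11:58:12 host1 sshd[2204]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 11:58:20 host1 sshd[2207]: Accepted publickey for ops from 10.0.0.5 port 51514 ssh2
Sep 28 11:58:40 host1 sshd[2210]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 11:58:55 host1 sshd[2211]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 12:05:00 host1 sshd[2300]: pam_unix(sshd:auth): check pass; user unknown
Sep 28 12:05:10 host1 sshd[2301]: pam_unix(sshd:auth): check pass; user unknown
"""


def parse_line(line, year=2010):
    """Return (datetime, host, msg) for a syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return when, m["host"], m["msg"]


class ThresholdRule:
    """Fire once when `thresh` matching events for one key fall within `window` seconds.

    Models the counting a SEC SingleWithThreshold rule does: hits older than the
    window are dropped as new ones arrive, and once the rule fires the key's
    counter is reset, so a burst yields one notification rather than one per line.
    """

    def __init__(self, pattern, thresh, window):
        self.pattern = re.compile(pattern)
        self.thresh = thresh
        self.window = window
        self.hits = defaultdict(deque)  # key -> event times (epoch seconds)

    def feed(self, when, key, msg):
        if not self.pattern.search(msg):
            return False
        q = self.hits[key]
        now = when.timestamp()
        q.append(now)
        while q and now - q[0] > self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.thresh:
            q.clear()
            return True
        return False


def scan(log_text, thresh=5, window=60):
    """Run the sshd failure rule over log_text; return [(host, datetime)] alerts."""
    rule = ThresholdRule(r"pam_unix\(sshd:auth\): check pass; user unknown", thresh, window)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host, msg = parsed
        if rule.feed(when, host, msg):
            alerts.append((host, when))
    return alerts


if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG):
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} {host}: 5 failed SSH logins within 60s")
```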