From marcin at mejor.pl Mon Aug 1 12:47:35 2011
From: marcin at mejor.pl (Marcin Mirosław)
Date: Mon, 01 Aug 2011 12:47:35 +0200
Subject: [rsyslog] libestr-0.1.2 is wanted (dead or alive)
Message-ID: <4E368447.1060603@mejor.pl>

Hi!
Rsyslog-git wants libestr-0.1.2 to compile, is such version ready to publish?
Regards.

From rgerhards at hq.adiscon.com Mon Aug 1 12:56:55 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 1 Aug 2011 12:56:55 +0200
Subject: [rsyslog] libestr-0.1.2 is wanted (dead or alive)
In-Reply-To: <4E368447.1060603@mejor.pl>
References: <4E368447.1060603@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810C2@GRFEXC.intern.adiscon.com>

Let me check, I thought it was pushed...

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> Sent: Monday, August 01, 2011 12:48 PM
> To: rsyslog-users
> Subject: [rsyslog] libestr-0.1.2 is wanted (dead or alive)
>
> Hi!
> Rsyslog-git wants libestr-0.1.2 to compile, is such version ready to publish?
> Regards.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From rgerhards at hq.adiscon.com Mon Aug 1 13:01:20 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 1 Aug 2011 13:01:20 +0200
Subject: [rsyslog] libestr-0.1.2 is wanted (dead or alive)
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72810C2@GRFEXC.intern.adiscon.com>
References: <4E368447.1060603@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA72810C2@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810C4@GRFEXC.intern.adiscon.com>

Sorry, was not yet released (scheduled alongside new rsyslog version, but it makes no sense to break the git version). Will be available soon on the site.
Rainer

From marcin at mejor.pl Mon Aug 1 13:05:24 2011
From: marcin at mejor.pl (Marcin Mirosław)
Date: Mon, 01 Aug 2011 13:05:24 +0200
Subject: [rsyslog] libestr-0.1.2 is wanted (dead or alive)
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72810C4@GRFEXC.intern.adiscon.com>
References: <4E368447.1060603@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA72810C2@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA72810C4@GRFEXC.intern.adiscon.com>
Message-ID: <4E368874.5090308@mejor.pl>

On 01.08.2011 13:01, Rainer Gerhards wrote:
> Sorry, was not yet released (scheduled alongside new rsyslog version, but it
> makes no sense to break the git version). Will be available soon on the site.

Thanks!

From friedl at hq.adiscon.com Mon Aug 1 13:13:56 2011
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Mon, 1 Aug 2011 13:13:56 +0200
Subject: [rsyslog] libestr-0.1.2 is wanted (dead or alive)
In-Reply-To: <4E368874.5090308@mejor.pl>
References: <4E368447.1060603@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA72810C2@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA72810C4@GRFEXC.intern.adiscon.com> <4E368874.5090308@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810C6@GRFEXC.intern.adiscon.com>

Hi,

version 0.1.2 of libestr has been uploaded to the website. You can download it here:
http://libestr.adiscon.com/download/libestr-0-1-2/

Florian

From up at 3.am Mon Aug 1 15:23:49 2011
From: up at 3.am (up at 3.am)
Date: Mon, 1 Aug 2011 09:23:49 -0400
Subject: [rsyslog] sharing (r)syslog facilities
Message-ID:

> On Sun, Jul 31, 2011 at 5:33 PM, wrote:
>> 6.3?? Yikes, we're running 3.22...installed on centos via yum a few months ago using standard repositories. The only optional repositories we use are rpmforge.
>> They prefer I use yum for consistency on so many servers, but should I just yum uninstall these things and re-build 6.latest from source on all clients and the log server, or is there a better repo for this?
>
> I just built from source and it works well, with many fixes compared to 3.2.
> However, YMMV again, and make sure you guys don't rely on stuff from 3.2, e.g. do a good research before switching.
>
> No problem, you're welcome.

I don't usually mind building/installing from source, but in the case of rsyslog, the standard CentOS repo version (3.2.2) has been installed via yum on the log server and dozens of clients.

Looking at the rsyslog docs, version 3 is no longer even mentioned, and 6.3.3 is listed as a development version. There appear to be "stable" versions of both 4 and 5. I would have no idea where to start, or if it is even necessary to use something other than 3.22 for our needs. I imagine you would want the server and clients to use versions somewhat close to each other.

I guess the main question is, do I need a newer version of rsyslog (server and/or client side) to do non-facility based remote (central) logging, ie, via property based filters?

From rgerhards at hq.adiscon.com Mon Aug 1 15:26:56 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 1 Aug 2011 15:26:56 +0200
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810C7@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of up at 3.am
> Sent: Monday, August 01, 2011 3:24 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] sharing (r)syslog facilities
>
> > On Sun, Jul 31, 2011 at 5:33 PM, wrote:
> >> 6.3?? Yikes, we're running 3.22...installed on centos via yum a few months ago using standard repositories. The only optional repositories we use are rpmforge.
> >> They prefer I use yum for consistency on so many servers, but should I just yum uninstall these things and re-build 6.latest from source on all clients and the log server, or is there a better repo for this?
> >
> > I just built from source and it works well, with many fixes compared to 3.2.
> > However, YMMV again, and make sure you guys don't rely on stuff from 3.2, e.g. do a good research before switching.
> >
> > No problem, you're welcome.
>
> I don't usually mind building/installing from source, but in the case of rsyslog,
> the standard CentOS repo version (3.2.2) has been installed via yum on the
> log server and dozens of clients.
>
> Looking at the rsyslog docs, version 3 is no longer even mentioned, and 6.3.3 is
> listed as a development version. There appear to be "stable" versions of
> both 4 and 5. I would have no idea where to start, or if it is even necessary to
> use something other than 3.22 for our needs. I imagine you would want the
> server and clients to use versions somewhat close to each other.
>
> I guess the main question is, do I need a newer version of rsyslog (server
> and/or client side) to do non-facility based remote (central) logging, ie, via
> property based filters?

NO!

But there is also a huge performance difference, if that matters. Also, I'd suggest to check the ChangeLogs if there exists any bugs in v3 that could harm you. Generally, there shouldn't. It's just that you won't get much help and no fixes if you run into issues -- but *then* you can think about changing in any case. BTW: there is no problem running different versions on different machines.

Rainer

From up at 3.am Mon Aug 1 18:04:13 2011
From: up at 3.am (up at 3.am)
Date: Mon, 1 Aug 2011 12:04:13 -0400
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72810C7@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA72810C7@GRFEXC.intern.adiscon.com>
Message-ID: <744d01fe4eeaedc00fd3631a501876be.squirrel@ssl.pil.net>

>> I guess the main question is, do I need a newer version of rsyslog (server
>> and/or client side) to do non-facility based remote (central) logging, ie, via
>> property based filters?
>
> NO!

Ok, just to get this clear in my head, then.
When we no longer use facilities, we are no longer really using "syslog", right? So taking apache, for example. You just revert back to the standard apache logging configuration like this:

ErrorLog logs/error_log
CustomLog logs/access_log combined

I assume then that apache logs these files locally like it always did, ie, in /var/log/httpd/

That would be fine, we can rotate those out quickly. Now we also want to keep monthly logs from ALL (dozens) apache servers on a central logging server, with one massive log for each service (ie, error_log, access_log) for all servers, rotated monthly, then compressed and kept for a year via logrotate.

The same goes for many other services. What would be a simple filter recipe to have rsyslog (3.22) simply put the entire logs on the log server?

http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Shows conditions based on facilities and/or error strings, but what if you just want to have the entire logs of each server replicated and consolidated on the central logging server?

> But there is also a huge performance difference, if that matters. Also, I'd

Using facilities and a few services on a few dozen servers has shown negligible load (somewhat to my surprise). I imagine filter-based might be quite different?

> suggest to check the ChangeLogs if there exists any bugs in v3 that could
> harm you. Generally, there shouldn't. It's just that you won't get much help
> and no fixes if you run into issues -- but *then* you can think about
> changing in any case. BTW: there is no problem running different versions on
> different machines.

Say we were to uninstall the old (yum) version 3.22 from both the log server and all clients and re-install via source...do you recommend 4.6.7 or 5.8.3 (stable), or even 6.3.3 (devel)? Bear in mind that constantly upgrading them is something we'd like to avoid.

TIA (again!)

From david at lang.hm Mon Aug 1 23:38:12 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 1 Aug 2011 14:38:12 -0700 (PDT)
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To: <07e4c6213540112bb209bdfc25e918a3.squirrel@ssl.pil.net>
References: <07e4c6213540112bb209bdfc25e918a3.squirrel@ssl.pil.net>
Message-ID:

On Sun, 31 Jul 2011, up at 3.am wrote:

> I didn't even know you could do (r)syslog without facilities. Every client app,
> when configured to log to syslog, seems to require a facility, even if not a
> severity. I'd love to get rid of this albatross. Is this a good start?:
>
> http://www.rsyslog.com/doc/rsyslog_conf_filter.html
>
> Are you basically saying that one can ignore true "syslog" and just have a client
> server's rsyslogd remotely log any text log file to the log server, based on these
> filters?
>
> Is it safe to assume that Adiscon's own LogAnalyzer can digest these
> non-syslog-like logs without much trouble?

the over-the-wire protocol still has a facility and severity in it, but if you just ignore it and don't use it to make any decisions about what to do with the log, it may as well not be there.

it's more a case of ignoring the (almost) useless field than it is changing the protocol.

David Lang

From david at lang.hm Mon Aug 1 23:42:20 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 1 Aug 2011 14:42:20 -0700 (PDT)
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To:
References: <56a11b8160af52e3a050019589a83ae9.squirrel@ssl.pil.net>
Message-ID:

On Sun, 31 Jul 2011, up at 3.am wrote:

>> On Sat, 30 Jul 2011, up at 3.am wrote:
>
>> if $syslogfacility-text == "local7" and $programname == "httpd"
>> then/var/log/httpd-error_log
>> & ~
>>
>> one important thing to note is that current versions of rsyslog don't
>> allow strings to be delimited by ' only by " this is being fixed in the
>> 6.3 branch, but will not be backported.
>
> 6.3??
> Yikes, we're running 3.22...installed on centos via yum a few months ago
> using standard repositories. The only optional repositories we use are rpmforge.
> They prefer I use yum for consistency on so many servers, but should I just yum
> uninstall these things and re-build 6.latest from source on all clients and the
> log server, or is there a better repo for this?

the good thing about RHEL is that for the supported lifetime they don't change versions on you.

the bad thing about RHEL is that for the supported lifetime they don't change versions on you.

in this case, the lifetime of RHEL is longer than the time that version is being supported upstream, and so you either need to switch to a version that's not supported by Red Hat, or get all your support from Red Hat.

given the huge improvements that have taken place, I would compile from source (look into the checkinstall package for help in making a .rpm to install on your systems)

I don't know if there is a repository for packages like this that is supported by Red Hat. the odds are fairly good that the Fedora packages will work, but you would need to test them.

David Lang

From david at lang.hm Mon Aug 1 23:47:38 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 1 Aug 2011 14:47:38 -0700 (PDT)
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To: <744d01fe4eeaedc00fd3631a501876be.squirrel@ssl.pil.net>
References: <9B6E2A8877C38245BFB15CC491A11DA72810C7@GRFEXC.intern.adiscon.com> <744d01fe4eeaedc00fd3631a501876be.squirrel@ssl.pil.net>
Message-ID:

On Mon, 1 Aug 2011, up at 3.am wrote:

>>> I guess the main question is, do I need a newer version of rsyslog (server
>>> and/or client side) to do non-facility based remote (central) logging, ie, via
>>> property based filters?
>>
>> NO!
>
> Ok, just to get this clear in my head, then. When we no longer use facilities, we
> are no longer really using "syslog", right? So taking apache, for example.
> You just revert back to the standard apache logging configuration like this:
>
> ErrorLog logs/error_log
> CustomLog logs/access_log combined
>
> I assume then that apache logs these files locally like it always did, ie, in
> /var/log/httpd/
>
> That would be fine, we can rotate those out quickly. Now we also want to keep
> monthly logs from ALL (dozens) apache servers on a central logging server, with
> one massive log for each service (ie, error_log, access_log) for all servers,
> rotated monthly, then compressed and kept for a year via logrotate.
>
> The same goes for many other services. What would be a simple filter recipe to
> have rsyslog (3.22) simply put the entire logs on the log server?
>
> http://www.rsyslog.com/doc/rsyslog_conf_filter.html
>
> Shows conditions based on facilities and/or error strings, but what if you just
> want to have the entire logs of each server replicated and consolidated on the
> central logging server?

when you send the logs from one machine to another, they will be sent in the syslog format. If they are not sent to rsyslog in that format, it will attempt to 'do the right thing' in converting them to that format, but it's better to get it to rsyslog in a good format to start with.

you aren't changing the format, you are just ignoring the facility and making your decisions on where to log things based on other things in the log.

>> But there is also a huge performance difference, if that matters. Also, I'd
>
> Using facilities and a few services on a few dozen servers has shown negligible
> load (somewhat to my surprise). I imagine filter-based might be quite different?

it's all filter based logging, it's just different types of filters (filtering on strings vs filtering on severity numbers)

yes, other filters are more expensive than facility based ones, but if you don't have a large amount of traffic this may not matter to you. Just keep this in mind in case your log server bogs down.

>> suggest to check the ChangeLogs if there exists any bugs in v3 that could
>> harm you. Generally, there shouldn't. It's just that you won't get much help
>> and no fixes if you run into issues -- but *then* you can think about
>> changing in any case. BTW: there is no problem running different versions on
>> different machines.
>
> Say we were to uninstall the old (yum) version 3.22 from both the log server and
> all clients and re-install via source...do you recommend 4.6.7 or 5.8.3 (stable),
> or even 6.3.3 (devel)? Bear in mind that constantly upgrading them is something
> we'd like to avoid.

that's a judgement call you will have to make.

personally I would not go with 4.x when there is a 5.x stable out there (you are closer to losing support with 4.x)

David Lang

From rodney.mckee at gmail.com Mon Aug 1 23:48:15 2011
From: rodney.mckee at gmail.com (Rodney McKee)
Date: Tue, 02 Aug 2011 07:48:15 +1000 (EST)
Subject: [rsyslog] impstats details
In-Reply-To: <2fd47f00-166d-4ff7-8e69-32ece420163d@wsrmckee>
Message-ID: <9596c2ec-7a3c-4077-8991-8406018ebc43@wsrmckee>

Just wondering if anyone might have any update to this question/request?

Just wondering what doco is out there that will let me understand the metrics being emitted by impstats

imuxsock: submitted=1140 ratelimit.discarded=0 ratelimit.numratelimiters=432
action 5 queue[DA]: size=0 enqueued=0 full=0 maxqsize=0
action 5 queue: size=0 enqueued=947834 full=0 maxqsize=724
main Q: size=3 enqueued=952342 full=0 maxqsize=5087

imuxsock:
submitted= # of log lines submitted via the Unix socket between the given sample period (instant value)
ratelimit.discarded= # of log lines discarded due to rate limiting between the given sample period (instant value)
ratelimit.numratelimiters= ? Not sure about this one, I'm seeing a steadily increasing value for this.

action 5 queue[DA]: or action 5 queue: or main Q:
size=
enqueued=
full=
maxqsize=

Rgds
Rodney

From rgerhards at hq.adiscon.com Tue Aug 2 08:47:37 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 2 Aug 2011 08:47:37 +0200
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA72810C7@GRFEXC.intern.adiscon.com><744d01fe4eeaedc00fd3631a501876be.squirrel@ssl.pil.net>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810C8@GRFEXC.intern.adiscon.com>

> > Say we were to uninstall the old (yum) version 3.22 from both the log server and
> > all clients and re-install via source...do you recommend 4.6.7 or 5.8.3 (stable),
> > or even 6.3.3 (devel)? Bear in mind that constantly upgrading them is something
> > we'd like to avoid.
>
> that's a judgement call you will have to make.
>
> personally I would not go with 4.x when there is a 5.x stable out there
> (you are closer to losing support with 4.x)

Yup! Please note that there are some very exotic shutdown problems in v4, which usually are not seen in practice but can not be fixed in v4 because they are design issues. In v5, they don't exist. V5 stable recently has become very stable and I am confident recommending it as the major version to use. V6 is too fresh to use in production.

Rainer

From a.chapellon at horoa.net Wed Aug 3 10:10:15 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Wed, 03 Aug 2011 10:10:15 +0200
Subject: [rsyslog] binding rsyslog to network address
Message-ID: <4E390267.7020307@horoa.net>

Hello,

I would like to bind rsyslog RELP or TCP Input server to a specific address of my server. I have found option to do this with UDP but not with TCP or RELP. Is it possible? how?

P.S: am running rsyslogd 4.6.4 (Debian stable)

From claus.westerkamp at raytion.com Wed Aug 3 14:37:17 2011
From: claus.westerkamp at raytion.com (claus westerkamp)
Date: Wed, 03 Aug 2011 14:37:17 +0200
Subject: [rsyslog] separate log files by host name
In-Reply-To: <9596c2ec-7a3c-4077-8991-8406018ebc43@wsrmckee>
References: <9596c2ec-7a3c-4077-8991-8406018ebc43@wsrmckee>
Message-ID: <4E3940FD.6090004@raytion.com>

Hello list,

I followed this guide http://www.rsyslog.com/article60/ to get separate logs for different hosts (remote-logging of ESX-servers).

my /etc/rsyslog.d/networks.conf looks
$template DynaFile,"/var/log/rsys/system-%HOSTNAME%.log"
*.* -?DynaFile

The logs from 5 hosts appear in /var/log/syslog AND in /var/log/rsys/system-%HOSTNAME%.log

/etc/rsyslog.conf looks
http://pastebin.com/zUExraFW

What am I missing? My goal is to not have the remote-servers in /var/log/syslog but in separate files.

kind regards
claus

From a.chapellon at horoa.net Wed Aug 3 19:05:33 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Wed, 03 Aug 2011 19:05:33 +0200
Subject: [rsyslog] separate log files by host name
In-Reply-To: <4E3940FD.6090004@raytion.com>
References: <9596c2ec-7a3c-4077-8991-8406018ebc43@wsrmckee> <4E3940FD.6090004@raytion.com>
Message-ID: <4E397FDD.9040909@horoa.net>

On 03/08/2011 14:37, claus westerkamp wrote:
> Hello list,
>
> I followed this guide http://www.rsyslog.com/article60/ to get
> separate logs for different hosts (remote-logging of ESX-servers).
>
> my /etc/rsyslog.d/networks.conf looks
> $template DynaFile,"/var/log/rsys/system-%HOSTNAME%.log"
> *.* -?DynaFile
>
> The logs from 5 hosts appear in /var/log/syslog AND in
> /var/log/rsys/system-%HOSTNAME%.log
>

You should place the DynaFile rules before the local rules (/etc/rsyslog.d/somefile.conf is a good place) followed by some rule to stop processing messages that come from remote host.
e.g:
:fromhost-ip, !isequal, "127.0.0.1" ~

> /etc/rsyslog.conf looks
> http://pastebin.com/zUExraFW
>
> What am I missing? My goal is to not have the remote-servers in
> /var/log/syslog but in separate files.
>
>
> kind regards
> claus

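The rule ordering described in the reply above, written out as one configuration. This is an added example, not part of the original messages; the drop-in file name and the final /var/log/syslog rule are assumptions standing in for the local rules, since the pastebin content is not reproduced here.

```conf
# Hypothetical drop-in, e.g. /etc/rsyslog.d/00-remote.conf. It has to be read
# before the local rules, so it only works if the include of /etc/rsyslog.d/
# comes ahead of them in /etc/rsyslog.conf.

# Per-host file name, as in the question. %HOSTNAME% is taken from the
# message itself, so a sender chooses the file name; fromhost-ip (used in the
# filter below) is the peer address as seen by the receiver.
$template DynaFile,"/var/log/rsys/system-%HOSTNAME%.log"

# Step 1: write every message to its per-host file (unchanged from the question).
*.* -?DynaFile

# Step 2: discard everything that did not originate on this machine. Rules are
# evaluated top to bottom, so nothing below this line sees remote messages.
:fromhost-ip, !isequal, "127.0.0.1" ~

# Variant: replace steps 1 and 2 with the two lines below to keep local
# messages out of /var/log/rsys/ as well.
#:fromhost-ip, !isequal, "127.0.0.1" -?DynaFile
#& ~

# Step 3: local rules follow. Assumed stand-in for the distribution's rules.
*.*;auth,authpriv.none -/var/log/syslog
```

Without the discard line, a message matched by `*.* -?DynaFile` keeps travelling down the rule list, which is why the remote hosts appeared in both places.
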
From up at 3.am Wed Aug 3 18:09:20 2011
From: up at 3.am (up at 3.am)
Date: Wed, 3 Aug 2011 12:09:20 -0400
Subject: [rsyslog] sharing (r)syslog facilities
In-Reply-To:
References: <56a11b8160af52e3a050019589a83ae9.squirrel@ssl.pil.net>
Message-ID: <690cd5218500bdef092dd05342a70e98.squirrel@ssl.pil.net>

>
> a simpler way to do this is:
>
> if $syslogfacility-text == "local6" and $programname == "httpd"
> then/var/log/httpd-access_log
> & ~
> if $syslogfacility-text == "local7" and $programname == "httpd"
> then/var/log/httpd-error_log
> & ~
>
> one important thing to note is that current versions of rsyslog don't
> allow strings to be delimited by ' only by " this is being fixed in the
> 6.3 branch, but will not be backported.

I like simple! Ok, I fixed the quotes thing...now all double quotes (I also added a space between "then" and the logfile path):

if $syslogfacility-text == "local6" and $programname == "httpd"
then /var/log/httpd/access_log
& ~
if $syslogfacility-text == "local7" and $programname == "httpd"
then /var/log/httpd/error_log
& ~

but rsyslog (3.22.1) cannot even read the file now:

Aug 3 12:03:00 kernel: imklog 3.22.1, log source = /proc/kmsg started.
Aug 3 12:03:00 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="9395" x-info="http://www.rsyslog.com"] (re)start
Aug 3 12:03:00 rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
Aug 3 12:03:00 rsyslogd: the last error occured in /etc/rsyslog.conf, line 50
Aug 3 12:03:00 rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]

What did I miss?

TIA!

From marcin at mejor.pl Wed Aug 3 22:51:19 2011
From: marcin at mejor.pl (Marcin Mirosław)
Date: Wed, 03 Aug 2011 22:51:19 +0200
Subject: [rsyslog] imudp activation failure - was: Remote syslogging through a (broken) VPN
In-Reply-To: <4E0F4CC9.8070602@mejor.pl>
References: <20110627205918.0cc9ce80@mistral.stie> <4E09E1B5.7040704@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F1D@GRFEXC.intern.adiscon.com> <4E0C6228.4000203@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F47@GRFEXC.intern.adiscon.com> <4E0C895A.7010809@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA7280F5C@GRFEXC.intern.adiscon.com> <4E0F4CC9.8070602@mejor.pl>
Message-ID: <4E39B4C7.6010403@mejor.pl>

Hello!
I'm making little bump up, because new behavior appears. Rsyslog(git) logs many (about 1000) lines with message: "rsyslogd: Cannot read proc file system: 9 - Bad file descriptor." All logs starts as below:

2011-08-03T21:53:26.185038+02:00 serwerek rsyslogd: [origin software="rsyslogd" swVersion="6.3.4" x-pid="23935" x-info="http://www.rsyslog.com"] start
2011-08-03T21:53:26.139975+02:00 serwerek rsyslogd-2184: action '*' treated as ':omusrmsg:*' - please change syntax, '*' will not be supported in the future [try http://www.rsyslog.com/e/2184 ]
2011-08-03T21:53:26.140977+02:00 serwerek rsyslogd: imklog 6.3.4, log source = /proc/kmsg started.
2011-08-03T21:53:26.141044+02:00 serwerek rsyslogd: imudp: no listeners could be started, input not activated. : No such file or directory
2011-08-03T21:53:26.141051+02:00 serwerek rsyslogd3: activation of module imudp.so failed [try http://www.rsyslog.com/e/-3 ]
2011-08-03T21:53:26.179159+02:00 serwerek rsyslogd-2040: fatal error on disk queue 'action 1 queue[DA]', emergency switch to direct mode [try http://www.rsyslog.com/e/2040 ]
2011-08-03T21:53:26.185922+02:00 serwerek rsyslogd: Cannot read proc file system: 9 - Bad file descriptor.
2011-08-03T21:53:26.185936+02:00 serwerek rsyslogd: Cannot read proc file system: 9 - Bad file descriptor.
2011-08-03T21:53:26.185945+02:00 serwerek rsyslogd: Cannot read proc file system: 9 - Bad file descriptor.
[again and again bad file descriptor]

But it doesn't happen always, more often while OS is starting. (rsyslog-5.6.5 works ok).
I'm attaching log, unfortunately this log was created when rsyslog didn't throw messages "cannot read proc". It contains only problem with module UDP.
Regards,
Marcin.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rsyslog-udp.log
URL:

From rgerhards at hq.adiscon.com Wed Aug 3 23:31:10 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 03 Aug 2011 23:31:10 +0200
Subject: [rsyslog] imudp activation failure - was: Remote syslogging through a (broken) VPN
Message-ID: <004d01cc5224$99bb7131$100013ac@intern.adiscon.com>

You seem to have no udp server defined on your conf, thus the error messages. Also, your queue files seem to be corrupt.

Rainer

Marcin Mirosław wrote:
Hello!
I'm making little bump up, because new behavior appears. Rsyslog(git) logs many (about 1000) lines with message: "rsyslogd: Cannot read proc file system: 9 - Bad file descriptor." All logs starts as below:

2011-08-03T21:53:26.185038+02:00 serwerek rsyslogd: [origin software="rsyslogd" swVersion="6.3.4" x-pid="23935" x-info="http://www.rsyslog.com"] start
2011-08-03T21:53:26.139975+02:00 serwerek rsyslogd-2184: action '*' treated as ':omusrmsg:*' - please change syntax, '*' will not be supported in the future [try http://www.rsyslog.com/e/2184 ]
2011-08-03T21:53:26.140977+02:00 serwerek rsyslogd: imklog 6.3.4, log source = /proc/kmsg started.
2011-08-03T21:53:26.141044+02:00 serwerek rsyslogd: imudp: no listeners could be started, input not activated.
: No such file or directory
2011-08-03T21:53:26.141051+02:00 serwerek rsyslogd3: activation of module imudp.so failed [try http://www.rsyslog.com/e/-3 ]
2011-08-03T21:53:26.179159+02:00 serwerek rsyslogd-2040: fatal error on disk queue 'action 1 queue[DA]', emergency switch to direct mode [try http://www.rsyslog.com/e/2040 ]
2011-08-03T21:53:26.185922+02:00 serwerek rsyslogd: Cannot read proc file system: 9 - Bad file descriptor.
2011-08-03T21:53:26.185936+02:00 serwerek rsyslogd: Cannot read proc file system: 9 - Bad file descriptor.
2011-08-03T21:53:26.185945+02:00 serwerek rsyslogd: Cannot read proc file system: 9 - Bad file descriptor.
[again and again bad file descriptor]

But it doesn't happen always, more often while OS is starting. (rsyslog-5.6.5 works ok).
I'm attaching log, unfortunately this log was created when rsyslog didn't throw messages "cannot read proc". It contains only problem with module UDP.
Regards,
Marcin.

From marcin at mejor.pl Thu Aug 4 14:13:27 2011
From: marcin at mejor.pl (Marcin Mirosław)
Date: Thu, 04 Aug 2011 14:13:27 +0200
Subject: [rsyslog] imudp activation failure - was: Remote syslogging through a (broken) VPN
In-Reply-To: <004d01cc5224$99bb7131$100013ac@intern.adiscon.com>
References: <004d01cc5224$99bb7131$100013ac@intern.adiscon.com>
Message-ID: <4E3A8CE7.6090803@mejor.pl>

On 03.08.2011 23:31, Rainer Gerhards wrote:
> You seem to have no udp server defined on your conf, thus the error messages.

Yes it is. I didn't ever specify udpserver (or tcpserver) (honestly, I shouldn't load them, they aren't used). Maybe error message should state about it?
Btw, on url: http://www.rsyslog.com/doc/rsyslog_conf_modules.html "imudp - udp syslog message input" doesn't link to http://www.rsyslog.com/doc/imudp.html .

> Also, your queue files seem to be corrupt.

Too frequently I've to use SIGKILL to quit rsyslogd :( But it's easy to fix.
I'll try to prepare debug log with problem "Cannot read proc...".
Thanks!

From jonas at bravenet.com Fri Aug 5 01:40:09 2011
From: jonas at bravenet.com (Jonas Courteau)
Date: Thu, 04 Aug 2011 16:40:09 -0700
Subject: [rsyslog] Forwarding logs to downed server, not queuing
Message-ID: <4E3B2DD9.8010707@bravenet.com>

Hello:

First of all, apologies if this has been addressed before!

We're forwarding our logs to a central server using the following config:

$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName remoteq
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@172.16.0.75:514
# -- a bunch of rules also logging to local files follow

This normally works great; and the queuing works fine when the server rsyslog process is shut down. But, when we reboot the server, or shut it down, huge chunks of forwarded data fail to get queued. Looking at the debug logs, it looks like the client side thinks the server's still around, and isn't queuing the logs:

6939.784970000:42790940: Message from UNIX socket: #3
6939.785145000:42790940: logmsg: flags 4, from 'testclient', msg Aug 4 15:28:59 root: new test message # 47
6939.785236000:42790940: Message has legacy syslog format.
6939.785330000:42790940: main Q: entry added, size now 1 entries 6939.785440000:42790940: wtpAdviseMaxWorkers signals busy 6939.785530000:42790940: main Q: EnqueueMsg advised worker start 6939.785640000:42790940: --------imuxsock calling select, active file descriptors (max 3): 3 6939.786501000:41d8f940: main Q: entry deleted, state 0, size now 0 entries 6939.786616000:41d8f940: testing filter, f_pmask 255 6939.786699000:41d8f940: Called action, logging to builtin-fwd 6939.786793000:41d8f940: action 1 queue: entry added, size now 1 entries 6939.786905000:41d8f940: wtpAdviseMaxWorkers signals busy 6939.786989000:41d8f940: action 1 queue: EnqueueMsg advised worker start 6939.787099000:41d8f940: testing filter, f_pmask 127 6939.787186000:41d8f940: Called action, logging to builtin-file 6939.787274000:41d8f940: file to log to: /var/log/messages 6939.787360000:41d8f940: doWrite, pData->pStrm 0x2b237853a650, lenBuf 65 6939.787445000:41d8f940: strm 0x2b237853a650: file 6(messages) flush, buflen 65 6939.787575000:41d8f940: strm 0x2b237853a650: file 6 write wrote 65 bytes 6939.787690000:41d8f940: testing filter, f_pmask 0 6939.787775000:41d8f940: testing filter, f_pmask 0 6939.787855000:41d8f940: testing filter, f_pmask 0 6939.787934000:41d8f940: testing filter, f_pmask 1 6939.788014000:41d8f940: testing filter, f_pmask 0 6939.788096000:41d8f940: testing filter, f_pmask 0 6939.788195000:41d8f940: main Q:Reg/w0: worker IDLE, waiting for work. 6939.788288000:4138e940: action 1 queue: entry deleted, state 0, size now 0 entries 6939.788401000:4138e940: 172.16.0.75 6939.788481000:4138e940: 172.16.0.75:514/tcp 6939.788571000:4138e940: TCP sent 69 bytes, requested 69 6939.788659000:4138e940: action 1 queue:Reg/w0: worker IDLE, waiting for work. 
Sending a log message every second from the client, on the server, looking at a combined log, this is what we see during a reboot scenario (only listing remote test messages and logging-related server messages): Aug 4 16:25:49 testclient root: Test message # 5 Aug 4 16:25:50 testclient root: Test message # 6 Aug 4 16:25:51 logserver shutdown[2104]: shutting down for system reboot Aug 4 16:25:51 logserver init: Switching to runlevel: 6 Aug 4 16:25:51 testclient root: Test message # 7 Aug 4 16:25:52 testclient root: Test message # 8 Aug 4 16:25:53 testclient root: Test message # 9 Aug 4 16:25:53 logserver rsyslogd: db error (2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) Aug 4 16:25:54 testclient root: Test message # 10 Aug 4 16:25:55 testclient root: Test message # 11 Aug 4 16:25:56 testclient root: Test message # 12 Aug 4 16:25:57 testclient root: Test message # 13 Aug 4 16:25:58 logserver kernel: Kernel logging (proc) stopped. Aug 4 16:25:58 logserver rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1282" x-info="http://www.rsyslog.com"] exiting on signal 15. Aug 4 16:26:44 logserver kernel: imklog 4.6.2, log source = /proc/kmsg started. 
Aug 4 16:26:44 logserver rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1282" x-info="http://www.rsyslog.com"] (re)start Aug 4 16:26:44 logserver kernel: Bootdata ok (command line is root=/dev/sys.vg/root.lv ro panic=30 time) Aug 4 16:26:44 logserver kernel: Linux version 2.6.18-194.32.1.1.el5.xen (mockbuild@*****.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Fri May 20 11:57:35 PDT 2011 ---- whole boot process here ---- Aug 4 16:26:44 logserver rsyslogd: db error (2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) Aug 4 16:26:50 testclient root: Test message # 66 Aug 4 16:26:51 testclient root: Test message # 67 ---- back to normal --- The DB errors look fine/unrelated - even with db logging turned off and only spitting logs out to file, we get this problem. Is this just a consequence of using TCP? I don't mind losing a few log entries, but potentially losing a few hundred is another matter. Is the answer to switch to RELP? Or am I missing some key configuration setting? We're using rsyslog 4.6.2 as packaged for RHEL 6, on CentOS 5.6 (we're preparing to move to CentOS 6, hence the version weirdness...). I certainly don't mind running a different version if that's what it takes though. Thanks in advance for any ideas, feedback, etc. 
-Jonas Courteau

From rgerhards at hq.adiscon.com Fri Aug 5 14:58:39 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 5 Aug 2011 14:58:39 +0200
Subject: [rsyslog] imudp activation failure - was: Remote syslogging through a (broken) VPN
In-Reply-To: <4E3A8CE7.6090803@mejor.pl>
References: <004d01cc5224$99bb7131$100013ac@intern.adiscon.com> <4E3A8CE7.6090803@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810E8@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> Sent: Thursday, August 04, 2011 2:13 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] imudp activation failure - was: Remote syslogging through a (broken) VPN
>
> On 03.08.2011 23:31, Rainer Gerhards wrote:
> > You seem to have no udp server defined on your conf, thus the error messages.
>
> Yes it is. I didn't ever specify udpserver (or tcpserver) (honestly, I
> shouldn't load them, they aren't used). Maybe the error message should state it?

Indeed, that's a good idea. I just added it:
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f8342ced6f7c17ecd2f043254151c786257b3fbb

>
> Btw, on url: http://www.rsyslog.com/doc/rsyslog_conf_modules.html "imudp
> - udp syslog message input" doesn't link to
> http://www.rsyslog.com/doc/imudp.html .
>
> > Also, your queue files seem to be corrupt.
>
> Too frequently I have to use SIGKILL to quit rsyslogd :( But it's easy to fix.
> I'll try to prepare a debug log with the problem "Cannot read proc...".

Please send along, I'll have a look when I see it.

Rainer
>
> Thanks!

From rgerhards at hq.adiscon.com Fri Aug 5 15:09:54 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 5 Aug 2011 15:09:54 +0200
Subject: [rsyslog] imudp activation failure - was: Remote sysloggingthrough a (broken) VPN
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72810E8@GRFEXC.intern.adiscon.com>
References: <004d01cc5224$99bb7131$100013ac@intern.adiscon.com><4E3A8CE7.6090803@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA72810E8@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810E9@GRFEXC.intern.adiscon.com>

Marcin,

I have also added a bit more information to status messages. I suggest to apply this patch before doing further testing:
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=77b93c21711c35d5935f3d55fb74968491cd133a

Rainer

From marcin at mejor.pl Fri Aug 5 20:26:15 2011
From: marcin at mejor.pl (=?ISO-8859-2?Q?Marcin_Miros=B3aw?=)
Date: Fri, 05 Aug 2011 20:26:15 +0200
Subject: [rsyslog] Bad file descriptor (was: imudp activation failure - was: Remote sysloggingthrough a (broken) VPN )
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72810E9@GRFEXC.intern.adiscon.com>
References: <004d01cc5224$99bb7131$100013ac@intern.adiscon.com><4E3A8CE7.6090803@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA72810E8@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA72810E9@GRFEXC.intern.adiscon.com>
Message-ID: <4E3C35C7.7090601@mejor.pl>

On 2011-08-05 15:09, Rainer Gerhards wrote:
> Marcin,
>
> I have also added a bit more information to status messages. I suggest to
> apply this patch before doing further testing:
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=77b93c21711c35d5935f3d55fb74968491cd133a

Double thanks for both commits. Meseems the problem appears while the system is starting and rsyslog is started using start-stop-daemon. When I log in and do /etc/init.d/rsyslog restart, the problem rather doesn't appear.
Now in the log I've got: "Cannot read proc file system: 9 - Bad file descriptor (fd 3)"
I've added 'ls / >>/log' 'ls /proc >>/log' 'mount |grep proc >>/log' to the init script, before start-stop-daemon is invoked. /proc exists.
I've got a full debug log but it has 43MB (.xz); if it will be useful I can send it to you offlist.
Regards,
Marcin.

From rgerhards at hq.adiscon.com Fri Aug 5 20:47:31 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 05 Aug 2011 20:47:31 +0200
Subject: [rsyslog] Bad file descriptor (was: imudp activation failure - was: Remote sysloggingthrough a (broken) VPN )
Message-ID: <005001cc53a0$137c6c43$100013ac@intern.adiscon.com>

Pls send off-list

From rblists at gmail.com Mon Aug 8 13:25:55 2011
From: rblists at gmail.com (Raphael Bauduin)
Date: Mon, 8 Aug 2011 13:25:55 +0200
Subject: [rsyslog] multiple groups privileges
Message-ID:

Hi,

is it possible to run rsyslogd so that it is part of multiple groups?
I have added the syslog user to multiple groups, and then use $PrivDropToUser syslog without $PrivDropToGroup but to no avail.

Thanks

Raphaël

--
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org

From Ole.Rahn at t-systems.com Mon Aug 8 13:51:12 2011
From: Ole.Rahn at t-systems.com (Ole.Rahn at t-systems.com)
Date: Mon, 8 Aug 2011 13:51:12 +0200
Subject: [rsyslog] rsyslog and SNMP trap input
Message-ID: <50CCFFD1B9C6424389383F7A13A034460142CACD6206@HE101451.emea1.cds.t-internal.com>

Dear list,

we are currently thinking about scenarios in which rsyslog could be used.
I know there is an output module which allows rsyslog to send SNMP traps - is there also an approach around which allows rsyslog to receive SNMP traps, e.g. to enable a unified handling of traps and syslogs?

Best regards
Ole

From rgerhards at hq.adiscon.com Mon Aug 8 15:20:09 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 8 Aug 2011 15:20:09 +0200
Subject: [rsyslog] rsyslog and SNMP trap input
In-Reply-To: <50CCFFD1B9C6424389383F7A13A034460142CACD6206@HE101451.emea1.cds.t-internal.com>
References: <50CCFFD1B9C6424389383F7A13A034460142CACD6206@HE101451.emea1.cds.t-internal.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72810F2@GRFEXC.intern.adiscon.com>

There currently is no such module. It would not be too complicated to write one, but there seems to be very slow interest (I think I remember one case where we talked about it for a custom project, but that was it...).
As far as I know, many folks use snmptrapd to convert snmp to syslog and then process the so-converted messages.

HTH
Rainer

From Ole.Rahn at t-systems.com Mon Aug 8 15:44:49 2011
From: Ole.Rahn at t-systems.com (Ole.Rahn at t-systems.com)
Date: Mon, 8 Aug 2011 15:44:49 +0200
Subject: [rsyslog] rsyslog and SNMP trap input
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72810F2@GRFEXC.intern.adiscon.com>
References: <50CCFFD1B9C6424389383F7A13A034460142CACD6206@HE101451.emea1.cds.t-internal.com> <9B6E2A8877C38245BFB15CC491A11DA72810F2@GRFEXC.intern.adiscon.com>
Message-ID: <50CCFFD1B9C6424389383F7A13A034460142CACD6460@HE101451.emea1.cds.t-internal.com>

Hi Rainer,

thank you for the quick reply (as usual :-) ) - that sounds like a fair approach!

Best regards
Ole

From a.chapellon at horoa.net Mon Aug 8 16:02:45 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Mon, 08 Aug 2011 16:02:45 +0200
Subject: [rsyslog] binding rsyslog to network address
In-Reply-To: <4E390267.7020307@horoa.net>
References: <4E390267.7020307@horoa.net>
Message-ID: <4E3FEC85.8080204@horoa.net>

Nobody has a clue about this?

On 03/08/2011 10:10, Alexandre Chapellon wrote:
> Hello,
>
> I would like to bind rsyslog RELP or TCP Input server to a specific
> address of my server.
> I have found option to do this with UDP but not with TCP or RELP.
> Is it possible? how?
>
> P.S: am running rsyslogd 4.6.4 (Debian stable)

--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: a_chapellon.vcf
Type: text/x-vcard
Size: 373 bytes
Desc: not available
URL:

From a.chapellon at horoa.net Tue Aug 9 11:19:01 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Tue, 09 Aug 2011 11:19:01 +0200
Subject: [rsyslog] loganalyser
Message-ID: <4E40FB85.1070505@horoa.net>

Hello,

I have a problem with Adiscon loganalyser. Not sure if it's the right place to post... if not please let me know where to.

I have a bunch of rsyslog servers doing database logging in pgsql DB using :ompgsql: and the monitorware database schema.
Records are inserted in the DB as expected. My problem is that Adiscon loganalyser reports "No syslog records found" when opening the webface. If I select "Syslog Fields" as "View" in the upper right corner, the events recorded in the database are correctly displayed. Unfortunately the Eventlog View is not what I expect and contains empty fields as the messages in the database are pure syslog messages (mostly generated by sysklogd and relayed by rsyslogd)

Is there any explanation for this?

Best regards.

From a.chapellon at horoa.net Tue Aug 9 11:27:41 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Tue, 09 Aug 2011 11:27:41 +0200
Subject: [rsyslog] loganalyser
In-Reply-To: <4E40FB85.1070505@horoa.net>
References: <4E40FB85.1070505@horoa.net>
Message-ID: <4E40FD8D.9040506@horoa.net>

I forgot some details sorry,

Adiscon LogAnalyzer: Version 3.2.1
Rsyslogd: 4.6.4
Postgres: 9.0

From a.chapellon at horoa.net Tue Aug 9 11:32:26 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Tue, 09 Aug 2011 11:32:26 +0200
Subject: [rsyslog] loganalyser
In-Reply-To: <4E40FB85.1070505@horoa.net>
References: <4E40FB85.1070505@horoa.net>
Message-ID: <4E40FEAA.9010704@horoa.net>

I want to add that when I click on a log entry (when in EventLog or webserver view) I get the following error:

No syslog records found (code 8 ) - Error Details:

Unknown or unhandeled error occured.

Extra Error Details:
ER_BAD_FIELD_ERROR - SQL Statement: ERREUR: la colonne « processid » n'existe pas
LINE 1: ...mhost, infounitid, facility, priority, syslogtag, processid,...
^
Detail error: 42703;7;ERREUR: la colonne « processid » n'existe pas
LINE 1: ...mhost, infounitid, facility, priority, syslogtag, processid,...
^
Error Code: 42703

From alorbach at ro1.adiscon.com Tue Aug 9 11:43:06 2011
From: alorbach at ro1.adiscon.com (Andre Lorbach)
Date: Tue, 9 Aug 2011 11:43:06 +0200
Subject: [rsyslog] loganalyser
In-Reply-To: <4E40FB85.1070505@horoa.net>
References: <4E40FB85.1070505@horoa.net>
Message-ID:

Hi,

the Eventlog View is meant for Windows Eventlog related messages. Those can be filled into a monitorware schema database using Adiscon EventReporter for example.
However this view is not meant for any Syslog related data, that is the reason you are not seeing any data when using this view.

Best regards,
Andre Lorbach

From a.chapellon at horoa.net Tue Aug 9 11:45:45 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Tue, 09 Aug 2011 11:45:45 +0200
Subject: [rsyslog] loganalyser
In-Reply-To:
References: <4E40FB85.1070505@horoa.net>
Message-ID: <4E4101C9.5040409@horoa.net>

Thank you for your answer, but I think you misunderstood me.
I see records only if I choose EventLog or Webserver view. When I select Syslog I get the following messages: No syslog records found

That's weird... but that's what I get.

From alorbach at ro1.adiscon.com Tue Aug 9 11:48:52 2011
From: alorbach at ro1.adiscon.com (Andre Lorbach)
Date: Tue, 9 Aug 2011 11:48:52 +0200
Subject: [rsyslog] loganalyser
In-Reply-To: <4E4101C9.5040409@horoa.net>
References: <4E40FB85.1070505@horoa.net> <4E4101C9.5040409@horoa.net>
Message-ID:

Hi,

oh I am sorry I indeed misunderstood. Can you post some sample data records from your database?
There is a message ID field (InfoUnitID) which LogAnalyzer uses to detect what kind of message the data record has.
The only thing I can imagine right now is, that this field is filled with the wrong value.

Best regards,
Andre Lorbach

From alorbach at ro1.adiscon.com Tue Aug 9 11:55:10 2011
From: alorbach at ro1.adiscon.com (Andre Lorbach)
Date: Tue, 9 Aug 2011 11:55:10 +0200
Subject: [rsyslog] loganalyser
In-Reply-To: <4E40FEAA.9010704@horoa.net>
References: <4E40FB85.1070505@horoa.net> <4E40FEAA.9010704@horoa.net>
Message-ID:

Hi,

sorry I didn't read this post before.
Ok this could explain why you are not seeing data using the Syslog VIEW. There is a field which was added into LogAnalyzer some time ago. Usually LogAnalyzer will automatically add missing fields into the logstream database, if the database user has sufficient rights to the table. This works of course only if the database user has sufficient rights to the table.

You can manually add the field "processid" as varchar(60).

Best regards,
Andre Lorbach

From a.chapellon at horoa.net Tue Aug 9 11:55:29 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Tue, 09 Aug 2011 11:55:29 +0200
Subject: [rsyslog] loganalyser
In-Reply-To:
References: <4E40FB85.1070505@horoa.net> <4E4101C9.5040409@horoa.net>
Message-ID: <4E410411.8060103@horoa.net>

InfoUnitID is set to '1' for all my records. Checking at the database records I notice that all syslogtags are empty (for some reason, it is like this in the original syslog message)
Maybe it can mess the message type detection?

Here are samples for the db:

id | customerid | receivedat | devicereportedtime | facility | priority | fromhost | message | ntseverity | importance | eventsource | eventuser | eventcategory | eventid | eventbinarydata | maxavailable | currusage | minusage | maxusage | infounitid | syslogtag | eventlogtype | genericfilename | systemid
----+------------+---------------------+---------------------+----------+----------+--------------------------------+------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+-----------+--------------+-----------------+----------
3 | | 2011-08-06 07:06:30 | 2011-08-06 07:06:24 | 0 | 3 | 223.77.90.202.dial.dyn.mana.pf | (172.17.70.24/Quickspot_26) openvpn[582]: Connection reset, restarting [-1] | | | | | | | | | | | | 1 | | | |
4 | | 2011-08-06 07:06:30 | 2011-08-06 07:06:24 | 0 | 5 | 223.77.90.202.dial.dyn.mana.pf | (172.17.70.24/Quickspot_26) openvpn[582]: /etc/route-down.sh tun0 1500 1543 172.17.70.24 172.17.70.1 init | | | | | | | | | | | | 1 | | | |
5 | | 2011-08-06 07:06:30 | 2011-08-06 07:06:24 | 0 | 5 | 223.77.90.202.dial.dyn.mana.pf | (172.17.70.24/Quickspot_26) openvpn[582]: SIGHUP[soft,connection-reset] received, process restarting | | | | | | | | | | | | 1 | | | |
6 | | 2011-08-06 07:06:30 | 2011-08-06 07:06:24 | 0 | 5 | 223.77.90.202.dial.dyn.mana.pf | (172.17.70.24/Quickspot_26) openvpn[582]: OpenVPN 2.1_rc4 mipsel-linux [SSL] [EPOLL] built on Dec 17 2007 | | | | | | | | | | | | 1 | | | |

I hope it will be readable enough.

From a.chapellon at horoa.net Tue Aug 9 12:01:25 2011
From: a.chapellon at horoa.net (Alexandre Chapellon)
Date: Tue, 09 Aug 2011 12:01:25 +0200
Subject: [rsyslog] loganalyser
In-Reply-To:
References: <4E40FB85.1070505@horoa.net> <4E40FEAA.9010704@horoa.net>
Message-ID: <4E410575.1020704@horoa.net>

Great that did the trick!
What should be placed in the processid? Is rsyslog sql template natively able to fill this field?

regards.

--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: a_chapellon.vcf Type: text/x-vcard Size: 373 bytes Desc: not available URL: From a.chapellon at horoa.net Tue Aug 9 12:07:08 2011 From: a.chapellon at horoa.net (Alexandre Chapellon) Date: Tue, 09 Aug 2011 12:07:08 +0200 Subject: [rsyslog] loganalyser In-Reply-To: References: <4E40FB85.1070505@horoa.net> <4E40FEAA.9010704@horoa.net> Message-ID: <4E4106CC.8080902@horoa.net> Oops, I have the same with checksum column... what type is that column? More generally, I created the database using the createDb.sql script contained in the rsyslog 4.6.4 tarball. Is there any other fields I need to create? Regards. Le 09/08/2011 11:55, Andre Lorbach a ?crit : > Hi, > > sorry I didn't read this post before. > Ok this could explain why you are not seeing data using the Syslog VIEW. > There is a field which was added into LogAnalyzer some time ago. Usually > LogAnalyzer will automatically add missing fields into the logstream > database, if the database user has sufficient rights to the table. This works > of course only if the database user has sufficient rights to the table. > > You can manually add the field "processid" as varchar(60). > > Best regards, > Andre Lorbach > >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Alexandre Chapellon >> Sent: Dienstag, 9. August 2011 11:32 >> To: rsyslog at lists.adiscon.com >> Subject: Re: [rsyslog] loganalyser >> >> I want to add that when I click on a log entry (when in EventLog or > webserver >> view)I get the following error: >> >> >> No syslog records found (code 8 ) - Error Details: >> >> Unknown or unhandeled error occured. >> >> Extra Error Details: >> ER_BAD_FIELD_ERROR - SQL Statement: ERREUR: la colonne ?? processid ?? >> n'existe pas LINE 1: ...mhost, infounitid, facility, priority, >> syslogtag, processid,... ^ >> Detail error: 42703;7;ERREUR: la colonne ?? processid ?? 
n'existe pas >> LINE 1: ...mhost, infounitid, facility, priority, syslogtag, >> processid,... ^ >> Error Code: 42703 > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com -- -------------- next part -------------- A non-text attachment was scrubbed... Name: a_chapellon.vcf Type: text/x-vcard Size: 373 bytes Desc: not available URL: From alorbach at ro1.adiscon.com Tue Aug 9 12:17:25 2011 From: alorbach at ro1.adiscon.com (Andre Lorbach) Date: Tue, 9 Aug 2011 12:17:25 +0200 Subject: [rsyslog] loganalyser In-Reply-To: <4E4106CC.8080902@horoa.net> References: <4E40FB85.1070505@horoa.net> <4E40FEAA.9010704@horoa.net> <4E4106CC.8080902@horoa.net> Message-ID: Checksum is an integer field, there should be no more other new fields > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Alexandre Chapellon > Sent: Dienstag, 9. August 2011 12:07 > To: rsyslog at lists.adiscon.com > Subject: Re: [rsyslog] loganalyser > > Oops, I have the same with checksum column... what type is that column? > > More generally, I created the database using the createDb.sql script contained > in the rsyslog 4.6.4 tarball. Is there any other fields I need to create? > > Regards. > > Le 09/08/2011 11:55, Andre Lorbach a ?crit : > > Hi, > > > > sorry I didn't read this post before. > > Ok this could explain why you are not seeing data using the Syslog VIEW. > > There is a field which was added into LogAnalyzer some time ago. > > Usually LogAnalyzer will automatically add missing fields into the > > logstream database, if the database user has sufficient rights to the > > table. This works of course only if the database user has sufficient rights to > the table. > > > > You can manually add the field "processid" as varchar(60). 
> >
> > Best regards,
> > Andre Lorbach
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Alexandre Chapellon
> >> Sent: Dienstag, 9. August 2011 11:32
> >> To: rsyslog at lists.adiscon.com
> >> Subject: Re: [rsyslog] loganalyser
> >>
> >> I want to add that when I click on a log entry (when in EventLog or webserver
> >> view) I get the following error:
> >>
> >>
> >> No syslog records found (code 8 ) - Error Details:
> >>
> >> Unknown or unhandeled error occured.
> >>
> >> Extra Error Details:
> >> ER_BAD_FIELD_ERROR - SQL Statement: ERREUR: la colonne « processid »
> >> n'existe pas LINE 1: ...mhost, infounitid, facility, priority,
> >> syslogtag, processid,... ^ Detail error: 42703;7;ERREUR: la colonne
> >> « processid » n'existe pas LINE 1: ...mhost, infounitid, facility,
> >> priority, syslogtag, processid,... ^ Error Code: 42703
> >
> > --
>

From alorbach at ro1.adiscon.com Tue Aug 9 12:18:56 2011
From: alorbach at ro1.adiscon.com (Andre Lorbach)
Date: Tue, 9 Aug 2011 12:18:56 +0200
Subject: [rsyslog] loganalyser
In-Reply-To: <4E410575.1020704@horoa.net>
References: <4E40FB85.1070505@horoa.net> <4E40FEAA.9010704@horoa.net> <4E410575.1020704@horoa.net>
Message-ID:

This link might be helpful as well, it includes the old name of LogAnalyzer, but this doesn't matter:
http://wiki.rsyslog.com/index.php/PhpLogCon_Use_cases#Enabling_the_ProcessID_column_with_Rsyslog_and_MySQL_logging

The template variable you are looking for is %procid%.

Best regards,
Andre Lorbach

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Alexandre Chapellon
> Sent: Dienstag, 9.
August 2011 12:01 > To: rsyslog at lists.adiscon.com > Subject: Re: [rsyslog] loganalyser > > Great that did the trick! > What should be placed in the processid? Is rsyslog sql template natively able > the fill this field? > > regards. > > Le 09/08/2011 11:55, Andre Lorbach a ?crit : > > Hi, > > > > sorry I didn't read this post before. > > Ok this could explain why you are not seeing data using the Syslog VIEW. > > There is a field which was added into LogAnalyzer some time ago. > > Usually LogAnalyzer will automatically add missing fields into the > > logstream database, if the database user has sufficient rights to the > > table. This works of course only if the database user has sufficient rights to > the table. > > > > You can manually add the field "processid" as varchar(60). > > > > Best regards, > > Andre Lorbach > > > >> -----Original Message----- > >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> bounces at lists.adiscon.com] On Behalf Of Alexandre Chapellon > >> Sent: Dienstag, 9. August 2011 11:32 > >> To: rsyslog at lists.adiscon.com > >> Subject: Re: [rsyslog] loganalyser > >> > >> I want to add that when I click on a log entry (when in EventLog or > > webserver > >> view)I get the following error: > >> > >> > >> No syslog records found (code 8 ) - Error Details: > >> > >> Unknown or unhandeled error occured. > >> > >> Extra Error Details: > >> ER_BAD_FIELD_ERROR - SQL Statement: ERREUR: la colonne ?? processid > >> ?? n'existe pas LINE 1: ...mhost, infounitid, facility, priority, > >> syslogtag, processid,... ^ Detail error: 42703;7;ERREUR: la colonne > >> ?? processid ?? n'existe pas LINE 1: ...mhost, infounitid, facility, > >> priority, syslogtag, processid,... 
^ Error Code: 42703
> >
> > --
>

From ayelet.regev at gmail.com Wed Aug 10 10:00:17 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Wed, 10 Aug 2011 11:00:17 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To:
References:
Message-ID:

Hi All,

I'm testing rsyslog 4.7.2 on Solaris 10.

You may see below my syslog-client.conf file.

I'm running rsyslog with these parameters and I have validated the config file:
(I had to comment out the imklog module loading and listener commands to make it work without errors.)
My biggest problem at the moment is that all events are written to /tmp/kuku no matter their severity...
I'm executing "logger -p "mail.emerg" "test"" and it's written into /tmp/kuku and not to the correct file.

Your help is more than appreciated....

smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog-client.conf

smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog-client.conf -N4
rsyslogd: version 4.7.2, config validation run (level 4), master config /etc/rsyslog-client.conf
rsyslogd: End of config validation run. Bye

# Modules

$ModLoad imtcp
$ModLoad imudp
#$ModLoad imuxsock
$ModLoad imsolaris
#$ModLoad imklog

# Templates
# log every host in its own directory
#$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
### Rulesets
# Local Logging
$RuleSet local
###user,daemon,uucp,cron,mark.notice /var/adm/messages
user.notice /tmp/kuku
###kern.debug /var/adm/messages
###*.emerg;mail.none *
#Central logging events
#Security logs
auth,authpriv.debug /var/log/central/auth.debug
#MIPS application logs
mail.emerg /var/log/central/MIPSlog
#Comverse applications events (other than MIPS)
local0.debug /var/log/central/local0.debug
#Store local4 events in /var/log/central/traceall
local4.debug /var/log/central/traceall
local6.debug /var/cti/logs/SDT/SDT_Audit_Information.log
# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local
# Remote Logging
$RuleSet remote
*.crit @localhost:666
# Send messages we receive to Gremlin
### Listeners
# bind ruleset to tcp listener
###$InputTCPServerBindRuleset remote
# and activate it:
$InputTCPServerRun 50514
###$InputUDPServerBindRuleset remote
$UDPServerRun 514
$UDPServerRun 1514


Ayelet Regev-Dabah
System Software Platform TL
Comverse
Office: +972 3 6459362
ayelet.regev at comverse.com
www.comverse.com
From rblists at gmail.com Wed Aug 10 10:31:41 2011
From: rblists at gmail.com (Raphael Bauduin)
Date: Wed, 10 Aug 2011 10:31:41 +0200
Subject: [rsyslog] multiple groups privileges
In-Reply-To:
References:
Message-ID:

On Mon, Aug 8, 2011 at 1:25 PM, Raphael Bauduin wrote:
> Hi,
>
> is it possible to run rsyslogd so that it is part of multiple groups?
> I have added the syslog user to multiple groups, and then use
>  $PrivDropToUser syslog
> without $PrivDropToGroup but to no avail.

Hi,

I'm still stuck on this. I'm trying to use the imfile module to send the content of a logfile to another server through rsyslog. I added the syslog user to the group needed to access this log file, and when I su syslog, I indeed have access. The running daemon though does not have access, and I can confirm this is because it does not have the rights of the group I added the syslog user in.

Is what I'm trying to do possible?

thanks

Raph

>
> Thanks
>
> Raphaël
>
> --
> Web database: http://www.myowndb.com
> Free Software Developers Meeting: http://www.fosdem.org
>

--
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org

From friedl at hq.adiscon.com Wed Aug 10 13:06:07 2011
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Wed, 10 Aug 2011 13:06:07 +0200
Subject: [rsyslog] rsyslog 5.8.4 (stable) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728110C@GRFEXC.intern.adiscon.com>

This release contains several bugfixes for potential misaddressing in the property replacer, memcpy overflow in allowed sender checking and more. For more detailed information, please read the changelog.

ChangeLog:
http://www.rsyslog.com/changelog-for-5-8-4-v5-stable/

Download:
http://www.rsyslog.com/rsyslog-5-8-4-v5-stable/

As always, feedback is appreciated.

Best regards,
Florian Riedl

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html.

From rosenski at wave-computer.de Wed Aug 10 16:43:44 2011
From: rosenski at wave-computer.de (Axel Rosenski)
Date: Wed, 10 Aug 2011 16:43:44 +0200
Subject: [rsyslog] problem in remote logging with procid more than 23 characters/digits long
Message-ID: <4030750.IC0No060Eo@lxrosenski>

Hi all,

I'm new to rsyslog, but I'll do my best to give you all the needed information.

I'd like to log apache2 vhost logfiles to a remote log server. On both servers I use rsyslog 4.2.0 as this is the regular version shipped with Ubuntu.

In the vhost config I configured logging with logger like this:
ErrorLog "|/usr/bin/logger -p local0.err -t apache2[my.domain.name]"
CustomLog "|/usr/bin/logger -p local0.info -t apache2[my.domain.name]" combined

To be sure to send out only apache logfiles I set this in the rsyslog.conf:
if $app-name == 'apache2' and $syslogfacility-text == 'local0' then @@logserver:514
if $app-name == 'apache2' and $syslogfacility-text == 'local0' then ~

On the Logserver I created a template to automatically generate files based on
$template ApacheAccessLogFile, "/var/log/%app-name%/%procid%/%procid%_access_log"
if $app-name == 'apache2' and $syslogfacility-text == 'local0' and $syslogseverity-text == 'info' then -?ApacheAccessLogFile;ApacheAccessLogFormat

So far this works like a charm. But when "my.domain.name" has 23 or more characters/digits no logfile was generated on the logserver and I don't get any error.

So, is this a known limitation? I Googled around and read the IETF RFC but found no related information.

Can anyone help with this?

Kind regards,
Axel Rosenski

--
Axel Rosenski
- Administration -
______________________________
Wave Computersysteme GmbH
Philipp-Reis-Str. 1-3 / 9
35440 Linden

Managing Director: Carsten Kellmann
Register court: Gießen, HRB 1823

Tel.: +49 (0)6403 / 9050 8317
Fax: +49 (0)6403 / 9050 5089
mailto:rosenski at wave-computer.de
http://www.wave-computer.de

From rosenski at wave-computer.de Wed Aug 10 17:28:55 2011
From: rosenski at wave-computer.de (Axel Rosenski)
Date: Wed, 10 Aug 2011 17:28:55 +0200
Subject: [rsyslog] problem with field based property replacement
Message-ID: <2704807.0EYNaG0gkS@lxrosenski>

Hi,

after I ran into some troubles with the number of characters of %procid% as described in my previous mail I tried to use %syslogtag% and field based extraction.

In my Apache config I
CustomLog "|/usr/bin/logger -p local0.info -t apache2:my.domain.name" combined

On the Logserver I defined the following template
$template TESTApacheSSLAccessLogFile, "/var/log/test/%syslogtag:F,58:1%/%syslogtag:F,58:2%/%syslogtag:F,58:2%_access_log"

In my tests the second field is empty and the generated log files don't have names with "my.domain.name". I only get
/var/log/test/apache2/_access_log

Can anyone give me a hint?

Kind regards,
Axel Rosenski

--
Axel Rosenski
- Administration -
______________________________
Wave Computersysteme GmbH
Philipp-Reis-Str. 1-3 / 9
35440 Linden

Managing Director: Carsten Kellmann
Register court: Gießen, HRB 1823

Tel.: +49 (0)6403 / 9050 8317
Fax: +49 (0)6403 / 9050 5089
mailto:rosenski at wave-computer.de
http://www.wave-computer.de

From rgerhards at hq.adiscon.com Wed Aug 10 17:46:22 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 10 Aug 2011 17:46:22 +0200
Subject: [rsyslog] problem with field based property replacement
In-Reply-To: <2704807.0EYNaG0gkS@lxrosenski>
References: <2704807.0EYNaG0gkS@lxrosenski>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281118@GRFEXC.intern.adiscon.com>

I have just glimpsed at your mail, but I think I see the problem: colon terminates the tag!

HTH
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Axel Rosenski
> Sent: Wednesday, August 10, 2011 5:29 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] problem with field based property replacement
>
> Hi,
>
> after I ran into some troubles with the number of characters of %procid% as
> described in my previous mail I tried to use %syslogtag% and field based
> extraction.
>
> In my Apache config I
> CustomLog "|/usr/bin/logger -p local0.info -t apache2:my.domain.name" combined
>
> On the Logserver I defined the following template
> $template TESTApacheSSLAccessLogFile, "/var/log/test/%syslogtag:F,58:1%/%syslogtag:F,58:2%/%syslogtag:F,58:2%_access_log"
>
> In my tests the second field is empty and the generated log files don't have
> names with "my.domain.name". I only get
> /var/log/test/apache2/_access_log
>
> Can anyone give me a hint?
>
> Kind regards,
> Axel Rosenski
>
> --
> Axel Rosenski
> - Administration -
> ______________________________
> Wave Computersysteme GmbH
> Philipp-Reis-Str.
1-3 / 9 > 35440 Linden > > Gesch?ftsf?hrer: Carsten Kellmann > Registergericht Gie?en HRB 1823 > > Tel.: +49 (0)6403 / 9050 8317 > Fax: +49 (0)6403 / 9050 5089 > mailto:rosenski at wave-computer.de > http://www.wave-computer.de > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From rgerhards at hq.adiscon.com Wed Aug 10 17:51:03 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 10 Aug 2011 17:51:03 +0200 Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 In-Reply-To: References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> Can you provide a debug log that contains an occurence of this problem? This helps us understand what happens. Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > Sent: Wednesday, August 10, 2011 10:00 AM > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > ** > > Hi All, > > Im testing rsyslog 4.7.2 on Solaris 10. > > You may see below my syslog-client.conf file. > > Im running the rsyslog with these parameters and I have validated > config > file.: > (I had to comment imklog module loading and listener commands to make > it > work without errors.) > My biggest problem at the moment is that all events are written to > /tmp/kuku > no matter their severity... > Im executing "logger -p "mail.emerg" "test"" and its written into > /tmp/kuku > and not to the correct file. > > Your help is more then apprichiated.... > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > client.conf > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > client.conf -N4 > rsyslogd: version 4.7.2, config validation run (level 4), master config > /etc/rsyslog-client.conf > rsyslogd: End of config validation run. 
Bye > > > > # Modules > > $ModLoad imtcp > $ModLoad imudp > #$ModLoad imuxsock > $ModLoad imsolaris > #$ModLoad imklog > > # Templates > # log every host in its own directory > #$template > RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog > .log" > ### Rulesets > # Local Logging > $RuleSet local > ###user,daemon,uucp,cron,mark.notice /var/adm/messages > user.notice /tmp/kuku > ###kern.debug /var/adm/messages > ###*.emerg;mail.none * > #Central logging events > #Security logs > auth,authpriv.debug /var/log/central/auth.debug > #MIPS applicaation logs > mail.emerg /var/log/central/MIPSlog > #Comverse applications events (other than MIPS) > local0.debug /var/log/central/local0.debug > #Strore local4 events in /var/log/central/traceall > local4.debug /var/log/central/traceall > local6.debug > /var/cti/logs/SDT/SDT_Audit_Information.log > # use the local RuleSet as default if not specified otherwise > $DefaultRuleset local > # Remote Logging > $RuleSet remote > *.crit @localhost:666 > # Send messages we receive to Gremlin > ### Listeners > # bind ruleset to tcp listener > ###$InputTCPServerBindRuleset remote > # and activate it: > $InputTCPServerRun 50514 > ###$InputUDPServerBindRuleset remote > $UDPServerRun 514 > $UDPServerRun 1514 > > > Ayelet Regev-Dabah > System Software Platform TL > *Comverse > *Office: +972 3 6459362 > *ayelet.regev at comverse.com* > *www.comverse.com* > > > > * ________________________________ * > "This e-mail message may contain confidential, commercial or privileged > information that constitutes proprietary information of Comverse > Technology > or its subsidiaries. If you are not the intended recipient of this > message, > you are hereby notified that any review, use or distribution of this > information is absolutely prohibited and we request that you delete all > copies and contact us by e-mailing to: security at comverse.com. Thank > You." 

From ayelet.regev at gmail.com Wed Aug 10 18:15:14 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Wed, 10 Aug 2011 19:15:14 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

For now I'm only testing the local ruleset. I'm sending a local4.debug event and I want it to log in /var/log/central/traceall, but all my events are sent to /var/adm/messages.

smu15a:/ ROOT > logger -p "local4.debug" "RSYSLOG test"
smu15a:/ ROOT > tail -1 /var/adm/messages
2011-08-10T19:12:10+03:00 smu15a root: [ID 702911 local4.debug] RSYSLOG test
smu15a:/ ROOT > tail -10 /var/log/central/traceall

smu15a:/ ROOT > more /etc/rsyslog-client.conf | grep -v ^#

$ModLoad imtcp
$ModLoad imudp
$ModLoad imsolaris

$RuleSet local
user,daemon,uucp,cron,mark.notice /var/adm/messages
*.emerg;mail.none *
kern.debug /var/adm/messages
auth.debug /var/log/central/auth.debug
mail.emerg /var/log/central/MIPSlog
local0.debug /var/log/central/local0.debug
local4.debug /var/log/central/traceall
local6.debug /var/cti/logs/SDT/SDT_Audit_Information.log
$DefaultRuleset local
$RuleSet remote
local0.debug @remoteserver:50514
$InputTCPServerRun 50514
$UDPServerRun 514
$UDPServerRun 1514

On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards wrote:

> Can you provide a debug log that contains an occurrence of this problem? This
> helps us understand what happens.
> > Rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > > Sent: Wednesday, August 10, 2011 10:00 AM > > To: rsyslog at lists.adiscon.com > > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > > > ** > > > > Hi All, > > > > Im testing rsyslog 4.7.2 on Solaris 10. > > > > You may see below my syslog-client.conf file. > > > > Im running the rsyslog with these parameters and I have validated > > config > > file.: > > (I had to comment imklog module loading and listener commands to make > > it > > work without errors.) > > My biggest problem at the moment is that all events are written to > > /tmp/kuku > > no matter their severity... > > Im executing "logger -p "mail.emerg" "test"" and its written into > > /tmp/kuku > > and not to the correct file. > > > > Your help is more then apprichiated.... > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > client.conf > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > client.conf -N4 > > rsyslogd: version 4.7.2, config validation run (level 4), master config > > /etc/rsyslog-client.conf > > rsyslogd: End of config validation run. 
Bye > > > > > > > > # Modules > > > > $ModLoad imtcp > > $ModLoad imudp > > #$ModLoad imuxsock > > $ModLoad imsolaris > > #$ModLoad imklog > > > > # Templates > > # log every host in its own directory > > #$template > > RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog > > .log" > > ### Rulesets > > # Local Logging > > $RuleSet local > > ###user,daemon,uucp,cron,mark.notice /var/adm/messages > > user.notice /tmp/kuku > > ###kern.debug /var/adm/messages > > ###*.emerg;mail.none * > > #Central logging events > > #Security logs > > auth,authpriv.debug /var/log/central/auth.debug > > #MIPS applicaation logs > > mail.emerg /var/log/central/MIPSlog > > #Comverse applications events (other than MIPS) > > local0.debug /var/log/central/local0.debug > > #Strore local4 events in /var/log/central/traceall > > local4.debug /var/log/central/traceall > > local6.debug > > /var/cti/logs/SDT/SDT_Audit_Information.log > > # use the local RuleSet as default if not specified otherwise > > $DefaultRuleset local > > # Remote Logging > > $RuleSet remote > > *.crit @localhost:666 > > # Send messages we receive to Gremlin > > ### Listeners > > # bind ruleset to tcp listener > > ###$InputTCPServerBindRuleset remote > > # and activate it: > > $InputTCPServerRun 50514 > > ###$InputUDPServerBindRuleset remote > > $UDPServerRun 514 > > $UDPServerRun 1514 > > > > > > Ayelet Regev-Dabah > > System Software Platform TL > > *Comverse > > *Office: +972 3 6459362 > > *ayelet.regev at comverse.com* > > *www.comverse.com* > > > > > > > > * ________________________________ * > > "This e-mail message may contain confidential, commercial or privileged > > information that constitutes proprietary information of Comverse > > Technology > > or its subsidiaries. 
If you are not the intended recipient of this > > message, > > you are hereby notified that any review, use or distribution of this > > information is absolutely prohibited and we request that you delete all > > copies and contact us by e-mailing to: security at comverse.com. Thank > > You." > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > -------------- next part -------------- A non-text attachment was scrubbed... Name: debug-rsyslog.log Type: application/octet-stream Size: 63462 bytes Desc: not available URL: From rosenski at wave-computer.de Wed Aug 10 18:17:35 2011 From: rosenski at wave-computer.de (Axel Rosenski) Date: Wed, 10 Aug 2011 18:17:35 +0200 Subject: [rsyslog] problem with field based property replacement In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281118@GRFEXC.intern.adiscon.com> References: <2704807.0EYNaG0gkS@lxrosenski> <9B6E2A8877C38245BFB15CC491A11DA7281118@GRFEXC.intern.adiscon.com> Message-ID: <2736848.t69XHVsSB9@lxrosenski> Hi Rainer, thanks for your quick reply. Your hint helped me and I replaced the colon by a hash (#, 35) sign Now I get the logfile names, but they get truncated after 24 characters. Thats better, but that does not really help. Do you have any other idea? Regards, Axel Am Mittwoch, 10. Aug. 11, 17:46:22 schrieb Rainer Gerhards: > I have just glimpsed at your mail, but I think I see the problem: colon > terminates the tag! 
> > HTH > Rainer > > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Axel Rosenski > > Sent: Wednesday, August 10, 2011 5:29 PM > > To: rsyslog at lists.adiscon.com > > Subject: [rsyslog] problem with field based property replacement > > > > Hi, > > > > after I ran into some trobles with the number of characters of %procid% > > as > > described in my previous mail I tried to use %syslogtag% and field > > based > > extraction. > > > > In my Apache config I > > CustomLog "|/usr/bin/logger -p local0.info -t apache2:my.domain.name" > > combined > > > > On the Logserver i defined the following template > > $template TESTApacheSSLAccessLogFile, > > "/var/log/test/%syslogtag:F,58:1%/%syslogtag:F,58:2%/%syslogtag:F,58:2% > > _access_log" > > > > In my tests the second field is empty and the generated log files don't > > have > > names with "my.domain.name". I only get > > /var/log/test/apache2/_access_log > > > > Can anyone give me a hint? > > > > Kind regards, > > Axel Rosenski > > > > -- > > Axel Rosenski > > - Administration - > > ______________________________ > > Wave Computersysteme GmbH > > Philipp-Reis-Str. 1-3 / 9 > > 35440 Linden > > > > Gesch?ftsf?hrer: Carsten Kellmann > > Registergericht Gie?en HRB 1823 > > > > Tel.: +49 (0)6403 / 9050 8317 > > Fax: +49 (0)6403 / 9050 5089 > > mailto:rosenski at wave-computer.de > > http://www.wave-computer.de > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com -- Axel Rosenski - Administration - ______________________________ Wave Computersysteme GmbH Philipp-Reis-Str. 
1-3 / 9
35440 Linden

Managing Director: Carsten Kellmann
Register Court Gießen HRB 1823

Tel.: +49 (0)6403 / 9050 8317
Fax: +49 (0)6403 / 9050 5089
mailto:rosenski at wave-computer.de
http://www.wave-computer.de

From rgerhards at hq.adiscon.com Wed Aug 10 18:18:44 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 10 Aug 2011 18:18:44 +0200
Subject: [rsyslog] problem with field based property replacement
In-Reply-To: <2736848.t69XHVsSB9@lxrosenski>
References: <2704807.0EYNaG0gkS@lxrosenski><9B6E2A8877C38245BFB15CC491A11DA7281118@GRFEXC.intern.adiscon.com> <2736848.t69XHVsSB9@lxrosenski>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728111B@GRFEXC.intern.adiscon.com>

As of rfc3164, tags are limited to 32 characters. I think there is an option to turn this limit off, but don't know out of my head...

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Axel Rosenski
> Sent: Wednesday, August 10, 2011 6:18 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] problem with field based property replacement
>
> Hi Rainer,
>
> thanks for your quick reply.
> Your hint helped me and I replaced the colon by a hash (#, 35) sign.
>
> Now I get the logfile names, but they get truncated after 24
> characters.
>
> That's better, but that does not really help. Do you have any other
> idea?
>
>
> Regards, Axel
>
>
> On Wednesday, 10 Aug. 11, 17:46:22, Rainer Gerhards wrote:
> > I have just glimpsed at your mail, but I think I see the problem: colon
> > terminates the tag!
> >
> > HTH
> > Rainer
> >
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > bounces at lists.adiscon.com] On Behalf Of Axel Rosenski
> > > Sent: Wednesday, August 10, 2011 5:29 PM
> > > To: rsyslog at lists.adiscon.com
> > > Subject: [rsyslog] problem with field based property replacement
> > >
> > > Hi,
> > >
> > > after I ran into some troubles with the number of characters of %procid%
> > > as described in my previous mail I tried to use %syslogtag% and field
> > > based extraction.
> > >
> > > In my Apache config I
> > > CustomLog "|/usr/bin/logger -p local0.info -t apache2:my.domain.name" combined
> > >
> > > On the Logserver I defined the following template
> > > $template TESTApacheSSLAccessLogFile,"/var/log/test/%syslogtag:F,58:1%/%syslogtag:F,58:2%/%syslogtag:F,58:2%_access_log"
> > >
> > > In my tests the second field is empty and the generated log files don't
> > > have names with "my.domain.name". I only get
> > > /var/log/test/apache2/_access_log
> > >
> > > Can anyone give me a hint?
> > >
> > > Kind regards,
> > > Axel Rosenski
> > >
> > > --
> > > Axel Rosenski
> > > - Administration -
> > > ______________________________
> > > Wave Computersysteme GmbH
> > > Philipp-Reis-Str.
1-3 / 9
> > > 35440 Linden
> > >
> > > Managing Director: Carsten Kellmann
> > > Register Court Gießen HRB 1823
> > >
> > > Tel.: +49 (0)6403 / 9050 8317
> > > Fax: +49 (0)6403 / 9050 5089
> > > mailto:rosenski at wave-computer.de
> > > http://www.wave-computer.de
> > >
> --
> Axel Rosenski
> - Administration -
> ______________________________
> Wave Computersysteme GmbH
> Philipp-Reis-Str. 1-3 / 9
> 35440 Linden
>
> Managing Director: Carsten Kellmann
> Register Court Gießen HRB 1823
>
> Tel.: +49 (0)6403 / 9050 8317
> Fax: +49 (0)6403 / 9050 5089
> mailto:rosenski at wave-computer.de
> http://www.wave-computer.de
>

From rgerhards at hq.adiscon.com Wed Aug 10 18:45:49 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 10 Aug 2011 18:45:49 +0200
Subject: [rsyslog] imudp activation failure - was: Remote syslogging through a (broken) VPN
In-Reply-To: <4E39B4C7.6010403@mejor.pl>
References: <20110627205918.0cc9ce80@mistral.stie> <4E09E1B5.7040704@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F1D@GRFEXC.intern.adiscon.com> <4E0C6228.4000203@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F47@GRFEXC.intern.adiscon.com><4E0C895A.7010809@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F5C@GRFEXC.intern.adiscon.com><4E0F4CC9.8070602@mejor.pl> <4E39B4C7.6010403@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728111C@GRFEXC.intern.adiscon.com>

Marcin,

I just had a look at the debug log you sent, but this file looks strange. Is it a combination from a log file and a partial debug log?
In any case, can you send me just a plain debug log, right from the startup. The startup part - where I assume the problems show up - seems to be missing in the file you sent. Also, I don't see where the message in question is emitted in the debug log. I'd say that I need only the startup portion up until where the message first occurs and then, let's say, 10,000 more lines. That makes handling the debug log hopefully a bit easier.

Thanks,
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> Sent: Wednesday, August 03, 2011 10:51 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] imudp activation failure - was: Remote
> syslogging through a (broken) VPN
>
> Hello!
> I'm making little bump up, because new behavior appears. Rsyslog(git)
> logs many (about 1000) lines with message:
> "rsyslogd: Cannot read proc file system: 9 - Bad file descriptor."
>
> All logs start as below:
> 2011-08-03T21:53:26.185038+02:00 serwerek rsyslogd: [origin
> software="rsyslogd" swVersion="6.3.4" x-pid="23935"
> x-info="http://www.rsyslog.com"] start
> 2011-08-03T21:53:26.139975+02:00 serwerek rsyslogd-2184: action '*'
> treated as ':omusrmsg:*' - please change syntax, '*' will not be
> supported in the future [try http://www.rsyslog.com/e/2184 ]
> 2011-08-03T21:53:26.140977+02:00 serwerek rsyslogd: imklog 6.3.4, log
> source = /proc/kmsg started.
> 2011-08-03T21:53:26.141044+02:00 serwerek rsyslogd: imudp: no listeners
> could be started, input not activated.
> : No such file or directory
> 2011-08-03T21:53:26.141051+02:00 serwerek rsyslogd3: activation of
> module imudp.so failed [try http://www.rsyslog.com/e/-3 ]
> 2011-08-03T21:53:26.179159+02:00 serwerek rsyslogd-2040: fatal error on
> disk queue 'action 1 queue[DA]', emergency switch to direct mode [try
> http://www.rsyslog.com/e/2040 ]
> 2011-08-03T21:53:26.185922+02:00 serwerek rsyslogd: Cannot read proc
> file system: 9 - Bad file descriptor.
> 2011-08-03T21:53:26.185936+02:00 serwerek rsyslogd: Cannot read proc
> file system: 9 - Bad file descriptor.
> 2011-08-03T21:53:26.185945+02:00 serwerek rsyslogd: Cannot read proc
> file system: 9 - Bad file descriptor.
> [again and again bad file descriptor]
>
> But it doesn't happen always, more often while OS is starting.
> (rsyslog-5.6.5 works ok). I'm attaching log, unfortunately this log was
> created when rsyslog didn't throw messages "cannot read proc". It
> contains only problem with module UDP.
>
> Regards,
> Marcin.

From rgerhards at hq.adiscon.com Wed Aug 10 18:48:19 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 10 Aug 2011 18:48:19 +0200
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728111D@GRFEXC.intern.adiscon.com>

Sorry, I wasn't clear enough on that: I need to see the processing of a message (Experiencing the problem) inside the debug log. The one you attached stops after rsyslogd init, but before any message is processed.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> Sent: Wednesday, August 10, 2011 6:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>
> Hi,
>
> For now I'm only testing local ruleset.
> > im sending local4.debug event and i want it to log in > /var/log/central/traceall , but all my events are sent to > /var/adm/messages. > > smu15a:/ ROOT > logger -p "local4.debug" "RSYSLOG test" > > smu15a:/ ROOT > tail -1 /var/adm/messages > 2011-08-10T19:12:10+03:00 smu15a root: [ID 702911 local4.debug] RSYSLOG > test > > smu15a:/ ROOT > tail -10 /var/log/central/traceall > > smu15a:/ ROOT > more /etc/rsyslog-client.conf | grep -v ^# > > $ModLoad imtcp > $ModLoad imudp > $ModLoad imsolaris > > $RuleSet local > user,daemon,uucp,cron,mark.notice /var/adm/messages > *.emerg;mail.none * > kern.debug /var/adm/messages > auth.debug /var/log/central/auth.debug > mail.emerg /var/log/central/MIPSlog > local0.debug /var/log/central/local0.debug > local4.debug /var/log/central/traceall > local6.debug > /var/cti/logs/SDT/SDT_Audit_Information.log > $DefaultRuleset local > $RuleSet remote > local0.debug @remoteserver:50514 > $InputTCPServerRun 50514 > $UDPServerRun 514 > $UDPServerRun 1514 > > On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards > wrote: > > > Can you provide a debug log that contains an occurence of this > problem? > > This > > helps us understand what happens. > > > > Rainer > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > > > Sent: Wednesday, August 10, 2011 10:00 AM > > > To: rsyslog at lists.adiscon.com > > > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > > > > > ** > > > > > > Hi All, > > > > > > Im testing rsyslog 4.7.2 on Solaris 10. > > > > > > You may see below my syslog-client.conf file. > > > > > > Im running the rsyslog with these parameters and I have validated > > > config > > > file.: > > > (I had to comment imklog module loading and listener commands to > make > > > it > > > work without errors.) 
> > > My biggest problem at the moment is that all events are written to > > > /tmp/kuku > > > no matter their severity... > > > Im executing "logger -p "mail.emerg" "test"" and its written into > > > /tmp/kuku > > > and not to the correct file. > > > > > > Your help is more then apprichiated.... > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > > client.conf > > > > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > > client.conf -N4 > > > rsyslogd: version 4.7.2, config validation run (level 4), master > config > > > /etc/rsyslog-client.conf > > > rsyslogd: End of config validation run. Bye > > > > > > > > > > > > # Modules > > > > > > $ModLoad imtcp > > > $ModLoad imudp > > > #$ModLoad imuxsock > > > $ModLoad imsolaris > > > #$ModLoad imklog > > > > > > # Templates > > > # log every host in its own directory > > > #$template > > > > RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog > > > .log" > > > ### Rulesets > > > # Local Logging > > > $RuleSet local > > > ###user,daemon,uucp,cron,mark.notice /var/adm/messages > > > user.notice /tmp/kuku > > > ###kern.debug /var/adm/messages > > > ###*.emerg;mail.none * > > > #Central logging events > > > #Security logs > > > auth,authpriv.debug /var/log/central/auth.debug > > > #MIPS applicaation logs > > > mail.emerg /var/log/central/MIPSlog > > > #Comverse applications events (other than MIPS) > > > local0.debug /var/log/central/local0.debug > > > #Strore local4 events in /var/log/central/traceall > > > local4.debug /var/log/central/traceall > > > local6.debug > > > /var/cti/logs/SDT/SDT_Audit_Information.log > > > # use the local RuleSet as default if not specified otherwise > > > $DefaultRuleset local > > > # Remote Logging > > > $RuleSet remote > > > *.crit @localhost:666 > > > # Send messages we receive to Gremlin > > > ### Listeners > > > # bind ruleset to tcp listener > > > ###$InputTCPServerBindRuleset remote > > > # and activate it: > > > 
$InputTCPServerRun 50514
> > > ###$InputUDPServerBindRuleset remote
> > > $UDPServerRun 514
> > > $UDPServerRun 1514
> > >
> > >
> > > Ayelet Regev-Dabah
> > > System Software Platform TL
> > > *Comverse
> > > *Office: +972 3 6459362
> > > *ayelet.regev at comverse.com*
> > > *www.comverse.com*
> > >
> > >
> > >
> > > * ________________________________ *
> > > "This e-mail message may contain confidential, commercial or privileged
> > > information that constitutes proprietary information of Comverse
> > > Technology
> > > or its subsidiaries. If you are not the intended recipient of this
> > > message,
> > > you are hereby notified that any review, use or distribution of this
> > > information is absolutely prohibited and we request that you delete all
> > > copies and contact us by e-mailing to: security at comverse.com. Thank
> > > You."
> >

From ayelet.regev at gmail.com Wed Aug 10 19:05:14 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Wed, 10 Aug 2011 20:05:14 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com>
Message-ID:

Hi Rainer,

Thanks for the quick response.
Attached.

On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards wrote:

> Can you provide a debug log that contains an occurrence of this problem?
> This helps us understand what happens.
> > Rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > > Sent: Wednesday, August 10, 2011 10:00 AM > > To: rsyslog at lists.adiscon.com > > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > > > ** > > > > Hi All, > > > > Im testing rsyslog 4.7.2 on Solaris 10. > > > > You may see below my syslog-client.conf file. > > > > Im running the rsyslog with these parameters and I have validated > > config > > file.: > > (I had to comment imklog module loading and listener commands to make > > it > > work without errors.) > > My biggest problem at the moment is that all events are written to > > /tmp/kuku > > no matter their severity... > > Im executing "logger -p "mail.emerg" "test"" and its written into > > /tmp/kuku > > and not to the correct file. > > > > Your help is more then apprichiated.... > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > client.conf > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > client.conf -N4 > > rsyslogd: version 4.7.2, config validation run (level 4), master config > > /etc/rsyslog-client.conf > > rsyslogd: End of config validation run. 
Bye > > > > > > > > # Modules > > > > $ModLoad imtcp > > $ModLoad imudp > > #$ModLoad imuxsock > > $ModLoad imsolaris > > #$ModLoad imklog > > > > # Templates > > # log every host in its own directory > > #$template > > RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog > > .log" > > ### Rulesets > > # Local Logging > > $RuleSet local > > ###user,daemon,uucp,cron,mark.notice /var/adm/messages > > user.notice /tmp/kuku > > ###kern.debug /var/adm/messages > > ###*.emerg;mail.none * > > #Central logging events > > #Security logs > > auth,authpriv.debug /var/log/central/auth.debug > > #MIPS applicaation logs > > mail.emerg /var/log/central/MIPSlog > > #Comverse applications events (other than MIPS) > > local0.debug /var/log/central/local0.debug > > #Strore local4 events in /var/log/central/traceall > > local4.debug /var/log/central/traceall > > local6.debug > > /var/cti/logs/SDT/SDT_Audit_Information.log > > # use the local RuleSet as default if not specified otherwise > > $DefaultRuleset local > > # Remote Logging > > $RuleSet remote > > *.crit @localhost:666 > > # Send messages we receive to Gremlin > > ### Listeners > > # bind ruleset to tcp listener > > ###$InputTCPServerBindRuleset remote > > # and activate it: > > $InputTCPServerRun 50514 > > ###$InputUDPServerBindRuleset remote > > $UDPServerRun 514 > > $UDPServerRun 1514 > > > > > > Ayelet Regev-Dabah > > System Software Platform TL > > *Comverse > > *Office: +972 3 6459362 > > *ayelet.regev at comverse.com* > > *www.comverse.com* > > > > > > > > * ________________________________ * > > "This e-mail message may contain confidential, commercial or privileged > > information that constitutes proprietary information of Comverse > > Technology > > or its subsidiaries. 
If you are not the intended recipient of this
> > message,
> > you are hereby notified that any review, use or distribution of this
> > information is absolutely prohibited and we request that you delete all
> > copies and contact us by e-mailing to: security at comverse.com. Thank
> > You."
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-rsyslog2.log
Type: application/octet-stream
Size: 73309 bytes
Desc: not available
URL:

From rgerhards at hq.adiscon.com Thu Aug 11 09:04:11 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 11 Aug 2011 09:04:11 +0200
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com>

OK, I should remind myself not to check for bugs in older versions ;) This one is fixed in 4.7.4...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> Sent: Wednesday, August 10, 2011 7:05 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>
> Hi Rainer,
>
> Thanks for the quick response.
> Attached.
>
> On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards wrote:
>
> > Can you provide a debug log that contains an occurrence of this problem?
> > This helps us understand what happens.
> > > > Rainer > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > > > Sent: Wednesday, August 10, 2011 10:00 AM > > > To: rsyslog at lists.adiscon.com > > > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > > > > > ** > > > > > > Hi All, > > > > > > Im testing rsyslog 4.7.2 on Solaris 10. > > > > > > You may see below my syslog-client.conf file. > > > > > > Im running the rsyslog with these parameters and I have validated > > > config > > > file.: > > > (I had to comment imklog module loading and listener commands to > make > > > it > > > work without errors.) > > > My biggest problem at the moment is that all events are written to > > > /tmp/kuku > > > no matter their severity... > > > Im executing "logger -p "mail.emerg" "test"" and its written into > > > /tmp/kuku > > > and not to the correct file. > > > > > > Your help is more then apprichiated.... > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > > client.conf > > > > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > > client.conf -N4 > > > rsyslogd: version 4.7.2, config validation run (level 4), master > config > > > /etc/rsyslog-client.conf > > > rsyslogd: End of config validation run. 
Bye > > > > > > > > > > > > # Modules > > > > > > $ModLoad imtcp > > > $ModLoad imudp > > > #$ModLoad imuxsock > > > $ModLoad imsolaris > > > #$ModLoad imklog > > > > > > # Templates > > > # log every host in its own directory > > > #$template > > > > RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog > > > .log" > > > ### Rulesets > > > # Local Logging > > > $RuleSet local > > > ###user,daemon,uucp,cron,mark.notice /var/adm/messages > > > user.notice /tmp/kuku > > > ###kern.debug /var/adm/messages > > > ###*.emerg;mail.none * > > > #Central logging events > > > #Security logs > > > auth,authpriv.debug /var/log/central/auth.debug > > > #MIPS applicaation logs > > > mail.emerg /var/log/central/MIPSlog > > > #Comverse applications events (other than MIPS) > > > local0.debug /var/log/central/local0.debug > > > #Strore local4 events in /var/log/central/traceall > > > local4.debug /var/log/central/traceall > > > local6.debug > > > /var/cti/logs/SDT/SDT_Audit_Information.log > > > # use the local RuleSet as default if not specified otherwise > > > $DefaultRuleset local > > > # Remote Logging > > > $RuleSet remote > > > *.crit @localhost:666 > > > # Send messages we receive to Gremlin > > > ### Listeners > > > # bind ruleset to tcp listener > > > ###$InputTCPServerBindRuleset remote > > > # and activate it: > > > $InputTCPServerRun 50514 > > > ###$InputUDPServerBindRuleset remote > > > $UDPServerRun 514 > > > $UDPServerRun 1514 > > > > > > > > > Ayelet Regev-Dabah > > > System Software Platform TL > > > *Comverse > > > *Office: +972 3 6459362 > > > *ayelet.regev at comverse.com* > > > *www.comverse.com* > > > > > > > > > > > > * ________________________________ * > > > "This e-mail message may contain confidential, commercial or > privileged > > > information that constitutes proprietary information of Comverse > > > Technology > > > or its subsidiaries. 
If you are not the intended recipient of this
> > > message,
> > > you are hereby notified that any review, use or distribution of this
> > > information is absolutely prohibited and we request that you delete all
> > > copies and contact us by e-mailing to: security at comverse.com. Thank
> > > You."
> >

From ayelet.regev at gmail.com Thu Aug 11 11:28:11 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Thu, 11 Aug 2011 12:28:11 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com>
Message-ID:

Having the same issue on 4.7.4 )-:
attached debug log.

On Thu, Aug 11, 2011 at 10:04 AM, Rainer Gerhards wrote:

> OK, I should remind myself not to check for bugs in older versions ;) This
> one is fixed in 4.7.4...
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> > Sent: Wednesday, August 10, 2011 7:05 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> >
> > Hi Rainer,
> >
> > Thanks for the quick response.
> > Attached.
> >
> > On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards wrote:
> >
> > > Can you provide a debug log that contains an occurrence of this problem?
> > > This helps us understand what happens.
> > > > > > Rainer > > > > > > > -----Original Message----- > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > > > > Sent: Wednesday, August 10, 2011 10:00 AM > > > > To: rsyslog at lists.adiscon.com > > > > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > > > > > > > ** > > > > > > > > Hi All, > > > > > > > > Im testing rsyslog 4.7.2 on Solaris 10. > > > > > > > > You may see below my syslog-client.conf file. > > > > > > > > Im running the rsyslog with these parameters and I have validated > > > > config > > > > file.: > > > > (I had to comment imklog module loading and listener commands to > > make > > > > it > > > > work without errors.) > > > > My biggest problem at the moment is that all events are written to > > > > /tmp/kuku > > > > no matter their severity... > > > > Im executing "logger -p "mail.emerg" "test"" and its written into > > > > /tmp/kuku > > > > and not to the correct file. > > > > > > > > Your help is more then apprichiated.... > > > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > > > client.conf > > > > > > > > > > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog- > > > > client.conf -N4 > > > > rsyslogd: version 4.7.2, config validation run (level 4), master > > config > > > > /etc/rsyslog-client.conf > > > > rsyslogd: End of config validation run. 
Bye > > > > > > > > > > > > > > > > # Modules > > > > > > > > $ModLoad imtcp > > > > $ModLoad imudp > > > > #$ModLoad imuxsock > > > > $ModLoad imsolaris > > > > #$ModLoad imklog > > > > > > > > # Templates > > > > # log every host in its own directory > > > > #$template > > > > > > RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog > > > > .log" > > > > ### Rulesets > > > > # Local Logging > > > > $RuleSet local > > > > ###user,daemon,uucp,cron,mark.notice /var/adm/messages > > > > user.notice /tmp/kuku > > > > ###kern.debug /var/adm/messages > > > > ###*.emerg;mail.none * > > > > #Central logging events > > > > #Security logs > > > > auth,authpriv.debug /var/log/central/auth.debug > > > > #MIPS applicaation logs > > > > mail.emerg /var/log/central/MIPSlog > > > > #Comverse applications events (other than MIPS) > > > > local0.debug /var/log/central/local0.debug > > > > #Strore local4 events in /var/log/central/traceall > > > > local4.debug /var/log/central/traceall > > > > local6.debug > > > > /var/cti/logs/SDT/SDT_Audit_Information.log > > > > # use the local RuleSet as default if not specified otherwise > > > > $DefaultRuleset local > > > > # Remote Logging > > > > $RuleSet remote > > > > *.crit @localhost:666 > > > > # Send messages we receive to Gremlin > > > > ### Listeners > > > > # bind ruleset to tcp listener > > > > ###$InputTCPServerBindRuleset remote > > > > # and activate it: > > > > $InputTCPServerRun 50514 > > > > ###$InputUDPServerBindRuleset remote > > > > $UDPServerRun 514 > > > > $UDPServerRun 1514 > > > > > > > > > > > > Ayelet Regev-Dabah > > > > System Software Platform TL > > > > *Comverse > > > > *Office: +972 3 6459362 > > > > *ayelet.regev at comverse.com* > > > > *www.comverse.com* > > > > > > > > > > > > > > > > * ________________________________ * > > > > "This e-mail message may contain confidential, commercial or > > privileged > > > > information that constitutes proprietary information of Comverse > > > > 
Technology
> > > > or its subsidiaries. If you are not the intended recipient of this
> > > > message,
> > > > you are hereby notified that any review, use or distribution of this
> > > > information is absolutely prohibited and we request that you delete all
> > > > copies and contact us by e-mailing to: security at comverse.com. Thank
> > > > You."
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-rsyslog3.log
Type: application/octet-stream
Size: 76685 bytes
Desc: not available
URL:

From ayelet.regev at gmail.com Thu Aug 11 11:35:53 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Thu, 11 Aug 2011 12:35:53 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com>
Message-ID:

Sorry, this time my event doesn't log anywhere...

On Thu, Aug 11, 2011 at 10:04 AM, Rainer Gerhards wrote:

> OK, I should remind myself not to check for bugs in older versions ;) This
> one is fixed in 4.7.4...
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> > Sent: Wednesday, August 10, 2011 7:05 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> >
> > Hi Rainer,
> >
> > Thanks for the quick response.
> > Attached.
> >
> > On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards wrote:
> >
> > > Can you provide a debug log that contains an occurrence of this problem? This
> > > helps us understand what happens.
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> > > > Sent: Wednesday, August 10, 2011 10:00 AM
> > > > To: rsyslog at lists.adiscon.com
> > > > Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> > > >
> > > > Hi All,
> > > >
> > > > I'm testing rsyslog 4.7.2 on Solaris 10.
> > > >
> > > > You may see below my syslog-client.conf file.
> > > >
> > > > I'm running the rsyslog with these parameters and I have validated the config file:
> > > > (I had to comment imklog module loading and listener commands to make it work without errors.)
> > > > My biggest problem at the moment is that all events are written to /tmp/kuku
> > > > no matter their severity...
> > > > I'm executing "logger -p "mail.emerg" "test"" and it's written into /tmp/kuku
> > > > and not to the correct file.
> > > >
> > > > Your help is more than appreciated....
> > > >
> > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog-client.conf
> > > >
> > > > smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog-client.conf -N4
> > > > rsyslogd: version 4.7.2, config validation run (level 4), master config /etc/rsyslog-client.conf
> > > > rsyslogd: End of config validation run. Bye
> > > >
> > > > # Modules
> > > >
> > > > $ModLoad imtcp
> > > > $ModLoad imudp
> > > > #$ModLoad imuxsock
> > > > $ModLoad imsolaris
> > > > #$ModLoad imklog
> > > >
> > > > # Templates
> > > > # log every host in its own directory
> > > > #$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
> > > > ### Rulesets
> > > > # Local Logging
> > > > $RuleSet local
> > > > ###user,daemon,uucp,cron,mark.notice /var/adm/messages
> > > > user.notice /tmp/kuku
> > > > ###kern.debug /var/adm/messages
> > > > ###*.emerg;mail.none *
> > > > #Central logging events
> > > > #Security logs
> > > > auth,authpriv.debug /var/log/central/auth.debug
> > > > #MIPS application logs
> > > > mail.emerg /var/log/central/MIPSlog
> > > > #Comverse applications events (other than MIPS)
> > > > local0.debug /var/log/central/local0.debug
> > > > #Store local4 events in /var/log/central/traceall
> > > > local4.debug /var/log/central/traceall
> > > > local6.debug /var/cti/logs/SDT/SDT_Audit_Information.log
> > > > # use the local RuleSet as default if not specified otherwise
> > > > $DefaultRuleset local
> > > > # Remote Logging
> > > > $RuleSet remote
> > > > *.crit @localhost:666
> > > > # Send messages we receive to Gremlin
> > > > ### Listeners
> > > > # bind ruleset to tcp listener
> > > > ###$InputTCPServerBindRuleset remote
> > > > # and activate it:
> > > > $InputTCPServerRun 50514
> > > > ###$InputUDPServerBindRuleset remote
> > > > $UDPServerRun 514
> > > > $UDPServerRun 1514
> > > >
> > > > Ayelet Regev-Dabah
> > > > System Software Platform TL
> > > > Comverse
> > > > Office: +972 3 6459362
> > > > ayelet.regev at comverse.com
> > > > www.comverse.com

From rgerhards at hq.adiscon.com Thu Aug 11 12:13:43 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 11 Aug 2011 12:13:43 +0200
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> Sent: Thursday, August 11, 2011 11:36 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>
> Sorry, this time my event doesn't log
> anywhere...

Does that mean the original problem is solved? If not, I'll create a patch
for you, as I don't see the PRI in the current debug log...

Rainer

> On Thu, Aug 11, 2011 at 10:04 AM, Rainer Gerhards wrote:
>
> > OK, I should remind myself not to check for bugs in older versions ;) This
> > one is fixed in 4.7.4...
> >
> > Rainer

From ayelet.regev at gmail.com Thu Aug 11 12:21:28 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Thu, 11 Aug 2011 13:21:28 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com>
Message-ID: <5908639733496524317@unknownmsgid>

No, now it's worse: events are not logged anywhere.

Ayelet Regev-Dabah
Sent from my iPhone

From ayelet.regev at gmail.com Thu Aug 11 12:22:48 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Thu, 11 Aug 2011 13:22:48 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <5908639733496524317@unknownmsgid>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com> <5908639733496524317@unknownmsgid>
Message-ID:

No, now it's worse: events are not logged anywhere...

From rgerhards at hq.adiscon.com Thu Aug 11 12:25:16 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 11 Aug 2011 12:25:16 +0200
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com><5908639733496524317@unknownmsgid>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> Sent: Thursday, August 11, 2011 12:23 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>
> No, now it's worse: events are not logged anywhere...

OK, I'll see if I can craft a patch quickly so that we get more info. I don't
see the actual PRI as it comes in. But I see that none of the filters match.

Rainer

From rgerhards at hq.adiscon.com Thu Aug 11 12:33:09 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 11 Aug 2011 12:33:09 +0200
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com><5908639733496524317@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com>

Pls try attached patch and send debug log. Note that I currently do not have
Solaris at hand, so I could not compile-test the patch. Expect minor quirks,
should be easy to fix.

Rainer
-------------- next part -------------- A non-text attachment was scrubbed...
Name: solaris.patch Type: application/octet-stream Size: 991 bytes Desc: solaris.patch URL:
From ayelet.regev at gmail.com Thu Aug 11 12:34:16 2011 From: ayelet.regev at gmail.com (Ayelet Regev) Date: Thu, 11 Aug 2011 13:34:16 +0300 Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com> <5908639733496524317@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com> Message-ID: <7622665368885676544@unknownmsgid> How do I apply this patch? Ayelet Regev-Dabah Sent from my iPhone On 11 ???? 2011, at 13:33, Rainer Gerhards wrote: > Pls try attached patch and send debug log. Note that I currently do not have > solaris at hand, so I could not compile-test the patch. Expect minor quircks, > should be easy to fix. > > Rainer
From rgerhards at hq.adiscon.com Thu Aug 11 12:34:57 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 11 Aug 2011 12:34:57 +0200 Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 In-Reply-To: <7622665368885676544@unknownmsgid> References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com><5908639733496524317@unknownmsgid><9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com> <7622665368885676544@unknownmsgid> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281128@GRFEXC.intern.adiscon.com> As usual, patch -p1 < patchfile > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Ayelet Regev > Sent: Thursday, August 11, 2011 12:34 PM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 > > How do I apply this patch? > > Ayelet Regev-Dabah > Sent from my iPhone
From marcin at mejor.pl Thu Aug 11 12:41:32 2011 From: marcin at mejor.pl (=?UTF-8?B?TWFyY2luIE1pcm9zxYJhdw==?=) Date: Thu, 11 Aug 2011 12:41:32 +0200 Subject: [rsyslog] Bad file descriptor (was: imudp activation failure - was: Remote syslogging through a (broken) VPN) In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728111C@GRFEXC.intern.adiscon.com> References:
<20110627205918.0cc9ce80@mistral.stie> <4E09E1B5.7040704@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F1D@GRFEXC.intern.adiscon.com> <4E0C6228.4000203@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F47@GRFEXC.intern.adiscon.com><4E0C895A.7010809@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F5C@GRFEXC.intern.adiscon.com><4E0F4CC9.8070602@mejor.pl> <4E39B4C7.6010403@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA728111C@GRFEXC.intern.adiscon.com> Message-ID: <4E43B1DC.4090208@mejor.pl> On 10.08.2011 18:45, Rainer Gerhards wrote: > Marcin, > > I just had a look at the debug log you sent, but this file looks strange. Is > it a combination from a log file and a partial debug log? In any case, can > you send me just a plain debug log, right from the startup. The startup part > - where I assume the problems show up - seems to be missing in the file you > sent. Also, I don't see where the message in question is emitted in the debug > log. I'd say that I need only the startup portion up until where the message > first occurs and then, let's say, 10,000 more lines. That makes handling the > debug log hopefully a bit easier. Rainer, Thank you for taking a look at it. I've sent message.log, which (I believed) contained both messages: debug and system logs. I did it this way because the problem appears (or I can easily reproduce it) when rsyslog is started by the init script. The init script uses start-stop-daemon to do it. I can't simply redirect output ( 2>&1 >file) because it would redirect the output of start-stop-daemon. I tried using a simple bash wrapper which was started by start-stop-daemon instead of the rsyslogd binary, but in this case I couldn't reproduce the problem. Is it possible for rsyslogd to write all debug messages to a file instead of stdout/stderr?
Regards, Marcin From rgerhards at hq.adiscon.com Thu Aug 11 12:43:27 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 11 Aug 2011 12:43:27 +0200 Subject: [rsyslog] Bad file descriptor (was: imudp activation failure - was: Remote syslogging through a (broken) VPN) In-Reply-To: <4E43B1DC.4090208@mejor.pl> References: <20110627205918.0cc9ce80@mistral.stie> <4E09E1B5.7040704@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F1D@GRFEXC.intern.adiscon.com> <4E0C6228.4000203@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F47@GRFEXC.intern.adiscon.com><4E0C895A.7010809@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F5C@GRFEXC.intern.adiscon.com><4E0F4CC9.8070602@mejor.pl><4E39B4C7.6010403@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA728111C@GRFEXC.intern.adiscon.com> <4E43B1DC.4090208@mejor.pl> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281129@GRFEXC.intern.adiscon.com> You can control this via environment variables, see here: http://www.rsyslog.com/doc/debug.html Rainer
From marcin at mejor.pl Thu Aug 11 12:46:06 2011 From: marcin at mejor.pl (=?UTF-8?B?TWFyY2luIE1pcm9zxYJhdw==?=) Date: Thu, 11 Aug 2011 12:46:06 +0200 Subject: [rsyslog] Bad file descriptor In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281129@GRFEXC.intern.adiscon.com> References: <20110627205918.0cc9ce80@mistral.stie> <4E09E1B5.7040704@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F1D@GRFEXC.intern.adiscon.com> <4E0C6228.4000203@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F47@GRFEXC.intern.adiscon.com><4E0C895A.7010809@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F5C@GRFEXC.intern.adiscon.com><4E0F4CC9.8070602@mejor.pl><4E39B4C7.6010403@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA728111C@GRFEXC.intern.adiscon.com> <4E43B1DC.4090208@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA7281129@GRFEXC.intern.adiscon.com> Message-ID: <4E43B2EE.6000904@mejor.pl> On 11.08.2011 12:43, Rainer Gerhards wrote: > You can control this via environment variables, see here: > > http://www.rsyslog.com/doc/debug.html Great!
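For the routing question in the Solaris 10 thread above (a `logger -p mail.emerg` test message landing in /tmp/kuku, and the PRI that could not be seen in the debug log), the following is an added example, not code from rsyslog or from any poster. It decodes a PRI value and evaluates the active rules of the posted `local` ruleset under traditional selector semantics; the function names and the RFC 3164 facility numbering are assumptions, and the `=` and `!` priority modifiers are not handled.

```python
# Added example: simplified model of traditional syslog selector matching.
# Not rsyslog's own code. Facility codes follow RFC 3164 numbering (assumption);
# a platform's <sys/syslog.h> may number some facilities differently.

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11}
FACILITY.update({"local%d" % i: 16 + i for i in range(8)})
FACILITY_NAME = {code: name for name, code in FACILITY.items()}

# Index in this list is the numeric severity: 0 is most urgent, 7 least.
SEVERITY = ["emerg", "alert", "crit", "err",
            "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a PRI value (facility * 8 + severity) into two names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %r" % (pri,))
    code, sev = divmod(pri, 8)
    return FACILITY_NAME.get(code, "facility%d" % code), SEVERITY[sev]


def selector_matches(selector, facility, severity):
    """Return True if a selector such as 'auth,authpriv.debug' accepts the message.

    'fac.level' accepts that level and everything more urgent, 'fac.none'
    clears what earlier parts accepted, ';' chains parts left to right.
    """
    sev = SEVERITY.index(severity)
    accepted = set()  # severities accepted for this message's facility
    for part in selector.split(";"):
        facs, _, level = part.strip().partition(".")
        if not level or level[0] in "=!":
            raise ValueError("unsupported selector part: %r" % (part,))
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue  # this part says nothing about our facility
        if level == "none":
            accepted.clear()
        elif level == "*":
            accepted.update(range(8))
        else:
            accepted.update(range(SEVERITY.index(level) + 1))
    return sev in accepted


# Active (uncommented) rules of the "local" ruleset, copied from the
# configuration posted in the thread.
LOCAL_RULES = [
    ("user.notice", "/tmp/kuku"),
    ("auth,authpriv.debug", "/var/log/central/auth.debug"),
    ("mail.emerg", "/var/log/central/MIPSlog"),
    ("local0.debug", "/var/log/central/local0.debug"),
    ("local4.debug", "/var/log/central/traceall"),
    ("local6.debug", "/var/cti/logs/SDT/SDT_Audit_Information.log"),
]


def route(rules, pri):
    """List the destinations whose selector accepts a message with this PRI."""
    facility, severity = decode_pri(pri)
    return [dest for sel, dest in rules
            if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    # Constructed sample PRIs: mail.emerg, user.notice, user.info, auth.debug
    for pri in (16, 13, 14, 39):
        print(pri, decode_pri(pri), route(LOCAL_RULES, pri))
```

Under these semantics a mail.emerg message (PRI 16) belongs only in /var/log/central/MIPSlog, so seeing it in /tmp/kuku points at how the PRI arrives from the input module rather than at the rules themselves.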
From marcin at mejor.pl Thu Aug 11 14:15:58 2011 From: marcin at mejor.pl (=?UTF-8?B?TWFyY2luIE1pcm9zxYJhdw==?=) Date: Thu, 11 Aug 2011 14:15:58 +0200 Subject: [rsyslog] Bad file descriptor In-Reply-To: <4E43B2EE.6000904@mejor.pl> References: <20110627205918.0cc9ce80@mistral.stie> <4E09E1B5.7040704@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F1D@GRFEXC.intern.adiscon.com> <4E0C6228.4000203@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F47@GRFEXC.intern.adiscon.com><4E0C895A.7010809@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA7280F5C@GRFEXC.intern.adiscon.com><4E0F4CC9.8070602@mejor.pl><4E39B4C7.6010403@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA728111C@GRFEXC.intern.adiscon.com> <4E43B1DC.4090208@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA7281129@GRFEXC.intern.adiscon.com> <4E43B2EE.6000904@mejor.pl> Message-ID: <4E43C7FE.8050004@mejor.pl> On 11.08.2011 12:46, Marcin Mirosław wrote: > On 11.08.2011 12:43, Rainer Gerhards wrote: >> You can control this via environment variables, see here: >> >> http://www.rsyslog.com/doc/debug.html > > Great! Oops, another problem: when I set the variables in the environment ( RSYSLOG_DEBUGLOG="/rsysl.log" RSYSLOG_DEBUG="Debug NoStdOut" ), rsyslogd didn't background. So I've added an option to start-stop-daemon to do the backgrounding of rsyslogd internally. In this situation rsyslogd works without any problem. It seems the problem appears when rsyslogd does the backgrounding itself. Next step, I've added "DebugOnDemand". Rsyslogd worked correctly... And again, I have no idea how to generate a debug log.
Regards, Marcin From rosenski at wave-computer.de Thu Aug 11 14:30:29 2011 From: rosenski at wave-computer.de (Axel Rosenski) Date: Thu, 11 Aug 2011 14:30:29 +0200 Subject: [rsyslog] problem with field based property replacement In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728111B@GRFEXC.intern.adiscon.com> References: <2704807.0EYNaG0gkS@lxrosenski> <2736848.t69XHVsSB9@lxrosenski> <9B6E2A8877C38245BFB15CC491A11DA728111B@GRFEXC.intern.adiscon.com> Message-ID: <3555959.9i7N34G4td@lxrosenski> On Wednesday, 10 Aug. 11, 18:18:44, Rainer Gerhards wrote: > As of rfc3164, tags are limited to 32 characters. I think there is an > option to turn this limit off, but don't know out of my head... Thanks, I'll think about a solution for this. Axel -- Axel Rosenski - Administration - ______________________________ Wave Computersysteme GmbH Philipp-Reis-Str. 1-3 / 9 35440 Linden Managing Director: Carsten Kellmann Registration court: Gießen HRB 1823 Tel.: +49 (0)6403 / 9050 8317 Fax: +49 (0)6403 / 9050 5089 mailto:rosenski at wave-computer.de http://www.wave-computer.de From ayelet.regev at gmail.com Thu Aug 11 14:45:07 2011 From: ayelet.regev at gmail.com (Ayelet Regev) Date: Thu, 11 Aug 2011 15:45:07 +0300 Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10 In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281128@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com> <5908639733496524317@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com> <7622665368885676544@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA7281128@GRFEXC.intern.adiscon.com> Message-ID: <-2807318110512162237@unknownmsgid> All ok. I didn't compile with imsolaris. Ayelet Regev-Dabah Sent from my iPhone On 11 ????
2011, at 13:34, Rainer Gerhards wrote:

> As usual, patch -p1 < patchfile
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
>> Sent: Thursday, August 11, 2011 12:34 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>>
>> How do I apply this patch?
>>
>> Ayelet Regev-Dabah
>> Sent from my iPhone
>>
>> On 11 ???? 2011, at 13:33, Rainer Gerhards wrote:
>>
>>> Pls try attached patch and send debug log. Note that I currently do not have
>>> solaris at hand, so I could not compile-test the patch. Expect minor quirks,
>>> should be easy to fix.
>>>
>>> Rainer
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>>>> Sent: Thursday, August 11, 2011 12:25 PM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>>>>
>>>>> -----Original Message-----
>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
>>>>> Sent: Thursday, August 11, 2011 12:23 PM
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>>>>>
>>>>> No, now it's worse, events are not logged anywhere...
>>>>
>>>> OK, I see if I can craft a patch quickly so that we get more info. I don't
>>>> see the actual PRI as it comes in. But I see that none of the filters match.
>>>>
>>>> Rainer
>>>>>
>>>>> On Thu, Aug 11, 2011 at 1:21 PM, Ayelet Regev wrote:
>>>>>
>>>>>> No, now it's worse, events are not logged anywhere.
>>>>>>
>>>>>> Ayelet Regev-Dabah
>>>>>> Sent from my iPhone
>>>>>>
>>>>>> On 11 ???? 2011, at 13:13, "Rainer Gerhards" wrote:
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
>>>>>> Sent: Thursday, August 11, 2011 11:36 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>>>>>>
>>>>>> Sorry, this time my event doesn't log anywhere...
>>>>>>
>>>>>> Does that mean the original problem is solved? If not, I'll create a patch
>>>>>> for you, as I don't see the PRI in the current debug log...
>>>>>> Rainer
>>>>>>
>>>>>> On Thu, Aug 11, 2011 at 10:04 AM, Rainer Gerhards wrote:
>>>>>>
>>>>>> OK, I should remind myself not to check for bugs in older versions ;)
>>>>>> This one is fixed in 4.7.4...
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
>>>>>> Sent: Wednesday, August 10, 2011 7:05 PM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>>>>>>
>>>>>> Hi Rainer,
>>>>>>
>>>>>> Thanks for the quick response.
>>>>>> Attached.
>>>>>>
>>>>>> On Wed, Aug 10, 2011 at 6:51 PM, Rainer Gerhards wrote:
>>>>>>
>>>>>> Can you provide a debug log that contains an occurrence of this problem?
>>>>>> This helps us understand what happens.
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
>>>>>> Sent: Wednesday, August 10, 2011 10:00 AM
>>>>>> To: rsyslog at lists.adiscon.com
>>>>>> Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm testing rsyslog 4.7.2 on Solaris 10.
>>>>>>
>>>>>> You may see below my syslog-client.conf file.
>>>>>>
>>>>>> I'm running the rsyslog with these parameters and I have validated config file.:
>>>>>> (I had to comment imklog module loading and listener commands to make it work without errors.)
>>>>>>
>>>>>> My biggest problem at the moment is that all events are written to /tmp/kuku
>>>>>> no matter their severity...
>>>>>> I'm executing "logger -p "mail.emerg" "test"" and it's written into /tmp/kuku
>>>>>> and not to the correct file.
>>>>>>
>>>>>> Your help is more than appreciated....
>>>>>>
>>>>>> smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog-client.conf
>>>>>>
>>>>>> smu15a:/ ROOT > /usr/local/sbin/rsyslogd -c4 -f /etc/rsyslog-client.conf -N4
>>>>>> rsyslogd: version 4.7.2, config validation run (level 4), master config /etc/rsyslog-client.conf
>>>>>> rsyslogd: End of config validation run. Bye
>>>>>>
>>>>>> # Modules
>>>>>>
>>>>>> $ModLoad imtcp
>>>>>> $ModLoad imudp
>>>>>> #$ModLoad imuxsock
>>>>>> $ModLoad imsolaris
>>>>>> #$ModLoad imklog
>>>>>>
>>>>>> # Templates
>>>>>> # log every host in its own directory
>>>>>> #$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
>>>>>> ### Rulesets
>>>>>> # Local Logging
>>>>>> $RuleSet local
>>>>>> ###user,daemon,uucp,cron,mark.notice /var/adm/messages
>>>>>> user.notice /tmp/kuku
>>>>>> ###kern.debug /var/adm/messages
>>>>>> ###*.emerg;mail.none *
>>>>>> #Central logging events
>>>>>> #Security logs
>>>>>> auth,authpriv.debug /var/log/central/auth.debug
>>>>>> #MIPS applicaation logs
>>>>>> mail.emerg /var/log/central/MIPSlog
>>>>>> #Comverse applications events (other than MIPS)
>>>>>> local0.debug /var/log/central/local0.debug
>>>>>> #Strore local4 events in /var/log/central/traceall
>>>>>> local4.debug /var/log/central/traceall
>>>>>> local6.debug /var/cti/logs/SDT/SDT_Audit_Information.log
>>>>>> # use the local RuleSet as default if not specified otherwise
>>>>>> $DefaultRuleset local
>>>>>> # Remote Logging
>>>>>> $RuleSet remote
>>>>>> *.crit @localhost:666
>>>>>> # Send messages we receive to Gremlin
>>>>>> ### Listeners
>>>>>> # bind ruleset to tcp listener
>>>>>> ###$InputTCPServerBindRuleset remote
>>>>>> # and activate it:
>>>>>> $InputTCPServerRun 50514
>>>>>> ###$InputUDPServerBindRuleset remote
>>>>>> $UDPServerRun 514
>>>>>> $UDPServerRun 1514
>>>>>>
>>>>>> Ayelet Regev-Dabah
>>>>>> System Software Platform TL
>>>>>> *Comverse
>>>>>> *Office: +972 3 6459362
>>>>>> *ayelet.regev at comverse.com*
>>>>>> *www.comverse.com*
>>>>>>
>>>>>> * ________________________________ *
>>>>>> "This e-mail message may contain confidential, commercial or privileged
>>>>>> information that constitutes proprietary information of Comverse Technology
>>>>>> or its subsidiaries. If you are not the intended recipient of this message,
>>>>>> you are hereby notified that any review, use or distribution of this
>>>>>> information is absolutely prohibited and we request that you delete all
>>>>>> copies and contact us by e-mailing to: security at comverse.com. Thank You."
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com
>>>>>>
>>>>> _______________________________________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>> http://www.rsyslog.com

From gkra at unnerving.org Mon Aug 15 00:04:04 2011
From: gkra at unnerving.org (Gregory K. Ruiz-Ade)
Date: Sun, 14 Aug 2011 15:04:04 -0700
Subject: [rsyslog] filter expression condition negation (!) failing in 4.6.5?
In-Reply-To:
Message-ID:

I'm using the IUS-repository rsyslog 4.6.5 packages on CentOS 5.6.

While trying to set up expression-based filters for logging, I am getting the following error in my messages.log when I start rsyslog:

---->8----
Aug 12 12:43:01 logtest rsyslogd-2051: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
Aug 12 12:43:01 logtest rsyslogd: the last error occured in /etc/rsyslog.conf, line 208:"then ?ApacheErrorLog;SiteIDTaggedMsg"
---->8----

Looking through my config file, that error points me at this filter expression:

---->8----
# Non-production CustomLogs are in per-site/per-server logs
if (($syslogfacility-text == 'local0') \
    and ($syslogpriority-text != 'error') \
    and ($msg startswith '[SITE:nonprod]' \
    or $msg !startswith '[SITE:')) \
then ?ApacheAccessLog;ApacheAccessLogSiteIDFormat
---->8----

After a few iterations of testing, I discovered that if I removed the negation (so, replacing "!startswith" with "startswith" for testing) the server would start up just fine without complaining about any errors.

A little more experimentation revealed that negating any of the conditional expressions (as listed at http://www.rsyslog.com/doc/rsyslog_conf_filter.html) would generate the same error (2501).

Am I doing something wrong, or is there a bug in this version of rsyslog? Is there a better way to match messages than the expression above?

As you can guess by the templates being used, I'm trying to split up apache access log streams to different locations based partially on whether or not the sending host has prepended a '[SITE:]' tag to $msg (done via rsyslog on the sending host). This particular expression is supposed to handle our "nonprod" site as well as any hosts that are not prepending the tag to $msg.

Many thanks,

Gregory

--
Gregory K. Ruiz-Ade
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu

From nathans at aconex.com Mon Aug 15 14:21:58 2011
From: nathans at aconex.com (Nathan Scott)
Date: Mon, 15 Aug 2011 22:21:58 +1000 (EST)
Subject: [rsyslog] [patch 0/2] rsyslog support for elasticsearch
In-Reply-To: <1421390631.185128.1313409236271.JavaMail.root@acxmail-au2.aconex.com>
Message-ID: <683095888.185153.1313410918619.JavaMail.root@acxmail-au2.aconex.com>

Hi Rainer, everyone,

The following couple of patches add rsyslog support for sending log messages into an elasticsearch cluster.

http://www.elasticsearch.org/

This uses a REST API and requires messages to be output in JSON format - as described at http://www.json.org/ .

We are using the stable (5.8.x series, currently on 5.8.4) versions only; I'm not sure as to how difficult a task porting this to the 6.x series would present, I have not attempted that at this stage.

We are using rsyslog to provide distributed reliable log message delivery from servers in several (worldwide) data centres to a centralised log repository for problem triage. I also wrote up our deployment and monitoring of it, here:

http://oss.sgi.com/projects/pcp/pcp-gui.git/man/html/howto.systemlog.html

Enjoy! I'm keen to hear if others find this useful too - feel free to send me a note should you make use of these patches, or if you have any questions about them - thanks!

cheers.

--
Nathan

From nathans at aconex.com Mon Aug 15 14:22:05 2011
From: nathans at aconex.com (Nathan Scott)
Date: Mon, 15 Aug 2011 22:22:05 +1000 (EST)
Subject: [rsyslog] [patch 1/2] add JSON escaping option
In-Reply-To: <1480136787.185131.1313409293495.JavaMail.root@acxmail-au2.aconex.com>
Message-ID: <519004076.185156.1313410925447.JavaMail.root@acxmail-au2.aconex.com>

Following the path taken by the two SQL formatting options, which escape single quotes with double quotes (amongst other things), this patch adds a JSON quoting option.

JSON is the opposite to the SQL options, requiring double quotes to be quoted within a string. This patch provides a formatting option implementing this requirement, while piggy-backing on the existing code as much as possible.

Signed-off-by: Nathan Scott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsyslog-json-escape.patch
Type: text/x-patch
Size: 9185 bytes
Desc: not available
URL:

From nathans at aconex.com Mon Aug 15 14:22:13 2011
From: nathans at aconex.com (Nathan Scott)
Date: Mon, 15 Aug 2011 22:22:13 +1000 (EST)
Subject: [rsyslog] [patch 2/2] add elasticsearch output module
In-Reply-To: <1080292631.185134.1313409312466.JavaMail.root@acxmail-au2.aconex.com>
Message-ID: <510427857.185159.1313410933469.JavaMail.root@acxmail-au2.aconex.com>

Add support for sending events to elasticsearch - a distributed, RESTful, search engine built on Lucene (www.elasticsearch.org).

The output module is enabled via a configure option, and uses libcurl to send the messages from rsyslog to elasticsearch. This patch makes use of the earlier JSON quoting patch to ensure valid JSON strings are sent to the server.

Signed-off-by: Nathan Scott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsyslog-elasticsearch.patch
Type: text/x-patch
Size: 13525 bytes
Desc: not available
URL:

From ayelet.regev at gmail.com Mon Aug 15 14:39:24 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Mon, 15 Aug 2011 15:39:24 +0300
Subject: [rsyslog] problem to have 2 rsyslog instances on Solaris (rsyslog 7.4.7)
Message-ID:

I want to have multiple instances of rsyslog on Solaris 10.
Currently my "Client" instance is running, when trying to start the "server" instance I get these errors:

2334.046496319:4: Called LogError, msg: syslogd pid 2000 already running. Cannot start another syslogd pid 2059

smu15a:/ ROOT > ps -ef | grep -i ryslog
root 25275 1 0 15:35:29 pts/1 0:00 /usr/local/Rsyslog/sbin/rsyslogd -i /var/run/rsyslog-client.pid -f /etc/rsyslog

smu15a:/ ROOT > /usr/local/Rsyslog/sbin/rsyslogd-server -c4 -i /var/run/rsyslog-server.pid -f /etc/rsyslog-server.conf -dn
2334.011338550:1: logmsg: flags 1, from 'smu15a', msg [origin software="rsyslogd" swVersion="4.7.4" x-pid="2059" x-info=" http://www.rsyslog.com"] (re)start
2334.011406966:1: Message has legacy syslog format.
2334.011507680:1: main Q: entry added, size now 1 entries
2334.011581950:1: wtpAdviseMaxWorkers signals busy
2334.011675143:1: main Q: EnqueueMsg advised worker start
2334.043650492:1: (re)started.
2334.043746746:1: Debugging enabled, SIGUSR1 to turn off debugging.
2334.043833149:2: main Q: entry deleted, state 0, size now 0 entries
2334.043961439:2: testing filter, f_pmask 0
2334.044045312:2: testing filter, f_pmask 0
2334.044171036:2: testing filter, f_pmask 0
2334.044256129:2: testing filter, f_pmask 0
2334.044334439:2: testing filter, f_pmask 0
2334.044449766:2: main Q:Reg/w0: worker IDLE, waiting for work.
2334.044615812:5: Listening on UDP syslogd socket 5 (IPv6/port 514).
2334.044727969:5: Listening on UDP syslogd socket 6 (IPv4/port 514).
2334.044828376:6: caller requested object 'nsd_ptcp', not found (iRet -3003)
2334.044930106:6: Requested to load module 'lmnsd_ptcp'
2334.045030006:5: Listening on UDP syslogd socket 7 (IPv6/port 1514).
2334.045136246:6: loading module '/usr/local/Rsyslog/lib/rsyslog/lmnsd_ptcp.so'
2334.045240239:5: Listening on UDP syslogd socket 8 (IPv4/port 1514).
2334.045341399:5: --------imUDP calling select, active file descriptors (max 8): 5 6 7 8
2334.045639822:4: imsolaris: doing startup poll before openeing door()
2334.045740942:4: imsolaris: waiting for next message (timeout 0)...
2334.045855769:1: initialization completed, transitioning to regular run mode
2334.045974162:4: imsolaris: no more messages, getMsgs() terminates
2334.046107179:4: open_door: /var/run/syslog_door opened successfully
2334.046200922:4: open_door: door_info:info.di_target = 2000
2334.046289506:4: open_door: error: syslogd pid 2000 already running. Cannot start another syslogd pid 2059
2334.046367409:6: source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 4
2334.046496319:4: Called LogError, msg: syslogd pid 2000 already running. Cannot start another syslogd pid 2059
2334.046605986:6: rsyslogd: syslogd pid 2000 already running. Cannot start another syslogd pid 2059 [try http://www.rsyslog.com/e/2147 ] module of type 2 being loaded.
2334.046728132:6: source file netstrms.c requested reference for module 'lmnsd_ptcp', reference count now 1
2334.046833796:4: logmsg: flags 1, from 'smu15a', msg syslogd pid 2000 already running. Cannot start another syslogd pid 2059 [try http://www.rsyslog.com/e/2147 ]
2334.046932806:4: Message has legacy syslog format.
2334.047029329:6: creating tcp listen socket on port 50514
2334.047134849:4: main Q: entry added, size now 1 entries
2334.047243859:4: wtpAdviseMaxWorkers signals busy
2334.047323739:6: error 125 while binding tcp socket
2334.047440136:2: main Q: entry deleted, state 0, size now 0 entries
2334.047552799:6: error 125 while binding tcp socket
2334.047688889:2: testing filter, f_pmask 0
2334.047782922:2: testing filter, f_pmask 0
2334.047874212:2: testing filter, f_pmask 0
2334.047964582:2: testing filter, f_pmask 0
2334.048056012:2: testing filter, f_pmask 0
2334.048154126:4: main Q: EnqueueMsg advised worker start
2334.048285092:2: main Q:Reg/w0: worker IDLE, waiting for work.

From ayelet.regev at gmail.com Mon Aug 15 15:05:08 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Mon, 15 Aug 2011 16:05:08 +0300
Subject: [rsyslog] Fwd: problem to have 2 rsyslog instances on Solaris (rsyslog 7.4.7)
References:
Message-ID: <4980432574057418190@unknownmsgid>

Hi,

I want to have multiple instances of rsyslog on Solaris 10.
Currently my "Client" instance is running, when trying to start the "server" instance I get these errors:

2334.046496319:4: Called LogError, msg: syslogd pid 2000 already running. Cannot start another syslogd pid 2059

smu15a:/ ROOT > ps -ef | grep -i ryslog
root 25275 1 0 15:35:29 pts/1 0:00 /usr/local/Rsyslog/sbin/rsyslogd -i /var/run/rsyslog-client.pid -f /etc/rsyslog

smu15a:/ ROOT > /usr/local/Rsyslog/sbin/rsyslogd-server -c4 -i /var/run/rsyslog-server.pid -f /etc/rsyslog-server.conf -dn

From ayelet.regev at gmail.com Mon Aug 15 16:01:22 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Mon, 15 Aug 2011 17:01:22 +0300
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To: <-2807318110512162237@unknownmsgid>
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com> <5908639733496524317@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com> <7622665368885676544@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA7281128@GRFEXC.intern.adiscon.com> <-2807318110512162237@unknownmsgid>
Message-ID:

I want to have multiple instances of rsyslog on Solaris 10. (rsyslog 7.4.7)
Currently my "Client" instance is running, when trying to start the "server" instance I get these errors:

2334.046496319:4: Called LogError, msg: syslogd pid 2000 already running. Cannot start another syslogd pid 2059

smu15a:/ ROOT > ps -ef | grep -i ryslog
root 25275 1 0 15:35:29 pts/1 0:00 /usr/local/Rsyslog/sbin/rsyslogd -i /var/run/rsyslog-client.pid -f /etc/rsyslog

smu15a:/ ROOT > /usr/local/Rsyslog/sbin/rsyslogd-server -c4 -i /var/run/rsyslog-server.pid -f /etc/rsyslog-server.conf -dn

On Thu, Aug 11, 2011 at 3:45 PM, Ayelet Regev wrote:

> All ok.
> I didn't compile with imsolaris.
>
> Ayelet Regev-Dabah
> Sent from my iPhone
>
> On 11 ???? 2011, at 13:34, Rainer Gerhards wrote:
>
> > As usual, patch -p1 < patchfile
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> >> Sent: Thursday, August 11, 2011 12:34 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> >>
> >> How do I apply this patch?
> >>
> >> Ayelet Regev-Dabah
> >> Sent from my iPhone
> >>
> >> On 11 ???? 2011, at 13:33, Rainer Gerhards wrote:
> >>
> >>> Pls try attached patch and send debug log. Note that I currently do not have
> >>> solaris at hand, so I could not compile-test the patch. Expect minor quirks,
> >>> should be easy to fix.

From rgerhards at hq.adiscon.com Mon Aug 15 19:01:59 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 15 Aug 2011 19:01:59 +0200
Subject: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728111A@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728111F@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281125@GRFEXC.intern.adiscon.com><5908639733496524317@unknownmsgid><9B6E2A8877C38245BFB15CC491A11DA7281126@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281127@GRFEXC.intern.adiscon.com><7622665368885676544@unknownmsgid><9B6E2A8877C38245BFB15CC491A11DA7281128@GRFEXC.intern.adiscon.com><-2807318110512162237@unknownmsgid>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728113C@GRFEXC.intern.adiscon.com>

Have you used a different pidfile?

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> Sent: Monday, August 15, 2011 4:01 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
>
> want to have multiple instances of rsyslog on Solaris 10. (rsyslog
> 7.4.7)
>
> Currently my "Client" instance is running, when trying to start the
> "server"
> instance i get these errors:
>
> 2334.046496319:4: Called LogError, msg: syslogd pid 2000 already
> running.
> Cannot start another syslogd pid 2059
>
> smu15a:/ ROOT > ps -ef | grep -i ryslog
> root 25275 1 0 15:35:29 pts/1 0:00
> /usr/local/Rsyslog/sbin/
> rsyslogd -i /var/run/rsyslog-client.pid -f /etc/rsyslog
>
> smu15a:/ ROOT > /usr/local/Rsyslog/sbin/rsyslogd-server -c4 -i
> /var/run/rsyslog-server.pid -f /etc/rsyslog-server.conf -dn
>
> 2334.011338550:1: logmsg: flags 1, from 'smu15a', msg [origin
> software="rsyslogd" swVersion="4.7.4" x-pid="2059" x-info="
> http://www.rsyslog.com"] (re)start
> 2334.011406966:1: Message has legacy syslog format.
> 2334.011507680:1: main Q: entry added, size now 1 entries
> 2334.011581950:1: wtpAdviseMaxWorkers signals busy
> 2334.011675143:1: main Q: EnqueueMsg advised worker start
> 2334.043650492:1: (re)started.
> 2334.043746746:1: Debugging enabled, SIGUSR1 to turn off debugging.
> 2334.043833149:2: main Q: entry deleted, state 0, size now 0 entries
> 2334.043961439:2: testing filter, f_pmask 0
> 2334.044045312:2: testing filter, f_pmask 0
> 2334.044171036:2: testing filter, f_pmask 0
> 2334.044256129:2: testing filter, f_pmask 0
> 2334.044334439:2: testing filter, f_pmask 0
> 2334.044449766:2: main Q:Reg/w0: worker IDLE, waiting for work.
> 2334.044615812:5: Listening on UDP syslogd socket 5 (IPv6/port 514).
> 2334.044727969:5: Listening on UDP syslogd socket 6 (IPv4/port 514).
> 2334.044828376:6: caller requested object 'nsd_ptcp', not found (iRet -
> 3003)
> 2334.044930106:6: Requested to load module 'lmnsd_ptcp'
> 2334.045030006:5: Listening on UDP syslogd socket 7 (IPv6/port 1514).
> 2334.045136246:6: loading module
> '/usr/local/Rsyslog/lib/rsyslog/lmnsd_ptcp.so'
> 2334.045240239:5: Listening on UDP syslogd socket 8 (IPv4/port 1514).
> 2334.045341399:5: --------imUDP calling select, active file descriptors
> (max
> 8): 5 6 7 8
> 2334.045639822:4: imsolaris: doing startup poll before openeing door()
> 2334.045740942:4: imsolaris: waiting for next message (timeout 0)...
> 2334.045855769:1: initialization completed, transitioning to regular
> run
> mode
> 2334.045974162:4: imsolaris: no more messages, getMsgs() terminates
> 2334.046107179:4: open_door: /var/run/syslog_door opened successfully
> 2334.046200922:4: open_door: door_info:info.di_target = 2000
> 2334.046289506:4: open_door: error: syslogd pid 2000 already running.
> Cannot
> start another syslogd pid 2059
> 2334.046367409:6: source file nsd_ptcp.c requested reference for module
> 'lmnetstrms', reference count now 4
> 2334.046496319:4: Called LogError, msg: syslogd pid 2000 already
> running.
> Cannot start another syslogd pid 2059
> 2334.046605986:6: rsyslogd: syslogd pid 2000 already running. Cannot
> start
> another syslogd pid 2059 [try http://www.rsyslog.com/e/2147 ]
> module of type 2 being loaded.
> 2334.046728132:6: source file netstrms.c requested reference for module
> 'lmnsd_ptcp', reference count now 1
> 2334.046833796:4: logmsg: flags 1, from 'smu15a', msg syslogd pid 2000
> already running. Cannot start another syslogd pid 2059 [try
> http://www.rsyslog.com/e/2147 ]
> 2334.046932806:4: Message has legacy syslog format.
> 2334.047029329:6: creating tcp listen socket on port 50514
> 2334.047134849:4: main Q: entry added, size now 1 entries
> 2334.047243859:4: wtpAdviseMaxWorkers signals busy
> 2334.047323739:6: error 125 while binding tcp socket
> 2334.047440136:2: main Q: entry deleted, state 0, size now 0 entries
> 2334.047552799:6: error 125 while binding tcp socket
> 2334.047688889:2: testing filter, f_pmask 0
> 2334.047782922:2: testing filter, f_pmask 0
> 2334.047874212:2: testing filter, f_pmask 0
> 2334.047964582:2: testing filter, f_pmask 0
> 2334.048056012:2: testing filter, f_pmask 0
> 2334.048154126:4: main Q: EnqueueMsg advised worker start
> 2334.048285092:2: main Q:Reg/w0: worker IDLE, waiting for work.
>
> On Thu, Aug 11, 2011 at 3:45 PM, Ayelet Regev
> wrote:
>
> > All ok.
> > I didn't compile with imsolaris.
> >
> > Ayelet Regev-Dabah
> > Sent from my iPhone
> >
> > On 11 ???? 2011, at 13:34, Rainer Gerhards
> > wrote:
> >
> > > As usual, patch -p1 < patchfile
> > >
> > >> -----Original Message-----
> > >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> > >> Sent: Thursday, August 11, 2011 12:34 PM
> > >> To: rsyslog-users
> > >> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> > >>
> > >> How do I apply this patch?
> > >>
> > >> Ayelet Regev-Dabah
> > >> Sent from my iPhone
> > >>
> > >> On 11 ???? 2011, at 13:33, Rainer Gerhards
> > >> wrote:
> > >>
> > >>> Pls try attached patch and send debug log. Note that I currently do not have
> > >>> solaris at hand, so I could not compile-test the patch. Expect minor quirks,
> > >>> should be easy to fix.
> > >>>
> > >>> Rainer
> > >>>
> > >>>> -----Original Message-----
> > >>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > >>>> Sent: Thursday, August 11, 2011 12:25 PM
> > >>>> To: rsyslog-users
> > >>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> > >>>>
> > >>>>> -----Original Message-----
> > >>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> > >>>>> Sent: Thursday, August 11, 2011 12:23 PM
> > >>>>> To: rsyslog-users
> > >>>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> > >>>>>
> > >>>>> No, now it worse events are not logged anywhere...
> > >>>>
> > >>>> OK, I see if I can craft a patch quickly so that we get more info. I don't
> > >>>> see the actual PRI as it comes in. But I see that none of the filters
> > >>>> match.
> > >>>>
> > >>>> RAiner
> > >>>>>
> > >>>>> On Thu, Aug 11, 2011 at 1:21 PM, Ayelet Regev
> > >>>>> wrote:
> > >>>>>
> > >>>>>> No, now it worse events are not logged anywhere.
> > >>>>>>
> > >>>>>> Ayelet Regev-Dabah
> > >>>>>> Sent from my iPhone
> > >>>>>>
> > >>>>>> On 11 ????
2011, at 13:13, "Rainer Gerhards"
> > >>>>>> wrote:
> > >>>>>>
> > >>>>>> -----Original Message-----
> > >>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> > >>>>>> Sent: Thursday, August 11, 2011 11:36 AM
> > >>>>>> To: rsyslog-users
> > >>>>>> Subject: Re: [rsyslog] rsyslog 4.7.2 weird bahaviour on Solaris 10
> > >>>>>>
> > >>>>>> Sorry, this time my event dosnt log anywhere...
> > >>>>>>
> > >>>>>> Does that mean the original problem is solved? If not, I'll create a patch
> > >>>>>> for you, as I don't see the PRI in the current debug log...
> > >>>>>> RAiner

From rgerhards at hq.adiscon.com Mon Aug 15 19:03:30 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 15 Aug 2011 19:03:30 +0200
Subject: [rsyslog] Fwd: problem to have 2 rsyslog instances on Solaris(rsyslog 7.4.7)
In-Reply-To: <4980432574057418190@unknownmsgid>
References: <4980432574057418190@unknownmsgid>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728113D@GRFEXC.intern.adiscon.com>

I see the door api. There can only be one system logger. You must not load
the solaris system logger module on the other instance.

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Ayelet Regev
> Sent: Monday, August 15, 2011 3:05 PM
> To: rsyslog-users
> Subject: [rsyslog] Fwd: problem to have 2 rsyslog instances on Solaris(rsyslog 7.4.7)
>
> Hi,
>
> I want to have multiple instances of rsyslog on Solaris 10.
>
> Currently my "Client" instance is running, when trying to start the
> "server"
> instance i get these errors:
>
> 2334.046496319:4: Called LogError, msg: syslogd pid 2000 already
> running.
> Cannot start another syslogd pid 2059

From ayelet.regev at gmail.com Mon Aug 15 19:12:37 2011
From: ayelet.regev at gmail.com (Ayelet Regev)
Date: Mon, 15 Aug 2011 20:12:37 +0300
Subject: [rsyslog] Fwd: problem to have 2 rsyslog instances on Solaris(rsyslog 7.4.7)
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728113D@GRFEXC.intern.adiscon.com>
References: <4980432574057418190@unknownmsgid> <9B6E2A8877C38245BFB15CC491A11DA728113D@GRFEXC.intern.adiscon.com>
Message-ID: <3625909528375724394@unknownmsgid>

But then messages do not arrive...

Ayelet Regev-Dabah
Sent from my iPhone

On 15 ????
2011, at 20:03, Rainer Gerhards wrote: I see the door api. There can only be one system logger. You must not load the solaris system logger module on the other instance. -----Original Message----- From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- bounces at lists.adiscon.com] On Behalf Of Ayelet Regev Sent: Monday, August 15, 2011 3:05 PM To: rsyslog-users Subject: [rsyslog] Fwd: problem to have 2 rsyslog instances on Solaris(rsyslog 7.4.7) Hi, I want to have multiple instances of rsyslog on Solaris 10. Currently my "Client" instance is running, when trying to start the "server" instance i get these errors: 2334.046496319:4: Called LogError, msg: syslogd pid 2000 already running. Cannot start another syslogd pid 2059 smu15a:/ ROOT > ps -ef | grep -i ryslog root 25275 1 0 15:35:29 pts/1 0:00 /usr/local/Rsyslog/sbin/rsyslogd -i /var/run/rsyslog-client.pid -f /etc/rsyslog smu15a:/ ROOT > /usr/local/Rsyslog/sbin/rsyslogd-server -c4 -i /var/run/rsyslog-server.pid -f /etc/rsyslog-server.conf -dn 2334.011338550:1: logmsg: flags 1, from 'smu15a', msg [origin software="rsyslogd" swVersion="4.7.4" x-pid="2059" x-info=" http://www.rsyslog.com"] (re)start 2334.011406966:1: Message has legacy syslog format. 2334.011507680:1: main Q: entry added, size now 1 entries 2334.011581950:1: wtpAdviseMaxWorkers signals busy 2334.011675143:1: main Q: EnqueueMsg advised worker start 2334.043650492:1: (re)started. 2334.043746746:1: Debugging enabled, SIGUSR1 to turn off debugging. 2334.043833149:2: main Q: entry deleted, state 0, size now 0 entries 2334.043961439:2: testing filter, f_pmask 0 2334.044045312:2: testing filter, f_pmask 0 2334.044171036:2: testing filter, f_pmask 0 2334.044256129:2: testing filter, f_pmask 0 2334.044334439:2: testing filter, f_pmask 0 2334.044449766:2: main Q:Reg/w0: worker IDLE, waiting for work. 2334.044615812:5: Listening on UDP syslogd socket 5 (IPv6/port 514). 2334.044727969:5: Listening on UDP syslogd socket 6 (IPv4/port 514). 
2334.044828376:6: caller requested object 'nsd_ptcp', not found (iRet - 3003) 2334.044930106:6: Requested to load module 'lmnsd_ptcp' 2334.045030006:5: Listening on UDP syslogd socket 7 (IPv6/port 1514). 2334.045136246:6: loading module '/usr/local/Rsyslog/lib/rsyslog/lmnsd_ptcp.so' 2334.045240239:5: Listening on UDP syslogd socket 8 (IPv4/port 1514). 2334.045341399:5: --------imUDP calling select, active file descriptors (max 8): 5 6 7 8 2334.045639822:4: imsolaris: doing startup poll before openeing door() 2334.045740942:4: imsolaris: waiting for next message (timeout 0)... 2334.045855769:1: initialization completed, transitioning to regular run mode 2334.045974162:4: imsolaris: no more messages, getMsgs() terminates 2334.046107179:4: open_door: /var/run/syslog_door opened successfully 2334.046200922:4: open_door: door_info:info.di_target = 2000 2334.046289506:4: open_door: error: syslogd pid 2000 already running. Cannot start another syslogd pid 2059 2334.046367409:6: source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 4 2334.046496319:4: Called LogError, msg: syslogd pid 2000 already running. Cannot start another syslogd pid 2059 2334.046605986:6: rsyslogd: syslogd pid 2000 already running. Cannot start another syslogd pid 2059 [try http://www.rsyslog.com/e/2147 ] module of type 2 being loaded. 2334.046728132:6: source file netstrms.c requested reference for module 'lmnsd_ptcp', reference count now 1 2334.046833796:4: logmsg: flags 1, from 'smu15a', msg syslogd pid 2000 already running. Cannot start another syslogd pid 2059 [try http://www.rsyslog.com/e/2147 ] 2334.046932806:4: Message has legacy syslog format. 
2334.047029329:6: creating tcp listen socket on port 50514 2334.047134849:4: main Q: entry added, size now 1 entries 2334.047243859:4: wtpAdviseMaxWorkers signals busy 2334.047323739:6: error 125 while binding tcp socket 2334.047440136:2: main Q: entry deleted, state 0, size now 0 entries 2334.047552799:6: error 125 while binding tcp socket 2334.047688889:2: testing filter, f_pmask 0 2334.047782922:2: testing filter, f_pmask 0 2334.047874212:2: testing filter, f_pmask 0 2334.047964582:2: testing filter, f_pmask 0 2334.048056012:2: testing filter, f_pmask 0 2334.048154126:4: main Q: EnqueueMsg advised worker start 2334.048285092:2: main Q:Reg/w0: worker IDLE, waiting for work. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com From oliver at obeattie.com Wed Aug 17 16:17:40 2011 From: oliver at obeattie.com (Oliver Beattie) Date: Wed, 17 Aug 2011 15:17:40 +0100 Subject: [rsyslog] Filtering logs from imrelp Message-ID: Hi, I'm having a bit of difficulty getting logs received via imrelp to be written to the location I want them to be. Here's my server configuration: $ModLoad imrelp $InputRELPServerRun 20514 # When receiving logs from clients, put them in respective per-host, per-day directories # at /var/log/rsyslog/-YYYY-MM-DD $template ShippedLogs,"/var/log/rsyslog/%source%-%$now%" :inputname, isequal, "imrelp" ??ShippedLogs ...and here's the client config: ? ? $ModLoad omrelp ? ? *.* :omrelp:10.214.99.138:20514 The logging appears to work as I expect; the logs from the clients do end up on the remote system, but they don't seem to get logged to the /var/log/rsyslog/ files I would expect based on the template -- they instead are appearing in the server's /var/log/syslog. Am I missing something? 
From the manual, I can't see anything obvious I'm doing too wrong? Any help would be very much appreciated. Many thanks, Oliver Beattie From gkra at unnerving.org Wed Aug 17 20:26:50 2011 From: gkra at unnerving.org (Gregory K. Ruiz-Ade) Date: Wed, 17 Aug 2011 11:26:50 -0700 Subject: [rsyslog] filter expression condition negation (!) failing in 4.6.5? In-Reply-To: References: Message-ID: <20110817182650.GB14106@izetta.home.unnerving.org> On Sun, Aug 14, 2011 at 03:04:04PM -0700, Gregory K. Ruiz-Ade wrote: > ---->8---- > # Non-production CustomLogs are in per-site/per-server logs > if (($syslogfacility-text == 'local0') \ > and ($syslogpriority-text != 'error') \ > and ($msg startswith '[SITE:nonprod]' \ > or $msg !startswith '[SITE:')) \ > then ?ApacheAccessLog;ApacheAccessLogSiteIDFormat > ---->8---- Thanks to taotetek on the irc channel for setting me straight on using: or not $msg startswith '[SITE;' I had apparently been confusing the methods for property selector rules with expression filter rules. Thanks, Gregory -- Gregory K. Ruiz-Ade OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu From sandeep.sukhija at mithi.com Thu Aug 18 12:55:46 2011 From: sandeep.sukhija at mithi.com (Sandeep Sukhija) Date: Thu, 18 Aug 2011 16:25:46 +0530 (IST) Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version Message-ID: <30238935.1929.1313664946862.JavaMail.root@127.0.0.1> I was using rsyslog-5.6.5 earlier, where i wanted to make a postgresql db entry. It worked perfectly with the following entry in rsyslog.conf $template tpl_DB_raw_data,"insert into raw_data(data) VALUES('%msg%')",SQL if $msg contains 'smtpstage1' then :ompgsql:localhost,MAILFLOWREPORTS,root,password;tpl_DB_raw_data later, i upgraded to latest version 5.8.3 on the same setup, but this rule doesn't apply. 
It always throws a database connection exception as follows : rsyslogd: db error (1): server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request. Are there any changes to be made to the rules or something is being missed in all the stuff. Please help. ------ Sandeep Sukhija From rblists at gmail.com Thu Aug 18 13:49:48 2011 From: rblists at gmail.com (Raphael Bauduin) Date: Thu, 18 Aug 2011 13:49:48 +0200 Subject: [rsyslog] multiple groups privileges In-Reply-To: References: Message-ID: On Wed, Aug 10, 2011 at 10:31 AM, Raphael Bauduin wrote: > On Mon, Aug 8, 2011 at 1:25 PM, Raphael Bauduin wrote: >> Hi, >> >> is it possible to run rsyslogd so that it is part of multiple groups? >> I have added the syslog user to multiple groups, and then use >> $PrivDropToUser syslog >> without $PrivDropToGroup but to no avail. > > > Hi, > > I'm still stuck on this. I'm trying to use the Imfile module to send > the content of logfile to another server through rsyslog. I added the > syslog user to the group needed to access this log file, and when I su > syslog, I indeed have access. The running daemon though does not have > access, and I can confirm this is because it does not have the rights > of the group I added the syslog user in. > > Is what I'm trying to do possible? Still interested in a reaction about this. Maybe I'm missing something obvious but in that case I'd be especially interested to hear about it so I can learn. 
thanks raphaël > > thanks > > Raph > > >> >> Thanks >> >> Raphaël >> >> -- >> Web database: http://www.myowndb.com >> Free Software Developers Meeting: http://www.fosdem.org >> > > > > -- > Web database: http://www.myowndb.com > Free Software Developers Meeting: http://www.fosdem.org > -- Web database: http://www.myowndb.com Free Software Developers Meeting: http://www.fosdem.org From alorbach at ro1.adiscon.com Thu Aug 18 17:20:33 2011 From: alorbach at ro1.adiscon.com (Andre Lorbach) Date: Thu, 18 Aug 2011 17:20:33 +0200 Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version In-Reply-To: <30238935.1929.1313664946862.JavaMail.root@127.0.0.1> References: <30238935.1929.1313664946862.JavaMail.root@127.0.0.1> Message-ID: Hi, Can you provide a debug log that contains an occurrence of this error? This helps us understand what happens. Best regards, Andre > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sandeep Sukhija > Sent: Thursday, 18 August 2011 12:56 > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version > > I was using rsyslog-5.6.5 earlier, where i wanted to make a postgresql db > entry. It worked perfectly with the following entry in rsyslog.conf > > > $template tpl_DB_raw_data,"insert into raw_data(data) > VALUES('%msg%')",SQL > > if $msg contains 'smtpstage1' then > :ompgsql:localhost,MAILFLOWREPORTS,root,password;tpl_DB_raw_data > > > later, i upgraded to latest version 5.8.3 on the same setup, but this rule > doesn't apply. It always throws a database connection exception as follows : > > > rsyslogd: db error (1): server closed the connection unexpectedly > > This probably means the server terminated abnormally > > before or while processing the request. > > > Are there any changes to be made to the rules or something is being missed > in all the stuff. Please help. 
> > > ------ > > Sandeep Sukhija > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From darix at opensu.se Fri Aug 19 17:25:19 2011 From: darix at opensu.se (Marcus Rueckert) Date: Fri, 19 Aug 2011 17:25:19 +0200 Subject: [rsyslog] some build issues + fixes with 6.3.4 Message-ID: <20110819152519.GA2414@nordisch.org> hi, 1. http://git.adiscon.com/?p=rsyslog.git;a=commit;h=9bea045e60fa612336ae6a78267284bcec2e9e25 still needs to be merged to v6-devel maybe also to v6-beta. 2. runtime/glbl.c:glblCheckCnf() triggers a compiler warning because it is a non void function without a return statement. for now i just commented the stub out. 3. it seems the CFLAGS are not complete for some source files. they couldnt find rainerscript.h. i worked around with with adding "-I../grammar -I../../grammar" to the CFLAGS 3. the configure script mentions mongodb support. but could it be the actual files implementing it are missing in the tarball? (grep only shows hits in configure and configure.ac) hth darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org From philr at jaspers.co.nz Tue Aug 23 05:17:48 2011 From: philr at jaspers.co.nz (Phil Reilly) Date: Tue, 23 Aug 2011 15:17:48 +1200 Subject: [rsyslog] Fwd: Fwd: Problem with ompgsql component in 5.8.3 version In-Reply-To: <4E531B3D.9020705@jaspers.co.nz> References: <4E531B3D.9020705@jaspers.co.nz> Message-ID: <4E531BDC.4010801@jaspers.co.nz> Hi Sandeep I saw this on my setup. I was using 5.4.0 but could not use 5.8.4. After debugging I eventually tracked down the following on the plugins/omphsql.c file. 
5.4.0 <-> 5.8.4 > /* Force PostgreSQL to use ANSI-SQL conforming strings, otherwise we may > * get all sorts of side effects (e.g.: backslash escapes) and warnings > */ > const char *PgConnectionOptions = "-c standard_conforming_strings=on"; > 152c158 < if((pData->f_hpgsql=PQsetdbLogin(pData->f_dbsrv, NULL, NULL, NULL, --- > if((pData->f_hpgsql=PQsetdbLogin(pData->f_dbsrv, NULL, PgConnectionOptions, NULL, So I commented out the PgConnectionOptions option on the PQsetdbLogin call. /* const char *PgConnectionOptions = "-c standard_conforming_strings=on"; */ /* Connect to database */ /* if((pData->f_hpgsql=PQsetdbLogin(pData->f_dbsrv, NULL, PgConnectionOptions, NULL, */ if((pData->f_hpgsql=PQsetdbLogin(pData->f_dbsrv, NULL, NULL, NULL, After that 5.8.4 worked fine. Not sure why it got stuck on "standard_conforming_strings=on" but it seemed to hang on the first insert. As if it could not log in correctly. I haven't looked into why the API is stuck. The purpose of ASCI-SQL conformity is to ensure strings are properly quoted for ANSI-SQL. I've created my DB with SQL_ASCII encoding. I also have $EscapeControlCharactersOnReceive on. The pg_log occasionally complains about non compliant strings, but its from the front end not the rsyslog side. I'm using postgresql 9.0 on Suse 10Sp2 X86_64. Cheers, Phil Reilly -------------------------------- I was using rsyslog-5.6.5 earlier, where i wanted to make a postgresql db entry. It worked perfectly with the following entry in rsyslog.conf $template tpl_DB_raw_data,"insert into raw_data(data) VALUES('%msg%')",SQL if $msg contains 'smtpstage1' then :ompgsql:localhost,MAILFLOWREPORTS,root,password;tpl_DB_raw_data later, i upgraded to latest version 5.8.3 on the same setup, but this rule doesn't apply. It always throws a database connection exception as follows : rsyslogd: db error (1): server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request. 
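Review bot: In the 152c158 hunk, PgConnectionOptions is hard-coded and passed unconditionally as the options argument of PQsetdbLogin, so a setup where "-c standard_conforming_strings=on" is not accepted loses the whole connection with no fallback and no error pointing at the option. Rather than dropping the option, make it configurable or apply the setting after the connection is up and log a failure there; the added comment ties it to backslash-escape handling, which still matters for templates that place %msg% inside a quoted SQL string.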
Are there any changes to be made to the rules or something is being missed in all the stuff. Please help. ------ Sandeep Sukhija _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com From sandeep.sukhija at mithi.com Tue Aug 23 08:50:15 2011 From: sandeep.sukhija at mithi.com (Sandeep Sukhija) Date: Tue, 23 Aug 2011 12:20:15 +0530 Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version Message-ID: <000401cc6161$491ad900$2200a8c0@MITHIVMnew123> attached the log file. -------- Thanks, Sandeep Sukhija Hi, Can you provide a debug log that contains an occurrence of this error? This helps us understand what happens. Best regards, Andre > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sandeep Sukhija > Sent: Donnerstag, 18. August 2011 12:56 > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version > > I was using rsyslog-5.6.5 earlier, where i wanted to make a postgresql db > entry. It worked perfectly with the following entry in rsyslog.conf > > > $template tpl_DB_raw_data,"insert into raw_data(data) > VALUES('%msg%')",SQL > > if $msg contains 'smtpstage1' then > :ompgsql:localhost,MAILFLOWREPORTS,root,password;tpl_DB_raw_data > > > later, i upgraded to latest version 5.8.3 on the same setup, but this rule > doesn't apply. It always throws a database connection exception as follows : > > > rsyslogd: db error (1): server closed the connection unexpectedly > > This probably means the server terminated abnormally > > before or while processing the request. > > > Are there any changes to be made to the rules or something is being missed > in all the stuff. Please help. > > > ------ > > Sandeep Sukhija > > _______________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: rsyslog.log Type: application/octet-stream Size: 219401 bytes Desc: not available URL: From sandeep.sukhija at mithi.com Tue Aug 23 09:02:00 2011 From: sandeep.sukhija at mithi.com (Sandeep Sukhija) Date: Tue, 23 Aug 2011 12:32:00 +0530 Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version Message-ID: <002501cc6162$b627c250$2200a8c0@MITHIVMnew123> pls find the attached log file. ---------------- Thanks, Sandeep Sukhija Hi, Can you provide a debug log that contains an occurrence of this error? This helps us understand what happens. Best regards, Andre > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sandeep Sukhija > Sent: Donnerstag, 18. August 2011 12:56 > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version > > I was using rsyslog-5.6.5 earlier, where i wanted to make a postgresql db > entry. It worked perfectly with the following entry in rsyslog.conf > > > $template tpl_DB_raw_data,"insert into raw_data(data) > VALUES('%msg%')",SQL > > if $msg contains 'smtpstage1' then > :ompgsql:localhost,MAILFLOWREPORTS,root,password;tpl_DB_raw_data > > > later, i upgraded to latest version 5.8.3 on the same setup, but this rule > doesn't apply. It always throws a database connection exception as follows : > > > rsyslogd: db error (1): server closed the connection unexpectedly > > This probably means the server terminated abnormally > > before or while processing the request. > > > Are there any changes to be made to the rules or something is being missed > in all the stuff. Please help. > > > ------ > > Sandeep Sukhija -------------- next part -------------- A non-text attachment was scrubbed... 
Name: rsyslog.log Type: application/octet-stream Size: 219401 bytes Desc: not available URL: From vladg at illinois.edu Tue Aug 23 15:47:21 2011 From: vladg at illinois.edu (Grigorescu, Vlad) Date: Tue, 23 Aug 2011 13:47:21 +0000 Subject: [rsyslog] help : CPU high load of rsyslog writing to Oracle Message-ID: First off, I apologize for resurrecting old threads (original thread here: http://lists.adiscon.net/pipermail/rsyslog/2011-May/013266.html), but it looks like activity on that thread stopped. I'm experiencing the same issues - I have rsyslog logging to Oracle, and after a couple of successful database inserts, omoracle seems to stop accepting new messages. The queue then fills up, and it never gets emptied. Please note that I have to censor the actual log contents for privacy reasons. Config: http://pastebin.com/jBZhQhwP rsyslog invocation: TNS_ADMIN=/opt/rsyslog/etc /opt/rsyslog/local/rsyslog/sbin/rsyslogd -x -c5 -f /opt/rsyslog/etc/rsyslog.conf -i /opt/rsyslog/var/run/rsyslogd.pid The omoracle-related messages that I see are: http://pastebin.com/KU64ZKRC After this first batch, nothing else happens with omoracle. The queue just fills up, and never empties. The shutdown log is available here: http://pastebin.com/jG3BhS2K Messages are being written to that database, at first. I can't tell if the CPU usage spikes to 100% due to omoracle, or due to the queue being full. From what I can tell, omoracle simply never transitions back to itx from rdy. I'm not sure why this happens. Any help would be great; please let me know if you need any more information or debugging. 
Thank you, -- Vlad Grigorescu | IT Security Engineer Office of Privacy and Information Assurance University of Illinois at Urbana-Champaign PGP: 0x365B36B4 | 217.244.1922 From rodney.mckee at gmail.com Wed Aug 24 04:24:59 2011 From: rodney.mckee at gmail.com (Rodney McKee) Date: Wed, 24 Aug 2011 12:24:59 +1000 (EST) Subject: [rsyslog] loosing logs during network degradation In-Reply-To: Message-ID: We run RELP over a VPN tunnel from several sites into a central collection point. I've noticed during a period of network degradation that we are losing logs. The ActionQueueMaxDiskSpace is set at 4g and the current disk usage is at 291M. Any ideas where I can look for reasons why this is occurring. The queue size for action 5 queue is currently climbing above 350,000. Remote relay config: #### MODULES #### $MaxMessageSize 65536 $PreserveFQDN on $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) # Provides UDP syslog reception $ModLoad imudp.so $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp.so $InputTCPServerRun 514 # Provide TCP relp reception $ModLoad imrelp $InputRELPServerRun 20514 # Provide rsyslog statistics $ModLoad impstats $PStatsInterval 5 *.*;local0.none;syslog.!=info /var/log/messages;RSYSLOG_FileFormat # Performance instrumentation local0.* |/var/log/pcp/logger/applog;RSYSLOG_ForwardFormat *.*;local0.none;syslog.!=info |/var/log/pcp/logger/syslog;RSYSLOG_ForwardFormat syslog.info |/var/log/pcp/rsyslog/stats # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. 
$WorkDirectory /var/spool/rsyslog # where to place spool files $ActionQueueType LinkedList # run asynchronously $ActionQueueFileName fwdRule1 # unique name prefix for spool files $ActionQueueMaxDiskSpace 4g # 4gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionResumeRetryCount -1 # infinite retries if host is down # forward messages to the remote server logs1.drp on port 20514 $ModLoad omrelp *.*;syslog.!=info :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat Rgds Rodney From alorbach at ro1.adiscon.com Wed Aug 24 11:25:40 2011 From: alorbach at ro1.adiscon.com (Andre Lorbach) Date: Wed, 24 Aug 2011 11:25:40 +0200 Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version In-Reply-To: <000401cc6161$491ad900$2200a8c0@MITHIVMnew123> References: <000401cc6161$491ad900$2200a8c0@MITHIVMnew123> Message-ID: Hi, thanks for the debug log. Unfortunately, it doesn't give any more details on the error. I would guess that the pgsql server has a problem with the template somehow. Have you tried to run the a test sql command manually to see what happens? Like: "insert into raw_data(data) VALUES('Test mgs')" Best regards, Andre Lorbach > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Sandeep Sukhija > Sent: Dienstag, 23. August 2011 08:50 > To: rsyslog at lists.adiscon.com > Subject: Re: [rsyslog] Problem with ompgsql component in 5.8.3 version > > attached the log file. > > -------- > Thanks, > Sandeep Sukhija > > > Hi, > > Can you provide a debug log that contains an occurrence of this error? > This helps us understand what happens. > > Best regards, > Andre > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- bounces at > > lists.adiscon.com] On Behalf Of Sandeep Sukhija > > Sent: Donnerstag, 18. 
August 2011 12:56 > > To: rsyslog at lists.adiscon.com > > Subject: [rsyslog] Problem with ompgsql component in 5.8.3 version > > > > I was using rsyslog-5.6.5 earlier, where i wanted to make a postgresql > > db entry. It worked perfectly with the following entry in rsyslog.conf > > > > > > $template tpl_DB_raw_data,"insert into raw_data(data) > > VALUES('%msg%')",SQL > > > > if $msg contains 'smtpstage1' then > > :ompgsql:localhost,MAILFLOWREPORTS,root,password;tpl_DB_raw_data > > > > > > later, i upgraded to latest version 5.8.3 on the same setup, but this > > rule doesn't apply. It always throws a database connection exception > > as follows > : > > > > > > rsyslogd: db error (1): server closed the connection unexpectedly > > > > This probably means the server terminated abnormally > > > > before or while processing the request. > > > > > > Are there any changes to be made to the rules or something is being > > missed in all the stuff. Please help. > > > > > > ------ > > > > Sandeep Sukhija > > > > _______________________________________________ From freehsophia at gmail.com Fri Aug 26 16:54:20 2011 From: freehsophia at gmail.com (Freeh Sophia) Date: Fri, 26 Aug 2011 17:54:20 +0300 Subject: [rsyslog] FW: libestr-0.1.2 is wanted (dead or alive) Message-ID: Hi! Rsyslog-git wants libestr-0.1.2 to compile, is such version ready to publish? Regards. Freeh Sophia Marketing GmbH Emanuelstr. 
3, 10317 Berlin Deutschland Telefon: +49 (33) 5310967 Email: freehsophia at gmail.com Site: http://flug.airego.de/ From alorbach at ro1.adiscon.com Fri Aug 26 19:51:33 2011 From: alorbach at ro1.adiscon.com (Andre Lorbach) Date: Fri, 26 Aug 2011 19:51:33 +0200 Subject: [rsyslog] FW: libestr-0.1.2 is wanted (dead or alive) In-Reply-To: References: Message-ID: You can obtain the source from here: http://libestr.adiscon.com/ best regards, Andre Lorbach > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Freeh Sophia > Sent: Freitag, 26. August 2011 16:54 > To: rsyslog at lists.adiscon.com > Subject: [rsyslog] FW: libestr-0.1.2 is wanted (dead or alive) > > Hi! > Rsyslog-git wants libestr-0.1.2 to compile, is such version ready to publish? > Regards. > > > Freeh Sophia > Marketing GmbH > Emanuelstr. 3, > 10317 Berlin > Deutschland > Telefon: +49 (33) 5310967 > Email: freehsophia at gmail.com > Site: http://flug.airego.de/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From andrew at andrewloe.com Mon Aug 29 20:38:19 2011 From: andrew at andrewloe.com (W. Andrew Loe III) Date: Mon, 29 Aug 2011 11:38:19 -0700 Subject: [rsyslog] Configuration Sanity Check Message-ID: I would appreciate a sanity check of my configuration that will log my application messages and then relay them over a TLS connection to a logging service. I have had problems in the past with my application being throttled, causing it to be unavailable. If the messages are not able to be handled, I would rather drop them on the floor and allow my application to continue processing. I had started with Rsyslog 4.2.0 (Ships by default on Ubuntu 10.04 LTS), but have upgraded to 5.6.3, thinking I was running into the TLS bug from last fall. 
I have set MainMsgQueueTimeoutEnqueue and ActionQueueTimeoutEnqueue to 1ms, I cannot determine from the documentation if 0 disables the timeout or blocks the producer indefinitely, but I never want to block my application. Main Configuration: # /etc/rsyslog.conf Configuration file for rsyslog. # # For more information see # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html # # Default logging rules can be found in /etc/rsyslog.d/50-default.conf # Support big messages (from Rails). $MaxMessageSize 5m ################# #### MODULES #### ################# $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support (previously done by rklogd) #$ModLoad immark # provides --MARK-- message capability #$ModLoad imfile # provides support for reading text log files $KLogPath /proc/kmsg # provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 $MainMsgQueueSize 100000 $MainMsgQueueDiscardMark 97500 $MainMsgQueueHighWaterMark 80000 $MainMsgQueueType LinkedList $MainMsgQueueFileName mainqueue $mainMsgCheckpointInterval 100 $MainMsgQueueMaxDiskSpace 2g $MainMsgQueueTimeoutEnqueue 1 $MainMsgQueueDiscardSeverity 0 ########################### #### GLOBAL DIRECTIVES #### ########################### $WorkDirectory /var/spool/rsyslog # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Filter duplicated messages $RepeatedMsgReduction on # # Set the default permissions for all log files. # $FileOwner syslog $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $PrivDropToUser syslog $PrivDropToGroup adm # # Include all config files in /etc/rsyslog.d/ # $IncludeConfig /etc/rsyslog.d/*.conf Local Logging: # Default rules for rsyslog. 
# # For more information see rsyslog.conf(5) and /etc/rsyslog.conf # # First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log #daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log #lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log #user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # #mail.info -/var/log/mail.info #mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # # Logging for INN news system. # news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice # # Some "catch-all" log files. # #*.=debug;\ # auth,authpriv.none;\ # news.none;mail.none -/var/log/debug #*.=info;*.=notice;*.=warn;\ # auth,authpriv.none;\ # cron,daemon.none;\ # mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg * # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. 
# #daemon.*;mail.*;\ # news.err;\ # *.=debug;*.=info;\ # *.=notice;*.=warn |/dev/xconsole Logging to remote service: $DefaultNetstreamDriverCAFile /etc/rsyslog.d/syslog.papertrail.crt # trust these CAs $DefaultNetstreamDriver gtls # use gtls netstream driver $ActionSendStreamDriverMode 1 # require TLS $ActionSendStreamDriverAuthMode x509/name # authenticate by hostname $ActionResumeInterval 10 $ActionMsgQueueSize 100000 $ActionQueueDiscardMark 97500 $ActionQueueHighWaterMark 80000 $ActionQueueType LinkedList $ActionQueueFileName papertrailqueue $ActionCheckpointInterval 100 $ActionQueueMaxDiskSpace 2g $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on $ActionQueueTimeoutEnqueue 1 $ActionQueueDiscardSeverity 0 *.* @@logs.papertrailapp.com:1234 From malte.forkel at berlin.de Mon Aug 29 22:34:43 2011 From: malte.forkel at berlin.de (Malte Forkel) Date: Mon, 29 Aug 2011 22:34:43 +0200 Subject: [rsyslog] Time constraint for rule execution Message-ID: Hello, I'm running rsyslog 4.6.4 on Debian Lenny. Using the ommail module, I have written a rule to notify me if a specific syslog entry occurs. This works fine. Now I would like to add a time constraint to this rule. I want to send the notification only if the syslog entry occurs 60 seconds or more after another syslog entry. I guess in a rule for that other syslog event I could write a timestamp to a file using a shell script. But how could I check that timestamp in the rule for my monitored syslog entries? Or maybe there's a much better way to achieve the desired behavior? Thanks, Malte From david at lang.hm Tue Aug 30 00:04:09 2011 From: david at lang.hm (david at lang.hm) Date: Mon, 29 Aug 2011 15:04:09 -0700 (PDT) Subject: [rsyslog] Time constraint for rule execution In-Reply-To: References: Message-ID: you can throttle the output to not send more than one line every 60 seconds. I'm not sure of the details, but search the rsyslog documentation for 'throttle' Is this what you are looking for? 
David Lang On Mon, 29 Aug 2011, Malte Forkel wrote: > Hello, > > I'm running rsyslog 4.6.4 on Debian Lenny. Using the ommail module, I > have written a rule to notify me if a specific syslog entry occurs. This > works fine. > > Now I would like to add a time constraint to this rule. I want to send > the notification only if the syslog entry occurs 60 seconds or more after > another syslog entry. > > I guess in a rule for that other syslog event I could write a timestamp > to a file using a shell script. But how could I check that timestamp in > the rule for my monitored syslog entries? Or maybe there's a much > better way to achieve the desired behavior? > > Thanks, > Malte > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From malte.forkel at berlin.de Tue Aug 30 10:07:10 2011 From: malte.forkel at berlin.de (Malte Forkel) Date: Tue, 30 Aug 2011 10:07:10 +0200 Subject: [rsyslog] Time constraint for rule execution In-Reply-To: References: Message-ID: On 30.08.2011 00:04, david at lang.hm wrote: > you can throttle the output to not send more than one line every 60 > seconds. I'm not sure of the details, but search the rsyslog > documentation for 'throttle' > > Is this what you are looking for? > > David Lang > Unfortunately, that's not quite what I'm looking for. I have a software that issues a couple of warnings during startup. They are ok and I'd like to ignore them. If those same warnings are issued later on during normal operations, they are not ok and I'd like to catch them. So it's not the number of entries per minute but rather all entries after the first minute that I'm interested in. I thought I could write a timestamp when one of the software's startup messages (not one of the warnings) is issued. Later, when a warning is detected, I then wanted to check how much time had passed since the timestamp. 
Only if enough time had passed, I would want to send a notification. I'm just not sure if and how this (or something more appropriate) can be done with rsyslog. Malte From rgerhards at hq.adiscon.com Tue Aug 30 10:15:12 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 30 Aug 2011 10:15:12 +0200 Subject: [rsyslog] Time constraint for rule execution In-Reply-To: References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281160@GRFEXC.intern.adiscon.com> I think there is no code that allows you to do what you want. However, you can code a module in C that does what you want. Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Malte Forkel > Sent: Tuesday, August 30, 2011 10:07 AM > To: rsyslog at lists.adiscon.com > Subject: Re: [rsyslog] Time constraint for rule execution > > On 30.08.2011 00:04, david at lang.hm wrote: > > you can throttle the output to not send more than one line every 60 > > seconds. I'm not sure of the details, but search the rsyslog > > documentation for 'throttle' > > > > Is this what you are looking for? > > > > David Lang > > > > Unfortunately, that's not quite what I'm looking for. > > I have a software that issues a couple of warnings during startup. They > are ok and I'd like to ignore them. If those same warnings are issued > later on during normal operations, they are not ok and I'd like to catch > them. So it's not the number of entries per minute but rather all > entries > after the first minute that I'm interested in. > > I thought I could write a timestamp when one of the software's startup > messages (not one of the warnings) is issued. Later, when a warning is > detected, I then wanted to check how much time had passed since the > timestamp. Only if enough time had passed, I would want to send a > notification. > > I'm just not sure if and how this (or something more appropriate) can > be > done with rsyslog. 
> > Malte > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From malte.forkel at berlin.de Tue Aug 30 11:49:04 2011 From: malte.forkel at berlin.de (Malte Forkel) Date: Tue, 30 Aug 2011 11:49:04 +0200 Subject: [rsyslog] Time constraint for rule execution In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281160@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA7281160@GRFEXC.intern.adiscon.com> Message-ID: Any chance to utilize a shell escape as an expression in RainerScript (and compare its return value to something else)? I probably don't know enough about rsyslog's module concept yet. What kind of module do you mean: input or output? Is there any documentation on writing modules? Malte Am 30.08.2011 10:15, schrieb Rainer Gerhards: > I think there is no code that allows you to do what you want. However, you > can code a module in C that does what you wants. > > Rainer > >> -----Original Message----- >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Malte Forkel >> Sent: Tuesday, August 30, 2011 10:07 AM >> To: rsyslog at lists.adiscon.com >> Subject: Re: [rsyslog] Time constraint for rule execution >> >> Am 30.08.2011 00:04, schrieb david at lang.hm: >>> you can throttle the output to not send more than one line every 60 >>> seconds. I'm not sure of the details, but search the rsyslog >>> documentation for 'throttle' >>> >>> Is this what you are looking for? >>> >>> David Lang >>> >> >> Unfortenately, that's not quite what I'm looking for. >> >> I have a sofware that issues a couple of warnings during startup. They >> are ok and I'd like to ignore them. If those same warnings are issued >> later on during normal operations, they are not ok I'd like to catch >> them. So its not the number of entries per minute but rather all >> entries >> after the first minute that I'm interested in. 
>>
>> I thought I could write a timestamp when one of the software's startup
>> messages (not one of the warnings) is issued. Later, when a warning is
>> detected, I then wanted to check how much time had passed since the
>> timestamp. Only if enough time had passed, I would want to send a
>> notification.
>>
>> I'm just not sure if and how this (or something more appropriate) can
>> be done with rsyslog.
>>
>> Malte

From rgerhards at hq.adiscon.com Tue Aug 30 12:01:51 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 30 Aug 2011 12:01:51 +0200
Subject: [rsyslog] Time constraint for rule execution
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA7281160@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281162@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Malte Forkel
> Sent: Tuesday, August 30, 2011 11:49 AM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Time constraint for rule execution
>
> Any chance to utilize a shell escape as an expression in RainerScript
> (and compare its return value to something else)?

Unfortunately not (yet)

>
> I probably don't know enough about rsyslog's module concept yet. What
> kind of module do you mean: input or output? Is there any documentation
> on writing modules?

There are template modules, imtemplate and omtemplate. Or you can use an
existing module as basis. There is also a "rsyslog design" pdf document
(google for that string).

That would probably best be a message modification module. There is one
(along the lines of *cdr*), which you could probably utilize best as a copy
template. This was created as part of a paid contract and contributed.
HTH
Rainer

>
> Malte
>
> On 30.08.2011 10:15, Rainer Gerhards wrote:
> > I think there is no code that allows you to do what you want. However,
> > you can code a module in C that does what you want.
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com
> >> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Malte Forkel
> >> Sent: Tuesday, August 30, 2011 10:07 AM
> >> To: rsyslog at lists.adiscon.com
> >> Subject: Re: [rsyslog] Time constraint for rule execution
> >>
> >> On 30.08.2011 00:04, david at lang.hm wrote:
> >>> you can throttle the output to not send more than one line every 60
> >>> seconds. I'm not sure of the details, but search the rsyslog
> >>> documentation for 'throttle'
> >>>
> >>> Is this what you are looking for?
> >>>
> >>> David Lang
> >>>
> >>
> >> Unfortunately, that's not quite what I'm looking for.
> >>
> >> I have a software that issues a couple of warnings during startup. They
> >> are ok and I'd like to ignore them. If those same warnings are issued
> >> later on during normal operations, they are not ok and I'd like to catch
> >> them. So it's not the number of entries per minute but rather all
> >> entries after the first minute that I'm interested in.
> >>
> >> I thought I could write a timestamp when one of the software's startup
> >> messages (not one of the warnings) is issued. Later, when a warning is
> >> detected, I then wanted to check how much time had passed since the
> >> timestamp. Only if enough time had passed, I would want to send a
> >> notification.
> >>
> >> I'm just not sure if and how this (or something more appropriate) can
> >> be done with rsyslog.
> >>
> >> Malte

From david at lang.hm Tue Aug 30 16:33:55 2011
From: david at lang.hm (david at lang.hm)
Date: Tue, 30 Aug 2011 07:33:55 -0700 (PDT)
Subject: [rsyslog] Time constraint for rule execution
In-Reply-To:
References:
Message-ID:

In that case you need additional tools, take a look at SEC (Simple Event
Correlator), feed the appropriate logs from rsyslog into a named pipe
and have SEC read from the named pipe.

In SEC you can create a timer at startup that lasts for 1 minute, then
configure to not alert if this timer is running, but to alert any other
time it sees the log entries.

David Lang

On Tue, 30 Aug 2011, Malte Forkel wrote:

> On 30.08.2011 00:04, david at lang.hm wrote:
>> you can throttle the output to not send more than one line every 60
>> seconds. I'm not sure of the details, but search the rsyslog
>> documentation for 'throttle'
>>
>> Is this what you are looking for?
>>
>> David Lang
>>
>
> Unfortunately, that's not quite what I'm looking for.
>
> I have a software that issues a couple of warnings during startup. They
> are ok and I'd like to ignore them. If those same warnings are issued
> later on during normal operations, they are not ok and I'd like to catch
> them. So it's not the number of entries per minute but rather all entries
> after the first minute that I'm interested in.
>
> I thought I could write a timestamp when one of the software's startup
> messages (not one of the warnings) is issued. Later, when a warning is
> detected, I then wanted to check how much time had passed since the
> timestamp. Only if enough time had passed, I would want to send a
> notification.
>
> I'm just not sure if and how this (or something more appropriate) can be
> done with rsyslog.
>
> Malte

From rgerhards at hq.adiscon.com Tue Aug 30 17:00:10 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 30 Aug 2011 17:00:10 +0200
Subject: [rsyslog] some build issues + fixes with 6.3.4
In-Reply-To: <20110819152519.GA2414@nordisch.org>
References: <20110819152519.GA2414@nordisch.org>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728116C@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcus Rueckert
> Sent: Friday, August 19, 2011 5:25 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] some build issues + fixes with 6.3.4
>
> hi,
>
> 1.
> http://git.adiscon.com/?p=rsyslog.git;a=commit;h=9bea045e60fa612336ae6a78267284bcec2e9e25
>
> still needs to be merged to v6-devel maybe also to v6-beta.
>

I sometimes merge intentionally late to keep the overhead manageable. But a
big merge over all versions is underway now :)

> 2. runtime/glbl.c:glblCheckCnf() triggers a compiler warning because
> it is a non void function without a return statement.
>

That's by intention: It's an ugly reminder for me and that seems to work ;)

> for now i just commented the stub out.
>
> 3. it seems the CFLAGS are not complete for some source files. they
> couldn't find rainerscript.h. i worked around with adding
> "-I../grammar -I../../grammar" to the CFLAGS

Interesting... I had no problems in this regard. Will check. Maybe you can
provide me a build log?

>
> 3. the configure script mentions mongodb support. but could it be the
> actual files implementing it are missing in the tarball?

Oh, I may have overlooked that.
On the other hand, feedback was that the mongodb module is in its very,
very infancy and needs to be considerably changed in order to become
mainstream. Maybe it is better to leave it in git only?

Thanks,
Rainer

>
> (grep only shows hits in configure and configure.ac)
>
> hth
>
> darix
>
> --
> openSUSE - SUSE Linux is my linux
> openSUSE is good for you
> www.opensuse.org

From a.piesk at gmx.net Tue Aug 30 21:26:20 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Tue, 30 Aug 2011 21:26:20 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
Message-ID: <4E5D395C.2070603@gmx.net>

i've a problem with rsyslog 5.8.4. i need MARK messages to check if rsyslog is still sending
messages to the central logserver. here's the config:

rsyslog.conf:
# Loading modules
$ModLoad imuxsock
$ModLoad imklog
$ModLoad immark

$MarkMessagePeriod 1200

*.* @@logserver:514;RSYSLOG_ForwardFormat

i expect to see a MARK message if no messages have been forwarded for 20 minutes but there's not a
single MARK. after 60 minutes the log analyzing engine on the central logserver issues an alert
because it didn't see anything from the monitored host. my current workaround is to force rsyslog to
send MARK messages:

$ActionWriteAllMarkMessages on
*.* @@logserver:514;RSYSLOG_ForwardFormat

this seems to work. why doesn't rsyslog send MARKs in the first place? $RepeatedMsgReduction is
always off. can anybody help?

regards,
-ap

From a.piesk at gmx.net Tue Aug 30 21:35:09 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Tue, 30 Aug 2011 21:35:09 +0200
Subject: [rsyslog] message if rsyslog spools to disk due connection loss?
Message-ID: <4E5D3B6D.5080904@gmx.net>

in the near future i will have 150-200 clients with rsyslog sending their messages to central
logservers which inspect the messages.
one thing i think is crucial for such setups is the monitoring if a client has lost its connection
to the central logserver, even temporarily.

so, is it possible that rsyslog logs a message if it can't reach the remote logserver? even if this
message will be spooled onto disk and transmitted later, it would help identifying temporary
connection losses. is there a configuration option i overlooked?

regards,
-ap

From a.piesk at gmx.net Tue Aug 30 21:43:39 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Tue, 30 Aug 2011 21:43:39 +0200
Subject: [rsyslog] rsyslog 5.8.4 hangs at startup
Message-ID: <4E5D3D6B.2020009@gmx.net>

sometimes one of the servers hangs at reboot because of rsyslog. the version in use is 5.8.4 64bit.
i believe, the hangs are caused by 0-length spool files. as soon as i remove these files and restart
again, rsyslog starts normally.

my current workaround is an additional check in the start script to remove any 0-length spool files
because a server hanging in the boot process for ever is a nasty thing.

the config uses DA queues and forwards all messages to central logservers.

has anyone had this problem too?

regards,
-ap

From david at lang.hm Tue Aug 30 21:57:34 2011
From: david at lang.hm (david at lang.hm)
Date: Tue, 30 Aug 2011 12:57:34 -0700 (PDT)
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D395C.2070603@gmx.net>
References: <4E5D395C.2070603@gmx.net>
Message-ID:

were there really _no_ messages of any sort during those 20 minutes? not
even a debug level message from CRON when it runs?

remember that MARK will only fire if there are no messages at all.

David Lang

On Tue, 30 Aug 2011, Andreas Piesk wrote:

> i've a problem with rsyslog 5.8.4. i need MARK messages to check if rsyslog is still sending
> messages to the central logserver.
> here's the config:
>
> rsyslog.conf:
> # Loading modules
> $ModLoad imuxsock
> $ModLoad imklog
> $ModLoad immark
>
> $MarkMessagePeriod 1200
>
>
>
> *.* @@logserver:514;RSYSLOG_ForwardFormat
>
> i expect to see a MARK message if no messages have been forwarded for 20 minutes but there's not a
> single MARK. after 60 minutes the log analyzing engine on the central logserver issues an alert
> because it didn't see anything from the monitored host. my current workaround is to force rsyslog to
> send MARK messages:
>
> $ActionWriteAllMarkMessages on
> *.* @@logserver:514;RSYSLOG_ForwardFormat
>
> this seems to work. why doesn't rsyslog send MARKs in the first place? $RepeatedMsgReduction is
> always off. can anybody help?
>
> regards,
> -ap

From a.piesk at gmx.net Tue Aug 30 22:22:14 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Tue, 30 Aug 2011 22:22:14 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To:
References: <4E5D395C.2070603@gmx.net>
Message-ID: <4E5D4676.3080502@gmx.net>

On 30.08.2011 21:57, david at lang.hm wrote:
> were there really _no_ messages of any sort during those 20 minutes? not even a debug level message
> from CRON when it runs?
>
> remember that MARK will only fire if there are no messages at all.
>

yes i know but there were absolutely no messages, checked with wireshark:

16:36:48.231520 10.2.122.90 -> 10.2.146.7 RSH <30>2011-08-30T16:36:48+02:00 server1 ntpd[4975]: synchronized to 10.1.0.200, stratum 2\n
16:36:48.231842 10.2.146.7 -> 10.2.122.90 TCP 514 > 47156 [ACK] Seq=1 Ack=860 Win=71 Len=0 TSV=3458217482 TSER=82188663

16:46:48.230337 10.2.146.7 -> 10.2.122.90 TCP [TCP Keep-Alive] 514 > 47156 [ACK] Seq=0 Ack=860 Win=71 Len=0 TSV=3458817482 TSER=82188663
16:46:48.230347 10.2.122.90 -> 10.2.146.7 TCP [TCP Keep-Alive ACK] 47156 > 514 [ACK] Seq=860 Ack=1 Win=46 Len=0 TSV=82788669 TSER=3458217482

16:56:48.228824 10.2.146.7 -> 10.2.122.90 TCP [TCP Keep-Alive] 514 > 47156 [ACK] Seq=0 Ack=860 Win=71 Len=0 TSV=3459417482 TSER=82788669
16:56:48.228835 10.2.122.90 -> 10.2.146.7 TCP [TCP Keep-Alive ACK] 47156 > 514 [ACK] Seq=860 Ack=1 Win=46 Len=0 TSV=83388674 TSER=3458217482

16:59:29.231075 10.2.122.90 -> 10.2.146.7 RSH <30>2011-08-30T16:59:29+02:00 server1 ntpd[4975]: synchronized to 10.2.0.200, stratum 2\n
16:59:29.231414 10.2.146.7 -> 10.2.122.90 TCP 514 > 47156 [ACK] Seq=1 Ack=950 Win=71 Len=0 TSV=3459578485 TSER=83549678

you see, 16:36 - 16:59 no messages, just some TCP keep-alive packets. i decreased MarkMessagePeriod
down to 5mins and rerun the test, no MARK messages, not a single one.

regards,
-ap

From marcin at mejor.pl Tue Aug 30 22:31:02 2011
From: marcin at mejor.pl (=?ISO-8859-2?Q?Marcin_Miros=B3aw?=)
Date: Tue, 30 Aug 2011 22:31:02 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D395C.2070603@gmx.net>
References: <4E5D395C.2070603@gmx.net>
Message-ID: <4E5D4886.1040205@mejor.pl>

On 30.08.2011 21:26, Andreas Piesk wrote:
> i've a problem with rsyslog 5.8.4. i need MARK messages to check if rsyslog is still sending
> messages to the central logserver. here's the config:

I've got a similar observation. Mark messages disappeared some time ago.
Regards,
Marcin

From david at lang.hm Tue Aug 30 22:31:27 2011
From: david at lang.hm (david at lang.hm)
Date: Tue, 30 Aug 2011 13:31:27 -0700 (PDT)
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D4676.3080502@gmx.net>
References: <4E5D395C.2070603@gmx.net> <4E5D4676.3080502@gmx.net>
Message-ID:

do any of your local selectors throw away messages? (i.e. the ~
destination)

if you put a *.* /var/log/testfile before any of the local selectors
does it also show no messages?

the immark module is an input module, as such it only produces a mark
message if there is no input of any kind for the time period.

If there are any input messages, even if they are thrown away before
your forwarding selector, they will prevent the immark module from
creating mark messages.

note that immark is not used very frequently, so it's very possible that
there is a bug in it.

I actually wouldn't suggest using immark. Instead I would create a
process that sends useful information out every minute, something like

nohup vmstat 60 |logger -t vmstat >/dev/null 2>&1 &

this runs vmstat every minute, spitting its output into the log. it
means you will have something every minute, and as a bonus, if something
goes wrong on the box you have the vmstat output to see what was
happening.

I do the same thing with iostat -x, but that's substantially more
verbose. vmstat outputs one line per minute, plus a header line every
half hour or so. iostat -x outputs 5 lines plus one line per mounted
partition every minute. I find the iostat info useful enough when
troubleshooting to do it, but you may not.

David Lang

On Tue, 30 Aug 2011, Andreas Piesk wrote:

> On 30.08.2011 21:57, david at lang.hm wrote:
>> were there really _no_ messages of any sort during those 20 minutes? not even a debug level message
>> from CRON when it runs?
>>
>> remember that MARK will only fire if there are no messages at all.
>>
>
> yes i know but there were absolutely no messages, checked with wireshark:
>
> 16:36:48.231520 10.2.122.90 -> 10.2.146.7 RSH <30>2011-08-30T16:36:48+02:00 server1 ntpd[4975]: synchronized to 10.1.0.200, stratum 2\n
> 16:36:48.231842 10.2.146.7 -> 10.2.122.90 TCP 514 > 47156 [ACK] Seq=1 Ack=860 Win=71 Len=0 TSV=3458217482 TSER=82188663
>
> 16:46:48.230337 10.2.146.7 -> 10.2.122.90 TCP [TCP Keep-Alive] 514 > 47156 [ACK] Seq=0 Ack=860 Win=71 Len=0 TSV=3458817482 TSER=82188663
> 16:46:48.230347 10.2.122.90 -> 10.2.146.7 TCP [TCP Keep-Alive ACK] 47156 > 514 [ACK] Seq=860 Ack=1 Win=46 Len=0 TSV=82788669 TSER=3458217482
>
> 16:56:48.228824 10.2.146.7 -> 10.2.122.90 TCP [TCP Keep-Alive] 514 > 47156 [ACK] Seq=0 Ack=860 Win=71 Len=0 TSV=3459417482 TSER=82788669
> 16:56:48.228835 10.2.122.90 -> 10.2.146.7 TCP [TCP Keep-Alive ACK] 47156 > 514 [ACK] Seq=860 Ack=1 Win=46 Len=0 TSV=83388674 TSER=3458217482
>
> 16:59:29.231075 10.2.122.90 -> 10.2.146.7 RSH <30>2011-08-30T16:59:29+02:00 server1 ntpd[4975]: synchronized to 10.2.0.200, stratum 2\n
> 16:59:29.231414 10.2.146.7 -> 10.2.122.90 TCP 514 > 47156 [ACK] Seq=1 Ack=950 Win=71 Len=0 TSV=3459578485 TSER=83549678
>
> you see, 16:36 - 16:59 no messages, just some TCP keep-alive packets. i decreased MarkMessagePeriod
> down to 5mins and rerun the test, no MARK messages, not a single one.
>
> regards,
> -ap

From a.piesk at gmx.net Tue Aug 30 22:57:06 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Tue, 30 Aug 2011 22:57:06 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To:
References: <4E5D395C.2070603@gmx.net> <4E5D4676.3080502@gmx.net>
Message-ID: <4E5D4EA2.8030809@gmx.net>

On 30.08.2011 22:31, david at lang.hm wrote:
> do any of your local selectors throw away messages? (i.e.
> the ~ destination)
>
> if you put a *.* /var/log/testfile before any of the local selectors does it also show no messages?
>
> the immark module is an input module, as such it only produces a mark message if there is no input
> of any kind for the time period.
>
> If there are any input messages, even if they are thrown away before your forwarding selector, they
> will prevent the immark module from creating mark messages.

there are no input messages. i've quieted the system to ease the checking. nothing is logged locally,
nothing thrown away and all messages, if there are any, are forwarded to central logservers.

i have a workaround by using $ActionWriteAllMarkMessages, i just want to check if there's something
wrong with the setup or if it's really a bug. for now it seems to be a bug to me.

regards,
-ap

From a.piesk at gmx.net Tue Aug 30 22:58:37 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Tue, 30 Aug 2011 22:58:37 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D4886.1040205@mejor.pl>
References: <4E5D395C.2070603@gmx.net> <4E5D4886.1040205@mejor.pl>
Message-ID: <4E5D4EFD.5070400@gmx.net>

On 30.08.2011 22:31, Marcin Mirosław wrote:
> On 30.08.2011 21:26, Andreas Piesk wrote:
>> i've a problem with rsyslog 5.8.4. i need MARK messages to check if rsyslog is still sending
>> messages to the central logserver. here's the config:
>
> I've got a similar observation. Mark messages disappeared some time ago.

do you know at which version immark stopped working properly?
regards,
-ap

From david at lang.hm Tue Aug 30 23:02:44 2011
From: david at lang.hm (david at lang.hm)
Date: Tue, 30 Aug 2011 14:02:44 -0700 (PDT)
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D4EA2.8030809@gmx.net>
References: <4E5D395C.2070603@gmx.net> <4E5D4676.3080502@gmx.net> <4E5D4EA2.8030809@gmx.net>
Message-ID:

On Tue, 30 Aug 2011, Andreas Piesk wrote:

> On 30.08.2011 22:31, david at lang.hm wrote:
>> do any of your local selectors throw away messages? (i.e. the ~ destination)
>>
>> if you put a *.* /var/log/testfile before any of the local selectors does it also show no messages?
>>
>> the immark module is an input module, as such it only produces a mark message if there is no input
>> of any kind for the time period.
>>
>> If there are any input messages, even if they are thrown away before your forwarding selector, they
>> will prevent the immark module from creating mark messages.
>
> there are no input messages. i've quieted the system to ease the checking. nothing is logged locally,
> nothing thrown away and all messages, if there are any, are forwarded to central logservers.
>
> i have a workaround by using $ActionWriteAllMarkMessages, i just want to check if there's something
> wrong with the setup or if it's really a bug. for now it seems to be a bug to me.

I agree, I was just trying to make sure that it wasn't something else.

David Lang

From malte.forkel at berlin.de Tue Aug 30 23:07:05 2011
From: malte.forkel at berlin.de (Malte Forkel)
Date: Tue, 30 Aug 2011 23:07:05 +0200
Subject: [rsyslog] Time constraint for rule execution
In-Reply-To:
References:
Message-ID:

Thanks to both of you for your help!

I have been able to solve my problem using SEC. I create a context with
a lifetime of 60 seconds on the startup message. Only when that context
is not active anymore, notifications are triggered by the warnings I'm
interested in.
Malte

On 30.08.2011 16:33, david at lang.hm wrote:
> In that case you need additional tools, take a look at SEC (Simple Event
> Correlator), feed the appropriate logs from rsyslog into a named pipe
> and have SEC read from the named pipe.
>
>
> In SEC you can create a timer at startup that lasts for 1 minute, then
> configure to not alert if this timer is running, but to alert any other
> time it sees the log entries.
>
> David Lang
>
> On Tue, 30 Aug 2011, Malte Forkel wrote:
>
>> On 30.08.2011 00:04, david at lang.hm wrote:
>>> you can throttle the output to not send more than one line every 60
>>> seconds. I'm not sure of the details, but search the rsyslog
>>> documentation for 'throttle'
>>>
>>> Is this what you are looking for?
>>>
>>> David Lang
>>>
>>
>> Unfortunately, that's not quite what I'm looking for.
>>
>> I have a software that issues a couple of warnings during startup. They
>> are ok and I'd like to ignore them. If those same warnings are issued
>> later on during normal operations, they are not ok and I'd like to catch
>> them. So it's not the number of entries per minute but rather all entries
>> after the first minute that I'm interested in.
>>
>> I thought I could write a timestamp when one of the software's startup
>> messages (not one of the warnings) is issued. Later, when a warning is
>> detected, I then wanted to check how much time had passed since the
>> timestamp. Only if enough time had passed, I would want to send a
>> notification.
>>
>> I'm just not sure if and how this (or something more appropriate) can be
>> done with rsyslog.
>>
>> Malte

From marcin at mejor.pl Tue Aug 30 23:32:19 2011
From: marcin at mejor.pl (=?ISO-8859-2?Q?Marcin_Miros=B3aw?=)
Date: Tue, 30 Aug 2011 23:32:19 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D4EFD.5070400@gmx.net>
References: <4E5D395C.2070603@gmx.net> <4E5D4886.1040205@mejor.pl> <4E5D4EFD.5070400@gmx.net>
Message-ID: <4E5D56E3.9060801@mejor.pl>

On 30.08.2011 22:58, Andreas Piesk wrote:
> On 30.08.2011 22:31, Marcin Mirosław wrote:
>> On 30.08.2011 21:26, Andreas Piesk wrote:
>>> i've a problem with rsyslog 5.8.4. i need MARK messages to check if rsyslog is still sending
>>> messages to the central logserver. here's the config:
>>
>> I've got a similar observation. Mark messages disappeared some time ago.
>
> do you know at which version immark stopped working properly?

It looks like it works in:
- 3.22.1 :)
- 5.5.2
- 5.5.3
- 5.5.4
- 5.5.5

It doesn't work in
- 5.6.6
- 6.1.1 and later

Probably MARK disappeared between 5.5.5 and 5.6.6. Most of them were compiled from git. I took
the version from the swVersion field.

Regards,
Marcin

From marcin at mejor.pl Tue Aug 30 23:50:48 2011
From: marcin at mejor.pl (=?ISO-8859-2?Q?Marcin_Miros=B3aw?=)
Date: Tue, 30 Aug 2011 23:50:48 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D56E3.9060801@mejor.pl>
References: <4E5D395C.2070603@gmx.net> <4E5D4886.1040205@mejor.pl> <4E5D4EFD.5070400@gmx.net> <4E5D56E3.9060801@mejor.pl>
Message-ID: <4E5D5B38.6010807@mejor.pl>

On 30.08.2011 22:31, david at lang.hm wrote:
> do any of your local selectors throw away messages? (i.e. the ~
> destination)
>
> if you put a *.* /var/log/testfile before any of the local selectors
> does it also show no messages?
>
> the immark module is an input module, as such it only produces a mark
> message if there is no input of any kind for the time period.
>
> If there are any input messages, even if they are thrown away before
> your forwarding selector, they will prevent the immark module from
> creating mark messages.

Hi,
it looks like i'm hit by such a situation. Imrelp receives messages, next
i'm forwarding them to another host.
So my previous email can be misleading.

Regards

From rgerhards at hq.adiscon.com Wed Aug 31 09:59:20 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 31 Aug 2011 09:59:20 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5D5B38.6010807@mejor.pl>
References: <4E5D395C.2070603@gmx.net> <4E5D4886.1040205@mejor.pl><4E5D4EFD.5070400@gmx.net> <4E5D56E3.9060801@mejor.pl> <4E5D5B38.6010807@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728116E@GRFEXC.intern.adiscon.com>

Standby, I'll try to repro with 5.8.4...
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> Sent: Tuesday, August 30, 2011 11:51 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 5.8.4: no MARK messages
>
> On 30.08.2011 22:31, david at lang.hm wrote:
> > do any of your local selectors throw away messages? (i.e. the ~
> > destination)
> >
> > if you put a *.* /var/log/testfile before any of the local selectors
> > does it also show no messages?
> >
> > the immark module is an input module, as such it only produces a mark
> > message if there is no input of any kind for the time period.
> >
> > If there are any input messages, even if they are thrown away before
> > your forwarding selector, they will prevent the immark module from
> > creating mark messages.
>
> Hi,
> it looks like i'm hit by such a situation. Imrelp receives messages, next
> i'm forwarding them to another host.
> So my previous email can be misleading.
>
> Regards

From rgerhards at hq.adiscon.com Wed Aug 31 10:06:10 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 31 Aug 2011 10:06:10 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728116E@GRFEXC.intern.adiscon.com>
References: <4E5D395C.2070603@gmx.net><4E5D4886.1040205@mejor.pl><4E5D4EFD.5070400@gmx.net><4E5D56E3.9060801@mejor.pl> <4E5D5B38.6010807@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA728116E@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728116F@GRFEXC.intern.adiscon.com>

I think I can reproduce it...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, August 31, 2011 9:59 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 5.8.4: no MARK messages
>
> Standby, I'll try to repro with 5.8.4...
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> > Sent: Tuesday, August 30, 2011 11:51 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog 5.8.4: no MARK messages
> >
> > On 30.08.2011 22:31, david at lang.hm wrote:
> > > do any of your local selectors throw away messages? (i.e. the ~
> > > destination)
> > >
> > > if you put a *.* /var/log/testfile before any of the local selectors
> > > does it also show no messages?
> > >
> > > the immark module is an input module, as such it only produces a mark
> > > message if there is no input of any kind for the time period.
> > >
> > > If there are any input messages, even if they are thrown away before
> > > your forwarding selector, they will prevent the immark module from
> > > creating mark messages.
> >
> > Hi,
> > it looks like i'm hit by such a situation. Imrelp receives messages, next
> > i'm forwarding them to another host.
> > So my previous email can be misleading.
> >
> > Regards

From rgerhards at hq.adiscon.com Wed Aug 31 11:13:17 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 31 Aug 2011 11:13:17 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728116F@GRFEXC.intern.adiscon.com>
References: <4E5D395C.2070603@gmx.net><4E5D4886.1040205@mejor.pl><4E5D4EFD.5070400@gmx.net><4E5D56E3.9060801@mejor.pl><4E5D5B38.6010807@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA728116E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728116F@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281170@GRFEXC.intern.adiscon.com>

Please try out the attached patch. For me, it fixes the issue in 5.8.4.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, August 31, 2011 10:06 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 5.8.4: no MARK messages
>
> I think I can reproduce it...
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Wednesday, August 31, 2011 9:59 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog 5.8.4: no MARK messages
> >
> > Standby, I'll try to repro with 5.8.4...
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com
> > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> > > Sent: Tuesday, August 30, 2011 11:51 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] rsyslog 5.8.4: no MARK messages
> > >
> > > On 30.08.2011 22:31, david at lang.hm wrote:
> > > > do any of your local selectors throw away messages? (i.e. the ~
> > > > destination)
> > > >
> > > > if you put a *.* /var/log/testfile before any of the local selectors
> > > > does it also show no messages?
> > > >
> > > > the immark module is an input module, as such it only produces a mark
> > > > message if there is no input of any kind for the time period.
> > > >
> > > > If there are any input messages, even if they are thrown away before
> > > > your forwarding selector, they will prevent the immark module from
> > > > creating mark messages.
> > >
> > > Hi,
> > > it looks like i'm hit by such a situation. Imrelp receives messages, next
> > > i'm forwarding them to another host.
> > > So my previous email can be misleading.
> > >
> > > Regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: markmsg.patch
Type: application/octet-stream
Size: 3523 bytes
Desc: markmsg.patch
URL:

From marcin at mejor.pl Wed Aug 31 11:28:28 2011
From: marcin at mejor.pl (=?UTF-8?B?TWFyY2luIE1pcm9zxYJhdw==?=)
Date: Wed, 31 Aug 2011 11:28:28 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281170@GRFEXC.intern.adiscon.com>
References: <4E5D395C.2070603@gmx.net><4E5D4886.1040205@mejor.pl><4E5D4EFD.5070400@gmx.net><4E5D56E3.9060801@mejor.pl><4E5D5B38.6010807@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA728116E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728116F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281170@GRFEXC.intern.adiscon.com>
Message-ID: <4E5DFEBC.7010007@mejor.pl>

On 31.08.2011 11:13, Rainer Gerhards wrote:
> Please try out the attached patch. For me, it fixes the issue in 5.8.4.

I can't try it. I'm stuck on version 5.6.5 (and this patch doesn't apply).

From a.piesk at gmx.net Wed Aug 31 16:26:29 2011
From: a.piesk at gmx.net (Andreas Piesk)
Date: Wed, 31 Aug 2011 16:26:29 +0200
Subject: [rsyslog] rsyslog 5.8.4: no MARK messages
In-Reply-To: <4E5DFEBC.7010007@mejor.pl>
References: <4E5D395C.2070603@gmx.net><4E5D4886.1040205@mejor.pl><4E5D4EFD.5070400@gmx.net><4E5D56E3.9060801@mejor.pl><4E5D5B38.6010807@mejor.pl><9B6E2A8877C38245BFB15CC491A11DA728116E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728116F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281170@GRFEXC.intern.adiscon.com> <4E5DFEBC.7010007@mejor.pl>
Message-ID: <4E5E4495.4090607@gmx.net>

On 31.08.2011 11:28, Marcin Mirosław wrote:
> On 31.08.2011 11:13, Rainer Gerhards wrote:
>> Please try out the attached patch. For me, it fixes the issue in 5.8.4.
>
> I can't try it. I'm stuck on version 5.6.5 (and this patch doesn't apply).

OK, I'll try it and report back. Thanks.
-ap

From andrew at andrewloe.com Wed Aug 31 20:42:26 2011
From: andrew at andrewloe.com (W. Andrew Loe III)
Date: Wed, 31 Aug 2011 11:42:26 -0700
Subject: [rsyslog] MainMsgQueueTimeoutEnqueue / ActionQueueTimeoutEnqueue
Message-ID:

I find the documentation for these two settings to be unclear. Does setting them to 0 mean blocking the producer (in the case of MainMsg, my application) indefinitely or does it disable this time and cause messages to be dropped immediately when the queue is full (my desired behavior)? I have currently set both to 1ms, but I would actually like to disable this.

"$MainMsgQueueTimeoutEnqueue [number is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite]"