From openlinuxsource at gmail.com Tue Mar 1 02:30:29 2011
From: openlinuxsource at gmail.com (Lee Eric)
Date: Tue, 1 Mar 2011 09:30:29 +0800
Subject: [rsyslog] Help: Separate Logs Order

Sorry, mate. As you mentioned, the log file /var/log/system-server.log
will be created in the host "server" and its other logs thrown away.
But what I want is that the logs in the host "server" will write to their
original places in /var/log/messages etc., not to a newly created
system-server.log.

By now, all host "server" logs will write to /var/log/system-server.log
and the other original logging places are not written to when using my
rules. So I hope there will be a way to fix that. The host "server" is
the rsyslog server.

Thanks,

Eric

On Tue, Mar 1, 2011 at 5:38 AM, wrote:
> On Mon, 28 Feb 2011, Lee Eric wrote:
>
>> Hi,
>>
>> I have a question about separate logs order configuration. I have 4
>> machines with hostnames server, storage, client1 and client2. The
>> rsyslog is running at server. The configuration looks like that:
>>
>> $ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
>> $ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
>> $ModLoad imtcp.so
>> $InputTCPServerRun 514
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> $template DynFile,"/var/log/system-%HOSTNAME%.log"
>> :source , !isequal , "localhost" ?DynFile
>> & ~
>> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>> authpriv.*                                              /var/log/secure
>> mail.*                                                  -/var/log/maillog
>> cron.*                                                  /var/log/cron
>> *.emerg                                                 *
>> uucp,news.crit                                          /var/log/spooler
>> local7.*                                                /var/log/boot.log
>>
>> And in the other machines the configuration looks like this:
>>
>> $ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
>> $ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
>> $ModLoad imtcp.so
>> $InputTCPServerRun 514
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> *.*     @@server.herdingcat.internal
>> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>> authpriv.*                                              /var/log/secure
>> mail.*                                                  -/var/log/maillog
>> cron.*                                                  /var/log/cron
>> *.emerg                                                 *
>> uucp,news.crit                                          /var/log/spooler
>> local7.*                                                /var/log/boot.log
>>
>> /var/log/system-storage.log, /var/log/system-client1.log and
>> /var/log/system-client2.log are created successfully and it works well, but
>> there's also a log file /var/log/system-server.log created. I hope
>> server's log is still recorded under /var/log/messages, not separated.
>> So I'm wondering, is there any good method to achieve that function?
>
> I don't really understand your question here.
>
> the second configuration doesn't seem to have any dynafile lines, so it
> sounds like you are asking about the first one.
>
> In the first one you are saying that for any server other than localhost,
> put the logs in a file /var/log/system-name.log and then throw them away
> (don't put them in any other logfile)
>
> so if you get a log entry from a machine called 'server' it would create the
> file /var/log/system-server.log and then throw away the log.
>
> could you please try restating what you think is being done differently
> from what you are wanting?
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
From david at lang.hm Tue Mar 1 02:49:45 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 28 Feb 2011 17:49:45 -0800 (PST)
Subject: [rsyslog] Help: Separate Logs Order

On Tue, 1 Mar 2011, Lee Eric wrote:
> Sorry, mate. As you mentioned, the log file /var/log/system-server.log
> will be created in the host "server" and its other logs thrown away.
> But what I want is that the logs in the host "server" will write to their
> original places in /var/log/messages etc., not to a newly created
> system-server.log.
>
> By now, all host "server" logs will write to
> /var/log/system-server.log and the other original logging places are not
> written to when using my rules. So I hope there will be a way to fix that.
> The host "server" is the rsyslog server.

Ok, that's what I missed.

you need to change your test to be something like the following (probably
slightly incorrect) test

if (%source != 'localhost' or %source != 'server') then ?DynFile

and if you want it in the file system-server.log as well, add an entry below
that that does

*.* /var/log/system-server.log

David Lang

> Thanks,
>
> Eric
From openlinuxsource at gmail.com Tue Mar 1 03:26:13 2011
From: openlinuxsource at gmail.com (Lee Eric)
Date: Tue, 1 Mar 2011 10:26:13 +0800
Subject: [rsyslog] Help: Separate Logs Order

Hi mate,

I use your conf but I encounter a more serious problem:

Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
Feb 28 21:22:11 server rsyslogd: the last error occured in /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != 'server') then ?DynFile"
Feb 28 21:22:11 server rsyslogd: warning: selector line without actions will be discarded
Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]

And /var/log/system-server.log won't be created, but all other machines'
logs will write to /var/log/messages in the host "server", not the
separated logs.

Do you have any idea how to fix that?

Regards,

Eric

On Tue, Mar 1, 2011 at 9:49 AM, wrote:
> Ok, that's what I missed.
>
> you need to change your test to be something like the following (probably
> slightly incorrect) test
>
> if (%source != 'localhost' or %source != 'server') then ?DynFile
>
> and if you want it in the file system-server.log as well, add an entry below
> that that does
>
> *.* /var/log/system-server.log
>
> David Lang
From david at lang.hm Tue Mar 1 04:15:38 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 28 Feb 2011 19:15:38 -0800 (PST)
Subject: [rsyslog] Help: Separate Logs Order

I figured my syntax was not quite right. I didn't take the time to look it
up exactly.

Ok, looking things up

if ($source != 'localhost' and $source != 'server') then ?DynFile

how does this work.

David Lang

On Tue, 1 Mar 2011, Lee Eric wrote:
> Date: Tue, 1 Mar 2011 10:26:13 +0800
> From: Lee Eric
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: Re: [rsyslog] Help: Separate Logs Order
>
> Hi mate,
>
> I use your conf but I encounter a more serious problem:
>
> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
> Feb 28 21:22:11 server rsyslogd: the last error occured in /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != 'server') then ?DynFile"
> Feb 28 21:22:11 server rsyslogd: warning: selector line without actions will be discarded
> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>
> And /var/log/system-server.log won't be created, but all other machines'
> logs will write to /var/log/messages in the host "server", not the
> separated logs.
>
> Do you have any idea how to fix that?
>
> Regards,
>
> Eric
From openlinuxsource at gmail.com Tue Mar 1 04:43:58 2011
From: openlinuxsource at gmail.com (Lee Eric)
Date: Tue, 1 Mar 2011 11:43:58 +0800
Subject: [rsyslog] Help: Separate Logs Order

Hi,

No syntax error, but still not working. system-server.log is still
created, and other hosts' logs write to the host "server"'s
/var/log/messages and /var/log/system-hostname.log at the same time.

$template DynFile,"/var/log/system-%HOSTNAME%.log"
if ($source != 'localhost' or $source != 'server') then ?DynFile

Regards,

Eric

On Tue, Mar 1, 2011 at 11:15 AM, wrote:
> I figured my syntax was not quite right. I didn't take the time to look it
> up exactly.
>
> Ok, looking things up
>
> if ($source != 'localhost' and $source != 'server') then ?DynFile
>
> how does this work.
>
> David Lang
From openlinuxsource at gmail.com Tue Mar 1 15:22:11 2011
From: openlinuxsource at gmail.com (Lee Eric)
Date: Tue, 1 Mar 2011 22:22:11 +0800
Subject: [rsyslog] Help: Separate Logs Order

Any update?

Eric

On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric wrote:
> Hi,
>
> No syntax error, but still not working. system-server.log is still
> created, and other hosts' logs write to the host "server"'s
> /var/log/messages and /var/log/system-hostname.log at the same time.
>
> $template DynFile,"/var/log/system-%HOSTNAME%.log"
> if ($source != 'localhost' or $source != 'server') then ?DynFile
>
> Regards,
>
> Eric
>>> From: Lee Eric >>> Reply-To: rsyslog-users >>> To: rsyslog-users >>> Subject: Re: [rsyslog] Help: Separate Logs Order >>> >>> Hi mate, >>> >>> I use your conf but I encounter more serious problem: >>> >>> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try >>> http://www.rsyslog.com/e/2051 ] >>> Feb 28 21:22:11 server rsyslogd: the last error occured in >>> /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != >>> 'server') then ?DynFile" >>> Feb 28 21:22:11 server rsyslogd: warning: selector line without >>> actions will be discarded >>> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not >>> interpret master config file '/etc/rsyslog.conf'. [try >>> http://www.rsyslog.com/e/2124 ] >>> >>> And /var/log/system-server.log won't create but all other machines >>> logs will write to /var/log/messages in the host "server", not the >>> separated logs. >>> >>> Do you have any idea to fix that? >>> >>> Regards, >>> >>> Eric >>> >>> On Tue, Mar 1, 2011 at 9:49 AM, ? wrote: >>>> >>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>> >>>>> Sorry, mate. As you mentioned the log file /var/log/system-server.log >>>>> will be created in the host "server" and throw away its other logs. >>>>> But what I want is the logs in the host "server" will write to its >>>>> original places in /var/log/messages etc., not recreated a >>>>> system-server.log to record logs. >>>>> >>>>> By now, all host "server" logs will write to >>>>> /var/log/system-server.log and other original logging places are not >>>>> written by using my rules. So I hope there will be a way to fix that. >>>>> The host "server" is rsyslog server. >>>> >>>> Ok, that's what I missed. 
>>>> >>>> you need to change your test to be something like the following (probably >>>> slightly incorrect) test >>>> >>>> if (%source != 'localhost' or %source != 'server') then ?DynFile >>>> >>>> and if you want it in the file system-server.log as well, add an entry >>>> below >>>> that that does >>>> >>>> *.* /var/log/system-server.log >>>> >>>> David Lang >>>> >>>>> Thanks, >>>>> >>>>> Eric >>>>> >>>>> On Tue, Mar 1, 2011 at 5:38 AM, ? wrote: >>>>>> >>>>>> On Mon, 28 Feb 2011, Lee Eric wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I have a question about separate logs order configuration. I have 4 >>>>>>> machines with hostnames server, storage, client1 and client2. The >>>>>>> rsyslogs is running at server. The configuration looks like that: >>>>>>> >>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>> (e.g. >>>>>>> via logger command) >>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support (previously >>>>>>> done >>>>>>> by rklogd) >>>>>>> $ModLoad imtcp.so >>>>>>> $InputTCPServerRun 514 >>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>>>>> :source , !isequal , "localhost" ?DynFile >>>>>>> & ~ >>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>> ?/var/log/messages >>>>>>> authpriv.* >>>>>>> ?/var/log/secure >>>>>>> mail.* >>>>>>> ?-/var/log/maillog >>>>>>> cron.* ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?/var/log/cron >>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>> uucp,news.crit >>>>>>> ?/var/log/spooler >>>>>>> local7.* >>>>>>> ?/var/log/boot.log >>>>>>> >>>>>>> And in other machines the configuration looks like this: >>>>>>> >>>>>>> >>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>> (e.g. >>>>>>> via logger command) >>>>>>> $ModLoad imklog.so ? ? 
?# provides kernel logging support (previously >>>>>>> done >>>>>>> by rklogd) >>>>>>> $ModLoad imtcp.so >>>>>>> $InputTCPServerRun 514 >>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>> *.* ? ? @@server.herdingcat.internal >>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>> ?/var/log/messages >>>>>>> authpriv.* >>>>>>> ?/var/log/secure >>>>>>> mail.* >>>>>>> ?-/var/log/maillog >>>>>>> cron.* ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?/var/log/cron >>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>> uucp,news.crit >>>>>>> ?/var/log/spooler >>>>>>> local7.* >>>>>>> ?/var/log/boot.log >>>>>>> >>>>>>> /var/log/system-storage.log, /var/log/system-client1.log, >>>>>>> /var/log/system-client2.log created successfully and it works well but >>>>>>> there's also a log file /var/log/system-server.log created. I hope >>>>>>> server's log is still recorded under /var/log/messages not separated. >>>>>>> So I'm wondering is there any good method to achieve that function? >>>>>> >>>>>> I don't really understand your question here. >>>>>> >>>>>> the second configuration doesn't seem to have any dynafile lines, so it >>>>>> sounds like you are asking about the first one. >>>>>> >>>>>> In the first one you are saying that for any server other than >>>>>> localhost, >>>>>> put the logs in a file /var/log/system-name.log and then throw them >>>>>> away >>>>>> (don't put them in any other logfile) >>>>>> >>>>>> so if you get a log entry from a machine called 'server' it would >>>>>> create >>>>>> the >>>>>> fiel /var/log/system-server.log and then throw away the log. >>>>>> >>>>>> could you please try restating your what you think is being done >>>>>> differently >>>>>> from what you are wanting? 
>>>>>>
>>>>>> David Lang
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com
>>>>>>
>>>>>
>>>>
>>>
>>
>
From david at lang.hm Wed Mar 2 01:07:43 2011
From: david at lang.hm (david at lang.hm)
Date: Tue, 1 Mar 2011 16:07:43 -0800 (PST)
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References:
Message-ID:

sorry, I hadn't had time to look at this since my last e-mail

the test is for source, but then the file is named from hostname, why the
difference? wouldn't you want to have the test match what you are using in
the filename?

David Lang

On Tue, 1 Mar 2011, Lee Eric wrote:

> Date: Tue, 1 Mar 2011 22:22:11 +0800
> From: Lee Eric
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: Re: [rsyslog] Help: Separate Logs Order
>
> Any update?
>
> Eric
>
> On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric wrote:
>> Hi,
>>
>> No syntax error but still not working. system-server.log is still
>> created, and other hosts' logs write to the host "server" /var/log/messages
>> and /var/log/system-hostname.log at the same time.
>>
>> $template DynFile,"/var/log/system-%HOSTNAME%.log"
>> if ($source != 'localhost' or $source != 'server') then ?DynFile
>>
>> Regards,
>>
>> Eric
>>
>> On Tue, Mar 1, 2011 at 11:15 AM, wrote:
>>> I figured my syntax was not quite right. I didn't take the time to look it
>>> up exactly.
>>>
>>> Ok, looking things up
>>>
>>> if ($source != 'localhost' and $source != 'server') then ?DynFile
>>>
>>> how does this work.
>>>
>>> David Lang
>>>
>>> On Tue, 1 Mar 2011, Lee Eric wrote:
>>>
>>>> Date: Tue, 1 Mar 2011 10:26:13 +0800
>>>> From: Lee Eric >>>> Reply-To: rsyslog-users >>>> To: rsyslog-users >>>> Subject: Re: [rsyslog] Help: Separate Logs Order >>>> >>>> Hi mate, >>>> >>>> I use your conf but I encounter more serious problem: >>>> >>>> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try >>>> http://www.rsyslog.com/e/2051 ] >>>> Feb 28 21:22:11 server rsyslogd: the last error occured in >>>> /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != >>>> 'server') then ?DynFile" >>>> Feb 28 21:22:11 server rsyslogd: warning: selector line without >>>> actions will be discarded >>>> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not >>>> interpret master config file '/etc/rsyslog.conf'. [try >>>> http://www.rsyslog.com/e/2124 ] >>>> >>>> And /var/log/system-server.log won't create but all other machines >>>> logs will write to /var/log/messages in the host "server", not the >>>> separated logs. >>>> >>>> Do you have any idea to fix that? >>>> >>>> Regards, >>>> >>>> Eric >>>> >>>> On Tue, Mar 1, 2011 at 9:49 AM, ? wrote: >>>>> >>>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>>> >>>>>> Sorry, mate. As you mentioned the log file /var/log/system-server.log >>>>>> will be created in the host "server" and throw away its other logs. >>>>>> But what I want is the logs in the host "server" will write to its >>>>>> original places in /var/log/messages etc., not recreated a >>>>>> system-server.log to record logs. >>>>>> >>>>>> By now, all host "server" logs will write to >>>>>> /var/log/system-server.log and other original logging places are not >>>>>> written by using my rules. So I hope there will be a way to fix that. >>>>>> The host "server" is rsyslog server. >>>>> >>>>> Ok, that's what I missed. 
>>>>> >>>>> you need to change your test to be something like the following (probably >>>>> slightly incorrect) test >>>>> >>>>> if (%source != 'localhost' or %source != 'server') then ?DynFile >>>>> >>>>> and if you want it in the file system-server.log as well, add an entry >>>>> below >>>>> that that does >>>>> >>>>> *.* /var/log/system-server.log >>>>> >>>>> David Lang >>>>> >>>>>> Thanks, >>>>>> >>>>>> Eric >>>>>> >>>>>> On Tue, Mar 1, 2011 at 5:38 AM, ? wrote: >>>>>>> >>>>>>> On Mon, 28 Feb 2011, Lee Eric wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have a question about separate logs order configuration. I have 4 >>>>>>>> machines with hostnames server, storage, client1 and client2. The >>>>>>>> rsyslogs is running at server. The configuration looks like that: >>>>>>>> >>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>>> (e.g. >>>>>>>> via logger command) >>>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support (previously >>>>>>>> done >>>>>>>> by rklogd) >>>>>>>> $ModLoad imtcp.so >>>>>>>> $InputTCPServerRun 514 >>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>>>>>> :source , !isequal , "localhost" ?DynFile >>>>>>>> & ~ >>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>> ?/var/log/messages >>>>>>>> authpriv.* >>>>>>>> ?/var/log/secure >>>>>>>> mail.* >>>>>>>> ?-/var/log/maillog >>>>>>>> cron.* ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?/var/log/cron >>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>> uucp,news.crit >>>>>>>> ?/var/log/spooler >>>>>>>> local7.* >>>>>>>> ?/var/log/boot.log >>>>>>>> >>>>>>>> And in other machines the configuration looks like this: >>>>>>>> >>>>>>>> >>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>>> (e.g. >>>>>>>> via logger command) >>>>>>>> $ModLoad imklog.so ? ? 
?# provides kernel logging support (previously >>>>>>>> done >>>>>>>> by rklogd) >>>>>>>> $ModLoad imtcp.so >>>>>>>> $InputTCPServerRun 514 >>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>> *.* ? ? @@server.herdingcat.internal >>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>> ?/var/log/messages >>>>>>>> authpriv.* >>>>>>>> ?/var/log/secure >>>>>>>> mail.* >>>>>>>> ?-/var/log/maillog >>>>>>>> cron.* ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?/var/log/cron >>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>> uucp,news.crit >>>>>>>> ?/var/log/spooler >>>>>>>> local7.* >>>>>>>> ?/var/log/boot.log >>>>>>>> >>>>>>>> /var/log/system-storage.log, /var/log/system-client1.log, >>>>>>>> /var/log/system-client2.log created successfully and it works well but >>>>>>>> there's also a log file /var/log/system-server.log created. I hope >>>>>>>> server's log is still recorded under /var/log/messages not separated. >>>>>>>> So I'm wondering is there any good method to achieve that function? >>>>>>> >>>>>>> I don't really understand your question here. >>>>>>> >>>>>>> the second configuration doesn't seem to have any dynafile lines, so it >>>>>>> sounds like you are asking about the first one. >>>>>>> >>>>>>> In the first one you are saying that for any server other than >>>>>>> localhost, >>>>>>> put the logs in a file /var/log/system-name.log and then throw them >>>>>>> away >>>>>>> (don't put them in any other logfile) >>>>>>> >>>>>>> so if you get a log entry from a machine called 'server' it would >>>>>>> create >>>>>>> the >>>>>>> fiel /var/log/system-server.log and then throw away the log. >>>>>>> >>>>>>> could you please try restating your what you think is being done >>>>>>> differently >>>>>>> from what you are wanting? 
>>>>>>>
>>>>>>> David Lang
>>>>>>
>>>>>
>>>>
>>>
>>
>
From openlinuxsource at gmail.com Wed Mar 2 02:01:01 2011
From: openlinuxsource at gmail.com (Lee Eric)
Date: Wed, 2 Mar 2011 09:01:01 +0800
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References:
Message-ID:

Hey mate,

Because I still wanna use the host "server" default logs location
/var/log/messages. I'm just thinking if the syntax of rsyslog is
complex that should indicate it is flexible. But I didn't notice that.
Do you have any good idea?

Thanks.

Eric

On Wed, Mar 2, 2011 at 8:07 AM, wrote:
> sorry, I hadn't had time to look at this since my last e-mail
>
> the test is for source, but then the file is named from hostname, why the
> difference? wouldn't you want to have the test match what you are using in
> the filename?
>
> David Lang
>
> On Tue, 1 Mar 2011, Lee Eric wrote:
>
>> Date: Tue, 1 Mar 2011 22:22:11 +0800
>> From: Lee Eric >> Reply-To: rsyslog-users >> To: rsyslog-users >> Subject: Re: [rsyslog] Help: Separate Logs Order >> >> Any update? >> >> Eric >> >> On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric >> wrote: >>> >>> Hi, >>> >>> No syntax error but still not working. system-server.log still >>> created, other hosts logs write to the host "server" /var/log/messages >>> and /var/log/system-hostname.log at the same time. >>> >>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>> if ($source != 'localhost' or $source != 'server') then ?DynFile >>> >>> Regards, >>> >>> Eric >>> >>> On Tue, Mar 1, 2011 at 11:15 AM, ? wrote: >>>> >>>> I figured my syntax was not quite right. I didn't take the time to look >>>> it >>>> up exactly. >>>> >>>> Ok, looking things up >>>> >>>> if ($source != 'localhost' and $source != 'server') then ?DynFile >>>> >>>> how does this work. >>>> >>>> David Lang >>>> >>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>> >>>>> Date: Tue, 1 Mar 2011 10:26:13 +0800 
>>>>> From: Lee Eric >>>>> Reply-To: rsyslog-users >>>>> To: rsyslog-users >>>>> Subject: Re: [rsyslog] Help: Separate Logs Order >>>>> >>>>> Hi mate, >>>>> >>>>> I use your conf but I encounter more serious problem: >>>>> >>>>> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try >>>>> http://www.rsyslog.com/e/2051 ] >>>>> Feb 28 21:22:11 server rsyslogd: the last error occured in >>>>> /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != >>>>> 'server') then ?DynFile" >>>>> Feb 28 21:22:11 server rsyslogd: warning: selector line without >>>>> actions will be discarded >>>>> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not >>>>> interpret master config file '/etc/rsyslog.conf'. [try >>>>> http://www.rsyslog.com/e/2124 ] >>>>> >>>>> And /var/log/system-server.log won't create but all other machines >>>>> logs will write to /var/log/messages in the host "server", not the >>>>> separated logs. >>>>> >>>>> Do you have any idea to fix that? >>>>> >>>>> Regards, >>>>> >>>>> Eric >>>>> >>>>> On Tue, Mar 1, 2011 at 9:49 AM, ? wrote: >>>>>> >>>>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>>>> >>>>>>> Sorry, mate. As you mentioned the log file /var/log/system-server.log >>>>>>> will be created in the host "server" and throw away its other logs. >>>>>>> But what I want is the logs in the host "server" will write to its >>>>>>> original places in /var/log/messages etc., not recreated a >>>>>>> system-server.log to record logs. >>>>>>> >>>>>>> By now, all host "server" logs will write to >>>>>>> /var/log/system-server.log and other original logging places are not >>>>>>> written by using my rules. So I hope there will be a way to fix that. >>>>>>> The host "server" is rsyslog server. >>>>>> >>>>>> Ok, that's what I missed. 
>>>>>> >>>>>> you need to change your test to be something like the following >>>>>> (probably >>>>>> slightly incorrect) test >>>>>> >>>>>> if (%source != 'localhost' or %source != 'server') then ?DynFile >>>>>> >>>>>> and if you want it in the file system-server.log as well, add an entry >>>>>> below >>>>>> that that does >>>>>> >>>>>> *.* /var/log/system-server.log >>>>>> >>>>>> David Lang >>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> Eric >>>>>>> >>>>>>> On Tue, Mar 1, 2011 at 5:38 AM, ? wrote: >>>>>>>> >>>>>>>> On Mon, 28 Feb 2011, Lee Eric wrote: >>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I have a question about separate logs order configuration. I have 4 >>>>>>>>> machines with hostnames server, storage, client1 and client2. The >>>>>>>>> rsyslogs is running at server. The configuration looks like that: >>>>>>>>> >>>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>>>> (e.g. >>>>>>>>> via logger command) >>>>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support >>>>>>>>> (previously >>>>>>>>> done >>>>>>>>> by rklogd) >>>>>>>>> $ModLoad imtcp.so >>>>>>>>> $InputTCPServerRun 514 >>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>>>>>>> :source , !isequal , "localhost" ?DynFile >>>>>>>>> & ~ >>>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>>> ?/var/log/messages >>>>>>>>> authpriv.* >>>>>>>>> ?/var/log/secure >>>>>>>>> mail.* >>>>>>>>> ?-/var/log/maillog >>>>>>>>> cron.* >>>>>>>>> ?/var/log/cron >>>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>>> uucp,news.crit >>>>>>>>> ?/var/log/spooler >>>>>>>>> local7.* >>>>>>>>> ?/var/log/boot.log >>>>>>>>> >>>>>>>>> And in other machines the configuration looks like this: >>>>>>>>> >>>>>>>>> >>>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>>>> (e.g. >>>>>>>>> via logger command) >>>>>>>>> $ModLoad imklog.so ? ? 
?# provides kernel logging support >>>>>>>>> (previously >>>>>>>>> done >>>>>>>>> by rklogd) >>>>>>>>> $ModLoad imtcp.so >>>>>>>>> $InputTCPServerRun 514 >>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>>> *.* ? ? @@server.herdingcat.internal >>>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>>> ?/var/log/messages >>>>>>>>> authpriv.* >>>>>>>>> ?/var/log/secure >>>>>>>>> mail.* >>>>>>>>> ?-/var/log/maillog >>>>>>>>> cron.* >>>>>>>>> ?/var/log/cron >>>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>>> uucp,news.crit >>>>>>>>> ?/var/log/spooler >>>>>>>>> local7.* >>>>>>>>> ?/var/log/boot.log >>>>>>>>> >>>>>>>>> /var/log/system-storage.log, /var/log/system-client1.log, >>>>>>>>> /var/log/system-client2.log created successfully and it works well >>>>>>>>> but >>>>>>>>> there's also a log file /var/log/system-server.log created. I hope >>>>>>>>> server's log is still recorded under /var/log/messages not >>>>>>>>> separated. >>>>>>>>> So I'm wondering is there any good method to achieve that function? >>>>>>>> >>>>>>>> I don't really understand your question here. >>>>>>>> >>>>>>>> the second configuration doesn't seem to have any dynafile lines, so >>>>>>>> it >>>>>>>> sounds like you are asking about the first one. >>>>>>>> >>>>>>>> In the first one you are saying that for any server other than >>>>>>>> localhost, >>>>>>>> put the logs in a file /var/log/system-name.log and then throw them >>>>>>>> away >>>>>>>> (don't put them in any other logfile) >>>>>>>> >>>>>>>> so if you get a log entry from a machine called 'server' it would >>>>>>>> create >>>>>>>> the >>>>>>>> fiel /var/log/system-server.log and then throw away the log. >>>>>>>> >>>>>>>> could you please try restating your what you think is being done >>>>>>>> differently >>>>>>>> from what you are wanting? 
>>>>>>>>
>>>>>>>> David Lang
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
From david at lang.hm Wed Mar 2 02:21:23 2011
From: david at lang.hm (david at lang.hm)
Date: Tue, 1 Mar 2011 17:21:23 -0800 (PST)
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References:
Message-ID:

rsyslog is very flexible, but it seems like you are testing one thing and
then complaining because of something else.

if you test to see if the source is localhost (or server) why don't you use
source in your DynaFile definition? if you did, I would be _very_ surprised
if you had any files named -server show up.

but you are testing the source and then setting your filename by hostname,
the fact that you are getting files named -server indicates that you have
some logs that are showing up where the source is not 'localhost' or
'server' but that hostname _is_ 'server'.

we could go down the path of looking at individual log entries to figure out
why this is the case and then tailoring the rules to fix those cases, but it
seems to me that the problem is at a higher level. It seems like it's
probably a mistake to test for source and then log by hostname, but you may
have a reason to do so. I've already missed an obvious thing in this thread
(i.e. that the central machine is named 'server'), so I'm trying not to
assume that you are doing this wrong, but instead am asking why you are
doing this.

If you want to start down the path of why the logs are showing up in
-server.log instead of falling through, then you need to change the logging
format to include %source% somewhere so that we can see what the source is
of the logs that you are seeing as being misfiled.

It seems like what you probably want to do is to change the test to test for
$hostname instead of $source to keep the logs from 'server' from going to
the destination of the first rule.

then the second rule will throw away any logs matched by the first rule

then the remainder of the rules will be applied to what's left.
David Lang On Wed, 2 Mar 2011, Lee Eric wrote: > Hey mate, > > Because I still wanna use the host "server" default logs location > /var/log/messages. I'm just thinking if the syntax of rsyslog is > complex that should indicate it is flexible. But I didn't notice that. > Do you have any good idea? > > Thanks. > > Eric > > On Wed, Mar 2, 2011 at 8:07 AM, wrote: >> sorry, I hadn't had time to look at this since my last e-mail >> >> the test is for source, but then the file is named from hostname, why the >> difference? wouldn't you want to have the test match what you are using in >> the filename? >> >> David Lang >> >> On Tue, 1 Mar 2011, Lee Eric wrote: >> >>> Date: Tue, 1 Mar 2011 22:22:11 +0800 >>> From: Lee Eric >>> Reply-To: rsyslog-users >>> To: rsyslog-users >>> Subject: Re: [rsyslog] Help: Separate Logs Order >>> >>> Any update? >>> >>> Eric >>> >>> On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric >>> wrote: >>>> >>>> Hi, >>>> >>>> No syntax error but still not working. system-server.log still >>>> created, other hosts logs write to the host "server" /var/log/messages >>>> and /var/log/system-hostname.log at the same time. >>>> >>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>> if ($source != 'localhost' or $source != 'server') then ?DynFile >>>> >>>> Regards, >>>> >>>> Eric >>>> >>>> On Tue, Mar 1, 2011 at 11:15 AM, ? wrote: >>>>> >>>>> I figured my syntax was not quite right. I didn't take the time to look >>>>> it >>>>> up exactly. >>>>> >>>>> Ok, looking things up >>>>> >>>>> if ($source != 'localhost' and $source != 'server') then ?DynFile >>>>> >>>>> how does this work. >>>>> >>>>> David Lang >>>>> >>>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>>> >>>>>> Date: Tue, 1 Mar 2011 10:26:13 +0800 
>>>>>> From: Lee Eric >>>>>> Reply-To: rsyslog-users >>>>>> To: rsyslog-users >>>>>> Subject: Re: [rsyslog] Help: Separate Logs Order >>>>>> >>>>>> Hi mate, >>>>>> >>>>>> I use your conf but I encounter more serious problem: >>>>>> >>>>>> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try >>>>>> http://www.rsyslog.com/e/2051 ] >>>>>> Feb 28 21:22:11 server rsyslogd: the last error occured in >>>>>> /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != >>>>>> 'server') then ?DynFile" >>>>>> Feb 28 21:22:11 server rsyslogd: warning: selector line without >>>>>> actions will be discarded >>>>>> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not >>>>>> interpret master config file '/etc/rsyslog.conf'. [try >>>>>> http://www.rsyslog.com/e/2124 ] >>>>>> >>>>>> And /var/log/system-server.log won't create but all other machines >>>>>> logs will write to /var/log/messages in the host "server", not the >>>>>> separated logs. >>>>>> >>>>>> Do you have any idea to fix that? >>>>>> >>>>>> Regards, >>>>>> >>>>>> Eric >>>>>> >>>>>> On Tue, Mar 1, 2011 at 9:49 AM, ? wrote: >>>>>>> >>>>>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>>>>> >>>>>>>> Sorry, mate. As you mentioned the log file /var/log/system-server.log >>>>>>>> will be created in the host "server" and throw away its other logs. >>>>>>>> But what I want is the logs in the host "server" will write to its >>>>>>>> original places in /var/log/messages etc., not recreated a >>>>>>>> system-server.log to record logs. >>>>>>>> >>>>>>>> By now, all host "server" logs will write to >>>>>>>> /var/log/system-server.log and other original logging places are not >>>>>>>> written by using my rules. So I hope there will be a way to fix that. >>>>>>>> The host "server" is rsyslog server. >>>>>>> >>>>>>> Ok, that's what I missed. 
>>>>>>> >>>>>>> you need to change your test to be something like the following >>>>>>> (probably >>>>>>> slightly incorrect) test >>>>>>> >>>>>>> if (%source != 'localhost' or %source != 'server') then ?DynFile >>>>>>> >>>>>>> and if you want it in the file system-server.log as well, add an entry >>>>>>> below >>>>>>> that that does >>>>>>> >>>>>>> *.* /var/log/system-server.log >>>>>>> >>>>>>> David Lang >>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Eric >>>>>>>> >>>>>>>> On Tue, Mar 1, 2011 at 5:38 AM, ? wrote: >>>>>>>>> >>>>>>>>> On Mon, 28 Feb 2011, Lee Eric wrote: >>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> I have a question about separate logs order configuration. I have 4 >>>>>>>>>> machines with hostnames server, storage, client1 and client2. The >>>>>>>>>> rsyslogs is running at server. The configuration looks like that: >>>>>>>>>> >>>>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>>>>> (e.g. >>>>>>>>>> via logger command) >>>>>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support >>>>>>>>>> (previously >>>>>>>>>> done >>>>>>>>>> by rklogd) >>>>>>>>>> $ModLoad imtcp.so >>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>>>>>>>> :source , !isequal , "localhost" ?DynFile >>>>>>>>>> & ~ >>>>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>>>> ?/var/log/messages >>>>>>>>>> authpriv.* >>>>>>>>>> ?/var/log/secure >>>>>>>>>> mail.* >>>>>>>>>> ?-/var/log/maillog >>>>>>>>>> cron.* >>>>>>>>>> ?/var/log/cron >>>>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>>>> uucp,news.crit >>>>>>>>>> ?/var/log/spooler >>>>>>>>>> local7.* >>>>>>>>>> ?/var/log/boot.log >>>>>>>>>> >>>>>>>>>> And in other machines the configuration looks like this: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system logging >>>>>>>>>> (e.g. 
>>>>>>>>>> via logger command) >>>>>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support >>>>>>>>>> (previously >>>>>>>>>> done >>>>>>>>>> by rklogd) >>>>>>>>>> $ModLoad imtcp.so >>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>>>> *.* ? ? @@server.herdingcat.internal >>>>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>>>> ?/var/log/messages >>>>>>>>>> authpriv.* >>>>>>>>>> ?/var/log/secure >>>>>>>>>> mail.* >>>>>>>>>> ?-/var/log/maillog >>>>>>>>>> cron.* >>>>>>>>>> ?/var/log/cron >>>>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>>>> uucp,news.crit >>>>>>>>>> ?/var/log/spooler >>>>>>>>>> local7.* >>>>>>>>>> ?/var/log/boot.log >>>>>>>>>> >>>>>>>>>> /var/log/system-storage.log, /var/log/system-client1.log, >>>>>>>>>> /var/log/system-client2.log created successfully and it works well >>>>>>>>>> but >>>>>>>>>> there's also a log file /var/log/system-server.log created. I hope >>>>>>>>>> server's log is still recorded under /var/log/messages not >>>>>>>>>> separated. >>>>>>>>>> So I'm wondering is there any good method to achieve that function? >>>>>>>>> >>>>>>>>> I don't really understand your question here. >>>>>>>>> >>>>>>>>> the second configuration doesn't seem to have any dynafile lines, so >>>>>>>>> it >>>>>>>>> sounds like you are asking about the first one. >>>>>>>>> >>>>>>>>> In the first one you are saying that for any server other than >>>>>>>>> localhost, >>>>>>>>> put the logs in a file /var/log/system-name.log and then throw them >>>>>>>>> away >>>>>>>>> (don't put them in any other logfile) >>>>>>>>> >>>>>>>>> so if you get a log entry from a machine called 'server' it would >>>>>>>>> create >>>>>>>>> the >>>>>>>>> fiel /var/log/system-server.log and then throw away the log. >>>>>>>>> >>>>>>>>> could you please try restating your what you think is being done >>>>>>>>> differently >>>>>>>>> from what you are wanting? 
>>>>>>>>>
>>>>>>>>> David Lang
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
From openlinuxsource at gmail.com Wed Mar 2 04:24:29 2011
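The rule chain David walks through above (first rule writes the dynafile, `& ~` throws the message away, everything else falls through to the ordinary selectors), modelled in Python so the three filter variants from the thread can be run side by side over sample messages. This is an added example for this archive page, not code from the thread or from the rsyslog project. The sample messages are constructed, and the values put in `$source` for the server's own messages ("server" and the FQDN "server.herdingcat.internal" from Eric's client config) are assumptions chosen to reproduce the symptom David describes, not values the thread shows.

```python
"""Model of the rsyslog rule chain discussed in this thread (added example).

The filter lines it models, in rsyslog's legacy syntax, are:

    # as posted: keyed on $source, but the file is named by %HOSTNAME%, and
    # 'X != a or X != b' is true for every X when a and b differ
    $template DynFile,"/var/log/system-%HOSTNAME%.log"
    if ($source != 'localhost' or $source != 'server') then ?DynFile
    & ~

    # what David suggests: test the property the filename is built from
    $template DynFile,"/var/log/system-%HOSTNAME%.log"
    :hostname, !isequal, "server"   ?DynFile
    & ~
"""
from dataclasses import dataclass

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass(frozen=True)
class Msg:
    source: str    # $source (fromhost): the peer the message was received from
    hostname: str  # $hostname: the HOSTNAME field carried inside the message
    facility: str
    severity: str


def filter_as_posted(m: Msg) -> bool:
    # Two inequalities on the same value joined by 'or' can never both be
    # false, so this selects every message, the server's own included.
    return m.source != "localhost" or m.source != "server"


def filter_source_and(m: Msg) -> bool:
    # David's corrected boolean, still keyed on $source.
    return m.source != "localhost" and m.source != "server"


def filter_by_hostname(m: Msg) -> bool:
    # Keyed on the same property the DynFile template uses.
    return m.hostname != "server"


# The ordinary selector lines from the posted config, in order.  The leading
# '-' (no sync) on the maillog entry does not affect routing and is dropped.
SELECTORS = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


def selector_matches(selector: str, m: Msg) -> bool:
    """Classic syslog.conf selector semantics: among the ';'-separated parts
    that name the message's facility (or '*'), the last one wins; 'none'
    excludes the facility, '*' takes every level, and a named level matches
    that level or anything more severe."""
    level = None
    for part in selector.split(";"):
        facilities, lvl = part.split(".")
        names = facilities.split(",")
        if "*" in names or m.facility in names:
            level = None if lvl == "none" else lvl
    if level is None:
        return False
    if level == "*":
        return True
    return SEVERITIES.index(m.severity) <= SEVERITIES.index(level)


def route(m: Msg, first_rule) -> list:
    """Destinations the message reaches.  A match on the first rule writes the
    dynafile and the following '& ~' discards the message, so only messages
    that fall through reach the ordinary selectors."""
    if first_rule(m):
        return ["/var/log/system-%s.log" % m.hostname]
    return [dest for sel, dest in SELECTORS if selector_matches(sel, m)]


# Constructed sample traffic as seen on the host "server".
SAMPLE = {
    "local daemon": Msg("server", "server", "daemon", "info"),
    # assumption: a local message whose $source carries the FQDN; this is the
    # shape David's diagnosis ($source not 'server', $hostname 'server')
    # implies, not a value taken from the thread
    "local fqdn": Msg("server.herdingcat.internal", "server", "kern", "warning"),
    "client1 auth": Msg("client1", "client1", "authpriv", "notice"),
    "storage cron": Msg("storage", "storage", "cron", "info"),
}


def routing_table(first_rule) -> dict:
    """Where each sample message ends up under the given first rule."""
    return {name: route(m, first_rule) for name, m in SAMPLE.items()}


if __name__ == "__main__":
    for name, rule in [("as posted", filter_as_posted),
                       ("source, and", filter_source_and),
                       ("hostname", filter_by_hostname)]:
        print(name)
        for msg, dests in routing_table(rule).items():
            print("  %-13s -> %s" % (msg, ", ".join(dests)))
```

Under `filter_as_posted` every sample lands in a `system-<hostname>.log` file, including the server's own messages, which is exactly the `/var/log/system-server.log` Eric keeps seeing. `filter_source_and` lets a local message through only as long as its `$source` is literally "server"; any other spelling of the sender still produces the `-server` file, which is the mismatch David points at. `filter_by_hostname` keys the test on the property the template uses, so the server's own messages fall through to `/var/log/messages` and the other hosts are still split out.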
From: openlinuxsource at gmail.com (Lee Eric)
Date: Wed, 2 Mar 2011 11:24:29 +0800
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References:
Message-ID:

Thanks mate. You mean my match pattern may be wrong or bad rules?

Eric

On Wed, Mar 2, 2011 at 9:21 AM, wrote:
> rsyslog is very flexible, but it seems like you are testing one thing and
> then complaining because of something else.
>
> if you test to see if the source is localhost (or server) why don't you use
> source in your DynaFile definition? if you did, I would be _very_ surprised
> if you had any files named -server show up.
>
> but you are testing the source and then setting your filename by hostname,
> the fact that you are getting files named -server indicates that you have
> some logs that are showing up where the source is not 'localhost' or
> 'server' but that hostname _is_ 'server'.
>
> we could go down the path of looking at individual log entries to figure out
> why this is the case and then tailoring the rules to fix those cases, but it
> seems to me that the problem is at a higher level. It seems like it's
> probably a mistake to test for source and then log by hostname, but you may
> have a reason to do so. I've already missed an obvious thing in this thread
> (i.e. that the central machine is named 'server'), so I'm trying not to
> assume that you are doing this wrong, but instead am asking why you are
> doing this.
>
>
> If you want to start down the path of why the logs are showing up in
> -server.log instead of falling through, then you need to change the logging
> format to include %source% somewhere so that we can see what the source is
> of the logs that you are seeing as being misfiled.
>
>
> It seems like what you probably want to do is to change the test to test for
> $hostname instead of $source to keep the logs from 'server' from going to
> the destination of the first rule.
> > then the second rule will throw away any logs matched by the first rule > > then the remainder of the rules will be applied to what's left. > > David Lang > > > > ?On Wed, 2 Mar 2011, Lee Eric wrote: > >> Hey mate, >> >> Because I still wanna use the host "server" default logs location >> /var/log/messages. I'm just thinking if the syntax of rsyslog is >> complex that should indicate it is flexible. But I didn't notice that. >> Do you have any good idea? >> >> Thanks. >> >> Eric >> >> On Wed, Mar 2, 2011 at 8:07 AM, ? wrote: >>> >>> sorry, I hadn't had time to look at this since my last e-mail >>> >>> the test is for source, but then the file is named from hostname, why the >>> difference? wouldn't you want to have the test match what you are using >>> in >>> the filename? >>> >>> David Lang >>> >>> On Tue, 1 Mar 2011, Lee Eric wrote: >>> >>>> Date: Tue, 1 Mar 2011 22:22:11 +0800 >>>> From: Lee Eric >>>> Reply-To: rsyslog-users >>>> To: rsyslog-users >>>> Subject: Re: [rsyslog] Help: Separate Logs Order >>>> >>>> Any update? >>>> >>>> Eric >>>> >>>> On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric >>>> wrote: >>>>> >>>>> Hi, >>>>> >>>>> No syntax error but still not working. system-server.log still >>>>> created, other hosts logs write to the host "server" /var/log/messages >>>>> and /var/log/system-hostname.log at the same time. >>>>> >>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>>> if ($source != 'localhost' or $source != 'server') then ?DynFile >>>>> >>>>> Regards, >>>>> >>>>> Eric >>>>> >>>>> On Tue, Mar 1, 2011 at 11:15 AM, ? wrote: >>>>>> >>>>>> I figured my syntax was not quite right. I didn't take the time to >>>>>> look >>>>>> it >>>>>> up exactly. >>>>>> >>>>>> Ok, looking things up >>>>>> >>>>>> if ($source != 'localhost' and $source != 'server') then ?DynFile >>>>>> >>>>>> how does this work. >>>>>> >>>>>> David Lang >>>>>> >>>>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>>>> >>>>>>> Date: Tue, 1 Mar 2011 10:26:13 +0800 
>>>>>>> From: Lee Eric >>>>>>> Reply-To: rsyslog-users >>>>>>> To: rsyslog-users >>>>>>> Subject: Re: [rsyslog] Help: Separate Logs Order >>>>>>> >>>>>>> Hi mate, >>>>>>> >>>>>>> I use your conf but I encounter more serious problem: >>>>>>> >>>>>>> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try >>>>>>> http://www.rsyslog.com/e/2051 ] >>>>>>> Feb 28 21:22:11 server rsyslogd: the last error occured in >>>>>>> /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != >>>>>>> 'server') then ?DynFile" >>>>>>> Feb 28 21:22:11 server rsyslogd: warning: selector line without >>>>>>> actions will be discarded >>>>>>> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not >>>>>>> interpret master config file '/etc/rsyslog.conf'. [try >>>>>>> http://www.rsyslog.com/e/2124 ] >>>>>>> >>>>>>> And /var/log/system-server.log won't create but all other machines >>>>>>> logs will write to /var/log/messages in the host "server", not the >>>>>>> separated logs. >>>>>>> >>>>>>> Do you have any idea to fix that? >>>>>>> >>>>>>> Regards, >>>>>>> >>>>>>> Eric >>>>>>> >>>>>>> On Tue, Mar 1, 2011 at 9:49 AM, ? wrote: >>>>>>>> >>>>>>>> On Tue, 1 Mar 2011, Lee Eric wrote: >>>>>>>> >>>>>>>>> Sorry, mate. As you mentioned the log file >>>>>>>>> /var/log/system-server.log >>>>>>>>> will be created in the host "server" and throw away its other logs. >>>>>>>>> But what I want is the logs in the host "server" will write to its >>>>>>>>> original places in /var/log/messages etc., not recreated a >>>>>>>>> system-server.log to record logs. >>>>>>>>> >>>>>>>>> By now, all host "server" logs will write to >>>>>>>>> /var/log/system-server.log and other original logging places are >>>>>>>>> not >>>>>>>>> written by using my rules. So I hope there will be a way to fix >>>>>>>>> that. >>>>>>>>> The host "server" is rsyslog server. >>>>>>>> >>>>>>>> Ok, that's what I missed. 
>>>>>>>> >>>>>>>> you need to change your test to be something like the following >>>>>>>> (probably >>>>>>>> slightly incorrect) test >>>>>>>> >>>>>>>> if (%source != 'localhost' or %source != 'server') then ?DynFile >>>>>>>> >>>>>>>> and if you want it in the file system-server.log as well, add an >>>>>>>> entry >>>>>>>> below >>>>>>>> that that does >>>>>>>> >>>>>>>> *.* /var/log/system-server.log >>>>>>>> >>>>>>>> David Lang >>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> Eric >>>>>>>>> >>>>>>>>> On Tue, Mar 1, 2011 at 5:38 AM, ? wrote: >>>>>>>>>> >>>>>>>>>> On Mon, 28 Feb 2011, Lee Eric wrote: >>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> I have a question about separate logs order configuration. I have >>>>>>>>>>> 4 >>>>>>>>>>> machines with hostnames server, storage, client1 and client2. The >>>>>>>>>>> rsyslogs is running at server. The configuration looks like that: >>>>>>>>>>> >>>>>>>>>>> $ModLoad imuxsock.so ? ?# provides support for local system >>>>>>>>>>> logging >>>>>>>>>>> (e.g. >>>>>>>>>>> via logger command) >>>>>>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support >>>>>>>>>>> (previously >>>>>>>>>>> done >>>>>>>>>>> by rklogd) >>>>>>>>>>> $ModLoad imtcp.so >>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log" >>>>>>>>>>> :source , !isequal , "localhost" ?DynFile >>>>>>>>>>> & ~ >>>>>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>>>>> ?/var/log/messages >>>>>>>>>>> authpriv.* >>>>>>>>>>> ?/var/log/secure >>>>>>>>>>> mail.* >>>>>>>>>>> ?-/var/log/maillog >>>>>>>>>>> cron.* >>>>>>>>>>> ?/var/log/cron >>>>>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>>>>> uucp,news.crit >>>>>>>>>>> ?/var/log/spooler >>>>>>>>>>> local7.* >>>>>>>>>>> ?/var/log/boot.log >>>>>>>>>>> >>>>>>>>>>> And in other machines the configuration looks like this: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> $ModLoad imuxsock.so ? 
?# provides support for local system >>>>>>>>>>> logging >>>>>>>>>>> (e.g. >>>>>>>>>>> via logger command) >>>>>>>>>>> $ModLoad imklog.so ? ? ?# provides kernel logging support >>>>>>>>>>> (previously >>>>>>>>>>> done >>>>>>>>>>> by rklogd) >>>>>>>>>>> $ModLoad imtcp.so >>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >>>>>>>>>>> *.* ? ? @@server.herdingcat.internal >>>>>>>>>>> *.info;mail.none;authpriv.none;cron.none >>>>>>>>>>> ?/var/log/messages >>>>>>>>>>> authpriv.* >>>>>>>>>>> ?/var/log/secure >>>>>>>>>>> mail.* >>>>>>>>>>> ?-/var/log/maillog >>>>>>>>>>> cron.* >>>>>>>>>>> ?/var/log/cron >>>>>>>>>>> *.emerg ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? * >>>>>>>>>>> uucp,news.crit >>>>>>>>>>> ?/var/log/spooler >>>>>>>>>>> local7.* >>>>>>>>>>> ?/var/log/boot.log >>>>>>>>>>> >>>>>>>>>>> /var/log/system-storage.log, /var/log/system-client1.log, >>>>>>>>>>> /var/log/system-client2.log created successfully and it works >>>>>>>>>>> well >>>>>>>>>>> but >>>>>>>>>>> there's also a log file /var/log/system-server.log created. I >>>>>>>>>>> hope >>>>>>>>>>> server's log is still recorded under /var/log/messages not >>>>>>>>>>> separated. >>>>>>>>>>> So I'm wondering is there any good method to achieve that >>>>>>>>>>> function? >>>>>>>>>> >>>>>>>>>> I don't really understand your question here. >>>>>>>>>> >>>>>>>>>> the second configuration doesn't seem to have any dynafile lines, >>>>>>>>>> so >>>>>>>>>> it >>>>>>>>>> sounds like you are asking about the first one. >>>>>>>>>> >>>>>>>>>> In the first one you are saying that for any server other than >>>>>>>>>> localhost, >>>>>>>>>> put the logs in a file /var/log/system-name.log and then throw >>>>>>>>>> them >>>>>>>>>> away >>>>>>>>>> (don't put them in any other logfile) >>>>>>>>>> >>>>>>>>>> so if you get a log entry from a machine called 'server' it would >>>>>>>>>> create >>>>>>>>>> the >>>>>>>>>> fiel /var/log/system-server.log and then throw away the log. 
>>>>>>>>>> >>>>>>>>>> could you please try restating your what you think is being done >>>>>>>>>> differently >>>>>>>>>> from what you are wanting? >>>>>>>>>> >>>>>>>>>> David Lang4 >>>>>>>>>> _______________________________________________ >>>>>>>>>> rsyslog mailing list >>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>>>>>> http://www.rsyslog.com >>>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> rsyslog mailing list >>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>>>>> http://www.rsyslog.com >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> rsyslog mailing list >>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>>>> http://www.rsyslog.com >>>>>>>> >>>>>>>> >>>>>>> _______________________________________________ >>>>>>> rsyslog mailing list >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>>> http://www.rsyslog.com >>>>>> >>>>>> _______________________________________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com >>>>>> >>>>>> >>>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >>> >>> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > > From david at lang.hm Wed Mar 2 04:46:20 2011 
From: david at lang.hm (david at lang.hm)
Date: Tue, 1 Mar 2011 19:46:20 -0800 (PST)
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References:
Message-ID:

On Wed, 2 Mar 2011, Lee Eric wrote:

> Thanks mate. You mean my match pattern may be wrong or bad rules?

try changing the match from $server to $hostname and see if that does what
you are wanting to do.

David Lang

> Eric

From friedl at hq.adiscon.com Wed Mar 2 17:36:53 2011
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Wed, 2 Mar 2011 17:36:53 +0100
Subject: [rsyslog] rsyslog 5.7.7 (v5-beta) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD6E@GRFEXC.intern.adiscon.com>

Hi all,

We have just released rsyslog 5.7.7, the new v5-beta. This release contains a
single, but important patch. It is a recommended update for all users.

Please see the ChangeLog for more details.

ChangeLog: http://www.rsyslog.com/changelog-for-5-7-7-v5-beta/
Download: http://www.rsyslog.com/rsyslog-5-7-7-v5-beta/

As always, feedback is appreciated.

Best regards,
Florian Riedl

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations
that find rsyslog useful and wish to contribute back. You can contribute by
reporting bugs, improve the software, or donate money or equipment. Commercial
support contracts for rsyslog are available, and they help finance continued
maintenance. Adiscon GmbH, a privately held German company, is currently
funding rsyslog development. We are always looking for interesting development
projects. For details on how to help, please see
http://www.rsyslog.com/doc-how2help.html.

From ephemeric at gmail.com Wed Mar 2 17:43:43 2011
From: ephemeric at gmail.com (Robert Gabriel)
Date: Wed, 2 Mar 2011 18:43:43 +0200
Subject: [rsyslog] PCRE possible as a POSIX ERE?
Message-ID:

Hello all,

Is this possible:

grep -P "cat\s(?!(dog|bird)).*"

to be matched using a POSIX ERE?

I tried the generator/checker but no joy.

Thanks.

From lists at laubenheimer.net Wed Mar 2 03:59:55 2011
From: lists at laubenheimer.net (lists at laubenheimer.net)
Date: Tue, 1 Mar 2011 18:59:55 -0800
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References:
Message-ID: <41621b5c909b6c6e48fe772667abd4f8.squirrel@webmail.laubenheimer.net>

> Hi,
>
> I have a question about separate logs order configuration. I have 4
> machines with hostnames server, storage, client1 and client2. The
> rsyslogs is running at server. The configuration looks like that:
>
> $ModLoad imuxsock.so   # provides support for local system logging (e.g.
> via logger command)
> $ModLoad imklog.so     # provides kernel logging support (previously done by
> rklogd)
> $ModLoad imtcp.so
> $InputTCPServerRun 514
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $template DynFile,"/var/log/system-%HOSTNAME%.log"
> :source , !isequal , "localhost" ?DynFile
> & ~

I have found that

:source, condition, "localhost" action

doesn't work. The "localhost" part is not functional, at least on my system.

Try replacing the lines with

:fromhost-ip, !isequal, "127.0.0.1" ?DynFile
& ~

The fromhost-ip ... 127.0.0.1 works on CentOS 5 with rsyslog 5.6

> *.info;mail.none;authpriv.none;cron.none    /var/log/messages
> authpriv.*                                  /var/log/secure
> mail.*                                      -/var/log/maillog
> cron.*                                      /var/log/cron
> *.emerg                                     *
> uucp,news.crit                              /var/log/spooler
> local7.*                                    /var/log/boot.log

ljl, new to the list

From openlinuxsource at gmail.com Thu Mar 3 02:25:06 2011
From: openlinuxsource at gmail.com (Lee Eric)
Date: Thu, 3 Mar 2011 09:25:06 +0800
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To: <41621b5c909b6c6e48fe772667abd4f8.squirrel@webmail.laubenheimer.net>
References: <41621b5c909b6c6e48fe772667abd4f8.squirrel@webmail.laubenheimer.net>
Message-ID:

Thanks mate. I just cannot understand the rules in rsyslog clearly. Is
there any doc about the rules order or anything related? It looks like
the logical part is strange.

Regards,

Eric

On Wed, Mar 2, 2011 at 10:59 AM, wrote:
> I have found that
>
> :source, condition, "localhost" action
>
> doesn't work. The "localhost" part is not functional, at least on my system.
>
> Try replacing the lines with
>
> :fromhost-ip, !isequal, "127.0.0.1" ?DynFile
> & ~
>
> The fromhost-ip ... 127.0.0.1 works on CentOS 5 with rsyslog 5.6
>
> ljl, new to the list

From rgerhards at hq.adiscon.com Wed Mar 2 18:55:15 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 2 Mar 2011 18:55:15 +0100
Subject: [rsyslog] PCRE possible as a POSIX ERE?
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD70@GRFEXC.intern.adiscon.com>

To the best of my knowledge: no. But some regex guru may tell you the
replacement...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Robert Gabriel
> Sent: Wednesday, March 02, 2011 5:44 PM
> To: rsyslog-users
> Subject: [rsyslog] PCRE possible as a POSIX ERE?
>
> Hello all,
>
> Is this possible:
>
> grep -P "cat\s(?!(dog|bird)).*"
>
> to be matched using a POSIX ERE?
>
> I tried the generator/checker but no joy.
>
> Thanks.

From tbergfeld at hq.adiscon.com Thu Mar 3 15:53:21 2011
From: tbergfeld at hq.adiscon.com (Tom Bergfeld)
Date: Thu, 3 Mar 2011 15:53:21 +0100
Subject: [rsyslog] rsyslog 5.6.4 (v5-stable) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD73@GRFEXC.intern.adiscon.com>

We have just released rsyslog 5.6.4, the new v5-stable. This is a maintenance
release for the current v5-stable branch. It contains some important bug fixes.
It is highly recommended to upgrade to this version.

Please see the ChangeLog for more details.

ChangeLog: http://www.rsyslog.com/changelog-for-5-6-4-v5-stable/
Download: http://www.rsyslog.com/rsyslog-5-6-4-v5-stable/

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

From lists at laubenheimer.net Thu Mar 3 19:33:42 2011
From: lists at laubenheimer.net (lists at laubenheimer.net)
Date: Thu, 3 Mar 2011 10:33:42 -0800
Subject: [rsyslog] Help: Separate Logs Order
In-Reply-To:
References: <41621b5c909b6c6e48fe772667abd4f8.squirrel@webmail.laubenheimer.net>
Message-ID: <8480975b1f2c9cd922dfe30ef4ad68e4.squirrel@webmail.laubenheimer.net>

Unfortunately, the docs about the order of rules are unclear. The germane
part is that the "localhost" keyword doesn't work on many systems, apparently,
but the fromhost-ip isequal "127.0.0.1" (the loopback address for the local
host) does. Quirky.

In general, the config language has some very frustrating holes in it still,
IMO.

ljl

> Thanks mate. I just cannot understand the rules in rsyslog clearly. Is
> there any doc about the rules order or anything related? It looks like
> the logical part is strange.
>
> Regards,
>
> Eric

From rgerhards at hq.adiscon.com Fri Mar 4 09:22:13 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 4 Mar 2011 09:22:13 +0100
Subject: [rsyslog] duplicate entry from imklog
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD79@GRFEXC.intern.adiscon.com>

Can you reproduce this with a more recent build? At least you should upgrade
to the latest v3-stable.

Rainer

> -----Original Message-----
> From: David G [mailto:davegu1 at hotmail.com]
> Sent: Friday, March 04, 2011 8:51 AM
> To: David Gutierrez; Rainer Gerhards
> Subject: Re: duplicate entry from imklog
>
> Any ideas.,
>
> --------------------------------------------------
> From: "David Gutierrez"
> Sent: Wednesday, February 23, 2011 2:52 PM
> To:
> Subject: duplicate entry from imklog
>
>> Rainer,
>> Hope all is going well on your side. I was noticing the imklog sends
>> duplicate entry when restarting and exporting it to a remote host.
>>
>> kernel: imklog 3.18.6, log source = /proc/kmsg started.
>> kernel: imklog 3.18.6, log source = /proc/kmsg started.
>>
>> Any ideas or thoughts.
>>
>> David

From tbergfeld at hq.adiscon.com Fri Mar 4 15:10:38 2011
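For the Separate Logs Order thread above: a toy model of rsyslog's legacy rule evaluation, added here as an illustration (it is not code from the thread or from rsyslog), which runs Eric's selector block behind each first rule the thread tried, over two constructed messages. It assumes what the fromhost-ip fix relies on: for a message generated on the collector itself, the source/fromhost property is the local hostname ("server", not "localhost") and fromhost-ip is 127.0.0.1; the two `if ... then` expressions are modelled as Python lambdas, and David Lang's `$hostname` test is written as the equivalent property filter `:hostname, !isequal, "server"`.

```python
"""Toy model of rsyslog's legacy rule order (written for this thread, not rsyslog code).
Rules run top to bottom; "& action" reuses the previous filter; the "~" action discards
the message so no later rule sees it; anything not matched falls through to the selectors."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PROP_FILTER = re.compile(r':(\S+?)\s*,\s*(!?)isequal\s*,\s*"([^"]*)"\s+(\S+)$')

@dataclass
class Msg:
    hostname: str     # HOSTNAME from the message itself; this is what DynFile expands
    fromhost: str     # rsyslog "source"/"fromhost": the peer the message came from
    fromhost_ip: str  # IP of that peer; modelled as 127.0.0.1 for locally generated messages
    facility: str
    severity: str

def prop(msg: Msg, name: str) -> str:
    """Resolve the rsyslog property names that appear in the thread."""
    return {"source": msg.fromhost, "fromhost": msg.fromhost,
            "fromhost-ip": msg.fromhost_ip, "hostname": msg.hostname}[name]

class Ruleset:
    def __init__(self, templates: Dict[str, str]):
        self.templates = templates
        self.rules: List[tuple] = []  # (filter, action) in config order

    def add(self, line: Union[str, Callable[[Msg], bool]], action: str = "?DynFile") -> None:
        """Add one legacy config line; a callable stands in for an 'if ... then' expression."""
        if callable(line):
            self.rules.append((line, action))
        elif line.startswith(":"):  # property-based filter
            name, neg, value, action = PROP_FILTER.match(line.strip()).groups()
            self.rules.append((lambda m: (prop(m, name) == value) != bool(neg), action))
        elif line.startswith("&"):  # same filter as the previous rule, another action
            self.rules.append((self.rules[-1][0], line[1:].strip()))
        else:  # classic facility.priority selector
            selector, action = line.split(maxsplit=1)
            self.rules.append((self._selector(selector), action))

    @staticmethod
    def _selector(spec: str) -> Callable[[Msg], bool]:
        """sysklogd selector: ';'-separated parts, later parts override earlier ones."""
        def matches(msg: Msg) -> bool:
            result = False
            for part in spec.split(";"):
                facilities, priority = part.rsplit(".", 1)
                if facilities == "*" or msg.facility in facilities.split(","):
                    # "none" excludes the facility, "*" takes every severity, otherwise
                    # the message must be at least as urgent as the named severity
                    result = priority != "none" and (priority == "*" or
                        SEVERITIES.index(msg.severity) <= SEVERITIES.index(priority))
            return result
        return matches

    def route(self, msg: Msg) -> List[str]:
        """Return the destinations the message is written to, in config order."""
        written = []
        for match, action in self.rules:
            if not match(msg):
                continue
            if action == "~":  # discard: stop processing this message
                break
            if action.startswith("?"):  # dynafile: expand the named template
                written.append(self.templates[action[1:]].replace("%HOSTNAME%", msg.hostname))
            else:
                written.append(action.lstrip("-"))  # a leading '-' only means buffered writes
        return written

TEMPLATES = {"DynFile": "/var/log/system-%HOSTNAME%.log"}
SELECTORS = [  # the selector block Eric posted for the host "server"
    "*.info;mail.none;authpriv.none;cron.none  /var/log/messages", "authpriv.*  /var/log/secure",
    "mail.*  -/var/log/maillog", "cron.*  /var/log/cron", "*.emerg  *",
    "uucp,news.crit  /var/log/spooler", "local7.*  /var/log/boot.log",
]
FIRST_RULES: Dict[str, Union[str, Callable[[Msg], bool]]] = {  # first rules tried in the thread
    "source != localhost": ':source , !isequal , "localhost" ?DynFile',
    "if or": lambda m: prop(m, "source") != "localhost" or prop(m, "source") != "server",
    "if and": lambda m: prop(m, "source") != "localhost" and prop(m, "source") != "server",
    "hostname != server": ':hostname, !isequal, "server" ?DynFile',
    "fromhost-ip != 127.0.0.1": ':fromhost-ip, !isequal, "127.0.0.1" ?DynFile',
}
# Constructed sample messages: one generated on "server" itself, one received from client1.
LOCAL = Msg("server", "server", "127.0.0.1", "daemon", "info")
REMOTE = Msg("client1", "client1", "192.0.2.11", "daemon", "info")

def build(first_rule: Union[str, Callable[[Msg], bool]]) -> Ruleset:
    rs = Ruleset(TEMPLATES)
    rs.add(first_rule)  # matched messages go to the dynafile ...
    rs.add("& ~")       # ... and are then discarded, exactly as in the posted config
    for line in SELECTORS:
        rs.add(line)
    return rs

def compare() -> Dict[str, Dict[str, List[str]]]:
    """Where do the local and the remote message end up under each candidate first rule?"""
    return {name: {"server": build(rule).route(LOCAL), "client1": build(rule).route(REMOTE)}
            for name, rule in FIRST_RULES.items()}
```

compare() reproduces the thread's symptom: under the original :source test and under the `or` expression the collector's own message lands in /var/log/system-server.log, while the `and` expression, the $hostname test and the fromhost-ip test all leave it in /var/log/messages and still file client1's message into its own dynafile.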
From: tbergfeld at hq.adiscon.com (Tom Bergfeld)
Date: Fri, 4 Mar 2011 15:10:38 +0100
Subject: [rsyslog] rsyslog 6.1.5 (devel) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD88@GRFEXC.intern.adiscon.com>

We have just released rsyslog 6.1.5, the new v6-devel.

This is both a stability and a performance enhancement release. Most importantly, imtcp was enhanced to support a small number of worker threads for imtcp processing. This will increase overall processing performance for high-end environments. Stability has improved by including a number of important patches, some of which fix abort conditions. Please see the ChangeLog for more details.

ChangeLog: http://www.rsyslog.com/changelog-for-6-1-5-v6-devel/
Download: http://www.rsyslog.com/rsyslog-6-1-5-v6-devel/

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html.
From: olivier.fauchon at digitick.com (Olivier Fauchon)
Date: Sat, 5 Mar 2011 19:26:56 +0100 (CET)
Subject: [rsyslog] rsyslogd slowing down the system when using RELP and remote server unreachable
In-Reply-To: <1943947365.3230.1299349548687.JavaMail.root@zimbra02>
Message-ID: <1806252387.3233.1299349616723.JavaMail.root@zimbra02>

Hi.

I use rsyslogd for centralizing my webservers' logs. The webservers run rsyslogd too, to process the logs locally and send them to the central log server with the omrelp module.

Here is the configuration:

$template DailyAccess,"/data/opt/logs/apache/access.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DailyError,"/data/opt/logs/apache/error.%$YEAR%-%$MONTH%-%$DAY%.log"
$template apache,"%HOSTNAME% -%msg%\n"
$template tracedigitick,"/data/opt/logs/apache/%app-name%/%$now%.log"

$WorkDirectory /data/rsyslog           # where to place spool files
$MainMsgQueueSaveOnShutdown on         # save messages to disk on shutdown
$ActionQueueFileName remotequeue       # unique name prefix for spool files
$ActionQueueMaxDiskSpace 10g           # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on          # save messages to disk on shutdown
$ActionQueueType LinkedList            # run asynchronously
$ActionResumeRetryCount -1             # infinite retries if host is down
$ActionResumeInterval 10

local5.* :omrelp:192.168.13.10:20514;RSYSLOG_ForwardFormat
& ~
local6.* :omrelp:192.168.13.10:20514;RSYSLOG_ForwardFormat
& ~
if $programname == 'httpd' and $syslogfacility-text == 'user' then :omrelp:192.168.3.9:20514;RSYSLOG_ForwardFormat
& ~
local7.* :omrelp:192.168.3.9:20514;RSYSLOG_ForwardFormat
local7.* ~
~

THE PROBLEM:

This morning, my central rsyslog server was unreachable, and all the webservers went bad (high load, not responding to requests). I discovered that they were stuck in the Log 'L' state (in Apache's server-status page). The system console 'logger' command was terribly slow too (4-5 seconds to process).

*** System information:

- RedHat Linux myname 2.6.9-89.0.26.ELsmp #1 SMP Sun May 30 09:31:52 EDT 2010 i686 i686 i386 GNU/Linux

RSyslogd custom compilation:

/usr/local/rsyslogd/sbin/rsyslogd -v
rsyslogd 5.6.3, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      Yes
        FEATURE_NETZIP (message compression):   Yes
        GSSAPI Kerberos 5 support:              No
        FEATURE_DEBUG (debug build, slow code): No
        Atomic operations supported:            No
        Runtime Instrumentation (slow code):    No

*** Steps to reproduce

1. Use "IPTABLES -A -d IP.OF.CENTRAL.RSYSLOGD -p tcp --dport 20514 -j DROP" to isolate the webservers
2. Run: while true; do logger "Hello from console logger loop"; done
3. Wait a couple of seconds, stop the loop from step 2 and test:

[root@webserver01 log]# time logger aa

real    0m4.885s
user    0m0.001s
sys     0m0.000s
[root@digul-ws03 log]#

I can read strange messages in -dn mode:

7399.141790000:b7f0eaa0: input thread term: had a timeout waiting on thread termination
7399.154054000:b7f0eaa0: input thread term: had a timeout waiting on thread termination
7399.166314000:b7f0eaa0: input thread term: had a timeout waiting on thread termination
7399.177537000:b6109ba0: main Q: enqueueMsg: cond timeout, dropping message!
7399.177562000:b6109ba0: main Q: EnqueueMsg advised worker start
7399.177585000:b6109ba0: imudp: epoll_wait() returned with 1 fds
7399.177609000:b6109ba0: thrdStarter: usrThrdMain 0xb6109ba0 returned with iRet 0, exiting now.
7399.177659000:b7f0eaa0: input thread term: thread returned normally and is terminated
7399.177674000:b7f0eaa0: non-cancel input thread termination succeeded for thread 0xb6109ba0
7399.177767000:b7f0eaa0: main Q: queue nearly full (10000 entries), but could not drop msg (iRet: 0, severity 6)
7399.177785000:b7f0eaa0: main Q: enqueueMsg: queue FULL - waiting to drain.
7401.179944000:b7f0eaa0: main Q: enqueueMsg: cond timeout, dropping message!
7401.179983000:b7f0eaa0: main Q: EnqueueMsg advised worker start

Can you tell me more about this behaviour?
How can I fix that so the other processes can survive rsyslog communication problems?

Thanks

--
Olivier Fauchon
Tel: 06.85.53.26.41
From: ac26649 at gmail.com (antonio manuel ciampi)
Date: Sat, 05 Mar 2011 19:46:08 +0100
Subject: [rsyslog] rsyslogd slowing down the system when using RELP and remote server unreachable
In-Reply-To: <1806252387.3233.1299349616723.JavaMail.root@zimbra02>
References: <1806252387.3233.1299349616723.JavaMail.root@zimbra02>
Message-ID: <4D7284F0.6000103@gmail.com>

Why wather go down? You had created some process that don't work together with your system read files.log, maybe you find the problem for the solution. Too much time-out, queue, waiting.
From: david at lang.hm (david at lang.hm)
Date: Sat, 5 Mar 2011 23:24:19 -0800 (PST)
Subject: [rsyslog] rsyslogd slowing down the system when using RELP and remote server unreachable
In-Reply-To: <1806252387.3233.1299349616723.JavaMail.root@zimbra02>
References: <1806252387.3233.1299349616723.JavaMail.root@zimbra02>

First off, I see an inconsistency in your config.

On Sat, 5 Mar 2011, Olivier Fauchon wrote:

> Hi.
>
> I use rsyslogd for centralizing my webserver's logs.
> Webservers run rsyslogd too to locally process the logs, and send them to the central log server with OMRELP module.
>
> Here is the configuration:
>
> $template DailyAccess,"/data/opt/logs/apache/access.%$YEAR%-%$MONTH%-%$DAY%.log"
> $template DailyError,"/data/opt/logs/apache/error.%$YEAR%-%$MONTH%-%$DAY%.log"
> $template apache,"%HOSTNAME% -%msg%\n"
> $template tracedigitick,"/data/opt/logs/apache/%app-name%/%$now%.log"
>
> $WorkDirectory /data/rsyslog           # where to place spool files
> $MainMsgQueueSaveOnShutdown on         # save messages to disk on shutdown
> $ActionQueueFileName remotequeue       # unique name prefix for spool files
> $ActionQueueMaxDiskSpace 10g           # 1gb space limit (use as much as possible)

you set a disk space limit

> $ActionQueueSaveOnShutdown on          # save messages to disk on shutdown
> $ActionQueueType LinkedList            # run asynchronously

but then you pick a memory-only queue type that doesn't use disk

there's also no particular queue type needed to run asynchronously, so the comment here is misleading.

> $ActionResumeRetryCount -1             # infinite retries if host is down
> $ActionResumeInterval 10
>
>
> THE PROBLEM:
>
> This morning, my central rsyslog server was unreachable, and all the
> webservers went bad (high load, not responding to requests)
> I discovered that they were stuck in the Log 'L' state (in Apache's server-status page)
> System console 'logger' command was terribly slow too. (4-5 seconds to process)

what is happening is that you have told rsyslog to be very careful about forwarding messages and make sure that they get to the destination before forgetting about them.

but what happens is that when the destination stops accepting messages, rsyslog will queue the messages until its queue is full, and then stop accepting new messages (which causes apache to pause)

If you want to have your sending rsyslog instances use disk to store messages that it can't get acknowledgement of you need to use the disk-assisted queue type

If you stick with memory based queues, you probably want to bump up the max queue size a lot to give you more time.

David Lang
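As an added example, not a configuration from this thread or from the rsyslog project, here is the sender-side action-queue block that David's reply points at, with the limits that Olivier's config leaves at their defaults made explicit. Setting `$ActionQueueFileName` on a LinkedList queue is what makes it disk-assisted; the spool is then bounded by `$ActionQueueMaxDiskSpace`. The security-relevant decision is what happens once even that is exhausted. As written, the block prefers availability: it drops low-priority messages past the discard mark and never makes the producer wait for a slot, so a collector that is unreachable (or deliberately cut off) cannot stall Apache's writes to /dev/log the way Olivier measured. Commenting out the three lines marked below gives the opposite, never-lose-a-message behaviour that a compliance deployment needs, at the cost of that stall. Host, port, the 30 s retry interval, all sizes and the severity threshold are illustrative choices; rsyslog 5.x legacy syntax is assumed.

```conf
# Sender-side rsyslog.conf fragment (legacy syntax, rsyslog 5.x assumed).
# Added example, not the thread's own config. All limits are illustrative.
$ModLoad omrelp

$WorkDirectory /data/rsyslog            # spool directory; owned by and private to the rsyslog user

# --- queue parameters for the omrelp action that follows ---
# Action-queue directives apply to the next action only and are reset
# after it, so every forwarding action needs its own block like this.
$ActionQueueType LinkedList             # in-memory queue ...
$ActionQueueFileName relpq-collector    # ... with a spool file, which makes it disk-assisted (DA)
$ActionQueueSize 50000                  # in-memory capacity, in messages
$ActionQueueHighWaterMark 40000         # above this the queue starts writing to the spool file
$ActionQueueLowWaterMark 10000          # below this it leaves DA mode again
$ActionQueueMaxDiskSpace 2g             # hard cap on the spool; disk is finite too
$ActionQueueSaveOnShutdown on           # persist whatever is still queued when rsyslogd stops

# Availability over completeness (comment out these three lines for the
# "never discard, block instead" policy): past the discard mark, drop
# messages of severity 5 (notice) and numerically higher (info, debug),
# and do not wait for a free slot at all (0 ms enqueue timeout).
$ActionQueueDiscardMark 45000
$ActionQueueDiscardSeverity 5
$ActionQueueTimeoutEnqueue 0

# Keep retrying the collector forever; probe it every 30 s.
$ActionResumeRetryCount -1
$ActionResumeInterval 30

local5.*;local6.* :omrelp:192.168.13.10:20514;RSYSLOG_ForwardFormat
& ~
```

Reproduce Olivier's test against this block (drop traffic to port 20514, then loop `logger` and time a single call): the spool files under $WorkDirectory should grow while `logger` stays fast. Whichever policy is chosen, the spool holds the same data as the log files and deserves the same permissions, and discards should be watched rather than discovered later; impstats, available in 5.x, reports queue sizes and discarded counts.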
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Sun, 6 Mar 2011 22:43:32 -0800
Subject: [rsyslog] Apache/Rsyslog stop working after several hours
Message-ID: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com>

Been planning an rsyslog deployment for about a month. Everything performed as expected in my limited use dev environment, but when I deployed rsyslog today to my production environment multiple systems yielded similar disastrous results:

After a few hours Apache jumped up to 250+ processes (max=256, normal=~50) and then started hanging. At this time, rsyslog also stopped logging altogether. As soon as I killed rsyslog and started sysklog, httpd processes dropped to 50 and everything went back to normal.

I'm not sure if this is a case where rsyslog froze and its state resulted in Apache's inability to close processes or if there is a problem with Apache and Rsyslog when a decent volume of traffic is passed through. I'm happy to provide additional information if someone could give me some clues as to where to start looking. At this point we're reverting until I can diagnose this issue and assure my team that I've fixed the problem for good.

Version: rsyslog-3.22.1-3.el5_5.1
System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

Todd Michael Bushnell
toddmichael at gmail.com
From: david at lang.hm (david at lang.hm)
Date: Sun, 6 Mar 2011 22:47:36 -0800 (PST)
Subject: [rsyslog] Apache/Rsyslog stop working after several hours
In-Reply-To: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com>
References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com>

do you have rsyslog logging locally or remotely?

can you provide the rsyslog.conf?

it sounds as if rsyslog could not keep up and you have things configured to pause under those conditions (which would cause apache to be unable to log, and therefore to end up with lots of processes)

I will point out that 3.22.1 is pretty ancient at this point (current stable is 5.6, current development is 6.1)

David Lang
From: olivier.fauchon at digitick.com (Olivier Fauchon)
Date: Mon, 7 Mar 2011 10:23:30 +0100 (CET)
Subject: [rsyslog] Apache/Rsyslog stop working after several hours
In-Reply-To: <1394483402.1362.1299489492173.JavaMail.root@zimbra02>
Message-ID: <906779670.1408.1299489809910.JavaMail.root@zimbra02>

Hi ...

I just found the solution:

When rsyslog on the webserver could not communicate with my central rsyslog server with the RELP protocol, all the logs passed to /dev/log are spooled in memory, until the link is back.

When the memory limit is reached (10000 entries), rsyslog throttles the input (/dev/log was really slow). This is the reason Apache goes mad and blocks (it used /dev/log, in my case).

The workaround is to allow rsyslog to spool its main queue on disk. Then, if rsyslog can't forward logs to the central rsyslog server, it spools all the input logs on disk.

When connectivity to the central server is back, it processes all the data.

Here is the important part of the configuration:

$MainMsgQueueFileName mainqueue        # <<<<<<< allow to spool on disk if required
$MainMsgQueueType LinkedList           # dynamic size of buffer
$MainMsgQueueSaveOnShutdown on

Tell me if that helped!

Olivier

--
Olivier Fauchon
Digitick
Systems and network administrator
Tel: 06.85.53.26.41

From: hidayath.basha at saventech.com (Hidayath Basha)
Date: Mon, 7 Mar 2011 16:11:31 +0530
Subject: [rsyslog] Transfer Multiple Files To A Centralized Logging Server

Hi,

I am new to rsyslog. I used syslog-ng for a week. In syslog-ng 2.0.x I was trying to send multiple files with a single source file driver.

I have multiple files...

some-host:/some/path $ ls -l
-rw------- 1 root root  90K Mar 3 11:37 mylogs-2011-03-03
-rw------- 1 root root  121 Mar 4 11:40 mylogs-2011-03-04

In the conf file....

source s_files {
    file("/some/path/mylogs*");
};

How can I do it with rsyslog? Please point me to some documentation.

Thanks and regards,
Hidayath
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 7 Mar 2011 12:38:40 +0100
Subject: [rsyslog] Apache/Rsyslog stop working after several hours
In-Reply-To: <906779670.1408.1299489809910.JavaMail.root@zimbra02>
References: <1394483402.1362.1299489492173.JavaMail.root@zimbra02> <906779670.1408.1299489809910.JavaMail.root@zimbra02>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD9A@GRFEXC.intern.adiscon.com>

Well, as David said: if you configure rsyslog to not discard any messages, you need to think about the consequences. These are obvious: if no discard is permitted, the output destination cannot be reached, and the available buffer space has been used up, then no more input messages can be accepted, which usually results in a slowdown of the senders and ultimately in a system hang.

This is nothing to blame rsyslog for: there are actually some folks that need this type of processing (due to compliance rules).

You can easily avoid the problem by configuring rsyslog to discard messages when it needs to do so. Or, as said here, you can write to disk (but keep in mind that disk is also a limited resource).

For additional information, I would also suggest having a look at section 4.5 of this paper: http://download.rsyslog.com/design.pdf

Note: the paper is still unfinished, but it contains a lot of useful information.

Rainer

From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 7 Mar 2011 12:50:08 +0100
Subject: [rsyslog] Transfer Multiple Files To A Centralized Logging Server
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDD9B@GRFEXC.intern.adiscon.com>

This is unfortunately currently not supported by rsyslog. But a refactoring of imfile is underway that will support it -- but that probably needs a few weeks before it becomes generally available :(

Rainer
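As an added example that is not part of Rainer's answer or of Hidayath's post, here is what the imfile module of that era does support: one explicit monitor per file, each with its own state file, and no globbing. The two dated files from the listing therefore each need a stanza, and a new one would have to be added every day, which is exactly why the wildcard support Rainer mentions matters. The tag, facility, spool directory and collector address are assumptions; rsyslog 5.x legacy syntax is assumed.

```conf
# Added example, not from the thread. rsyslog 5.x legacy syntax assumed.
$ModLoad imfile

$WorkDirectory /var/spool/rsyslog       # imfile keeps its per-file state files here

# One stanza per file: imfile of this generation takes no wildcards.
# The state file name must be unique per monitored file, otherwise two
# monitors share a read offset and lines are skipped or re-sent.
$InputFileName /some/path/mylogs-2011-03-03
$InputFileTag mylogs:
$InputFileStateFile state-mylogs-2011-03-03
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor

$InputFileName /some/path/mylogs-2011-03-04
$InputFileTag mylogs:
$InputFileStateFile state-mylogs-2011-03-04
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor

$InputFilePollInterval 10               # seconds between polls, applies to all monitors

# Forward only the file-sourced messages (facility local3) to the
# collector, then stop so they do not also land in the local log files.
local3.* @@logserver.example.net:514
& ~
```

The files in the listing are mode 0600 and owned by root; rsyslogd running as root can read them, but if privileges are dropped with `$PrivDropToUser` the files must be readable by that user. Forwarding with plain `@@` TCP means the file contents cross the network unencrypted and without sender authentication, so this only belongs on a trusted segment or under a TLS-capable setup.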
From: arekm at maven.pl (Arkadiusz Miskiewicz)
Date: Mon, 7 Mar 2011 15:02:29 +0100
Subject: [rsyslog] async queues problem
Message-ID: <201103071502.29744.arekm@maven.pl>

Hello,

I'm trying to run 5.6.4 in an environment where any I/O operation on one device can hang forever while I/O operations on a second device work fine. My current config is below. /mnt/test/cron is on an NFS disk where I'm DROPing all traffic to the NFS server on the firewall to simulate an I/O hang. /var/log/all is on a local disk.

According to http://bugzilla.adiscon.com/show_bug.cgi?id=230 turning on async queues will allow rsyslog to log into the /var/log/all file even if I/O for /mnt/test/cron hangs. Unfortunately if /mnt/test/cron hangs then /var/log/all hangs too. Looks like async doesn't get activated.

Any ideas?

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup logs
$FileCreateMode 0640
$DirCreateMode 0750

$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* /mnt/test/cron

$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* /var/log/all

--
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
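As an added example, not part of Arkadiusz's post and not a confirmed fix for the 5.6.4 behaviour he reports, this is the per-action configuration I would put under test for that scenario. The idea is to isolate the destination that can hang: the NFS file gets its own bounded queue whose enqueue must never block, so that when its worker is stuck in write(2) and the queue is full, the main queue's single worker drops that action's copy of the message immediately instead of waiting. With the default enqueue timeout of 2000 ms the worker would wait that long for every message, which is enough to back the main queue up into /dev/log and stall the local file as well. The queue directives are repeated before the second action because rsyslog consumes them after each action; without them the local file action falls back to the Direct queue type and runs inside the main queue worker. The sizes, the discard severity and the 0 ms timeout are illustrative values.

```conf
# Added example, not Arkadiusz's configuration. rsyslog 5.x legacy syntax.
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup logs
$FileCreateMode 0640
$DirCreateMode 0750

# Action 1: the file on NFS, whose write(2) may hang forever.
# Small bounded in-memory queue, and the main queue worker must never
# wait on it: if the queue is full, this action's copy of the message is
# dropped at once (0 ms) rather than stalling every other action.
$ActionQueueType LinkedList
$ActionQueueSize 2000
$ActionQueueDiscardMark 1800
$ActionQueueDiscardSeverity 5            # notice, info and debug are dropped first
$ActionQueueTimeoutEnqueue 0
$ActionResumeRetryCount -1
*.* /mnt/test/cron

# Action 2: the local file, which must keep working. The directives above
# were consumed by action 1, so they are stated again here; otherwise the
# defaults apply and this action runs in the main queue's thread.
$ActionQueueType LinkedList
$ActionQueueSize 10000
$ActionResumeRetryCount -1
*.* /var/log/all
```

Test it the way the post does: block traffic to the NFS server, run `logger` in a loop, and confirm that /var/log/all keeps receiving while the NFS action's queue fills and then discards. The trade-off is explicit: anyone who can make the NFS path hang, including a simple network partition, now causes silent loss of the NFS copy, so this is only acceptable where the local file is the authoritative record.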
From: toddmichael at gmail.com (Todd Michael Bushnell) Date: Mon, 7 Mar 2011 08:08:13 -0800 Subject: [rsyslog] Apache/Rsyslog stop working after several hours In-Reply-To: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> Message-ID: <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com> Appreciate the feedback. Sorry last night's message so sparse - wasn't feeling too great and wanted to crash. Few points followed by my config file: 1. Using TCP, not RELP, because I'm still using syslog-NG as central loghost with rsyslog on servers. 2. Already have configured to queue locally in the event of outage. See config below. I've tested successfully in the past, but yesterday, when there were problems, I checked the local queue and did not see local queueing occurring. Perhaps it was just slow enough to slow things to a crawl, killing Apache, but not quite slow enough to result in local queueing. Is that possible? Should I look to tune this? 3. Running "ancient" version of Rsyslog because this is the latest in CentOS 5 repo. Figured this is because it's stable which is what I want. No need for some of the newer bells at this point. If I guessed wrong here and latest will give me better stability and performance I'll build new RPMs. 4. Have a number of admitted design deficiencies with Apache and Tomcat that could be contributing to performance although this does not impact sysklog which is why I proceeded as-is until I could get engineering to fix. 4a. Apache uses logger to send to local syslog socket (where rsyslog writes locally and sends to 2 remote servers) and also writes to its own files locally so we're logging twice locally for every message. Not good when traffic gets high, I presume. Just noticed this yesterday so need to get fixed. To make matters worse, all logging is happening on the same volume. 
Until fixed, maybe I should just have rsyslog write local Apache logs to /dev/null and forward to remote syslog - nothing else. Thoughts? 4b. Log4j sending directly to syslog servers, writing to its own local files and sending to localhost:514 for local logging. Would prefer all gets handed to rsyslog for local and remote logging. Need to get engineering to fix that too. Like mentioned before, to reduce IO contention and avoid duplication, might just configure rsyslog to write to /dev/null as long as it's configured like this. Only question with 4a/b is that this never posed a problem with sysklog, but is a problem with rsyslog. This is the reason I did not try to make any major changes in phase 1. # Configuration File # Provides kernel logging support (previously done by rklogd) $ModLoad imklog # Provides support for local system logging (e.g. via logger command) $ModLoad imuxsock # Max Message Size (default 2k) $MaxMessageSize 8192 # Must listen on localhost for Log4j. Need engineering to change this $ModLoad imudp $UDPServerAddress 127.0.0.1 $UDPServerRun 514 # Use traditional timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # ownership/permissions $umask 0000 $FileOwner root $FileGroup wheel $FileCreateMode 0640 # include directory for breaking directives into separate files (future) $IncludeConfig /etc/rsyslog.d/ # forward to remote host, queueing to local disk if host is down and memory fills up # work (spool) files directory $WorkDirectory /var/log/rsyslog # loghost1 # in-memory queue; set for asynchronous processing (?) $ActionQueueType LinkedList # failover queue filename; also enables disk mode $ActionQueueFileName failqueue-loghost1 # infinite retries on insert failure $ActionResumeRetryCount -1 # save in-memory data if rsyslog shuts down $ActionQueueSaveOnShutdown on # remote logging of everything *.* @@loghost1:5140 # loghost2 # in-memory queue; set for asynchronous processing (?) 
$ActionQueueType LinkedList # failover queue filename; also enables disk mode $ActionQueueFileName failqueue-loghost2 # infinite retries on insert failure $ActionResumeRetryCount -1 # save in-memory data if rsyslog shuts down $ActionQueueSaveOnShutdown on # remote logging of everything *.* @@loghost2:5140 # Log Filtering Rules # Emergency Messages if $syslogseverity <= '0' then * if $syslogseverity <= '0' then /var/log/messages if $syslogseverity <= '0' then ~ # Apache if $programname == 'logger' and ($msg contains 'access_log' or $msg contains 'cookie_log' or $msg contains 'r equest_log') then /var/log/http & ~ if $programname == 'httpd' and ($syslogfacility-text == 'local5' or $syslogfacility-text == 'local6') then /var/log/http_err & ~ # Log4j (App Logs) if $programname == 'com.redacted.infra.syslog.Log4jSystemLogger' then /var/log/log4j & ~ # Kernel & IPTables if $programname == 'kernel' and ($msg contains 'LOGACCEPT' or $msg contains 'LOGDROP') then /var/log/iptables & ~ # Auth Messages if $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' then /var/log/secure & ~ # Mail if $syslogfacility-text == 'mail' then /var/log/maillog & ~ # Catchall for remaining log messages *.* /var/log/messages On Mar 6, 2011, at 10:43 PM, Todd Michael Bushnell wrote: > Been planning an rsyslog deployment for about a month. Everything performed as expected in my limited use dev environment, but when I deployed rsyslog today to my production environment multiple systems yielded similar disastrous results: > > After a few hours Apache jumped up to 250+ processes (max=256, normal=~50) and then started hanging. At this time, rsyslog also stopped logging altogether. As soon as I killed rsyslog and started sysklog, httpd processes dropped to 50 and everything went back to normal. 
>
> I'm not sure if this is a case where rsyslog froze and its state resulted in Apache's inability to close processes, or if there is a problem with Apache and Rsyslog when a decent volume of traffic is passed through. I'm happy to provide additional information if someone could give me some clues as to where to start looking. At this point we're reverting until I can diagnose this issue and assure my team that I've fixed the problem for good.
>
> Version: rsyslog-3.22.1-3.el5_5.1
> System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>
> Todd Michael Bushnell
> toddmichael at gmail.com

From tbergfeld at hq.adiscon.com Wed Mar 9 10:56:18 2011
From: tbergfeld at hq.adiscon.com (Tom Bergfeld)
Date: Wed, 9 Mar 2011 10:56:18 +0100
Subject: [rsyslog] rsyslog 5.7.8 (v5-beta) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDDB1@GRFEXC.intern.adiscon.com>

We have just released rsyslog 5.7.8, the new v5-beta.

This is a maintenance release for the current v5-beta branch. It contains some important bug fixes. Please see the ChangeLog for more details.

ChangeLog: http://www.rsyslog.com/changelog-for-5-7-8-v5-beta/
Download: http://www.rsyslog.com/rsyslog-5-7-8-v5-beta/

As always, feedback is appreciated.

Best regards,
Tom Bergfeld
--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html.

From toddmichael at gmail.com Wed Mar 9 23:29:11 2011
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Wed, 9 Mar 2011 14:29:11 -0800
Subject: [rsyslog] Troubleshooting Rsyslog/Apache Issues
Message-ID: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com>

Posted earlier this week, but was sick at the time and thus didn't post enough info to warrant an informed response. Here's some more information along with some specific questions:

Conditions:

- Version: rsyslog-3.22.1-3.el5_5.1
- System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
- Rsyslog clients w/ Syslog-NG servers
- Transport: TCP

Problem:

Replaced Sysklog with Rsyslog. After several hours of high traffic, Apache processes jumped from 50 to 250 and Apache eventually stopped working. As soon as I shut down Rsyslog and turned up Sysklog, Apache procs went back to normal and all was resolved.

Questions:

1. Running an old version of Rsyslog (3.22) because this is the latest version available in the CentOS repository. Will I get performance/stability improvements upgrading to 5.x (e.g. 5.6.2) or even 6.x? If so, I'll build RPMs, but I assumed the latest version in the CentOS 5 repository was sufficient if I don't need the latest features. Am I wrong? Should I upgrade to the latest?

2. A couple of design deficiencies (Apache & Log4j logs are double logged), but deployed as-is until Engineering could fix the deficiencies because I wanted to emulate the existing Sysklog deployment. Before fixing, I just need to understand if there's anything about my Rsyslog configuration that would make duplicate logging an issue when it was not an issue with Sysklog.

3. The one major difference between Sysklog and Rsyslog is the use of TCP. I know this trades performance for efficiency, but I don't know how to determine if this is the problem. I don't see issues on the server side, and even if there are problems, I have Rsyslog configured to queue locally if anything happens on the server side. During the problem, there is no local queuing going on. Are there any diagnostics I can pull to determine if remote syslog is the issue?

Below is my config file. Is there anything in here that is a glaring issue? If not, my ideas are to:

1. Upgrade, then retry.
2. Remove duplication, then retry.
3. Change from TCP back to UDP, then retry.

until I determine the source of the problem.

# Configuration File

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Max Message Size (default 2k)
$MaxMessageSize 8192

# Must listen on localhost for Log4j. Need engineering to change this
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# ownership/permissions
$umask 0000
$FileOwner root
$FileGroup wheel
$FileCreateMode 0640

# include directory for breaking directives into separate files (future)
$IncludeConfig /etc/rsyslog.d/

# forward to remote host, queueing to local disk if host is down and memory fills up
# work (spool) files directory
$WorkDirectory /var/log/rsyslog

# loghost1
# in-memory queue; set for asynchronous processing (?)
$ActionQueueType LinkedList
# failover queue filename; also enables disk mode
$ActionQueueFileName failqueue-loghost1
# infinite retries on insert failure
$ActionResumeRetryCount -1
# save in-memory data if rsyslog shuts down
$ActionQueueSaveOnShutdown on
# remote logging of everything
*.* @@loghost1:5140

# loghost2
# in-memory queue; set for asynchronous processing (?)
$ActionQueueType LinkedList
# failover queue filename; also enables disk mode
$ActionQueueFileName failqueue-loghost2
# infinite retries on insert failure
$ActionResumeRetryCount -1
# save in-memory data if rsyslog shuts down
$ActionQueueSaveOnShutdown on
# remote logging of everything
*.* @@loghost2:5140

# Log Filtering Rules

# Emergency Messages
if $syslogseverity <= '0' then *
if $syslogseverity <= '0' then /var/log/messages
if $syslogseverity <= '0' then ~

# Apache
if $programname == 'logger' and ($msg contains 'access_log' or $msg contains 'cookie_log' or $msg contains 'request_log') then /var/log/http
& ~
if $programname == 'httpd' and ($syslogfacility-text == 'local5' or $syslogfacility-text == 'local6') then /var/log/http_err
& ~

# Log4j (App Logs)
if $programname == 'com.redacted.infra.syslog.Log4jSystemLogger' then /var/log/log4j
& ~

# Kernel & IPTables
if $programname == 'kernel' and ($msg contains 'LOGACCEPT' or $msg contains 'LOGDROP') then /var/log/iptables
& ~

# Auth Messages
if $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' then /var/log/secure
& ~

# Mail
if $syslogfacility-text == 'mail' then /var/log/maillog
& ~

# Catchall for remaining log messages
*.* /var/log/messages

From mbiebl at gmail.com Thu Mar 10 00:02:43 2011
From: mbiebl at gmail.com (Michael Biebl)
Date: Thu, 10 Mar 2011 00:02:43 +0100
Subject: [rsyslog] rsyslog 5.7.8 (v5-beta) released
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDDB1@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DDDB1@GRFEXC.intern.adiscon.com>
Message-ID:

2011/3/9 Tom Bergfeld :
> We have just released rsyslog 5.7.8, the new v5-beta.
>
> This is a maintenance release for the current v5-beta branch. It contains
> some important bug fixes.

5.7.8 fails to build here. I'm using

$ ./configure --build=i486-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/rsyslog --disable-maintainer-mode --disable-dependency-tracking --enable-mysql --enable-pgsql --enable-mail --enable-imfile --enable-gssapi-krb5 --enable-gnutls --enable-relp --enable-pmaixforwardedfrom --enable-pmcisconames --enable-pmlastmsg --enable-pmrfc3164sd --enable-pmsnare --enable-omprog --disable-testbench --with-systemdsystemunitdir=/lib/systemd/system

make[2]: Entering directory `/mnt/home/michael/debian/build-area/rsyslog-5.7.8/plugins/pmaixforwardedfrom'
  CC     pmaixforwardedfrom_la-pmaixforwardedfrom.lo
/bin/bash ../../libtool --silent --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../runtime -I../.. -pthread -I ../../tools -g -O2 -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -Wmissing-format-attribute -g -c -o pmaixforwardedfrom_la-pmaixforwardedfrom.lo `test -f 'pmaixforwardedfrom.c' || echo './'`pmaixforwardedfrom.c
pmaixforwardedfrom.c: In function 'parse':
pmaixforwardedfrom.c:70: warning: unused variable 'opening'
pmaixforwardedfrom.c: In function 'queryEtryPt':
pmaixforwardedfrom.c:146: error: 'modGetKeepType' undeclared (first use in this function)
pmaixforwardedfrom.c:146: error: (Each undeclared identifier is reported only once
pmaixforwardedfrom.c:146: error: for each function it appears in.)
make[2]: *** [pmaixforwardedfrom_la-pmaixforwardedfrom.lo] Error 1
make[2]: Leaving directory `/mnt/home/michael/debian/build-area/rsyslog-5.7.8/plugins/pmaixforwardedfrom'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/home/michael/debian/build-area/rsyslog-5.7.8'
make: *** [all] Error 2

Might I suggest updating DISTCHECK_CONFIGURE_FLAGS to catch such errors in the future.

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

From rgerhards at hq.adiscon.com Thu Mar 10 10:00:45 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Mar 2011 10:00:45 +0100
Subject: [rsyslog] rsyslog 5.7.8 (v5-beta) released
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA71DDDB1@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDDBC@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Biebl
> Sent: Thursday, March 10, 2011 12:03 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 5.7.8 (v5-beta) released
>
> 5.7.8 fails to build here.
...
> Might I suggest updating DISTCHECK_CONFIGURE_FLAGS to catch such
> errors in the future.

Indeed, I should have added it there ;) Will do today. I don't think I'll do a new release just for that reason (or should I?). I plan to include some more things and guess the next release will go out either tomorrow or early next week.

Rainer

>
> Cheers,
> Michael
>
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From rgerhards at hq.adiscon.com Thu Mar 10 10:05:26 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Mar 2011 10:05:26 +0100
Subject: [rsyslog] Troubleshooting Rsyslog/Apache Issues
In-Reply-To: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com>
References: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com>

Just some quick points, but I guess useful ones:

The newer versions offer much more performance. For details, see here: http://www.gerhards.net/download/LinuxKongress2010rsyslog.pdf

I see you use script-based filters where you could use much simpler ones. Script-based filters are pretty slow. Go for selector lines or property-based filters (in that order) to gain more speed.

HTH
Rainer
From stefan.kleindl at rlb-stmk.raiffeisen.at Thu Mar 10 11:43:21 2011
From: stefan.kleindl at rlb-stmk.raiffeisen.at (stefan.kleindl at rlb-stmk.raiffeisen.at)
Date: Thu, 10 Mar 2011 11:43:21 +0100
Subject: [rsyslog] Parsing Snare input
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com>
References: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com>
Message-ID:

After spending a few days (in relation to many others this is probably child's play) I'm stuck with a problem and I'm out of ideas on how to fix it.

I'm having a Windows 2003 Server pump its Syslogs via Snare onto a RHEL 6.0 with the 5.6.4 build of rsyslog (compiled with ./configure --enable-mysql --enable-gnutls --enable-mail) running the latest LogAnalyzer GUI. I'm also having a RHEL 5.2 pump data into it via rsyslog, default yum package and settings. UDP, in case it matters.

I'm sending all the input to the DB and also logging it to the disk into separate files (see config later). This works fine for the "Syslog Fields" view, where only the ProcessID field is empty (for either of them).

But the EventLog fields are just in very bad shape. EventLog Type, Event Source, EventID and Event User are all missing - for both the RHEL and the Windows servers. The whole info is dumped into the message property - like it is by default.

My goal would be to get a properly filled view like http://loganalyzer-demo.adiscon.com/ (eventlog fields) where especially the different Event Users are working - but I can't seem to manage. I'd like to have all the data, parsed or not, saved on the disk and properly parsed in the MySQL/in the GUI.

I tried template parsing via the rsyslog wiki and David Lang's example from http://lists.adiscon.net/pipermail/rsyslog/2009-October/010978.html

I added the Parser from the rsyslog forums http://kb.monitorware.com/snare-msg-parser-t10171.html#p18502 but I can't seem to apply this to a SQL DB. I tried direct SQL statements in the rsyslog.conf - to no avail.

Any ideas on how to parse this properly/easily?

regards

# for Snare
$EscapeControlCharactersOnReceive off
#
#
#load modules
$ModLoad immark    # provides --MARK-- message capability
$ModLoad imudp     # provides UDP syslog reception
$ModLoad imtcp     # provides TCP syslog reception
$ModLoad imuxsock  # provides support for local system logging (e.g. via logger command)
$ModLoad imklog    # provides kernel logging support (previously done by rklogd)
$ModLoad ommail    # direct email sending
$ModLoad ommysql

# Provides UDP syslog reception
$UDPServerRun 514

# Provides TCP syslog reception
#$InputTCPServerRun 514

#####################################################
## Log everything to a per host daily logfile       #
######################################################
$template DailyPerHostLogs,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
*.* -?DailyPerHostLogs

# Writes everything into DB
*.* :ommysql:localhost,Syslog,rsyslog,password

#MAILTEST - functional 9.3.2011
#$ActionMailSMTPServer xxxx
#$ActionMailFrom xxx
#$ActionMailTo xxx
#$template mailSubject,"%hostname% - %timereported%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 20
#:hostname, contains, "xl" :ommail:;mailBody

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

Windows Example Message:

Service 17978 Thu Mar 10 11:40:39 2011 1139 NTDS LDAP ANONYMOUS LOGON Well Known Group Information 38866A01 LDAP Interface Internal event: Function ldap_search completed with an elapsed time of 0 ms. 8585

----------------------------------------
Raiffeisen-Landesbank Steiermark AG, Graz, FN 264700 s, Landesgericht für Zivilrechtssachen Graz, DVR 0040495

Correspondence with the a.m. sender via e-mail is only for information purposes. This medium is not to be used for the exchange of legally-binding communications.
----------------------------------------

From andersns at basefarm.no Thu Mar 10 15:37:07 2011
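The EventLog fields Stefan's post wants (EventLog Type, Event Source, EventID, Event User) are separate tab-delimited fields of the Snare record, which is why they stay empty when the whole record lands in the message property. The parser below is an added example, not code from the post, from rsyslog or from LogAnalyzer: it assumes the standard Snare field order, and its sample record is constructed from the Windows message above, with the leading hostname, the "MSWinEventLog" marker, the criticality and the "Directory" half of the log name filled in as assumptions, because the quoted copy starts at "Service" and has its tabs flattened.

```python
"""Parse Snare-for-Windows event records into the EventLog fields.

Added example, not from the mailing-list post or from rsyslog/LogAnalyzer.
Assumed Snare layout (tab-separated):
  hostname, "MSWinEventLog", criticality, log name, counter, date/time,
  event id, source, user, SID type, event type, computer, category,
  data string, checksum
"""
from dataclasses import dataclass
from typing import Dict, Optional

MARKER = "MSWinEventLog"
# rsyslog escapes control characters as #<octal> while
# $EscapeControlCharactersOnReceive is on, so a tab then arrives as "#011".
ESCAPED_TAB = "#011"


@dataclass
class SnareEvent:
    log_name: str
    event_id: int
    event_source: str
    event_user: str
    sid_type: str
    event_type: str
    computer: str
    category: str
    message: str

    def systemevents_columns(self) -> Dict[str, object]:
        """Map the event onto the SystemEvents columns of rsyslog's MySQL
        schema that LogAnalyzer reads for its EventLog view."""
        return {
            "EventLogType": self.event_type,
            "EventSource": self.event_source,
            "EventID": self.event_id,
            "EventUser": self.event_user,
            "EventCategory": self.category,
            "Message": self.message,
        }


def parse_snare(raw: str) -> Optional[SnareEvent]:
    """Return the parsed event, or None if `raw` is not a usable Snare record.

    A syslog header may precede the record, so it is located by its fixed
    "MSWinEventLog" marker; the hostname field before the marker is ignored.
    """
    idx = raw.find(MARKER)
    if idx < 0:
        return None                      # ordinary syslog message, not Snare
    fields = raw[idx:].replace(ESCAPED_TAB, "\t").split("\t")
    # marker, criticality, log name, counter, datetime, event id, source,
    # user, SID type, event type, computer, category, data[, checksum]
    if len(fields) < 13:
        return None                      # tabs lost: fields cannot be told apart
    try:
        event_id = int(fields[5])
    except ValueError:
        return None
    return SnareEvent(
        log_name=fields[2],
        event_id=event_id,
        event_source=fields[6],
        event_user=fields[7],
        sid_type=fields[8],
        event_type=fields[9],
        computer=fields[10],
        category=fields[11],
        message=fields[12].strip(),
    )


# Constructed sample built from the message quoted in the post; the host
# "dc01", criticality "1" and the "Directory " part of the log name are assumed.
SAMPLE = "\t".join([
    "dc01", MARKER, "1", "Directory Service", "17978",
    "Thu Mar 10 11:40:39 2011", "1139", "NTDS LDAP", "ANONYMOUS LOGON",
    "Well Known Group", "Information", "38866A01", "LDAP Interface",
    "Internal event: Function ldap_search completed with an elapsed time of 0 ms.",
    "8585",
])


if __name__ == "__main__":
    print(parse_snare(SAMPLE).systemevents_columns())
    # The same record with its tabs flattened to spaces, as it appears in the
    # post, cannot be parsed because the field boundaries are gone.
    print(parse_snare(SAMPLE.replace("\t", " ")))
```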
From: andersns at basefarm.no (Anders Synstad)
Date: Thu, 10 Mar 2011 15:37:07 +0100
Subject: [rsyslog] Problem with "corrupt" log message
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDA60@GRFEXC.intern.adiscon.com>
References: <4D37FB67.60406@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA5C@GRFEXC.intern.adiscon.com> <4D38144A.4000006@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA60@GRFEXC.intern.adiscon.com>
Message-ID: <4D78E213.7060909@basefarm.no>

Hello,

On 01/20/2011 01:21 PM, Rainer Gerhards wrote:
>> -----Original Message-----
>> I'm running latest Rsyslog 5.6.2. I pretty much came to the same conclusions as you.
>>
>> I doubt I can reproduce it. Out of several gigabytes of logs each day, this is the first time I've seen it.
>
> Yup... Maybe this helps: I got some reports from folks who have a bit of a problem with 5.6.2 and a very good report came in yesterday. I am about to look at it. It could be that all of this has a common reason. But other than that, I do not have any advice right now...
>

Did these reports give any results regarding this issue?

I've been trying to dig a bit more in our logs, and I've seen it happen more than once now. It's however a bit hard to locate these corrupt lines in the logs as they differ slightly.

I also did a quick attempt at some tcpdumping, but without knowing a bit more what I'm looking for, it's too much data going through the system at the moment to be just staring at it.

The bits of configuration related to these logfiles are:

$ModLoad imudp # Standard input module for UDP
$ModLoad imtcp # Standard input module for TCP

$template t-network,"/var/log/network.%$myhostname%.log"
$template bf-default,"%timegenerated:::date-rfc3339% %fromhost% %rawmsg:::drop-last-lf%\n"

# Ruleset: network
$Ruleset network-udp-10514
$RulesetCreateMainQueue on
*.* -?t-network;bf-default

$RuleSet network-tcp-10514
$RulesetCreateMainQueue on
*.* -?t-network;bf-default

$InputUDPServerBindRuleset network-udp-10514
$UDPServerRun 10514

$InputTCPServerBindRuleset network-tcp-10514
$InputTCPServerRun 10514

I'm using load balancing (active/passive) and different VIPs on the LB to point logs from different systems to different ports on my central loghost. And all in all, this is working very nicely :)

But as you can see, both TCP and UDP are logged to the same file, and I'm almost willing to bet my right pinky that the problem is related to this.

Another example of a broken log:

> 2011-03-08T12:50:45.973537+01:00 osl3-lb05b-v2011-03-08T12:50:46.126028+01:00 some.fw.net <164>Mar 08 2011 12:50:46: %ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst some.lb-lnk:x.x.x.x/3389 by access-group new-test-fw-lb-lnk_out [0x4da29309, 0x0]

Regards,
Anders Synstad
Basefarm AS

From rgerhards at hq.adiscon.com Thu Mar 10 16:09:09 2011
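The broken line Anders quotes has the shape that two writers appending to one file produce when a write lands in the middle of another's record: the first record ends at "osl3-lb05b-v" and a complete second record follows on the same line. The scanner below is an added example, not code from the post or from rsyslog: it finds such records in a file written with the bf-default template above (RFC 3339 timegenerated, fromhost, rawmsg with its <PRI>) and splits them back into their pieces; the sample lines are constructed around the quoted one, and the orphan tail on line 3 is an assumption about where the cut-off remainder would land.

```python
"""Flag log records that two writers interleaved in one file.

Added example, not from the post. Records follow the bf-default template:
"<timegenerated, RFC 3339> <fromhost> <rawmsg>", and rawmsg from a syslog
sender starts with its "<PRI>" header. A record start is a timestamp that is
at column 0, glued to a preceding non-space character (as in the broken line
from the post), or followed by " host <PRI>". A line holding more than one
start, or none at all, was not written atomically.
"""
import re
from typing import List, Tuple

TIMESTAMP = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2}|Z)"
)
# " fromhost <PRI>" as the template writes it right after timegenerated
HEADER_TAIL = re.compile(r" \S+ <\d{1,3}>")


def record_starts(line: str) -> List[int]:
    """Offsets at which a new record begins inside `line`."""
    starts = []
    for m in TIMESTAMP.finditer(line):
        pos = m.start()
        glued = pos > 0 and not line[pos - 1].isspace()
        header = HEADER_TAIL.match(line, m.end()) is not None
        if pos == 0 or glued or header:
            starts.append(pos)
    return starts


def classify(line: str) -> Tuple[str, List[str]]:
    """Return ("ok" | "interleaved" | "orphan", fragments).

    "orphan" is a line with no record start: the tail of a record whose head
    was cut off by another writer. "interleaved" lines are split into the
    pieces that belong to different records, a leading cut-off tail included.
    """
    starts = record_starts(line)
    if not starts:
        return "orphan", [line]
    bounds = ([0] if starts[0] != 0 else []) + starts + [len(line)]
    fragments = [line[a:b] for a, b in zip(bounds, bounds[1:])]
    return ("ok" if len(fragments) == 1 else "interleaved"), fragments


def scan(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line number, status, fragments) for every line that is not intact."""
    findings = []
    for number, line in enumerate(lines, 1):
        status, fragments = classify(line)
        if status != "ok":
            findings.append((number, status, fragments))
    return findings


# Constructed sample in the t-network file layout. Line 2 is the broken line
# quoted in the post; line 3 is an assumed orphan tail; line 4 carries an
# RFC 5424 payload whose own timestamp must not count as a record start.
ASA = ("%ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst "
       "some.lb-lnk:x.x.x.x/3389 by access-group new-test-fw-lb-lnk_out "
       "[0x4da29309, 0x0]")
SAMPLE_LINES = [
    "2011-03-08T12:50:44.120001+01:00 some.fw.net <164>Mar 08 2011 12:50:44: " + ASA,
    "2011-03-08T12:50:45.973537+01:00 osl3-lb05b-v"
    "2011-03-08T12:50:46.126028+01:00 some.fw.net <164>Mar 08 2011 12:50:46: " + ASA,
    "ip01 <134>Mar 08 2011 12:50:45: %ASA-6-302013: Built inbound TCP connection",
    "2011-03-08T12:50:47.000100+01:00 app01 <14>1 2011-03-08T12:50:47+01:00 "
    "app01 sshd - - - Accepted publickey for ops",
]


if __name__ == "__main__":
    for number, status, fragments in scan(SAMPLE_LINES):
        print(number, status)
        for fragment in fragments:
            print("    ", fragment[:60])
```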
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Mar 2011 16:09:09 +0100
Subject: [rsyslog] Problem with "corrupt" log message
In-Reply-To: <4D78E213.7060909@basefarm.no>
References: <4D37FB67.60406@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA5C@GRFEXC.intern.adiscon.com> <4D38144A.4000006@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA60@GRFEXC.intern.adiscon.com> <4D78E213.7060909@basefarm.no>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDDC9@GRFEXC.intern.adiscon.com>

I guess you have lost a couple of updates. I have been working pretty aggressively on bugs the past two to three weeks. Those issues that I knew of are closed now (except one dangling with ommysql, which I cannot reproduce and currently get no more data on). Please grab the latest 5.7.8 and see if the problem persists. If it does, please open a bug tracker, so that we can work together to find the culprit and fix it :)

Thanks,
Rainer
From andersns at basefarm.no Thu Mar 10 16:16:14 2011
From: andersns at basefarm.no (Anders Synstad)
Date: Thu, 10 Mar 2011 16:16:14 +0100
Subject: [rsyslog] Problem with "corrupt" log message
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDDC9@GRFEXC.intern.adiscon.com>
References: <4D37FB67.60406@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA5C@GRFEXC.intern.adiscon.com> <4D38144A.4000006@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA60@GRFEXC.intern.adiscon.com> <4D78E213.7060909@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDDC9@GRFEXC.intern.adiscon.com>
Message-ID: <4D78EB3E.50209@basefarm.no>

I'm still running on 5.6.2 as you mentioned. I've been looking at the changelogs for the stable 5.x releases, but haven't seen anything that I related to this problem. I am a bit reluctant to deploy the beta releases on my production servers. ;)

Doing some testing at the moment, and will see if I can't open that bug tracker if I don't get anywhere.

Regards,
Anders Synstad
Basefarm AS

On 03/10/2011 04:09 PM, Rainer Gerhards wrote:
> I guess you have lost a couple of updates. I have been working pretty
> aggressively on bugs the past two to three weeks. Those issues that I knew
> are closed now (except one dangling with ommysql, which I cannot reproduce
> and currently get not more data on). Please grab the latest 5.7.8 and see if
> the problem persists. If it does, please open a bug tracker, so that we can
> work together to find the culprit and fix it :)
>
> Thanks,
> Rainer
From rgerhards at hq.adiscon.com Thu Mar 10 17:11:05 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Mar 2011 17:11:05 +0100
Subject: [rsyslog] Problem with "corrupt" log message
In-Reply-To: <4D78EB3E.50209@basefarm.no>
References: <4D37FB67.60406@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA5C@GRFEXC.intern.adiscon.com> <4D38144A.4000006@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDA60@GRFEXC.intern.adiscon.com> <4D78E213.7060909@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDDC9@GRFEXC.intern.adiscon.com> <4D78EB3E.50209@basefarm.no>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDDCA@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Anders Synstad
> Sent: Thursday, March 10, 2011 4:16 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Problem with "corrupt" log message
>
> I'm still running on 5.6.2 as you mentioned. I've been looking at the changelogs for the stable 5.x releases, but haven't seen anything that I related to this problem.

Well, look again:

http://www.rsyslog.com/changelog-for-5-6-4-v5-stable/
http://www.rsyslog.com/changelog-for-5-6-3-v5-stable/

> I am a bit reluctant to deploy the beta releases on my production servers. ;)

Note that 5.7.8 will probably turn into the new stable in two weeks or so (depending on feedback). Maybe it helps to wait until it has reached that state.

> Doing some testing at the moment, and will see if I can't open that bug tracker if I don't get anywhere.

Testing is always good :) It helps most if you can provide a minimal config that exposes a problem. In any case, I think you are really wasting your time if you are not trying with 5.6.4 at least.

Rainer

>
> Regards,
> Anders Synstad
> Basefarm AS
>
> On 03/10/2011 04:09 PM, Rainer Gerhards wrote:
> > I guess you have lost a couple of updates. I have been working pretty aggressively on bugs the past two to three weeks. Those issues that I knew are closed now (except one dangling with ommysql, which I cannot reproduce and currently get not more data on). Please grab the latest 5.7.8 and see if the problem persists. If it does, please open a bug tracker, so that we can work together to find the culprit and fix it :)
> >
> > Thanks,
> > Rainer
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Anders Synstad
> >> Sent: Thursday, March 10, 2011 3:37 PM
> >> To: rsyslog at lists.adiscon.com
> >> Subject: Re: [rsyslog] Problem with "corrupt" log message
> >>
> >> Hello,
> >>
> >> On 01/20/2011 01:21 PM, Rainer Gerhards wrote:
> >>>> -----Original Message-----
> >>>> I'm running latest Rsyslog 5.6.2. I pretty much came to the same conclusions as you.
> >>>>
> >>>> I doubt I can reproduce it. Out of several gigabytes of logs each day, this is the first time I've seen it.
> >>>
> >>> Yup... Maybe this helps: I got some reports from folks who have a bit of a problem with 5.6.2 and a very good report came in yesterday. I am about to look at it. It could be that all of this has a common reason. But other than that, I do not have any advice right now...
> >>>
> >>
> >> Did these reports give any results regarding this issue?
> >>
> >> I've been trying to dig a bit more in our logs, and I've seen it happen more than once now. It's however a bit hard to locate these corrupt lines in the logs as they differ slightly.
> >>
> >> I also did a quick attempt at some tcpdumping, but without knowing a bit more what I'm looking for, it's too much data going thru the system at the moment to be just staring at it.
> >>
> >> The bits of configuration related to these logfiles are:
> >>
> >> $ModLoad imudp # Standard input module for UDP
> >> $ModLoad imtcp # Standard input module for TCP
> >>
> >> $template t-network,"/var/log/network.%$myhostname%.log"
> >> $template bf-default,"%timegenerated:::date-rfc3339% %fromhost% %rawmsg:::drop-last-lf%\n"
> >>
> >> # Ruleset: network
> >> $Ruleset network-udp-10514
> >> $RulesetCreateMainQueue on
> >> *.* -?t-network;bf-default
> >>
> >> $RuleSet network-tcp-10514
> >> $RulesetCreateMainQueue on
> >> *.* -?t-network;bf-default
> >>
> >> $InputUDPServerBindRuleset network-udp-10514
> >> $UDPServerRun 10514
> >>
> >> $InputTCPServerBindRuleset network-tcp-10514
> >> $InputTCPServerRun 10514
> >>
> >> I'm using load balancing (active/passive) and different vips on the LB to point logs from different systems to different ports on my central loghost. And all in all, this is working very nicely :)
> >>
> >> But as you can see, both tcp and udp is logged to the same file, and I'm almost willing to bet my right pinky that the problem is related to this.
> >>
> >> Another example of a broken log:
> >>> 2011-03-08T12:50:45.973537+01:00 osl3-lb05b-v2011-03-08T12:50:46.126028+01:00 some.fw.net<164>Mar 08 2011 12:50:46: %ASA-4-106023: Deny tcp src outside:x.x.x.x/6000 dst some.lb-lnk:x.x.x.x/3389 by access-group new-test-fw-lb-lnk_out [0x4da29309, 0x0]
> >>
> >> Regards,
> >> Anders Synstad
> >> Basefarm AS

From mbiebl at gmail.com Thu Mar 10 21:18:11 2011
From: mbiebl at gmail.com (Michael Biebl)
Date: Thu, 10 Mar 2011 21:18:11 +0100
Subject: [rsyslog] rsyslog 5.7.8 (v5-beta) released
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDDBC@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DDDB1@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DDDBC@GRFEXC.intern.adiscon.com>
Message-ID:

2011/3/10 Rainer Gerhards :
>
> I don't think I do a new release just for that reason (or should I?).

pmaixforwardedfrom is probably one of the more exotic modules, so making a new release just because of it looks like a bit of overkill.

Michael

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

From toddmichael at gmail.com Fri Mar 11 09:11:07 2011
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Fri, 11 Mar 2011 00:11:07 -0800
Subject: [rsyslog] Troubleshooting Rsyslog/Apache Issues
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com>
References: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com>
Message-ID: <61BB532A-83F9-47D3-8087-AC40369CA3AF@gmail.com>

Appreciate the stellar advice Rainer. I built a 5.6.x (latest stable), but before upgrading I wanted to do some tests with my existing version/config and then apply some of the rule syntax changes you recommended to gauge performance benefit. I used the syslog_caller tool to perform a few tests. Here are those results:

Running the following command on a test box and simply recording realtime for comparison:

time ./syslog_caller -m 50000

Initial (Apache killing) Config w/ Remote TCP logging: 5m38.163s
Switch to UDP Remote Logging: 4m22.497s
Disable Remote Logging: 3m23.322s
Initial w/ Amended Rules (see RULES section): 4m54.055s
Amended Rules w/ expression-based rules commented out: 2m36.023s
Amended Rules w/ MainMsg Disk Queue: 7m43.498
Sysklog (for comparison): 2m13.986s

Glad to see just changing my rules improved performance by about 13%. My initial reaction was to send this info and ask a series of questions based on the data, but instead decided to give it a whirl with the latest stable version: 5.6.4.

5.6.4 w/ Amended rules: 0m3.773s

Wow - I almost fell off my chair! This is AMAZING! Thank you!

Given these results, I just have a couple final questions:

In compliance heavy environments (which I'm in), I assume the recommendation is to add disk queuing for the main queue. Is this correct? Something like:

$MainMsgQueueFileName mainqueue
$MainMsgQueueType LinkedList
$MainMsgQueueSaveOnShutdown on

I understand there is a performance tradeoff, but given PCI-DSS, it'll be worth it, I think.
Last, I also have a disk queuing setup to cover me if our central loghost goes down. I configured per doc recommendations. When I ran my latest, blazing fast test, it queued to disk, I presume because output to the central loghost over TCP is so much slower. The problem: even after all the logs made it to the central loghost, a failqueue file still exists:

-rw------- 1 root root 704235 Mar 10 23:31 failqueue-loghost2.00000007

Furthermore, it continues to receive copies of new messages that I confirm have arrived at the central loghost. Is this a problem or have I misunderstood the behavior of the failqueue? My assumption is that it would queue up, but then gradually go to zero once the central loghost caught up. Note: when I restart rsyslog the file goes away and no duplicates are pushed to the central loghost.

# Disk Queuing Configuration
# loghost1
# in-memory queue; set for asynchronous processing
$ActionQueueType LinkedList
# failover queue filename; also enables disk mode
$ActionQueueFileName failqueue-loghost1
# infinite retries on insert failure
$ActionResumeRetryCount -1
# save in-memory data if rsyslog shuts down
$ActionQueueSaveOnShutdown on
# remote logging of everything
*.* @@loghost1:5140

If this is unexpected, let me know and I'll file a bug with more info.

Thanks again. This is a happy day.

Todd

On Mar 10, 2011, at 1:05 AM, Rainer Gerhards wrote:

> Just some quick points, but I guess useful ones:
>
> The newer version offer much more performance. For details, see here:
> http://www.gerhards.net/download/LinuxKongress2010rsyslog.pdf
>
> I see you use script-based filters where you could use much simpler ones. Script based filters are pretty slow. Go for selector lines or property based filters (in that order) to gain more speed.
>
> HTH
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
>> Sent: Wednesday, March 09, 2011 11:29 PM
>> To: rsyslog-users
>> Subject: [rsyslog] Troubleshooting Rsyslog/Apache Issues
>>
>> Posted earlier on this week, but was sick at the time and thus, didn't post enough info to warrant informed response. Here's some more information along with some specific questions:
>>
>> Conditions:
>>
>> - Version: rsyslog-3.22.1-3.el5_5.1
>> - System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>> - Rsyslog Clients w/ Syslog-NG servers
>> - Transport: TCP
>>
>> Problem:
>>
>> Replaced Sysklog with Rsyslog. After several hours of high traffic, Apache processes jumped from 50 to 250 and Apache eventually stopped working. As soon as I shutdown Rsyslog and turned up Sysklog, Apache procs went back to normal and all was resolved.
>>
>> Questions:
>>
>> 1. Running old version of Rsyslog (3.22) because this is latest version available in CentOS repository. Will I get performance/stability improvements upgrading to 5x (e.g. 5.6.2) or even 6x? If so, I'll build RPMs, but assumed latest version in CentOS 5 repository was sufficient if I don't need latest features. Am I wrong? Should I upgrade to latest?
>>
>> 2. Couple design deficiencies (Apache & Log4 logs are double logged), but deployed as-is until Engineering could fix deficiencies because I wanted to emulate existing Sysklog deployment. Before fixing, I just need to understand if there's anything about my Rsyslog configuration that would make duplicate logging an issue when it was not an issue with SysKlog.
>>
>> 3. The one major difference between Sysklog and Rsyslog is the use of TCP. I know this trades performance for efficiency, but I don't know how to determine if this is the problem.
>> I don't see issues on the server side and even if there are problems, I have Rsyslog configured to queue locally if anything happens on the server side. During the problem, there is no local queuing going on. Are there any diagnostics I can pull to determine if remote syslog is the issue?
>>
>> Below is my config file. Is there anything in here that is a glaring issue? If not, my ideas are to:
>>
>> 1. Upgrade, then retry.
>> 2. Remove duplication, then retry.
>> 3. Change from TCP back to UDP, then retry.
>>
>> until I determine the source of the problem.
>>
>> # Configuration File
>>
>> # Provides kernel logging support (previously done by rklogd)
>> $ModLoad imklog
>> # Provides support for local system logging (e.g. via logger command)
>> $ModLoad imuxsock
>>
>> # Max Message Size (default 2k)
>> $MaxMessageSize 8192
>>
>> # Must listen on localhost for Log4j. Need engineering to change this
>> $ModLoad imudp
>> $UDPServerAddress 127.0.0.1
>> $UDPServerRun 514
>>
>> # Use traditional timestamp format
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>
>> # ownership/permissions
>> $umask 0000
>> $FileOwner root
>> $FileGroup wheel
>> $FileCreateMode 0640
>>
>> # include directory for breaking directives into separate files (future)
>> $IncludeConfig /etc/rsyslog.d/
>>
>> # forward to remote host, queueing to local disk if host is down and memory fills up
>> # work (spool) files directory
>> $WorkDirectory /var/log/rsyslog
>>
>> # loghost1
>> # in-memory queue; set for asynchronous processing (?)
>> $ActionQueueType LinkedList
>> # failover queue filename; also enables disk mode
>> $ActionQueueFileName failqueue-loghost1
>> # infinite retries on insert failure
>> $ActionResumeRetryCount -1
>> # save in-memory data if rsyslog shuts down
>> $ActionQueueSaveOnShutdown on
>> # remote logging of everything
>> *.* @@loghost1:5140
>>
>> # loghost2
>> # in-memory queue; set for asynchronous processing (?)
>> $ActionQueueType LinkedList
>> # failover queue filename; also enables disk mode
>> $ActionQueueFileName failqueue-loghost2
>> # infinite retries on insert failure
>> $ActionResumeRetryCount -1
>> # save in-memory data if rsyslog shuts down
>> $ActionQueueSaveOnShutdown on
>> # remote logging of everything
>> *.* @@loghost2:5140
>>
>> # Log Filtering Rules
>>
>> # Emergency Messages
>> if $syslogseverity <= '0' then *
>> if $syslogseverity <= '0' then /var/log/messages
>> if $syslogseverity <= '0' then ~
>>
>> # Apache
>> if $programname == 'logger' and ($msg contains 'access_log' or $msg contains 'cookie_log' or $msg contains 'request_log') then /var/log/http
>> & ~
>> if $programname == 'httpd' and ($syslogfacility-text == 'local5' or $syslogfacility-text == 'local6') then /var/log/http_err
>> & ~
>>
>> # Log4j (App Logs)
>> if $programname == 'com.redacted.infra.syslog.Log4jSystemLogger' then /var/log/log4j
>> & ~
>>
>> # Kernel & IPTables
>> if $programname == 'kernel' and ($msg contains 'LOGACCEPT' or $msg contains 'LOGDROP') then /var/log/iptables
>> & ~
>>
>> # Auth Messages
>> if $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' then /var/log/secure
>> & ~
>>
>> # Mail
>> if $syslogfacility-text == 'mail' then /var/log/maillog
>> & ~
>>
>> # Catchall for remaining log messages
>> *.* /var/log/messages

From toddmichael at gmail.com Sun Mar 13 08:54:16 2011
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Sat, 12 Mar 2011 23:54:16 -0800
Subject: [rsyslog] imfile and log4j
Message-ID:

Trying to work around what appear to be log4j shortcomings: our app is using log4j which (1) dumps to local file and also uses syslog appender to send to rsyslog for proper processing. The problem is that log4j only appears to support UDP (no TCP and no domain sockets) which results in log entries > 1024 bytes getting broken up. The easiest way to handle this - without getting developers involved - is to have rsyslog simply monitor the files to which log4j dumps and forego log4j's syslog appender altogether.

I'm looking into the imfile solution, but documentation suggests that it's more geared to turning non-log files into proper syslog logfile entries (provides default severity, facility, etc...). In my case, these are already legitimate log messages that I just need rsyslog to grab and forward to my central loghost so that large messages don't get broken up. Will imfile do this for me or is there a better way if I want to get log messages that do not go through network or unix socket?

Appreciate the guidance.

todd

From mbiebl at gmail.com Sun Mar 13 09:15:47 2011
From: mbiebl at gmail.com (Michael Biebl)
Date: Sun, 13 Mar 2011 09:15:47 +0100
Subject: [rsyslog] imfile and log4j
In-Reply-To:
References:
Message-ID:

2011/3/13 Todd Michael Bushnell :
> The problem is that log4j only appears to support UDP (no TCP and no domain sockets)

Wow, that sounds seriously broken.

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

From tbergfeld at hq.adiscon.com Mon Mar 14 15:03:01 2011
From: tbergfeld at hq.adiscon.com (Tom Bergfeld)
Date: Mon, 14 Mar 2011 15:03:01 +0100
Subject: [rsyslog] rsyslog 6.1.6 (devel) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDDFC@GRFEXC.intern.adiscon.com>

We have just released rsyslog 6.1.6, the new v6-devel. This release includes a couple of important bug-fixes that coordinate it with fixes applied to earlier versions. It also contains a performance enhancement for rsyslog's HDFS output plugin (the new logic should be considerably faster, but we would appreciate feedback on its practical effect). Please see the ChangeLog for more details.

ChangeLog: http://www.rsyslog.com/changelog-for-6-1-6-v6-devel/

Download: http://www.rsyslog.com/rsyslog-6-1-6-v6-devel/

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html.

From mmonitz at gmail.com Mon Mar 14 18:15:28 2011
From: mmonitz at gmail.com (matan monitz)
Date: Mon, 14 Mar 2011 19:15:28 +0200
Subject: [rsyslog] imfile and log4j
In-Reply-To:
References:
Message-ID:

how about setting rsyslog to listen on localhost udp and transfer to logging server via tcp and then just tell log4j to send syslogs to localhost?

On Sun, Mar 13, 2011 at 10:15 AM, Michael Biebl wrote:

> 2011/3/13 Todd Michael Bushnell :
> > The problem is that log4j only appears to support UDP (no TCP and no domain sockets)
>
> Wow, that sounds seriously broken.
>
> --
> Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

From toddmichael at gmail.com Mon Mar 14 20:21:12 2011
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Mon, 14 Mar 2011 12:21:12 -0700
Subject: [rsyslog] imfile and log4j
In-Reply-To:
References:
Message-ID: <33951ECB-B5EA-41B8-9AB7-C3E9B71B4294@gmail.com>

Matan,

Thanks for the feedback. This is actually what I do now and it doesn't work because that initial UDP transfer over localhost results in log entries over 1024 bytes getting broken up. I need to completely avoid UDP to support my large log messages.

Thanks.

Todd

On Mar 14, 2011, at 10:15 AM, matan monitz wrote:

> how about setting rsyslog to listen on localhost udp and transfer to logging server via tcp and then just tell log4j to send syslogs to localhost?
>
> On Sun, Mar 13, 2011 at 10:15 AM, Michael Biebl wrote:
>
>> 2011/3/13 Todd Michael Bushnell :
>>> The problem is that log4j only appears to support UDP (no TCP and no domain sockets)
>>
>> Wow, that sounds seriously broken.
>>
>> --
>> Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

From david at lang.hm Mon Mar 14 20:57:07 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 14 Mar 2011 12:57:07 -0700 (PDT)
Subject: [rsyslog] Apache/Rsyslog stop working after several hours
In-Reply-To: <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com>
References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com>
Message-ID:

On Mon, 7 Mar 2011, Todd Michael Bushnell wrote:

> Appreciate the feedback. Sorry last night's message was so sparse - wasn't feeling too great and wanted to crash. Few points followed by my config file:
>
> 1. Using TCP, not RELP, because I'm still using syslog-NG as central loghost with rsyslog on servers.

Ok, this is still a mechanism that will stall if the server stops accepting messages

> 2. Already have configured to queue locally in the event of outage. See config below. I've tested successfully in the past, but yesterday, when there were problems, I checked the local queue and did not see local queueing occurring. Perhaps it was just slow enough to slow things to a crawl, killing Apache, but not quite slow enough to result in local queueing. Is that possible? Should I look to tune this?

no, if things are slow it will queue locally, and apache will only see things slow down if the queue fills up (or if you are writing the queue to disk, if the disk can't keep up)

what are you looking at to decide that rsyslog is not queuing messages?

> 3. Running "ancient" version of Rsyslog because this is the latest in CentOS 5 repo. Figured this is because it's stable which is what I want. No need for some of the newer bells at this point. If I guessed wrong here and latest will give me better stability and performance I'll build new RPMs.

the latest will definitely give you better performance, but the other part of the problem is that since it is so old, getting help here is a bit harder, simply because it's hard to remember back that far.

> 4.
> Have a number of admitted design deficiencies with Apache and Tomcat that could be contributing to performance although this does not impact sysklog which is why I proceeded as-is until I could get engineering to fix.
>
> 4a. Apache uses logger to send to local syslog socket (where rsyslog writes locally and sends to 2 remote servers) and also writes to its own files locally so we're logging twice locally for every message. Not good when traffic gets high, I presume. Just noticed this yesterday so need to get fixed. To make matters worse, all logging is happening on the same volume. Until fixed, maybe I should just have rsyslog write local Apache logs to /dev/null and forward to remote syslog - nothing else. Thoughts?

if you want rsyslog to write the queue to disk you will also have performance issues (the rsyslog disk queue is not very efficient)

One question to ask is how critical it is that no logs get lost? you may want to configure rsyslog to discard messages if it gets too many queued rather than stopping apache.

or you may want to have apache write log files and then have rsyslog use imfile to read the file.

> 4b. Log4j sending directly to syslog servers, writing to its own local files and sending to localhost:514 for local logging. Would prefer all gets handed to rsyslog for local and remote logging. Need to get engineering to fix that too. Like mentioned before, to reduce IO contention and avoid duplication, might just configure rsyslog to write to /dev/null as long as it's configured like this. Only question with 4a/b is that this never posed a problem with sysklog, but is a problem with rsyslog. This is the reason I did not try to make any major changes in phase 1.

remember that sysklog didn't do TCP logging, it only did UDP logging, so it would send the messages out over the network as fast as it could, and if the receiver can't keep up the message is lost.
you may want to do a test with rsyslog using UDP instead of TCP and see if the behavior is what you expect. If it is, then you are losing logs because your central server can't keep up with UDP, but with TCP you are stalling and killing apache instead.

> # Configuration File
>
> # Provides kernel logging support (previously done by rklogd)
> $ModLoad imklog
> # Provides support for local system logging (e.g. via logger command)
> $ModLoad imuxsock
>
> # Max Message Size (default 2k)
> $MaxMessageSize 8192

hmm, you may want to look at enabling jumbo packets on your network so that each log message can be pushed in a single packet.

> # Must listen on localhost for Log4j. Need engineering to change this
> $ModLoad imudp
> $UDPServerAddress 127.0.0.1
> $UDPServerRun 514
>
> # Use traditional timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # ownership/permissions
> $umask 0000
> $FileOwner root
> $FileGroup wheel
> $FileCreateMode 0640
>
> # include directory for breaking directives into separate files (future)
> $IncludeConfig /etc/rsyslog.d/
>
> # forward to remote host, queueing to local disk if host is down and memory fills up
> # work (spool) files directory
> $WorkDirectory /var/log/rsyslog
>
> # loghost1
> # in-memory queue; set for asynchronous processing (?)
> $ActionQueueType LinkedList

in my testing LinkedList was slower than the default. everything does asynchronous processing. but both the default and LinkedList are limited to memory size and the $MainMsgQueueSize or $ActionMsgQueueSize (which I think default to 10000)

> # failover queue filename; also enables disk mode
> $ActionQueueFileName failqueue-loghost1

I don't think this enables disk mode, you also need to set the $ActionQueueType to a disk related type.
David Lang

> # infinite retries on insert failure
> $ActionResumeRetryCount -1
> # save in-memory data if rsyslog shuts down
> $ActionQueueSaveOnShutdown on
> # remote logging of everything
> *.* @@loghost1:5140
>
> # loghost2
> # in-memory queue; set for asynchronous processing (?)
> $ActionQueueType LinkedList
> # failover queue filename; also enables disk mode
> $ActionQueueFileName failqueue-loghost2
> # infinite retries on insert failure
> $ActionResumeRetryCount -1
> # save in-memory data if rsyslog shuts down
> $ActionQueueSaveOnShutdown on
> # remote logging of everything
> *.* @@loghost2:5140
>
> # Log Filtering Rules
>
> # Emergency Messages
> if $syslogseverity <= '0' then *
> if $syslogseverity <= '0' then /var/log/messages
> if $syslogseverity <= '0' then ~
>
> # Apache
> if $programname == 'logger' and ($msg contains 'access_log' or $msg contains 'cookie_log' or $msg contains 'request_log') then /var/log/http
> & ~
> if $programname == 'httpd' and ($syslogfacility-text == 'local5' or $syslogfacility-text == 'local6') then /var/log/http_err
> & ~
>
> # Log4j (App Logs)
> if $programname == 'com.redacted.infra.syslog.Log4jSystemLogger' then /var/log/log4j
> & ~
>
> # Kernel & IPTables
> if $programname == 'kernel' and ($msg contains 'LOGACCEPT' or $msg contains 'LOGDROP') then /var/log/iptables
> & ~
>
> # Auth Messages
> if $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' then /var/log/secure
> & ~
>
> # Mail
> if $syslogfacility-text == 'mail' then /var/log/maillog
> & ~
>
> # Catchall for remaining log messages
> *.* /var/log/messages
>
>
> On Mar 6, 2011, at 10:43 PM, Todd Michael Bushnell wrote:
>
>> Been planning an rsyslog deployment for about a month.
>> Everything performed as expected in my limited use dev environment, but when I deployed rsyslog today to my production environment multiple systems yielded similar disastrous results:
>>
>> After a few hours Apache jumped up to 250+ processes (max=256, normal=~50) and then started hanging. At this time, rsyslog also stopped logging altogether. As soon as I killed rsyslog and started sysklog, httpd processes dropped to 50 and everything went back to normal.
>>
>> I'm not sure if this is a case where rsyslog froze and its state resulted in Apache's inability to close processes or if there is a problem with Apache and Rsyslog when a decent volume of traffic is passed through. I'm happy to provide additional information if someone could give me some clues as to where to start looking. At this point we're reverting until I can diagnose this issue and assure my team that I've fixed the problem for good.
>>
>> Version: rsyslog-3.22.1-3.el5_5.1
>> System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>>
>> Todd Michael Bushnell
>> toddmichael at gmail.com
>

From david at lang.hm Mon Mar 14 21:12:17 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 14 Mar 2011 13:12:17 -0700 (PDT)
Subject: [rsyslog] Parsing Snare input
In-Reply-To:
References: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com>
Message-ID:

On Thu, 10 Mar 2011, stefan.kleindl at rlb-stmk.raiffeisen.at wrote:

> After spending a few days (in relation to many others this is probably child's play) I'm stuck with a problem and I'm out of ideas on how to fix it.
>
> I'm having a Windows 2003 Server pump his Syslogs via Snare onto a RHEL 6.0 with the 5.6.4 build of rsyslog (compiled with ./configure --enable-mysql --enable-gnutls --enable-mail) running the latest LogAnalyzer Gui. I'm also having a RHEL 5.2 pump data into it via rsyslog, default yum package and settings. UDP, in case it matters.
>
> I'm sending all the input to the DB and also logging it to the disk into separate files (see config later).
>
> This works fine for the "Syslog Fields" view, where only the ProcessID field is empty (for either of them).
> But, the EventLog fields are just in very bad shape. EventLog Type, Event Source, EventID and Event User are all missing - for both the RHEL and the Windows servers. The whole info is dumped into the message property - like it is by default.
>
> My goal would be to get a properly filled view like http://loganalyzer-demo.adiscon.com/ (eventlog fields) where especially the different Event Users are working - but I can't seem to manage. I'd like to have all the data, parsed or not, saved on the disk and properly parsed in the MySQL/in the GUI.
>
> I tried template parsing via the rsyslog wiki and David Lang's example from http://lists.adiscon.net/pipermail/rsyslog/2009-October/010978.html

This now needs to be updated since we have the pmsnare parser in the tree. it greatly simplifies things.
instead of everything listed on that page,

$ModLoad pmsnare
$RulesetParser rsyslog.snare
$RulesetParser rsyslog.rfc3164

$template fixsnareFormat,"%timereported% %HOSTNAME%%msg:::drop-last-lf%\n"
$template fixsnareForwardFormat,"<%pri%>%timereported% %HOSTNAME%%msg:::drop-last-lf%\n"

:syslogtag, isequal, "#001" /var/log/messages;fixsnareFormat
& @192.168.1.1;fixsnareForwardFormat
& ~

this may not be needed in a properly setup environment, but I have some servers sending a hex 0x01 character instead of their name. This may be a snare config error but I haven't had time to track it down.

> I added the Parser from rsyslog forums http://kb.monitorware.com/snare-msg-parser-t10171.html#p18502 but I can't see how to apply this to a SQL DB.
>
> I tried direct SQL statements in the rsyslog.conf - to no avail.
>
> Any ideas on how to parse this properly/easy?

I suspect that the problem you are having is that rsyslog is escaping the tab characters (changing a tab into #011)

this is getting to be a problem for me as well, but currently there is not a way to just disable tab escaping without disabling all control character escaping. When I can get a little time I need to create a patch to enable tabs to be left alone, but I'm on Jury duty for the next couple of weeks, plus have some work emergencies that I am having to work on (which is why I haven't been checking e-mail for the last week) so I don't know how soon I can get this done.

David Lang

> regards
>
>
> # for Snare
> $EscapeControlCharactersOnReceive off
> #
> # #load modules
> $ModLoad immark # provides --MARK-- message capability
> $ModLoad imudp # provides UDP syslog reception
> $ModLoad imtcp # provides TCP syslog reception
> $ModLoad imuxsock # provides support for local system logging (e.g.
via > logger command) > $ModLoad imklog # provides kernel logging support (previously done by > rklogd) > $ModLoad ommail # direct email sending > $ModLoad ommysql > > # Provides UDP syslog reception > $UDPServerRun 514 > > # Provides TCP syslog reception > #$InputTCPServerRun 514 > > ##################################################### > ## Log everything to a per host daily logfile # > ###################################################### > $template > DailyPerHostLogs,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log" > *.* -?DailyPerHostLogs > > # Writes everything into DB > *.* :ommysql:localhost,Syslog,rsyslog,password > > #MAILTEST - functional 9.3.2011 > #$ActionMailSMTPServer xxxx > #$ActionMailFrom xxx > #$ActionMailTo xxx > #$template mailSubject,"%hostname% - %timereported%" > #$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'" > #$ActionMailSubject mailSubject > #$ActionExecOnlyOnceEveryInterval 20 > #:hostname, contains, "xl" :ommail:;mailBody > > #### GLOBAL DIRECTIVES #### > > # Use default timestamp format > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > > #### RULES #### > > # Log all kernel messages to the console. > # Logging much else clutters up the screen. > #kern.* /dev/console > > # Log anything (except mail) of level info or higher. > # Don't log private authentication messages! > *.info;mail.none;authpriv.none;cron.none /var/log/messages > > # The authpriv file has restricted access. > authpriv.* /var/log/secure > > # Log all the mail messages in one place. > mail.* -/var/log/maillog > > # Log cron stuff > cron.* /var/log/cron > > # Everybody gets emergency messages > *.emerg * > > # Save news errors of level crit and higher in a special file. 
> uucp,news.crit /var/log/spooler > > # Save boot messages also to boot.log > local7.* > > > > Windows Example Message: > Service 17978 Thu Mar 10 11:40:39 2011 1139 NTDS LDAP ANONYMOUS LOGON Well > Known Group Information 38866A01 LDAP Interface Internal event: Function > ldap_search completed with an elapsed time of 0 ms. 8585 > > ---------------------------------------- > Raiffeisen-Landesbank Steiermark AG, Graz, FN 264700 s, Landesgericht für > Zivilrechtssachen Graz, DVR 0040495 > > Correspondence with a.m. sender via e-mail is only for information > purposes. This medium is not to be used for the exchange of legally-binding > communications. > ---------------------------------------- > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > From Nicolas.CLEMENTZ at uha.fr Mon Mar 14 20:40:00 2011 From: Nicolas.CLEMENTZ at uha.fr (Nicolas CLEMENTZ) Date: Mon, 14 Mar 2011 20:40:00 +0100 Subject: [rsyslog] Nicolas CLEMENTZ is out of the office. Message-ID: I will be out of the office from 14/03/2011, returning on 28/03/2011. In case of emergency, please contact the SIRT hotline on 0389205460 (2460). I will reply to your message on my return. From david at lang.hm Mon Mar 14 21:37:31 2011
From: david at lang.hm (david at lang.hm) Date: Mon, 14 Mar 2011 13:37:31 -0700 (PDT) Subject: [rsyslog] Troubleshooting Rsyslog/Apache Issues In-Reply-To: <61BB532A-83F9-47D3-8087-AC40369CA3AF@gmail.com> References: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com> <61BB532A-83F9-47D3-8087-AC40369CA3AF@gmail.com> Message-ID: On Fri, 11 Mar 2011, Todd Michael Bushnell wrote: > Appreciate the stellar advice Rainer. I built a 5.6.x (latest stable), but before upgrading I wanted to do some tests with my existing version/config and then apply some of the rule syntax changes you recommended to gauge performance benefit. I used the syslog_caller tool to perform a few tests. Here are those results: > > Running the following command on a test box and simply recording realtime for comparison: > time ./syslog_caller -m 50000 > > Initial (Apache killing) Config w/ Remote TCP logging: 5m38.163s > Switch to UDP Remote Logging: 4m22.497s > Disable Remote Logging: 3m23.322s > Initial w/ Amended Rules (see RULES section): 4m54.055s > Amended Rules w/ expression-based rules commented out: 2m36.023s > Amended Rules w/ MainMsg Disk Queue 7m43.498 > > Sysklog (for comparison): 2m13.986s > > Glad to see just changing my rules improved performance by about 13%. My initial reaction was to send this info and ask a series of questions based on the data, but instead decided to give it a whirl with the latest stable version: 5.6.4. > > 5.6.4 w/ Amended rules: 0m3.773s > > Wow - I almost fell off my chair! This is AMAZING! Thank you! Given these results, I just have a couple final questions: we really mean it when we say that performance has improved with the later versions ;-) now, given what you have been describing, I suspect that you are still going to have problems, because I think that your central log server just can't quite keep up, so with TCP logging you will still block eventually. 
> In compliance heavy environments (which I'm in), I assume the > recommendation is to add disk queuing for the main queue. Is this > correct? Something like: > > $MainMsgQueueFileName mainqueue > $MainMsgQueueType LinkedList > $MainMsgQueueSaveOnShutdown on > > I understand there is a performance tradeoff, but given PCI-DSS, it'll > be worth it, I think. The thing is that this isn't giving you the reliability that you think it is. The process of logging with rsyslog has many steps:
1. Write the log to /dev/log. If the system crashes here the log is lost. Has the application already completed the action it's trying to log? If so you have no record of it.
2. rsyslog accepts the message and puts it in the main message queue. Unless the main message queue is a disk queue (not a disk-assisted queue) and you have fsyncs enabled, if the box crashes at this point you lose the log.
3. rsyslog decides if the message should go to a particular destination; if you have a separate action queue for this destination, the message is put into that queue. Again, unless you are using a disk queue, a crash can lose the message.
4a. rsyslog sends the log to the remote server and deletes it from the action queue. Unless you are using RELP, rsyslog may send the message to the TCP stack, but it has no way of knowing if the remote server has received the message.
4b. rsyslog writes the log to a local file. Unless you have fsync enabled after each write, a crash at this time will lose the log message.
Note that disk queues are very slow, and fsync on ext3 with other write activity can stall for seconds at a time.
I did some testing a year or so ago with a very high performance solid state drive (a fusion-io PCI card that cost >$5K for 80G of storage). With that drive and ext2, without an action queue, I was able to process 8K logs/sec, compared to 400K logs/sec with memory queues (at the time I could only write out around 80K logs/sec, but faster bursts that fit in memory were handled just fine; since then there has been more improvement to rsyslog and people are reporting write rates of several hundred thousand logs/sec). Doing the same test on a standard SATA drive resulted in around 10 (yes TEN) logs/sec being processed.
I also operate in a PCI environment; there are limits to what is expected of you in terms of preserving logs. I would suggest that you end up with two copies of rsyslog running on your servers.
The first copy is for compliance critical logs. These should be a relatively low volume. The application should be double-logging everything, i.e. "I am about to do X" and "I just tried to do X and it succeeded/failed". This way you can tell if something failed in the middle of a transaction and can investigate if the transaction took place or not. This instance of rsyslog can be configured to sync everything, use RELP, write to mirrored drives, etc. to do everything you can to make sure the log does not get lost. The application needs to either use RELP to talk to rsyslog, or use /dev/log (writes to /dev/log do not return until the log is in the queue). If this instance stops (runs out of disk space, crashes, etc.) the application will halt.
The second copy is for normal activity logs (apache logs, etc.). These will be a fairly high volume (especially by comparison). If systems fail you will lose some of these logs. At this point you can decide what reliability measures you deem prudent for these logs.
Personally, for this second category, failover syslog servers running UDP on a fairly quiet network are good enough for me. I've tested this setup to hundreds of thousands of logs/sec without losing any logs in my tests (and the tests have involved sending billions of log messages), so while it is not guaranteed reliability, in practice it is 'good enough'. David Lang From toddmichael at gmail.com Tue Mar 15 07:37:23 2011
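As an added example (not part of David Lang's message and not rsyslog project documentation), here is the two-instance split he describes written as rsyslog legacy-format configuration for the 5.x series discussed in this thread. Host names, ports, spool paths, the state-file names and the local3/local6 facilities are placeholders. The first instance trades throughput for durability: a pure disk queue with synced queue files, fsync on the local file, RELP for acknowledged delivery, and infinite retries so the sender blocks rather than drops. The second takes the bulk Apache traffic through imfile and a disk-assisted queue that discards low-severity messages and never waits for queue space, with a plain UDP copy to a failover collector. Per the rsyslog queue documentation, giving a LinkedList or FixedArray queue a $ActionQueueFileName is what switches it to disk-assisted mode; only $ActionQueueType Disk makes a pure disk queue.

```conf
#### Instance 1: compliance-critical logs (low volume, must not be lost) ####
# Started as: rsyslogd -f /etc/rsyslog-compliance.conf -i /var/run/rsyslogd-compliance.pid
# The application logs via /dev/log (or RELP); only one daemon may own /dev/log.
$ModLoad imuxsock
$ModLoad omrelp
$WorkDirectory /var/spool/rsyslog-compliance

# Local copy: no leading "-" on the path and sync enabled, so each write is
# fsynced before the action completes (slow, but durability is the point here).
$ActionFileEnableSync on
local3.*    /var/log/compliance/audit.log

# Forward over RELP, which acknowledges delivery end to end; plain TCP only tells
# you the local kernel accepted the bytes. A pure disk queue (Type Disk, not
# disk-assisted) with synced queue files survives a crash of this host. When the
# queue is full or the disk is out of space the enqueue blocks and the application
# halts, which is the intended behaviour for this class of logs.
$ActionQueueType Disk
$ActionQueueFileName compliance-relp
$ActionQueueSyncQueueFiles on
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
local3.*    :omrelp:loghost.example.internal:2514

#### Instance 2: bulk activity logs (high volume, best effort) ####
# Started as: rsyslogd -f /etc/rsyslog-bulk.conf -i /var/run/rsyslogd-bulk.pid
# Apache keeps writing its own files; imfile tails them, so a slow collector can
# never stall an httpd child the way a blocked logger(1) pipe can.
$ModLoad imfile
$WorkDirectory /var/spool/rsyslog-bulk
$InputFilePollInterval 1

$InputFileName /var/log/httpd/access_log
$InputFileTag httpd-access:
$InputFileStateFile stat-httpd-access
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

$InputFileName /var/log/httpd/error_log
$InputFileTag httpd-error:
$InputFileStateFile stat-httpd-error
$InputFileSeverity err
$InputFileFacility local6
$InputRunFileMonitor

# Weak version: a purely in-memory LinkedList queue with infinite retries and no
# discard policy. Once the collector stalls and the queue fills, the producer side
# blocks, which is how a slow TCP loghost turns into hung httpd children.
#$ActionQueueType LinkedList
#$ActionResumeRetryCount -1
#local6.*   @@loghost1.example.internal:5140

# Corrected: the same LinkedList queue becomes disk-assisted through its file name,
# spills to disk only above the high water mark, discards info/debug once nearly
# full, and never waits for queue space (timeout 0), so the input side keeps moving.
$ActionQueueType LinkedList
$ActionQueueFileName bulk-loghost1
$ActionQueueSize 10000
$ActionQueueHighWaterMark 8000
$ActionQueueLowWaterMark 2000
$ActionQueueMaxDiskSpace 1g
$ActionQueueDiscardMark 9500
$ActionQueueDiscardSeverity 6
$ActionQueueTimeoutEnqueue 0
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
local6.*    @@loghost1.example.internal:5140

# Plain UDP to a failover collector: lossy under load, but it cannot block anything.
local6.*    @loghost2.example.internal:514
```

Each $ActionQueue* and $ActionResume* directive applies only to the next action and is reset afterwards, so the UDP action at the end runs with a direct, queue-less binding. Check each file with `rsyslogd -N1 -f <file>` before starting the second daemon; the two instances need distinct work directories and pid files, and only one of them may listen on /dev/log.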
From: toddmichael at gmail.com (Todd Michael Bushnell) Date: Mon, 14 Mar 2011 23:37:23 -0700 Subject: [rsyslog] Apache/Rsyslog stop working after several hours In-Reply-To: References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com> Message-ID: David, Thanks for the response. This was sent before I did the upgrade. Many of the problems were resolved with that upgrade. Couple follow-up points to your thorough email: 1. I configured the mainmsgqueue per recommendation of someone else on the list as a way to prevent rsyslog log processing bottleneck from causing Apache to choke and die: $MainMsgQueueFileName mainqueue $MainMsgQueueType LinkedList $MainMsgQueueSaveOnShutdown on After upgrading and testing performance this might not even be necessary in my environment. This decision was pre-upgrade. The remaining bottleneck appears to be my TCP loghosts, but backup queuing here, I presume, will go in the Action queue, not the main queue so I might end up removing this. Correct me if I'm wrong here. 2. You recommended configuring an imfile for Apache, rather than using logger. This is actually what I want to do for Log4j (and perhaps Apache), but my reading of imfile documentation gives me the impression that it's geared toward gobbling up non-syslog formatted data and turning it into syslog formatted data. Thus the reason it assigns default facility and severity, on a per-file basis. Is it also a viable solution for files containing logs from, for example, Log4j where I have log entries that may be different severity levels? If not, I'm sure I can break up accordingly. Performance wise, is this a production grade alternative to using Logger to throw log messages at the domain socket? I wasn't sure given that the online docs for configuring Apache do not mention imfile. Thanks again for the solid feedback. 
Todd On Mar 14, 2011, at 12:57 PM, david at lang.hm wrote: > On Mon, 7 Mar 2011, Todd Michael Bushnell wrote: > >> Appreciate the feedback. Sorry last night's message was so sparse - wasn't feeling too great and wanted to crash. Few points followed by my config file: >> >> 1. Using TCP, not RELP, because I'm still using syslog-NG as central loghost with rsyslog on servers. > > Ok, this is still a mechanism that will stall if the server stops accepting messages. > >> 2. Already have configured to queue locally in the event of outage. See config below. I've tested successfully in the past, but yesterday, when there were problems, I checked the local queue and did not see local queueing occurring. Perhaps it was just slow enough to slow things to a crawl, killing Apache, but not quite slow enough to result in local queueing. Is that possible? Should I look to tune this? > > No, if things are slow it will queue locally, and Apache will only see things slow down if the queue fills up (or if you are writing the queue to disk, if the disk can't keep up). > > What are you looking at to decide that rsyslog is not queuing messages? > >> 3. Running "ancient" version of Rsyslog because this is the latest in CentOS 5 repo. Figured this is because it's stable which is what I want. No need for some of the newer bells at this point. If I guessed wrong here and latest will give me better stability and performance I'll build new RPMs. > > The latest will definitely give you better performance, but the other part of the problem is that since it is so old, getting help here is a bit harder, simply because it's hard to remember back that far. > >> 4. Have a number of admitted design deficiencies with Apache and Tomcat that could be contributing to performance although this does not impact sysklog which is why I proceeded as-is until I could get engineering to fix. >> >> 4a.
Apache uses logger to send to local syslog socket (where rsyslog writes locally and sends to 2 remote servers) and also writes to its own files locally so we're logging twice locally for every message. Not good when traffic gets high, I presume. Just noticed this yesterday so need to get fixed. To make matters worse, all logging is happening on the same volume. Until fixed, maybe I should just have rsyslog write local Apache logs to /dev/null and forward to remote syslog - nothing else. Thoughts? > > If you want rsyslog to write the queue to disk you will also have performance issues (the rsyslog disk queue is not very efficient). > > One question to ask is how critical it is that no logs get lost? You may want to configure rsyslog to discard messages if it gets too many queued rather than stopping Apache. > > Or you may want to have Apache write log files and then have rsyslog use imfile to read the file. > >> 4b. Log4j sending directly to syslog servers, writing to its own local files and sending to localhost:514 for local logging. Would prefer all gets handed to rsyslog for local and remote logging. Need to get engineering to fix that too. Like mentioned before, to reduce IO contention and avoid duplication, might just configure rsyslog to write to /dev/null as long as it's configured like this. Only question with 4a/b is that this never posed a problem with sysklog, but is a problem with rsyslog. This is the reason I did not try to make any major changes in phase 1. > > Remember that sysklog didn't do TCP logging, it only did UDP logging, so it would send the messages out over the network as fast as it could, and if the receiver can't keep up the message is lost. > > You may want to do a test with rsyslog using UDP instead of TCP and see if the behavior is what you expect. If it is, then you are losing logs because your central server can't keep up with UDP, but with TCP you are stalling and killing Apache instead.
> >> # Configuration File >> >> # Provides kernel logging support (previously done by rklogd) >> $ModLoad imklog >> # Provides support for local system logging (e.g. via logger command) >> $ModLoad imuxsock >> >> # Max Message Size (default 2k) >> $MaxMessageSize 8192 > > hmm, you may want to look at enabling jumbo packets on your network so that each log message can be pushed in a single packet. > >> # Must listen on localhost for Log4j. Need engineering to change this >> $ModLoad imudp >> $UDPServerAddress 127.0.0.1 >> $UDPServerRun 514 >> >> # Use traditional timestamp format >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> >> # ownership/permissions >> $umask 0000 >> $FileOwner root >> $FileGroup wheel >> $FileCreateMode 0640 >> >> # include directory for breaking directives into separate files (future) >> $IncludeConfig /etc/rsyslog.d/ >> >> # forward to remote host, queueing to local disk if host is down and memory fills up >> # work (spool) files directory >> $WorkDirectory /var/log/rsyslog >> >> # loghost1 >> # in-memory queue; set for asynchronous processing (?) >> $ActionQueueType LinkedList > > in my testing LinkedList was slower than the default. everything does asynchronous processing. > > but both the default and LinkedList are limited to memory size and the $MainMsgQueueSize or $ActionMsgQueueSize (which I think default to 10000) > >> # failover queue filename; also enables disk mode >> $ActionQueueFileName failqueue-loghost1 > > I don't think this enables disk mode, you also need to set the $ActionQueueType to a disk related type. > > David Lang > >> # infinite retries on insert failure >> $ActionResumeRetryCount -1 >> # save in-memory data if rsyslog shuts down >> $ActionQueueSaveOnShutdown on >> # remote logging of everything >> *.* @@loghost1:5140 >> >> # loghost2 >> # in-memory queue; set for asynchronous processing (?) 
>> $ActionQueueType LinkedList >> # failover queue filename; also enables disk mode >> $ActionQueueFileName failqueue-loghost2 >> # infinite retries on insert failure >> $ActionResumeRetryCount -1 >> # save in-memory data if rsyslog shuts down >> $ActionQueueSaveOnShutdown on >> # remote logging of everything >> *.* @@loghost2:5140 >> >> # Log Filtering Rules >> >> # Emergency Messages >> if $syslogseverity <= '0' then * >> if $syslogseverity <= '0' then /var/log/messages >> if $syslogseverity <= '0' then ~ >> >> # Apache >> if $programname == 'logger' and ($msg contains 'access_log' or $msg contains 'cookie_log' or $msg contains 'r >> equest_log') then /var/log/http >> & ~ >> if $programname == 'httpd' and ($syslogfacility-text == 'local5' or $syslogfacility-text == 'local6') then /var/log/http_err >> & ~ >> >> # Log4j (App Logs) >> if $programname == 'com.redacted.infra.syslog.Log4jSystemLogger' then /var/log/log4j >> & ~ >> >> # Kernel & IPTables >> if $programname == 'kernel' and ($msg contains 'LOGACCEPT' or $msg contains 'LOGDROP') then /var/log/iptables >> & ~ >> >> # Auth Messages >> if $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' then /var/log/secure >> & ~ >> >> # Mail >> if $syslogfacility-text == 'mail' then /var/log/maillog >> & ~ >> >> # Catchall for remaining log messages >> *.* /var/log/messages >> >> >> >> On Mar 6, 2011, at 10:43 PM, Todd Michael Bushnell wrote: >> >>> Been planning an rsyslog deployment for about a month. Everything performed as expected in my limited use dev environment, but when I deployed rsyslog today to my production environment multiple systems yielded similar disastrous results: >>> >>> After a few hours Apache jumped up to 250+ processes (max=256, normal=~50) and then started hanging. At this time, rsyslog also stopped logging altogether. As soon as I killed rsyslog and started sysklog, httpd processes dropped to 50 and everything went back to normal. 
>>> >>> I'm not sure if this is a case where rsyslog froze and its state resulted in Apache's inability to close processes or if there is a problem with Apache and Rsyslog when a decent volume of traffic is passed through. I'm happy to provide additional information if someone could give me some clues as to where to start looking. At this point we're reverting until I can diagnose this issue and assure my team that I've fixed the problem for good. >>> >>> Version: rsyslog-3.22.1-3.el5_5.1 >>> System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux >>> >>> >>> >>> Todd Michael Bushnell >>> toddmichael at gmail.com From rgerhards at hq.adiscon.com Tue Mar 15 08:35:20 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 15 Mar 2011 08:35:20 +0100 Subject: [rsyslog] imfile and log4j In-Reply-To: <33951ECB-B5EA-41B8-9AB7-C3E9B71B4294@gmail.com> References: <33951ECB-B5EA-41B8-9AB7-C3E9B71B4294@gmail.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE04@GRFEXC.intern.adiscon.com> Can you provide some sample log lines? I think the proper cure would be to add a TCP-syslog driver to log4j. I would be willing to contribute, but my Java is weak and I don't know any log4j internals. So if you have someone who knows the UDP driver, I think both of us together could quickly create at least a basic TCP driver. Rainer > -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell > Sent: Monday, March 14, 2011 8:21 PM > To: rsyslog-users > Subject: Re: [rsyslog] imfile and log4j > > Matan, > > Thanks for the feedback. This is actually what I do now and it doesn't > work because that initial UDP transfer over localhost results in log > entries over 1024 bytes getting broken up. I need to completely avoid > UDP to support my large log messages. Thanks. > > Todd > > > > > On Mar 14, 2011, at 10:15 AM, matan monitz wrote: > > > how about setting rsyslog to listen on localhost udp and transfer to > logging > > server via tcp and then just tell log4j to send syslogs to localhost? > > > > On Sun, Mar 13, 2011 at 10:15 AM, Michael Biebl > wrote: > > > >> 2011/3/13 Todd Michael Bushnell : > >>> The problem is that log4j only appears to support UDP (no TCP and > no > >> domain sockets) > >> > >> Wow, that sounds seriously broken. > >> > >> > >> -- > >> Why is it that all of the instruments seeking intelligent life in > the > >> universe are pointed away from Earth? From stefan.kleindl at rlb-stmk.raiffeisen.at Tue Mar 15 08:46:30 2011
From: stefan.kleindl at rlb-stmk.raiffeisen.at (stefan.kleindl at rlb-stmk.raiffeisen.at) Date: Tue, 15 Mar 2011 08:46:30 +0100 Subject: [rsyslog] Parsing Snare input In-Reply-To: References: <0DDC3501-1046-4C0F-A068-372657209109@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDDBD@GRFEXC.intern.adiscon.com> Message-ID: Coincidentally I decided to scrap everything I thought right on Monday and just tried my luck with a little regex, sheets of paper and careful reverse-testing. http://kb.monitorware.com/feedback-snare-parsing-t10768.html
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventSource, EventId, EventUser) values ('%msg:F:10%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%msg:F:3%', '%msg:F:6%', '%msg:F:8%', '%msg:F:2%','%msg:F:4%')",sql
:syslogtag, contains, "Win" /var/log/windows #Personal checker, don't need
& >localhost,Syslog,rsyslog,password;dbFormat
That does the trick for me for now :) Is the .snare parser documented at some point to see what it's doing? regards and thanks Stefan [...] From david at lang.hm Wed Mar 16 05:34:42 2011
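An added example, not code from the thread, from pmsnare or from LogAnalyzer: the tab splitting that Stefan's %msg:F:n% template relies on, done in Python, with the situation David suspects (a tab rewritten as "#011" by control-character escaping) handled by undoing the escape before splitting. The column order is the Snare for Windows agent's tab-delimited MSWinEventLog layout as I know it and is an assumption to check against the agent version in use; the sample record is constructed here, modelled on the Windows example message in Stefan's post. msg_field mimics the F: property replacer so the breakage is visible: on the escaped record there is only one field, so every EventLog column comes out empty, while parse_snare yields the same fields for both forms.

```python
import re

# Column order of a Snare for Windows "MSWinEventLog" record. ASSUMED here from the
# Snare agent's documented tab-delimited layout; verify against your agent version.
SNARE_FIELDS = (
    "Criticality", "EventLogSource", "SnareCounter", "SubmitTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "MD5Checksum",
)

# With $EscapeControlCharactersOnReceive on (rsyslog's default) each control
# character arrives as '#' plus its three-digit octal code, so TAB becomes "#011".
_OCTAL_ESCAPE = re.compile(r"#([0-3][0-7]{2})")


def unescape_control_chars(text):
    """Reverse rsyslog's '#ooo' control-character escaping."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def msg_field(msg, n, delimiter="\t"):
    """Behave like rsyslog's %msg:F:n% property replacer: the 1-based n-th
    field of msg split on the delimiter (TAB by default), empty if absent."""
    parts = msg.split(delimiter)
    return parts[n - 1] if 1 <= n <= len(parts) else ""


def parse_snare(msg):
    """Turn a Snare payload into a dict of named fields.

    Accepts raw tabs as well as the "#011" form, drops a leading "MSWinEventLog"
    token if the tag was left in the body, and keeps any columns beyond the
    documented ones under 'Extra' instead of silently discarding them.
    """
    parts = unescape_control_chars(msg).lstrip("\t").split("\t")
    if parts and parts[0].strip() == "MSWinEventLog":
        parts = parts[1:]
    if len(parts) < len(SNARE_FIELDS):
        raise ValueError("expected at least %d tab-separated fields, got %d"
                         % (len(SNARE_FIELDS), len(parts)))
    record = dict(zip(SNARE_FIELDS, parts))
    record["Extra"] = "\t".join(parts[len(SNARE_FIELDS):])
    return record


def to_eventlog_columns(record):
    """Map parsed fields onto the LogAnalyzer SystemEvents columns the post
    is trying to fill (EventLogType, EventSource, EventID, EventUser, Message)."""
    return {
        "EventLogType": record["EventLogType"],
        "EventSource": record["SourceName"],
        "EventID": int(record["EventID"]),
        "EventUser": record["UserName"],
        "Message": record["DataString"],
    }


# Constructed sample (not taken verbatim from the post): an anonymous LDAP bind
# reported by NTDS, laid out as the agent would send it.
RAW_SNARE = "\t".join([
    "MSWinEventLog", "1", "Directory Service", "17978", "Thu Mar 10 11:40:39 2011",
    "1139", "NTDS LDAP", "ANONYMOUS LOGON", "Well Known Group", "Information",
    "38866A01", "LDAP Interface",
    "Internal event: Function ldap_search completed with an elapsed time of 0 ms.",
    "", "8585",
])
# The same record after rsyslog's default control-character escaping.
ESCAPED_SNARE = RAW_SNARE.replace("\t", "#011")

if __name__ == "__main__":
    print("F:6 on raw record:     %r" % msg_field(RAW_SNARE, 6))
    print("F:6 on escaped record: %r" % msg_field(ESCAPED_SNARE, 6))
    for key, value in sorted(to_eventlog_columns(parse_snare(ESCAPED_SNARE)).items()):
        print("%-13s %s" % (key, value))
```

Inside rsyslog itself the equivalent fixes are the ones the thread names: $EscapeControlCharactersOnReceive off (already in Stefan's config) or the pmsnare parser, so that the F: replacer sees real tabs. The ",sql" template option is what escapes quotes in the extracted fields before they are interpolated into the INSERT; leave it in place on any template handed to ommysql.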
From: david at lang.hm (david at lang.hm) Date: Tue, 15 Mar 2011 21:34:42 -0700 (PDT) Subject: [rsyslog] Apache/Rsyslog stop working after several hours In-Reply-To: References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com> Message-ID: On Mon, 14 Mar 2011, Todd Michael Bushnell wrote: > David, > > Thanks for the response. This was sent before I did the upgrade. Many > of the problems were resolved with that upgrade. Couple follow-up > points to your thorough email: > > 1. I configured the mainmsgqueue per recommendation of someone else on > the list as a way to prevent rsyslog log processing bottleneck from > causing Apache to choke and die: > > $MainMsgQueueFileName mainqueue > $MainMsgQueueType LinkedList Rainer can correct me here, but I don't think that QueueFileName makes any difference with FixedArray or LinkedList message types > $MainMsgQueueSaveOnShutdown on > > After upgrading and testing performance this might not even be necessary > in my environment. This decision was pre-upgrade. The remaining > bottleneck appears to be my TCP loghosts, but backup queuing here, I > presume, will go in the Action queue, not the main queue so I might end > up removing this. Correct me if I'm wrong here. I think that you are correct, it will back up in the ActionQueue if you have a separate one defined. > 2. You recommended configuring an imfile for Apache, rather than using > logger. This is actually what I want to do for Log4j (and perhaps > Apache), but my reading of imfile documentation gives me the impression > that it's geared toward gobbling up non-syslog formatted data and > turning it into syslog formatted data. Thus the reason it assigns > default facility and severity, on a per-file basis. Yes, this is correct. > Is it also a viable solution for files containing logs from, for > example, Log4j where I have log entries that may be different severity > levels? If not, I'm sure I can break up accordingly. 
> Performance wise, is this a production grade alternative to using Logger
> to throw log messages at the domain socket? I wasn't sure given that the
> online docs for configuring Apache do not mention imfile.

It isn't designed for this, I wonder if the new parser stack can be made to
work with imfile (since Rainer is working on modifications in this area, it
may be a good time for this to be added)

David Lang

> Thanks again for the solid feedback.
>
> Todd
>
> On Mar 14, 2011, at 12:57 PM, david at lang.hm wrote:
>
>> On Mon, 7 Mar 2011, Todd Michael Bushnell wrote:
>>
>>> Appreciate the feedback. Sorry last night's message was so sparse -
>>> wasn't feeling too great and wanted to crash. Few points followed by
>>> my config file:
>>>
>>> 1. Using TCP, not RELP, because I'm still using syslog-NG as central
>>> loghost with rsyslog on servers.
>>
>> Ok, this is still a mechanism that will stall if the server stops
>> accepting messages
>>
>>> 2. Already have configured to queue locally in the event of outage.
>>> See config below. I've tested successfully in the past, but yesterday,
>>> when there were problems, I checked the local queue and did not see
>>> local queueing occurring. Perhaps it was just slow enough to slow
>>> things to a crawl, killing Apache, but not quite slow enough to result
>>> in local queueing. Is that possible? Should I look to tune this?
>>
>> no, if things are slow it will queue locally, and apache will only see
>> things slow down if the queue fills up (or if you are writing the queue
>> to disk, if the disk can't keep up)
>>
>> what are you looking at to decide that rsyslog is not queuing messages?
>>
>>> 3. Running "ancient" version of Rsyslog because this is the latest in
>>> CentOS 5 repo. Figured this is because it's stable which is what I
>>> want. No need for some of the newer bells at this point. If I guessed
>>> wrong here and latest will give me better stability and performance
>>> I'll build new RPMs.
>>
>> the latest will definitely give you better performance, but the other
>> part of the problem is that since it is so old, getting help here is a
>> bit harder, simply because it's hard to remember back that far.
>>
>>> 4. Have a number of admitted design deficiencies with Apache and
>>> Tomcat that could be contributing to performance although this does
>>> not impact sysklog which is why I proceeded as-is until I could get
>>> engineering to fix.
>>>
>>> 4a. Apache uses logger to send to local syslog socket (where rsyslog
>>> writes locally and sends to 2 remote servers) and also writes to its
>>> own files locally so we're logging twice locally for every message.
>>> Not good when traffic gets high, I presume. Just noticed this
>>> yesterday so need to get fixed. To make matters worse, all logging is
>>> happening on the same volume. Until fixed, maybe I should just have
>>> rsyslog write local Apache logs to /dev/null and forward to remote
>>> syslog - nothing else. Thoughts?
>>
>> if you want rsyslog to write the queue to disk you will also have
>> performance issues (the rsyslog disk queue is not very efficient)
>>
>> One question to ask is how critical it is that no logs get lost? you
>> may want to configure rsyslog to discard messages if it gets too many
>> queued rather than stopping apache.
>>
>> or you may want to have apache write log files and then have rsyslog
>> use imfile to read the file.
>>
>>> 4b. Log4j sending directly to syslog servers, writing to its own local
>>> files and sending to localhost:514 for local logging. Would prefer all
>>> gets handed to rsyslog for local and remote logging. Need to get
>>> engineering to fix that too. Like mentioned before, to reduce IO
>>> contention and avoid duplication, might just configure rsyslog to
>>> write to /dev/null as long as it's configured like this. Only question
>>> with 4a/b is that this never posed a problem with sysklog, but is a
>>> problem with rsyslog. This is the reason I did not try to make any
>>> major changes in phase 1.
>>
>> remember that sysklog didn't do TCP logging, it only did UDP logging,
>> so it would send the messages out over the network as fast as it could,
>> and if the receiver can't keep up the message is lost.
>>
>> you may want to do a test with rsyslog using UDP instead of TCP and see
>> if the behavior is what you expect. If it is, then you are losing logs
>> because your central server can't keep up with UDP, but with TCP you
>> are stalling and killing apache instead.
>>
>>> # Configuration File
>>>
>>> # Provides kernel logging support (previously done by rklogd)
>>> $ModLoad imklog
>>> # Provides support for local system logging (e.g. via logger command)
>>> $ModLoad imuxsock
>>>
>>> # Max Message Size (default 2k)
>>> $MaxMessageSize 8192
>>
>> hmm, you may want to look at enabling jumbo packets on your network so
>> that each log message can be pushed in a single packet.
>>
>>> # Must listen on localhost for Log4j. Need engineering to change this
>>> $ModLoad imudp
>>> $UDPServerAddress 127.0.0.1
>>> $UDPServerRun 514
>>>
>>> # Use traditional timestamp format
>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>
>>> # ownership/permissions
>>> $umask 0000
>>> $FileOwner root
>>> $FileGroup wheel
>>> $FileCreateMode 0640
>>>
>>> # include directory for breaking directives into separate files (future)
>>> $IncludeConfig /etc/rsyslog.d/
>>>
>>> # forward to remote host, queueing to local disk if host is down and memory fills up
>>> # work (spool) files directory
>>> $WorkDirectory /var/log/rsyslog
>>>
>>> # loghost1
>>> # in-memory queue; set for asynchronous processing (?)
>>> $ActionQueueType LinkedList
>>
>> in my testing LinkedList was slower than the default. everything does
>> asynchronous processing.
>>
>> but both the default and LinkedList are limited to memory size and the
>> $MainMsgQueueSize or $ActionMsgQueueSize (which I think default to
>> 10000)
>>
>>> # failover queue filename; also enables disk mode
>>> $ActionQueueFileName failqueue-loghost1
>>
>> I don't think this enables disk mode, you also need to set the
>> $ActionQueueType to a disk related type.
>>
>> David Lang
>>
>>> # infinite retries on insert failure
>>> $ActionResumeRetryCount -1
>>> # save in-memory data if rsyslog shuts down
>>> $ActionQueueSaveOnShutdown on
>>> # remote logging of everything
>>> *.* @@loghost1:5140
>>>
>>> # loghost2
>>> # in-memory queue; set for asynchronous processing (?)
>>> $ActionQueueType LinkedList
>>> # failover queue filename; also enables disk mode
>>> $ActionQueueFileName failqueue-loghost2
>>> # infinite retries on insert failure
>>> $ActionResumeRetryCount -1
>>> # save in-memory data if rsyslog shuts down
>>> $ActionQueueSaveOnShutdown on
>>> # remote logging of everything
>>> *.* @@loghost2:5140
>>>
>>> # Log Filtering Rules
>>>
>>> # Emergency Messages
>>> if $syslogseverity <= '0' then *
>>> if $syslogseverity <= '0' then /var/log/messages
>>> if $syslogseverity <= '0' then ~
>>>
>>> # Apache
>>> if $programname == 'logger' and ($msg contains 'access_log' or $msg contains 'cookie_log' or $msg contains 'request_log') then /var/log/http
>>> & ~
>>> if $programname == 'httpd' and ($syslogfacility-text == 'local5' or $syslogfacility-text == 'local6') then /var/log/http_err
>>> & ~
>>>
>>> # Log4j (App Logs)
>>> if $programname == 'com.redacted.infra.syslog.Log4jSystemLogger' then /var/log/log4j
>>> & ~
>>>
>>> # Kernel & IPTables
>>> if $programname == 'kernel' and ($msg contains 'LOGACCEPT' or $msg contains 'LOGDROP') then /var/log/iptables
>>> & ~
>>>
>>> # Auth Messages
>>> if $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' then /var/log/secure
>>> & ~
>>>
>>> # Mail
>>> if $syslogfacility-text == 'mail' then /var/log/maillog
>>> & ~
>>>
>>> # Catchall for remaining log messages
>>> *.* /var/log/messages
>>>
>>> On Mar 6, 2011, at 10:43 PM, Todd Michael Bushnell wrote:
>>>
>>>> Been planning an rsyslog deployment for about a month. Everything
>>>> performed as expected in my limited use dev environment, but when I
>>>> deployed rsyslog today to my production environment multiple systems
>>>> yielded similar disastrous results:
>>>>
>>>> After a few hours Apache jumped up to 250+ processes (max=256,
>>>> normal=~50) and then started hanging. At this time, rsyslog also
>>>> stopped logging altogether. As soon as I killed rsyslog and started
>>>> sysklog, httpd processes dropped to 50 and everything went back to
>>>> normal.
>>>>
>>>> I'm not sure if this is a case where rsyslog froze and its state
>>>> resulted in Apache's inability to close processes or if there is a
>>>> problem with Apache and Rsyslog when a decent volume of traffic is
>>>> passed through. I'm happy to provide additional information if
>>>> someone could give me some clues as to where to start looking. At
>>>> this point we're reverting until I can diagnose this issue and assure
>>>> my team that I've fixed the problem for good.
>>>>
>>>> Version: rsyslog-3.22.1-3.el5_5.1
>>>> System: Linux ******* 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Todd Michael Bushnell
>>>> toddmichael at gmail.com
From: david at lang.hm (david at lang.hm)
Date: Tue, 15 Mar 2011 21:40:57 -0700 (PDT)
Subject: [rsyslog] imfile ideas
In-Reply-To:
References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com>
Message-ID:

deliberately breaking the subject here to call attention to this portion of
a prior post

On Tue, 15 Mar 2011, david at lang.hm wrote:

> On Mon, 14 Mar 2011, Todd Michael Bushnell wrote:
>
>> Is it also a viable solution for files containing logs from, for example,
>> Log4j where I have log entries that may be different severity levels? If
>> not, I'm sure I can break up accordingly. Performance wise, is this a
>> production grade alternative to using Logger to throw log messages at the
>> domain socket? I wasn't sure given that the online docs for configuring
>> Apache do not mention imfile.
>
> It isn't designed for this, I wonder if the new parser stack can be made to
> work with imfile (since Rainer is working on modifications in this area, it
> may be a good time for this to be added)

I'm wondering if it would make sense to change imfile to use a parser stack
like the other inputs, this way if you have a file with specific formats you
could easily write a parser to do an excellent job with that format.

I don't know if the existing paragraph variation to imfile could be re-worked
as a set of parsers, or if they would need to remain, with the parser kicking
in on the data selected (line, or paragraph based)

the default parser would be 'make all the data be the message, and set the
type and severity from config variables' to match existing behavior.

David Lang
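What a per-format parser of the kind David proposes would do, as an added example (editorial, not rsyslog code and not posted by anyone in the thread): imfile today assigns one facility and severity per file, so every line of a Log4j file lands at the same severity; the sketch below instead reads each record's own level. It splits a Log4j-style stream into records, folds stack-trace continuation lines into the record they belong to (the "paragraph" case David mentions), and maps the level to a syslog severity to build an RFC 3164-style PRI. The Log4j layout, the facility (local0), the tag and the sample lines are all constructed for the example.

```python
"""Per-record syslog severity for a Log4j file (added example, not rsyslog)."""
from __future__ import annotations

import re
from typing import Iterable, Iterator

LOCAL0 = 16  # syslog facility code; assumed for the example

# Log4j level -> syslog severity (RFC 5424, table 2)
LEVEL_TO_SEVERITY = {
    "FATAL": 2,  # critical
    "ERROR": 3,  # error
    "WARN": 4,   # warning
    "INFO": 6,   # informational
    "DEBUG": 7,  # debug
    "TRACE": 7,  # syslog has nothing below debug
}
# An unrecognised level becomes 'notice' so that a mis-parsed record stays
# visible downstream instead of quietly turning into 'info'.
UNKNOWN_SEVERITY = 5

# Constructed layout: "YYYY-MM-DD HH:MM:SS,mmm LEVEL [logger] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)


def iter_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per log record.

    A line that does not match the layout (stack-trace frame, wrapped
    message text) is a continuation of the previous record; it is appended
    with its line break collapsed to a space so the record stays a single
    syslog message. Lines before the first record header are dropped.
    """
    current = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = LINE_RE.match(line)
        if m:
            if current is not None:
                yield current
            current = m.groupdict()
        elif current is not None and line.strip():
            current["msg"] += " " + line.strip()
    if current is not None:
        yield current


def to_syslog(record: dict, facility: int = LOCAL0, tag: str = "log4j") -> tuple[int, str]:
    """Return (pri, message) for one record; PRI = facility * 8 + severity."""
    severity = LEVEL_TO_SEVERITY.get(record["level"], UNKNOWN_SEVERITY)
    pri = facility * 8 + severity
    text = f"<{pri}>{tag}: [{record['logger']}] {record['msg']}"
    return pri, text


# Constructed sample: three records, the second one followed by a stack trace.
SAMPLE = (
    "2011-03-16 05:34:42,001 INFO  [org.apache.catalina.startup.Catalina] Server startup in 1234 ms\n"
    "2011-03-16 05:35:01,250 ERROR [com.example.app.Dao] query failed\n"
    "java.sql.SQLException: connection reset\n"
    "\tat com.example.app.Dao.query(Dao.java:42)\n"
    "2011-03-16 05:35:02,000 WARN  [com.example.app.Pool] pool exhausted, waiting\n"
)


def convert(text: str = SAMPLE) -> list[tuple[int, str]]:
    """Convert a whole Log4j text into a list of (pri, syslog message)."""
    return [to_syslog(r) for r in iter_records(text.splitlines(True))]


if __name__ == "__main__":
    for _pri, msg in convert():
        print(msg)
```

Running it on the sample yields three messages at severities 6, 3 and 4 (PRI 134, 131, 132); the exception and its frame travel inside the ERROR record rather than becoming separate INFO-level lines, which is exactly the distinction a fixed per-file severity loses.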
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 16 Mar 2011 11:06:51 +0100
Subject: [rsyslog] imfile refactoring
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE14@GRFEXC.intern.adiscon.com>

Good news on the refactoring:

http://blog.gerhards.net/2011/03/refactored-imfile-module-now-publically.html

Feedback appreciated!

Rainer

From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 16 Mar 2011 11:10:37 +0100
Subject: [rsyslog] imfile ideas
In-Reply-To:
References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE15@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Wednesday, March 16, 2011 5:41 AM
> To: rsyslog-users
> Subject: [rsyslog] imfile ideas
>
> deliberately breaking the subject here to call attention to this portion of
> a prior post
>
> I'm wondering if it would make sense to change imfile to use a parser stack
> like the other inputs, this way if you have a file with specific formats you
> could easily write a parser to do an excellent job with that format.
>
> I don't know if the existing paragraph variation to imfile could be
> re-worked as a set of parsers, or if they would need to remain, with the
> parser kicking in on the data selected (line, or paragraph based)
>
> the default parser would be 'make all the data be the message, and set the
> type and severity from config variables' to match existing behavior.

This sounds like a very interesting approach. But I'd like to wait for the
imfile refactoring to finish, because the more we change in existing code,
the harder it becomes to merge both together.
Rainer

> David Lang

From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 16 Mar 2011 11:14:48 +0100
Subject: [rsyslog] Apache/Rsyslog stop working after several hours
In-Reply-To:
References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE16@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Wednesday, March 16, 2011 5:35 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Apache/Rsyslog stop working after several hours
>
> On Mon, 14 Mar 2011, Todd Michael Bushnell wrote:
>
> > David,
> >
> > Thanks for the response. This was sent before I did the upgrade.
> > Many of the problems were resolved with that upgrade. Couple
> > follow-up points to your thorough email:
> >
> > 1. I configured the mainmsgqueue per recommendation of someone else
> > on the list as a way to prevent rsyslog log processing bottleneck from
> > causing Apache to choke and die:
> >
> > $MainMsgQueueFileName mainqueue
> > $MainMsgQueueType LinkedList
>
> Rainer can correct me here, but I don't think that QueueFileName makes any
> difference with FixedArray or LinkedList message types

As usual, David is absolutely right :) The queue file name is simply ignored
in that case.

Rainer
From: friedl at hq.adiscon.com (Florian Riedl)
Date: Wed, 16 Mar 2011 17:35:20 +0100
Subject: [rsyslog] rsyslog 5.7.9 (beta) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE1C@GRFEXC.intern.adiscon.com>

Hi everyone,

We have just released rsyslog 5.7.9, the new v5-beta.

This is primarily a bug-fixing release with a small enhancement handling a
very uncommon case (rsyslog build on newer kernel and executed on older
one). This probably is the last 5.7 release before the beginning of the new
stable 5.8 versions.

PLEASE NOTE that this version contains fixes which are not yet part of
v5-stable. Especially the fix for bug 236 (failover scenario) is rather big
and it has some potential for regressions. So we decided to release v5-beta
first, check the feedback, and only after that release the updated
v5-stable. As such, feedback would be deeply appreciated (even more than
usual ;)).

Please see the ChangeLog for more details.

ChangeLog: http://www.rsyslog.com/changelog-for-5-7-9-v5-beta/
Download: http://www.rsyslog.com/rsyslog-5-7-9-v5-beta/

As always, feedback is appreciated.

Best regards,
Florian Riedl

--
Support
=======
Improving rsyslog is costly, but you can help! We are looking for
organizations that find rsyslog useful and wish to contribute back. You can
contribute by reporting bugs, improve the software, or donate money or
equipment. Commercial support contracts for rsyslog are available, and they
help finance continued maintenance. Adiscon GmbH, a privately held German
company, is currently funding rsyslog development. We are always looking
for interesting development projects. For details on how to help, please
see http://www.rsyslog.com/doc-how2help.html.
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Wed, 16 Mar 2011 17:17:38 -0700
Subject: [rsyslog] Back logs from disk assisted queue not flowing to central loghost after service restored
Message-ID:

Have central loghost configured with disk assisted queue like so:

$WorkDirectory /var/log/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName failqueue-loghost2
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

# remote logging of everything
*.* @@loghost1:5140

Central loghost still running syslog-ng. Had a problem with it that caused
it to fail on multiple occasions over the past couple days. Resolved the
problem and logs are now flowing to it, but the files that were created on
the clients during this period are not going away, nor are the back logs
flowing to the central loghost. For example:

# syslog client
#/var/log/syslog
-rw------- 1 root root 1049189 Mar 16 01:13 failqueue-loghost2.00000002
-rw------- 1 root root 1048848 Mar 14 13:25 failqueue-loghost2.00000003
-rw------- 1 root root 1048648 Mar 14 17:20 failqueue-loghost2.00000004
-rw------- 1 root root 1049066 Mar 15 00:19 failqueue-loghost2.00000005
-rw------- 1 root root 1048619 Mar 15 00:27 failqueue-loghost2.00000006
-rw------- 1 root root 1048907 Mar 15 13:20 failqueue-loghost2.00000007
-rw------- 1 root root 949887 Mar 16 01:13 failqueue-loghost2.00000008
-rw------- 1 root root 1653 Mar 16 01:13 failqueue-loghost2.qi

Running rsyslog-5.6.4.

From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 17 Mar 2011 08:39:23 +0100
Subject: [rsyslog] Back logs from disk assisted queue not flowing to centralloghost after service restored
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com>

This looks like we need a debug log...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
> Sent: Thursday, March 17, 2011 1:18 AM
> To: rsyslog-users
> Subject: [rsyslog] Back logs from disk assisted queue not flowing to
> centralloghost after service restored
>
> Have central loghost configured with disk assisted queue like so:
>
> $WorkDirectory /var/log/rsyslog
> $ActionQueueType LinkedList
> $ActionQueueFileName failqueue-loghost2
> $ActionResumeRetryCount -1
> $ActionQueueSaveOnShutdown on
>
> # remote logging of everything
> *.* @@loghost1:5140
>
> Central loghost still running syslog-ng. Had a problem with it that
> caused it to fail on multiple occasions over the past couple days.
> Resolved the problem and logs are now flowing to it, but the files that
> were created on the clients during this period are not going away, nor
> are the back logs flowing to the central loghost. For example:
>
> # syslog client
> #/var/log/syslog
> -rw------- 1 root root 1049189 Mar 16 01:13 failqueue-loghost2.00000002
> -rw------- 1 root root 1048848 Mar 14 13:25 failqueue-loghost2.00000003
> -rw------- 1 root root 1048648 Mar 14 17:20 failqueue-loghost2.00000004
> -rw------- 1 root root 1049066 Mar 15 00:19 failqueue-loghost2.00000005
> -rw------- 1 root root 1048619 Mar 15 00:27 failqueue-loghost2.00000006
> -rw------- 1 root root 1048907 Mar 15 13:20 failqueue-loghost2.00000007
> -rw------- 1 root root 949887 Mar 16 01:13 failqueue-loghost2.00000008
> -rw------- 1 root root 1653 Mar 16 01:13 failqueue-loghost2.qi
>
> Running rsyslog-5.6.4.
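A monitoring check for the situation Todd describes above, added here as an editorial example (it is not rsyslog code and was not posted by anyone in the thread). A client whose disk-assisted queue never drains is a silent gap in central log coverage, so it is worth detecting rather than noticing by hand. The check relies only on what the thread shows: the backlog of an action with $ActionQueueFileName lives in $WorkDirectory as segment files named QueueFileName.NNNNNNNN plus a QueueFileName.qi index; once the loghost accepts messages again the segments should shrink and disappear. It snapshots the directory (or parses an `ls -l` listing), sums the segment bytes, and reports the queue as stuck when segments exist but none has changed within a grace period. The one-hour grace period, the year supplied when parsing `ls -l` output, and the reuse of Todd's listing as sample input are constructed for the example; the .qi file is not interpreted because its format is not described on the page.

```python
"""Detect a disk-assisted rsyslog action queue that is not draining
(added example; not rsyslog code and not from any list participant)."""
from __future__ import annotations

import os
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta

# <QueueFileName>.<8-digit sequence>, as in the listing from the thread
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<seq>\d{8})$")


@dataclass(frozen=True)
class QueueFile:
    name: str
    size: int
    mtime: datetime


@dataclass(frozen=True)
class QueueStatus:
    queue_name: str
    segments: int
    backlog_bytes: int
    newest_mtime: datetime | None
    stuck: bool


def files_from_dir(path: str) -> list[QueueFile]:
    """Snapshot a live $WorkDirectory (read-only; nothing is modified)."""
    out = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file():
                st = entry.stat()
                out.append(QueueFile(entry.name, st.st_size,
                                     datetime.fromtimestamp(st.st_mtime)))
    return out


def files_from_listing(listing: str, year: int) -> list[QueueFile]:
    """Parse `ls -l` lines. ls prints 'Mon DD HH:MM' for recent files and
    'Mon DD YYYY' for old ones; `year` is used only in the first case."""
    out = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue  # comments, directories, blank lines
        mon, day, clock = parts[5], parts[6], parts[7]
        if ":" in clock:
            mtime = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M")
        else:
            mtime = datetime.strptime(f"{clock} {mon} {day}", "%Y %b %d")
        out.append(QueueFile(parts[8], int(parts[4]), mtime))
    return out


def assess(files, queue_name: str, now: datetime,
           grace: timedelta = timedelta(hours=1)) -> QueueStatus:
    """Sum the segment backlog and flag it as stuck when segments exist but
    none was touched within `grace`. The .qi index is not counted: it is
    bookkeeping, not queued data."""
    segments = [f for f in files
                if (m := SEGMENT_RE.match(f.name)) and m.group("base") == queue_name]
    backlog = sum(f.size for f in segments)
    newest = max((f.mtime for f in segments), default=None)
    stuck = newest is not None and (now - newest) > grace
    return QueueStatus(queue_name, len(segments), backlog, newest, stuck)


# The listing Todd posted, reused here as constructed sample input.
SAMPLE_LISTING = """\
-rw------- 1 root root 1049189 Mar 16 01:13 failqueue-loghost2.00000002
-rw------- 1 root root 1048848 Mar 14 13:25 failqueue-loghost2.00000003
-rw------- 1 root root 1048648 Mar 14 17:20 failqueue-loghost2.00000004
-rw------- 1 root root 1049066 Mar 15 00:19 failqueue-loghost2.00000005
-rw------- 1 root root 1048619 Mar 15 00:27 failqueue-loghost2.00000006
-rw------- 1 root root 1048907 Mar 15 13:20 failqueue-loghost2.00000007
-rw------- 1 root root  949887 Mar 16 01:13 failqueue-loghost2.00000008
-rw------- 1 root root    1653 Mar 16 01:13 failqueue-loghost2.qi
"""


def check_sample(now_iso: str, listing: str = SAMPLE_LISTING) -> QueueStatus:
    """Run the check over a listing, with the year 2011 assumed for `ls -l`."""
    return assess(files_from_listing(listing, 2011), "failqueue-loghost2",
                  datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # usage: python queuecheck.py /var/log/rsyslog failqueue-loghost2
    status = assess(files_from_dir(sys.argv[1]), sys.argv[2], datetime.now())
    print(status)
    sys.exit(2 if status.stuck else 0)
```

Against Todd's listing, evaluated at the time of Rainer's reply, the check reports seven segments, about 7.2 MB of backlog, a newest segment from Mar 16 01:13 and therefore a stuck queue; a queue that is merely busy keeps touching its newest segment and stays under the grace period.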
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Thu, 17 Mar 2011 07:52:37 -0700
Subject: [rsyslog] Back logs from disk assisted queue not flowing to centralloghost after service restored
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com>
Message-ID: <6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com>

Will do Rainer. Just confirming, I should send zipped debug logs to this
list or is there a private email address you prefer? Also, I ran debug on an
existing system moments ago - a system that currently has several of these
"stuck" failqueue logfiles. Want to make sure that will give you what you
need or if I need to start over, simulate a central loghost outage and grab
that information? If the former, I have what you need and will send once I
get confirm on location to send. The latter will take some time so I can
simulate worthwhile test. Thx.

todd

On Mar 17, 2011, at 12:39 AM, Rainer Gerhards wrote:

> This looks like we need a debug log...
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
>> Sent: Thursday, March 17, 2011 1:18 AM
>> To: rsyslog-users
>> Subject: [rsyslog] Back logs from disk assisted queue not flowing to
>> centralloghost after service restored
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 17 Mar 2011 16:01:13 +0100
Subject: [rsyslog] Back logs from disk assisted queue not flowing tocentralloghost after service restored
In-Reply-To: <6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com> <6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com>

Please feel free to send to my private email address (the list will probably
reject due to size anyway). I promise to have a quick look, but I will
probably not be able to have an in-depth look until some time next week (but
hopefully the quick look helps ;))

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
> Sent: Thursday, March 17, 2011 3:53 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Back logs from disk assisted queue not flowing
> tocentralloghost after service restored
>
> Will do Rainer. Just confirming, I should send zipped debug logs to this
> list or is there a private email address you prefer? Also, I ran debug on
> an existing system moments ago - a system that currently has several of
> these "stuck" failqueue logfiles. Want to make sure that will give you
> what you need or if I need to start over, simulate a central loghost
> outage and grab that information? If the former, I have what you need and
> will send once I get confirm on location to send. The latter will take
> some time so I can simulate worthwhile test. Thx.
>
> todd
>
> On Mar 17, 2011, at 12:39 AM, Rainer Gerhards wrote:
>
> > This looks like we need a debug log...
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
> >> Sent: Thursday, March 17, 2011 1:18 AM
> >> To: rsyslog-users
> >> Subject: [rsyslog] Back logs from disk assisted queue not flowing to
> >> centralloghost after service restored
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 17 Mar 2011 16:53:49 +0100
Subject: [rsyslog] Back logs from disk assisted queue not flowingtocentralloghost after service restored
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com> <6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE34@GRFEXC.intern.adiscon.com>

I have had a quick look at the debug log. Check line 133. It looks like
there is some problem within the queue file. This makes rsyslog switch over
to using a pure memory queue.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, March 17, 2011 4:01 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Back logs from disk assisted queue not
> flowingtocentralloghost after service restored
>
> Please feel free to send to my private email address (the list will
> probably reject due to size anyway). I promise to have a quick look, but I
> will probably not be able to have an in-depth look until some time next
> week (but hopefully the quick look helps ;))
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
> > Sent: Thursday, March 17, 2011 3:53 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Back logs from disk assisted queue not flowing
> > tocentralloghost after service restored
> > >>
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From david at lang.hm Thu Mar 17 20:35:24 2011
From: david at lang.hm (david at lang.hm)
Date: Thu, 17 Mar 2011 12:35:24 -0700 (PDT)
Subject: [rsyslog] imfile ideas
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDE15@GRFEXC.intern.adiscon.com>
References: <40818077-A94B-437A-A0DA-858E4AD5652F@gmail.com> <35048BEA-52A9-4965-8BD5-D32ED0933D1D@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDE15@GRFEXC.intern.adiscon.com>
Message-ID:

On Wed, 16 Mar 2011, Rainer Gerhards wrote:
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>>
>> deliberately breaking the subject here to call attention to this portion
>> of a prior post
>>
>> On Tue, 15 Mar 2011, david at lang.hm wrote:
>>
>>> On Mon, 14 Mar 2011, Todd Michael Bushnell wrote:
>>>
>>>> Is it also a viable solution for files containing logs from, for
>>>> example, Log4j where I have log entries that may be different
>>>> severity levels? If not, I'm sure I can break up accordingly.
>>>> Performance wise, is this a production grade alternative to using
>>>> Logger to throw log messages at the domain socket? I wasn't sure
>>>> given that the online docs for configuring Apache do not mention imfile.
>>>
>>> It isn't designed for this, I wonder if the new parser stack can be
>>> made to work with imfile (since Rainer is working on modifications in
>>> this area, it may be a good time for this to be added)
>>
>> I'm wondering if it would make sense to change imfile to use a parser stack
>> like the other inputs, this way if you have a file with specific formats you
>> could easily write a parser to do an excellent job with that format.
>>
>> I don't know if the existing paragraph variation to imfile could be
>> re-worked as a set of parsers, or if they would need to remain, with
>> the parser kicking in on the data selected (line, or paragraph based)
>>
>> the default parser would be 'make all the data be the message, and set the
>> type and severity from config variables' to match existing behavior.
>
> This sounds like a very interesting approach. But I'd like to wait for the
> imfile refactoring to finish, because the more we change in existing code,
> the harder it becomes to merge both together.

I was definitely thinking in terms of this happening in the new version, not the existing one.

David Lang

From toddmichael at gmail.com Fri Mar 18 06:34:19 2011
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Thu, 17 Mar 2011 22:34:19 -0700
Subject: [rsyslog] Back logs from disk assisted queue not flowingtocentralloghost after service restored
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDE34@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com> <6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com> <9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DDE34@GRFEXC.intern.adiscon.com>
Message-ID:

Rainer,

Will send you additional debug to your private email momentarily. Here's what I'm seeing:

As expected, rsyslog starts to locally queue logs in file identified by ActionQueueFileName (e.g. failqueue-loghost#.0000n) if central loghost is inaccessible. This is good. To simulate, I use iptables to block traffic to one of my loghosts and then blast 10,000 messages on that client. Here's what $WorkDirectory looks like when I do this:

[root at server1 rsyslog]# ls -al
total 4988
drwxr-x--- 2 root wheel 4096 Mar 17 21:34 .
drwxr-xr-x 7 root root 4096 Mar 17 04:08 ..
-rw------- 1 root root 619948 Mar 17 21:34 failqueue-loghost1.00000002
-rw------- 1 root root 1048800 Mar 17 21:34 failqueue-loghost2.00000001
-rw------- 1 root root 1048850 Mar 17 21:34 failqueue-loghost2.00000002
-rw------- 1 root root 1048581 Mar 17 21:34 failqueue-loghost2.00000003
-rw------- 1 root root 1048988 Mar 17 21:34 failqueue-loghost2.00000004
-rw------- 1 root root 234515 Mar 17 21:34 failqueue-loghost2.00000005

Note: loghost2 is the server I make inaccessible. loghost1 is still accessible. Assume it's queuing because loghost can't keep up with message blast.

I then restart iptables to make loghost2 accessible again. After a minute or so I check $WorkDirectory and it looks like this:

[root at server1 rsyslog]# ls -al
total 860
drwxr-x--- 2 root wheel 4096 Mar 17 21:36 .
drwxr-xr-x 7 root root 4096 Mar 17 04:08 ..
-rw------- 1 root root 621295 Mar 17 21:36 failqueue-loghost1.00000002
-rw------- 1 root root 236716 Mar 17 21:36 failqueue-loghost2.00000005

So as you can see, most of the logs clear out as expected, but I'm always left with one logfile for each of my logservers. When I check the central loghosts they have already received all of the test messages, so these remaining files contain messages that the central loghosts already have. Furthermore, future logs destined for the central loghosts get appended to these files even though they are arriving at the central loghosts.

I then stop rsyslog (I clearly identify where I do this by echoing "RSYSLOG RESTART" in debug file) and start it back up. When I do this, both files go away.

Note: though not represented in this debug, I'm sometimes seeing the same behavior with my MainMsgQueue. The file will stick around and all new log entries get copied to it until rsyslog is restarted and the files go away.

Hopefully the debug log will provide some answers. Thx.

Todd

On Mar 17, 2011, at 8:53 AM, Rainer Gerhards wrote:

> I have had a quick look at the debug log. Check line 133. It looks like there
> is some problem within the queue file. This makes rsyslog switch over to
> using a pure memory queue.
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>> Sent: Thursday, March 17, 2011 4:01 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Back logs from disk assisted queue not
>> flowingtocentralloghost after service restored
>>
>> Please feel free to send to my private email address (the list will
> probably
>> reject due to size anyway). I promise to have a quick look, but I will
> probably
>> not be able to have an in-depth look until some time next week (but
>> hopefully the quick look helps ;))
>>
>> Rainer
>>
>>> -----Original Message-----
>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell >>> Sent: Thursday, March 17, 2011 3:53 PM >>> To: rsyslog-users >>> Subject: Re: [rsyslog] Back logs from disk assisted queue not flowing >>> tocentralloghost after service restored >>> >>> Will do Rainer. Just confirming, I should send zipped debug logs to >>> this >> list or >>> is there a private email address you prefer? Also, I ran debug on an >> existing >>> system moments ago - a system that currently has several of these "stuck" >>> failqueue logfiles. Want to make sure that will give you what you >>> need or >> if I >>> need to start over, simulate a central loghost outage and grab that >>> information? If the former, I have what you need and will send once I >>> get confirm on location to send. The latter will take some time so I >>> can >> simulate >>> worthwhile test. Thx. >>> >>> todd >>> >>> >>> >>> >>> On Mar 17, 2011, at 12:39 AM, Rainer Gerhards wrote: >>> >>>> This looks like we need a debug log... >>>> >>>> Rainer >>>> >>>>> -----Original Message----- 
>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>>>> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell >>>>> Sent: Thursday, March 17, 2011 1:18 AM >>>>> To: rsyslog-users >>>>> Subject: [rsyslog] Back logs from disk assisted queue not flowing >>>>> to centralloghost after service restored >>>>> >>>>> Have central loghost configured with disk assisted queue like so: >>>>> >>>>> $WorkDirectory /var/log/rsyslog >>>>> $ActionQueueType LinkedList >>>>> $ActionQueueFileName failqueue-loghost2 $ActionResumeRetryCount >> -1 >>>>> $ActionQueueSaveOnShutdown on >>>>> >>>>> # remote logging of everything >>>>> *.* @@loghost1:5140 >>>>> >>>>> Central loghost still running syslog-ng. Had a problem with it >>>>> that caused it to fail on multiple occasions over the past couple > days. >>>>> Resolved the problem and logs are now flowing to it, but the files >>>>> that were created on the clients during this period are not going >>>>> away, nor are the back logs flowing to the central loghost. For > example: >>>>> >>>>> # syslog client >>>>> #/var/log/syslog >>>>> -rw------- 1 root root 1049189 Mar 16 01:13 >>>>> failqueue-loghost2.00000002 >>>>> -rw------- 1 root root 1048848 Mar 14 13:25 >>>>> failqueue-loghost2.00000003 >>>>> -rw------- 1 root root 1048648 Mar 14 17:20 >>>>> failqueue-loghost2.00000004 >>>>> -rw------- 1 root root 1049066 Mar 15 00:19 >>>>> failqueue-loghost2.00000005 >>>>> -rw------- 1 root root 1048619 Mar 15 00:27 >>>>> failqueue-loghost2.00000006 >>>>> -rw------- 1 root root 1048907 Mar 15 13:20 >>>>> failqueue-loghost2.00000007 >>>>> -rw------- 1 root root 949887 Mar 16 01:13 > failqueue-loghost2.00000008 >>>>> -rw------- 1 root root 1653 Mar 16 01:13 failqueue-loghost2.qi >>>>> >>>>> Running rsyslog-5.6.4. 
>>>>> >>>>> _______________________________________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>> http://www.rsyslog.com >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From rgerhards at hq.adiscon.com Fri Mar 18 09:58:19 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Fri, 18 Mar 2011 09:58:19 +0100 Subject: [rsyslog] Back logs from disk assisted queue notflowingtocentralloghost after service restored In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com><6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com><9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DDE34@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE39@GRFEXC.intern.adiscon.com> Hi Todd, thanks for the detailed report. Unfortunately, I do not have time at the moment to go through this longer debugging effort (I need to create slides for a conference next week, plus have to do some paid work...). I'd appreciate if you could open a bug tracker with the info. I will look at it asap, but that's probably after next week. Rainer > -----Original Message----- 
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell > Sent: Friday, March 18, 2011 6:34 AM > To: rsyslog-users > Subject: Re: [rsyslog] Back logs from disk assisted queue > notflowingtocentralloghost after service restored > > Rainer, > > Will send you additional debug to your private email momentarily. Here's > what I'm seeing: As expected, rsyslog starts to locally queue logs in file > identified by ActionQueueFileName (e.g. failqueue-loghost#.0000n) if central > loghost is inaccessible. This is good. To simulate, I use iptables to block traffic > to one of my loghosts and then blast 10,000 messages on that client. Here's > what $WorkDirectory looks like when I do this: > > [root at server1 rsyslog]# ls -al > total 4988 > drwxr-x--- 2 root wheel 4096 Mar 17 21:34 . > drwxr-xr-x 7 root root 4096 Mar 17 04:08 .. > -rw------- 1 root root 619948 Mar 17 21:34 failqueue-loghost1.00000002 > -rw------- 1 root root 1048800 Mar 17 21:34 failqueue-loghost2.00000001 > -rw------- 1 root root 1048850 Mar 17 21:34 failqueue-loghost2.00000002 > -rw------- 1 root root 1048581 Mar 17 21:34 failqueue-loghost2.00000003 > -rw------- 1 root root 1048988 Mar 17 21:34 failqueue-loghost2.00000004 > -rw------- 1 root root 234515 Mar 17 21:34 failqueue-loghost2.00000005 > > Note: loghost2 is the server I make inaccessible. loghost1 is still accessible. > assume it's queuing because loghost can't keep up with message blast. > > I then restart iptables to make loghost2 accessible again. after a minute or so > I check $WorkDirectory and it looks like this: > > [root at server1 rsyslog]# ls -al > total 860 > drwxr-x--- 2 root wheel 4096 Mar 17 21:36 . > drwxr-xr-x 7 root root 4096 Mar 17 04:08 .. 
> -rw------- 1 root root 621295 Mar 17 21:36 failqueue-loghost1.00000002 > -rw------- 1 root root 236716 Mar 17 21:36 failqueue-loghost2.00000005 > > So as you can see, most of the logs clear out as expected, but I'm always left > with one logfile for each of my logservers. When I check the central loghosts > they have already received all of the test messages so these remaining files > contain messages that the central loghosts already have. Furthermore, > future logs destined for the central loghosts get appended to these files > even though they are arriving at the central loghosts. > > I then stop rsyslog (I clearly identify where I do this by echoing "RSYSLOG > RESTART" in debug file) and start it back up. When I do this, both files go > away. > > Note: though not represented in this debug, I'm sometimes seeing the same > behavior with the my MainMsgQueue. The file will stick around and all new > log entries get copied to it until rsyslog is restarted and the files go away. > > Hopefully the debug log will provide some answers. Thx. > > Todd > > On Mar 17, 2011, at 8:53 AM, Rainer Gerhards wrote: > > > I have had a quick look at the debug log. Check line 133. It looks > > like there is some problem within the queue file. This makes rsyslog > > switch over to using a pure memory queue. > > > > Rainer > > > >> -----Original Message----- 
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards > >> Sent: Thursday, March 17, 2011 4:01 PM > >> To: rsyslog-users > >> Subject: Re: [rsyslog] Back logs from disk assisted queue not > >> flowingtocentralloghost after service restored > >> > >> Please feel free to send to my private email address (the list will > > probably > >> reject due to size anyway). I promise to have a quick look, but I > >> will > > probably > >> not be able to have an in-depth look until some time next week (but > >> hopefully the quick look helps ;)) > >> > >> Rainer > >> > >>> -----Original Message----- > >>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >>> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell > >>> Sent: Thursday, March 17, 2011 3:53 PM > >>> To: rsyslog-users > >>> Subject: Re: [rsyslog] Back logs from disk assisted queue not > >>> flowing tocentralloghost after service restored > >>> > >>> Will do Rainer. Just confirming, I should send zipped debug logs to > >>> this > >> list or > >>> is there a private email address you prefer? Also, I ran debug on > >>> an > >> existing > >>> system moments ago - a system that currently has several of these > "stuck" > >>> failqueue logfiles. Want to make sure that will give you what you > >>> need or > >> if I > >>> need to start over, simulate a central loghost outage and grab that > >>> information? If the former, I have what you need and will send once > >>> I get confirm on location to send. The latter will take some time > >>> so I can > >> simulate > >>> worthwhile test. Thx. > >>> > >>> todd > >>> > >>> > >>> > >>> > >>> On Mar 17, 2011, at 12:39 AM, Rainer Gerhards wrote: > >>> > >>>> This looks like we need a debug log... > >>>> > >>>> Rainer > >>>> > >>>>> -----Original Message----- 
> >>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >>>>> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell > >>>>> Sent: Thursday, March 17, 2011 1:18 AM > >>>>> To: rsyslog-users > >>>>> Subject: [rsyslog] Back logs from disk assisted queue not flowing > >>>>> to centralloghost after service restored > >>>>> > >>>>> Have central loghost configured with disk assisted queue like so: > >>>>> > >>>>> $WorkDirectory /var/log/rsyslog > >>>>> $ActionQueueType LinkedList > >>>>> $ActionQueueFileName failqueue-loghost2 > $ActionResumeRetryCount > >> -1 > >>>>> $ActionQueueSaveOnShutdown on > >>>>> > >>>>> # remote logging of everything > >>>>> *.* @@loghost1:5140 > >>>>> > >>>>> Central loghost still running syslog-ng. Had a problem with it > >>>>> that caused it to fail on multiple occasions over the past couple > > days. > >>>>> Resolved the problem and logs are now flowing to it, but the files > >>>>> that were created on the clients during this period are not going > >>>>> away, nor are the back logs flowing to the central loghost. For > > example: > >>>>> > >>>>> # syslog client > >>>>> #/var/log/syslog > >>>>> -rw------- 1 root root 1049189 Mar 16 01:13 > >>>>> failqueue-loghost2.00000002 > >>>>> -rw------- 1 root root 1048848 Mar 14 13:25 > >>>>> failqueue-loghost2.00000003 > >>>>> -rw------- 1 root root 1048648 Mar 14 17:20 > >>>>> failqueue-loghost2.00000004 > >>>>> -rw------- 1 root root 1049066 Mar 15 00:19 > >>>>> failqueue-loghost2.00000005 > >>>>> -rw------- 1 root root 1048619 Mar 15 00:27 > >>>>> failqueue-loghost2.00000006 > >>>>> -rw------- 1 root root 1048907 Mar 15 13:20 > >>>>> failqueue-loghost2.00000007 > >>>>> -rw------- 1 root root 949887 Mar 16 01:13 > > failqueue-loghost2.00000008 > >>>>> -rw------- 1 root root 1653 Mar 16 01:13 failqueue-loghost2.qi > >>>>> > >>>>> Running rsyslog-5.6.4. 
> >>>>>
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>> http://www.rsyslog.com
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From corsmith at gmail.com Fri Mar 18 19:09:36 2011
From: corsmith at gmail.com (Corey Smith)
Date: Fri, 18 Mar 2011 14:09:36 -0400
Subject: [rsyslog] imsolaris unexpected behavior
Message-ID:

We are using rsyslog-4.7.3 on solaris 10 i86pc and getting unexpected behavior when we try to run rsyslog as the only system logger. All of the normal system syslogs processed by imsolaris seem to be facility user.notice.

Format:

$template CustomFileFormat,"%timestamp% %syslogfacility-text%.%syslogseverity-text% %fromhost:::lowercase% %syslogtag%%msg:::drop-last-lf%\n"

Example:

Mar 18 13:59:43 user.notice 2.2.2.2 xntpd[330]: [ID 854739 daemon.info] synchronized to 1.1.1.1, stratum=2

The expectation is that the facility in this example would be "daemon.info" and not "user.notice". The original log message would have been "xntpd[330]: synchronized to 1.1.1.1, stratum=2".

-Corey Smith

From corsmith at gmail.com Mon Mar 21 14:53:34 2011
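To make the mismatch Corey describes concrete, here is an added example (my code, not rsyslog's parser.c) of the two ways a PRI parser can treat a message that arrives without a "<PRI>" header: one that always writes facility/severity from a default, which turns the daemon.info that imsolaris already knows about into user.notice, and one that leaves the input module's values alone when no header is present. The names (struct msg, parse_pri, parse_pri_overwrite) are mine; the user.notice default (DEFUPRI) and the range check follow what the patch later in this thread shows, and the assumption that the pre-fix code started from DEFUPRI is labelled in the code.

```c
/* Added example, not rsyslog code. Shows why a PRI parser must not
 * overwrite facility/severity that the input module already set when the
 * message carries no "<PRI>" header. Names are hypothetical. */
#include <stdio.h>
#include <syslog.h>   /* LOG_FACMASK, LOG_PRIMASK, LOG_USER, LOG_NOTICE, LOG_DAEMON, LOG_INFO */

#ifndef LOG_FAC
#define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
#endif
#ifndef LOG_PRI
#define LOG_PRI(p) ((p) & LOG_PRIMASK)
#endif

/* default priority used when none is usable: user.notice (13) */
#define DEFUPRI (LOG_USER | LOG_NOTICE)

struct msg {
    int facility;      /* may already be filled in by the input module */
    int severity;
    size_t after_pri;  /* offset of the first byte after "<PRI>", 0 if none */
};

/* Parse an optional leading "<PRI>". Returns 1 if a header was consumed
 * and facility/severity were set from it; 0 if the message has no such
 * header, in which case the caller's preset values are left untouched. */
int parse_pri(const char *raw, struct msg *m)
{
    if (raw[0] != '<')
        return 0;
    int pri = 0, ndigits = 0;
    const char *p = raw + 1;
    while (*p >= '0' && *p <= '9' && ndigits < 3) {   /* PRI has at most 3 digits */
        pri = pri * 10 + (*p - '0');
        p++;
        ndigits++;
    }
    if (ndigits == 0 || *p != '>')
        return 0;                                       /* not a PRI header after all */
    p++;
    if (pri & ~(LOG_FACMASK | LOG_PRIMASK))             /* out of range: fall back */
        pri = DEFUPRI;
    m->facility  = LOG_FAC(pri);
    m->severity  = LOG_PRI(pri);
    m->after_pri = (size_t)(p - raw);
    return 1;
}

/* Pre-fix behaviour (assumption: the priority variable starts at DEFUPRI and
 * is written back unconditionally). A message without a header ends up as
 * user.notice even though the input module had set daemon.info. */
void parse_pri_overwrite(const char *raw, struct msg *m)
{
    if (!parse_pri(raw, m)) {
        m->facility  = LOG_FAC(DEFUPRI);
        m->severity  = LOG_PRI(DEFUPRI);
        m->after_pri = 0;
    }
}

int main(void)
{
    /* constructed sample lines: one with a PRI header (30 = daemon.info),
     * one as a local logger such as imsolaris would hand it over */
    const char *with_pri = "<30>Mar 18 13:59:43 xntpd[330]: synchronized to 1.1.1.1, stratum=2";
    const char *no_pri   = "Mar 18 13:59:43 xntpd[330]: synchronized to 1.1.1.1, stratum=2";
    struct msg a = { LOG_FAC(LOG_DAEMON), LOG_INFO, 0 }, b = a, c = a;

    parse_pri(with_pri, &a);
    parse_pri(no_pri, &b);
    parse_pri_overwrite(no_pri, &c);
    printf("header present          : facility %d severity %d\n", a.facility, a.severity);
    printf("header absent, kept     : facility %d severity %d\n", b.facility, b.severity);
    printf("header absent, overwrote: facility %d severity %d\n", c.facility, c.severity);
    return 0;
}
```

The third line of output is the user.notice (facility 1, severity 5) that Corey sees in his file; the second is what the template should print once the parser leaves the preset values alone.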
From: corsmith at gmail.com (Corey Smith) Date: Mon, 21 Mar 2011 09:53:34 -0400 Subject: [rsyslog] imsolaris unexpected behavior In-Reply-To: References: Message-ID: On Fri, Mar 18, 2011 at 2:09 PM, Corey Smith wrote: > We are using rsyslog-4.7.3 on solaris 10 i86pc and getting unexpected > behavior when we try to run rsyslog as the only system logger. ?All of > the normal system syslogs processed by imsolaris seem to be facility > user.notice. Attached (inline) is a patch against 4.7.3 that properly extracts the facility/priority. I noticed that the master branch version of this file has a completely different parser system. Is there a better version of rsyslog for Solaris that we should be targeting ? -Corey Smith --- runtime/parser.c.orig Fri Mar 18 22:57:58 2011 +++ runtime/parser.c Fri Mar 18 22:58:54 2011 @@ -305,10 +305,10 @@ if(pri & ~(LOG_FACMASK|LOG_PRIMASK)) pri = DEFUPRI; } + pMsg->iFacility = LOG_FAC(pri); + pMsg->iSeverity = LOG_PRI(pri); + MsgSetAfterPRIOffs(pMsg, msg - pMsg->pszRawMsg); } - pMsg->iFacility = LOG_FAC(pri); - pMsg->iSeverity = LOG_PRI(pri); - MsgSetAfterPRIOffs(pMsg, msg - pMsg->pszRawMsg); /* rger 2005-11-24 (happy thanksgiving!): we now need to check if we have * a traditional syslog message or one formatted according to syslog-protocol. From rgerhards at hq.adiscon.com Mon Mar 21 14:57:21 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Mon, 21 Mar 2011 14:57:21 +0100 Subject: [rsyslog] imsolaris unexpected behavior In-Reply-To: References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE49@GRFEXC.intern.adiscon.com> > -----Original Message----- 
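Review bot: moving the three assignments inside the closing brace of the PRI branch means a message that arrives without a "<PRI>" header no longer has pMsg->iFacility and pMsg->iSeverity written here at all, and MsgSetAfterPRIOffs() is skipped for it too, so the fix relies on every input that submits header-less messages (imsolaris here) having populated facility and severity beforehand; a message from an input that does not will keep whatever the message object was created with. That is the intended effect for imsolaris, but it deserves a one-line comment above the block stating the assumption, and a quick check that the other inputs on 4.7.3 which feed this path without a PRI set those two fields themselves. The `pri = DEFUPRI` fallback inside the branch still only covers malformed PRI values, which is fine.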
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Corey Smith > Sent: Monday, March 21, 2011 2:54 PM > To: rsyslog-users > Subject: Re: [rsyslog] imsolaris unexpected behavior > > On Fri, Mar 18, 2011 at 2:09 PM, Corey Smith wrote: > > We are using rsyslog-4.7.3 on solaris 10 i86pc and getting unexpected > > behavior when we try to run rsyslog as the only system logger. ?All of > > the normal system syslogs processed by imsolaris seem to be facility > > user.notice. > > Attached (inline) is a patch against 4.7.3 that properly extracts the > facility/priority. Thanks for the patch. I will be to a conference starting Wednesday evening, so this week is a bit "tight". I'll check the solaris build once again next week. > > I noticed that the master branch version of this file has a completely different > parser system. Is there a better version of rsyslog for Solaris that we should > be targeting ? The parser has become more modular. The system in v5+ is the one to stay. However, it should be fairly easy to merge any changes up. But I think I'll need to understand in detail first what the issue really is/was. It may be a good idea to open a bug tracker in bugzilla for this (mailing list and forum threads have some risk of getting forgotten in busy times...). Thanks, Rainer > > -Corey Smith > > --- runtime/parser.c.orig Fri Mar 18 22:57:58 2011 > +++ runtime/parser.c Fri Mar 18 22:58:54 2011 
> @@ -305,10 +305,10 @@ > if(pri & ~(LOG_FACMASK|LOG_PRIMASK)) > pri = DEFUPRI; > } > + pMsg->iFacility = LOG_FAC(pri); > + pMsg->iSeverity = LOG_PRI(pri); > + MsgSetAfterPRIOffs(pMsg, msg - pMsg->pszRawMsg); > } > - pMsg->iFacility = LOG_FAC(pri); > - pMsg->iSeverity = LOG_PRI(pri); > - MsgSetAfterPRIOffs(pMsg, msg - pMsg->pszRawMsg); > > /* rger 2005-11-24 (happy thanksgiving!): we now need to check if > we have > * a traditional syslog message or one formatted according to syslog- > protocol. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com From corsmith at gmail.com Mon Mar 21 17:30:32 2011 From: corsmith at gmail.com (Corey Smith) Date: Mon, 21 Mar 2011 12:30:32 -0400 Subject: [rsyslog] imsolaris unexpected behavior In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDE49@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DDE49@GRFEXC.intern.adiscon.com> Message-ID: On Mon, Mar 21, 2011 at 9:57 AM, Rainer Gerhards wrote: > It may be a good idea to open a bug tracker in bugzilla for this (mailing > list and forum threads have some risk of getting forgotten in busy times...). I created the bug in bugzilla. http://bugzilla.adiscon.com/show_bug.cgi?id=239 -Corey Smith From rgerhards at hq.adiscon.com Mon Mar 21 18:14:52 2011 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Mon, 21 Mar 2011 18:14:52 +0100 Subject: [rsyslog] imsolaris unexpected behavior In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA71DDE49@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE4A@GRFEXC.intern.adiscon.com> Thanks a lot. Please ping me if you have not heard back fromm y be the end of *next* week. Rainer > -----Original Message----- 
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Corey Smith
> Sent: Monday, March 21, 2011 5:31 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] imsolaris unexpected behavior
>
> On Mon, Mar 21, 2011 at 9:57 AM, Rainer Gerhards wrote:
> > It may be a good idea to open a bug tracker in bugzilla for this (mailing
> > list and forum threads have some risk of getting forgotten in busy times...).
>
> I created the bug in bugzilla.
>
> http://bugzilla.adiscon.com/show_bug.cgi?id=239
>
> -Corey Smith
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

From frisvolj at lafayette.edu Mon Mar 21 21:52:39 2011
From: frisvolj at lafayette.edu (Jason Frisvold)
Date: Mon, 21 Mar 2011 16:52:39 -0400
Subject: [rsyslog] rsyslog filtering by port ?
Message-ID: <4D87BA97.9020401@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I'm working on a centralized logging system and I'm using rsyslog as our syslog daemon. I'm looking to accept logs from servers, routers, switches, and other appliances. Our syslog server is a RHEL 6 system running rsyslog 4.6.2.

For router/switch devices, syslog comes in on a single facility and filtering is relatively easy. But when I start combining this with other sources such as servers, I run into problems.

To start, I configured a firewall device to send syslog via udp:10003. I can filter these via IP:

$ModLoad imudp.so
$UDPServerRun 10003

if $source == '192.168.1.1' then /logs/syslog/FWSM_ASA/192.168.1.1.log
if $source == '192.168.2.1' then /logs/syslog/FWSM_ASA/192.168.2.1.log
...

if $source == '192.168.1.1' or $source == '192.168.2.1' ... then ~

# And then the rest of the stock rsyslog.conf is below

It would be nice if I could use a template to deal with the above, but the only way I can think to do that would be if I could filter by the destination port, ie 10003. So I could send firewall data to 10003, routers to 10004, etc.

For server, I was planning on using a TCP connection, eventually a TLS TCP connection. Again, templating seems the right way to go, but my testing thus far ended up with all of the data mixed up one way or another.

Has anyone done this? Can you share your rsyslog.conf file so I can see how this is accomplished?
Thanks,

- --
- ---------------------------
Jason Frisvold
Network Engineer
frisvolj at lafayette.edu
- ---------------------------
"What I cannot create, I do not understand" - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2HupcACgkQO80o6DJ8UvnMFgCeNmHJ6+a+2dNaLh+8tNci+vGI
ivAAn3ZfsB6gpZBu+rp2Mwe+zQotXawL
=Hyzk
-----END PGP SIGNATURE-----

From david at lang.hm Mon Mar 21 23:09:24 2011
From: david at lang.hm (david at lang.hm)
Date: Mon, 21 Mar 2011 15:09:24 -0700 (PDT)
Subject: [rsyslog] rsyslog filtering by port ?
In-Reply-To: <4D87BA97.9020401@lafayette.edu>
References: <4D87BA97.9020401@lafayette.edu>
Message-ID:

On Mon, 21 Mar 2011, Jason Frisvold wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> I'm working on a centralized logging system and I'm using rsyslog as
> our syslog daemon. I'm looking to accept logs from servers, routers,
> switches, and other appliances. Our syslog server is a RHEL 6 system
> running rsyslog 4.6.2.
>
> For router/switch devices, syslog comes in on a single facility and
> filtering is relatively easy. But when I start combining this with
> other sources such as servers, I run into problems.
>
> To start, I configured a firewall device to send syslog via udp:10003.
> I can filter these via IP :
>
> $ModLoad imudp.so
> $UDPServerRun 10003
>
> if $source == '192.168.1.1' then /logs/syslog/FWSM_ASA/192.168.1.1.log
> if $source == '192.168.2.1' then /logs/syslog/FWSM_ASA/192.168.2.1.log
> ...
>
> if $source == '192.168.1.1' or $source == '192.168.2.1' ... then ~
>
> # And then the rest of the stock rsyslog.conf is below
>
>
> It would be nice if I could use a template to deal with the above, but
> the only way I can think to do that would be if I could filter by the
> destination port, ie 10003. So I could send firewall data to 10003,
> routers to 10004, etc.
>
> For server, I was planning on using a TCP connection, eventually a TLS
> TCP connection. Again, templating seems the right way to go, but my
> testing thus far ended up with all of the data mixed up one way or another.
>
> Has anyone done this? Can you share your rsyslog.conf file so I can see
> how this is accomplished?

using the very old 4.6.2 you are limited in what you can do, with more modern versions you can create separate rulesets and tie them in to separate inputs.
however, I think that if you go back and look at your logs, you will find that you can do some filtering in a much simpler way.

for example, all Cisco equipment logs with something like %ASA (for firewalls) at the beginning of its programname, so you could have a filter that matched all logs with that pattern, and then used the dynafile option to split them out to different files per machine (followed by another line to throw away the log so that it doesn't match anything else)

repeat this for all the things that are clearly identified, and then do a similar dynafile log for the remainder (the servers)

David Lang

From bouillabaisse at pepsi.fishpuppy.com Tue Mar 22 03:20:37 2011
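Putting both of David's suggestions into one configuration, as an added example (my config, not one posted in this thread): the first part binds a ruleset to each UDP listener so that whatever arrives on 10003 is handled as firewall traffic and whatever arrives on 10004 as router traffic, each written to one dynafile per sending host; the second part is the approach that needs no ruleset support, matching on the program name the device itself sends, writing the message to its per-host file and discarding it. Assumptions: the $InputUDPServerBindRuleset directive needs a ruleset-capable imudp (rsyslog 5 and later, so the first part is for a newer version than Jason's 4.6.2, where only the second part applies); the /logs/syslog/... paths follow Jason's mail, with the routers and servers directories added by me; and %fromhost-ip%, the property rsyslog provides for the sender's IP address, is used in place of the $source expression from Jason's snippet.

```conf
# Added example, not from the thread. Part 1 needs rsyslog 5 or later;
# part 2 also works on 4.6.2.
$ModLoad imudp

# one file per sending device; %fromhost-ip% is the sender's address
$template FwPerHost,"/logs/syslog/FWSM_ASA/%fromhost-ip%.log"
$template RtrPerHost,"/logs/syslog/routers/%fromhost-ip%.log"
$template SrvPerHost,"/logs/syslog/servers/%fromhost-ip%.log"

# --- part 1: a ruleset bound to each listener port (v5+ only)
$RuleSet firewalls
*.* ?FwPerHost
$InputUDPServerBindRuleset firewalls
$UDPServerRun 10003

$RuleSet routers
*.* ?RtrPerHost
$InputUDPServerBindRuleset routers
$UDPServerRun 10004

# everything below this line is back in the default ruleset
# (local logs and any input that is not bound to a ruleset)
$RuleSet RSYSLOG_DefaultRuleset

# --- part 2: no rulesets needed, so this is what 4.6.2 can do.
# Cisco firewalls identify themselves in the program name, so match on that,
# write the message to its per-host file, then stop processing it.
:programname, startswith, "%ASA" ?FwPerHost
& ~

# what is left from remote senders is server traffic; split it per host the
# same way and discard it, so the stock rules further down only ever see
# this machine's own messages
:fromhost-ip, !isequal, "127.0.0.1" ?SrvPerHost
& ~

# ... the stock rsyslog.conf rules (/var/log/messages etc.) follow here
```

Order matters in part 2: the programname match must come before the catch-all on fromhost-ip, because the `& ~` after each filter discards the message for every rule that follows. With part 1 in place the two listeners never reach the default ruleset at all, so the part 2 rules only ever see whatever other inputs (for example a TCP or TLS listener for the servers) deliver there.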
From: bouillabaisse at pepsi.fishpuppy.com (rich)
Date: Mon, 21 Mar 2011 19:20:37 -0700
Subject: [rsyslog] using $InputPTCPServerListenIP
Message-ID: <4D880775.8090702@pepsi.fishpuppy.com>

Background:

I am relatively new to the use of rsyslog. I am testing with v6.1.2. The company I am helping wants to test the feasibility of using rsyslog as an aggregating logger that is capable of 50mb/sec bursts of messages. We have written our own output module that preps these messages received for other steps in our pipeline. I am conducting tests that are measuring the throughput of various client/protocol to aggregating log server configurations. The plan is to use a box with multi-core/multi-processor/multi-network interfaces/fast disks and lots of memory to receive these messages from multiple "client" boxes running [r]*syslog[-ng]* or windows variant. From what I have read in the manual and on the web site, it looks like "plain" tcp is likely to perform best at moving messages to the aggregating server for us. BTW, I have a similar configuration that uses the disk based overflow to capture the messages.

Below is one of the aggregating log server conf files that I am considering. It is trying to utilize the InputPTCPServerListenIP directive to listen to a local IP on a multi-homed host. This doesn't seem to work for me. The port based configurations seem to work fine, but the IP listener on real and/or aliased local IPs isn't happening. I have taken the advice in the manual... to keep the rules as simple as possible. I was hoping to use the local IP addresses to spread the work across multiple queues with minimal parsing for message identity.

Questions:

Am I doing something wrong? (it certainly wouldn't be the first time :-)
Is $InputPTCPServerListenIP supported in 6.1.2?
Finally, if you had to make rsyslog go as fast as possible, what strategy would you use? Is the plain tcp the way... i.e., for systems that can send tcp?

Insights into this would be much appreciated.
TIA,
Rich Johnson

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# ourcompany module test 9. See README for more information about the testing.
#

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# commented out KLogPath fails due to access permissions... use setup fifo pipe
# at /var/run/rsyslog/kmsg instead
#$KLogPath /proc/kmsg
$KLogPath /var/run/rsyslog/kmsg

# provides UDP, TCP and Plain TCP syslog reception respectively
$ModLoad imptcp

# load ourcompany output module
$ModLoad omourcompany

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
#
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

# establish default location for spool files
$WorkDirectory /var/rsyslog/work

###########################
#### Std Local Rules ######
###########################

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

########################
# ourcompany special template (see http://www.rsyslog.com/doc/property_replacer.html for possibilities)
$template ourcompanyFormat,"%timegenerated%,%hostname%,%syslogtag%,%msg%\n",sql

# Test clients send TCP traffic on port 10515 (rsyslogd clients). This is like test 2
# except that PTCP is used. It is a high perf version of the tcp input handler and has
# the advantage of being configured to listen to a local address. Here is the server
# rule setup:
$RuleSet clients
$RulesetCreateMainQueue on # create ruleset-specific queue
user.info;local3.info;local4.info;local5.info;local6.info;uucp.info :omourcompany:;ourcompanyFormat
& ~

# bind rulesets to plain tcp listener
$InputPTCPServerInputName clients
$InputPTCPServerBindRuleset clients
$InputPTCPServerListenIP 192.168.10.10
# and activate it:
$InputPTCPServerRun 10515

From toddmichael at gmail.com Tue Mar 22 04:45:20 2011
From: toddmichael at gmail.com (Todd Michael Bushnell) Date: Mon, 21 Mar 2011 20:45:20 -0700 Subject: [rsyslog] Back logs from disk assisted queue notflowingtocentralloghost after service restored In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDE39@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com><6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com><9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DDE34@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DDE39@GRFEXC.intern.adiscon.com> Message-ID: <0C7B4CEE-4378-4F9E-9505-D77986DFD001@gmail.com>

Thanks for the feedback Rainer. I understand you're busy. Just tried via multiple browsers (chrome, safari) to access the Bugs page (http://www.rsyslog.com/bugs), but no such luck (no error - just a blank page on both occasions). Will try again tomorrow to file the bug.

If I should be hitting a URL other than http://www.rsyslog.com/bugs let me know and I'll get this filed.

Todd

On Mar 18, 2011, at 1:58 AM, Rainer Gerhards wrote:

> Hi Todd,
>
> thanks for the detailed report. Unfortunately, I do not have time at the
> moment to go through this longer debugging effort (I need to create slides
> for a conference next week, plus have to do some paid work...). I'd
> appreciate if you could open a bug tracker with the info. I will look at it
> asap, but that's probably after next week.
>
> Rainer
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell >> Sent: Friday, March 18, 2011 6:34 AM >> To: rsyslog-users >> Subject: Re: [rsyslog] Back logs from disk assisted queue >> notflowingtocentralloghost after service restored >> >> Rainer, >> >> Will send you additional debug to your private email momentarily. Here's >> what I'm seeing: As expected, rsyslog starts to locally queue logs in file >> identified by ActionQueueFileName (e.g. failqueue-loghost#.0000n) if > central >> loghost is inaccessible. This is good. To simulate, I use iptables to > block traffic >> to one of my loghosts and then blast 10,000 messages on that client. > Here's >> what $WorkDirectory looks like when I do this: >> >> [root at server1 rsyslog]# ls -al >> total 4988 >> drwxr-x--- 2 root wheel 4096 Mar 17 21:34 . >> drwxr-xr-x 7 root root 4096 Mar 17 04:08 .. >> -rw------- 1 root root 619948 Mar 17 21:34 failqueue-loghost1.00000002 >> -rw------- 1 root root 1048800 Mar 17 21:34 failqueue-loghost2.00000001 >> -rw------- 1 root root 1048850 Mar 17 21:34 failqueue-loghost2.00000002 >> -rw------- 1 root root 1048581 Mar 17 21:34 failqueue-loghost2.00000003 >> -rw------- 1 root root 1048988 Mar 17 21:34 failqueue-loghost2.00000004 >> -rw------- 1 root root 234515 Mar 17 21:34 failqueue-loghost2.00000005 >> >> Note: loghost2 is the server I make inaccessible. loghost1 is still > accessible. >> assume it's queuing because loghost can't keep up with message blast. >> >> I then restart iptables to make loghost2 accessible again. after a minute > or so >> I check $WorkDirectory and it looks like this: >> >> [root at server1 rsyslog]# ls -al >> total 860 >> drwxr-x--- 2 root wheel 4096 Mar 17 21:36 . >> drwxr-xr-x 7 root root 4096 Mar 17 04:08 .. 
>> -rw------- 1 root root 621295 Mar 17 21:36 failqueue-loghost1.00000002 >> -rw------- 1 root root 236716 Mar 17 21:36 failqueue-loghost2.00000005 >> >> So as you can see, most of the logs clear out as expected, but I'm always > left >> with one logfile for each of my logservers. When I check the central > loghosts >> they have already received all of the test messages so these remaining > files >> contain messages that the central loghosts already have. Furthermore, >> future logs destined for the central loghosts get appended to these files >> even though they are arriving at the central loghosts. >> >> I then stop rsyslog (I clearly identify where I do this by echoing "RSYSLOG >> RESTART" in debug file) and start it back up. When I do this, both files > go >> away. >> >> Note: though not represented in this debug, I'm sometimes seeing the same >> behavior with the my MainMsgQueue. The file will stick around and all new >> log entries get copied to it until rsyslog is restarted and the files go > away. >> >> Hopefully the debug log will provide some answers. Thx. >> >> Todd >> >> On Mar 17, 2011, at 8:53 AM, Rainer Gerhards wrote: >> >>> I have had a quick look at the debug log. Check line 133. It looks >>> like there is some problem within the queue file. This makes rsyslog >>> switch over to using a pure memory queue. >>> >>> Rainer >>> >>>> -----Original Message----- 
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards >>>> Sent: Thursday, March 17, 2011 4:01 PM >>>> To: rsyslog-users >>>> Subject: Re: [rsyslog] Back logs from disk assisted queue not >>>> flowingtocentralloghost after service restored >>>> >>>> Please feel free to send to my private email address (the list will >>> probably >>>> reject due to size anyway). I promise to have a quick look, but I >>>> will >>> probably >>>> not be able to have an in-depth look until some time next week (but >>>> hopefully the quick look helps ;)) >>>> >>>> Rainer >>>> >>>>> -----Original Message----- >>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>>>> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell >>>>> Sent: Thursday, March 17, 2011 3:53 PM >>>>> To: rsyslog-users >>>>> Subject: Re: [rsyslog] Back logs from disk assisted queue not >>>>> flowing tocentralloghost after service restored >>>>> >>>>> Will do Rainer. Just confirming, I should send zipped debug logs to >>>>> this >>>> list or >>>>> is there a private email address you prefer? Also, I ran debug on >>>>> an >>>> existing >>>>> system moments ago - a system that currently has several of these >> "stuck" >>>>> failqueue logfiles. Want to make sure that will give you what you >>>>> need or >>>> if I >>>>> need to start over, simulate a central loghost outage and grab that >>>>> information? If the former, I have what you need and will send once >>>>> I get confirm on location to send. The latter will take some time >>>>> so I can >>>> simulate >>>>> worthwhile test. Thx. >>>>> >>>>> todd >>>>> >>>>> >>>>> >>>>> >>>>> On Mar 17, 2011, at 12:39 AM, Rainer Gerhards wrote: >>>>> >>>>>> This looks like we need a debug log... >>>>>> >>>>>> Rainer >>>>>> >>>>>>> -----Original Message----- 
>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>>>>>> bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell >>>>>>> Sent: Thursday, March 17, 2011 1:18 AM >>>>>>> To: rsyslog-users >>>>>>> Subject: [rsyslog] Back logs from disk assisted queue not flowing >>>>>>> to centralloghost after service restored >>>>>>> >>>>>>> Have central loghost configured with disk assisted queue like so: >>>>>>> >>>>>>> $WorkDirectory /var/log/rsyslog >>>>>>> $ActionQueueType LinkedList >>>>>>> $ActionQueueFileName failqueue-loghost2 >> $ActionResumeRetryCount >>>> -1 >>>>>>> $ActionQueueSaveOnShutdown on >>>>>>> >>>>>>> # remote logging of everything >>>>>>> *.* @@loghost1:5140 >>>>>>> >>>>>>> Central loghost still running syslog-ng. Had a problem with it >>>>>>> that caused it to fail on multiple occasions over the past couple >>> days. >>>>>>> Resolved the problem and logs are now flowing to it, but the files >>>>>>> that were created on the clients during this period are not going >>>>>>> away, nor are the back logs flowing to the central loghost. For >>> example: >>>>>>> >>>>>>> # syslog client >>>>>>> #/var/log/syslog >>>>>>> -rw------- 1 root root 1049189 Mar 16 01:13 >>>>>>> failqueue-loghost2.00000002 >>>>>>> -rw------- 1 root root 1048848 Mar 14 13:25 >>>>>>> failqueue-loghost2.00000003 >>>>>>> -rw------- 1 root root 1048648 Mar 14 17:20 >>>>>>> failqueue-loghost2.00000004 >>>>>>> -rw------- 1 root root 1049066 Mar 15 00:19 >>>>>>> failqueue-loghost2.00000005 >>>>>>> -rw------- 1 root root 1048619 Mar 15 00:27 >>>>>>> failqueue-loghost2.00000006 >>>>>>> -rw------- 1 root root 1048907 Mar 15 13:20 >>>>>>> failqueue-loghost2.00000007 >>>>>>> -rw------- 1 root root 949887 Mar 16 01:13 >>> failqueue-loghost2.00000008 >>>>>>> -rw------- 1 root root 1653 Mar 16 01:13 failqueue-loghost2.qi >>>>>>> >>>>>>> Running rsyslog-5.6.4. 
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

From rgerhards at hq.adiscon.com Tue Mar 22 07:35:37 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 22 Mar 2011 07:35:37 +0100 Subject: [rsyslog] Back logs from disk assisted queuenotflowingtocentralloghost after service restored In-Reply-To: <0C7B4CEE-4378-4F9E-9505-D77986DFD001@gmail.com> References: <9B6E2A8877C38245BFB15CC491A11DA71DDE20@GRFEXC.intern.adiscon.com><6450703E-70C4-4655-9147-4DC83DD2A4CA@gmail.com><9B6E2A8877C38245BFB15CC491A11DA71DDE32@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DDE34@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA71DDE39@GRFEXC.intern.adiscon.com> <0C7B4CEE-4378-4F9E-9505-D77986DFD001@gmail.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE4B@GRFEXC.intern.adiscon.com>

Todd,

sorry, the web folks seem to have screwed up with the URL redirector on one of the recent site changes. The actual bug tracker URL is http://bugzilla.adiscon.com/

I'll see that the redirector gets fixed.

Rainer

From nikolaidis.fotis at gmail.com Tue Mar 22 10:53:12 2011
From: nikolaidis.fotis at gmail.com (Nikolaidis Fotis) Date: Tue, 22 Mar 2011 10:53:12 +0100 Subject: [rsyslog] Transfer Multiple Files To A Centralized Logging Server In-Reply-To: References: Message-ID: <4D887188.6080100@gmail.com>

Hi.

In fact, even with the current implementation you can do that. Because I needed something similar, what I did was to make a script that autocreated the file list. But with this approach you have three problems:

1) If you have more than 100 files to monitor, you must recompile rsyslog.
2) Depending on the appending frequency of the files, performance may be really bad.
3) You cannot monitor files that are created dynamically.

If you want, you can test the module that Rainer mentioned and give me some feedback :>

Subject: Re: [rsyslog] Transfer Multiple Files To A Centralized Logging Server
From: "Rainer Gerhards" Date: Mon, 7 Mar 2011 12:50:08 +0100 To: "rsyslog-users" This is unfortunately currently not supported by rsyslog. But a refactoring of imfile is underway that will support it -- but that probably needs a few weeks before it becomes generally available:( Rainer > -----Original Message----- > From:rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Hidayath Basha > Sent: Monday, March 07, 2011 11:42 AM > To:rsyslog at lists.adiscon.com > Subject: [rsyslog] Transfer Multiple Files To A Centralized Logging Server > > Hi, > > I am new to rsyslog. I used syslog-ng for a week. In syslog-ng 2.0.x I was > trying to send multiple files with a single source file driver. > > I have multiple files... > some-host:/some/path $ ls -l > -rw------- 1 root root 90K Mar 3 11:37 mylogs-2011-03-03 > -rw------- 1 root root 121 Mar 4 11:40 mylogs-2011-03-04 > > > In the conf file.... > source s_files{ > file("/some/path/mylogs*"); > }; > > > How can I do it with rsyslog? Please point me to some documentation > > Thanks and regards, > Hidayath > _______________ From tbergfeld at hq.adiscon.com Tue Mar 22 13:39:18 2011 
From: tbergfeld at hq.adiscon.com (Tom Bergfeld) Date: Tue, 22 Mar 2011 13:39:18 +0100 Subject: [rsyslog] rsyslog 5.6.5 (v5-stable) released Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE61@GRFEXC.intern.adiscon.com> We have just released rsyslog 5.6.5, the new v5-stable. This is probably the last version of the 5.6 stable branch. It contains some important bug fixes. Upgrading to this version is recommended. Please see the ChangeLog for more details. ChangeLog: http://www.rsyslog.com/changelog-for-5-6-5-v5-stable/ Download: http://www.rsyslog.com/rsyslog-5-6-5-v5-stable/ As always, feedback is appreciated. Best regards, Tom Bergfeld -- Support ======= Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html. From rodney.mckee at gmail.com Thu Mar 24 04:03:11 2011 
From: rodney.mckee at gmail.com (Rodney McKee) Date: Thu, 24 Mar 2011 14:03:11 +1100 Subject: [rsyslog] redundant remote logging with relp Message-ID:

What's the best way to log from remote sites?

I have numerous systems in a remote site that I want to have redundant logging provided locally. I want to reduce the chance of having logs spooling on the clients, so they will have:

*.* @@log1:514
$ActionExecOnlyWhenPreviousIsSuspended on
& @@log2:514
& /var/spool/rsyslog
$ActionExecOnlyWhenPreviousIsSuspended off

The two local (to clients) log servers will then forward the logs they receive to redundant log servers in my local site.

# log1
$ModLoad omrelp
*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat

#log2
$ModLoad omrelp
*.* :omrelp:log2.drp:20514;RSYSLOG_ForwardFormat

The two local (to me) log servers will then be forwarding the collected logs onto a flume syslog collector, to then be processed in elastic search.

Should the two remote log servers send using RELP to a single VRRP address running between 2 log servers, or will RELP work better with a one to one relationship?

So in ascii art:

log1 (remote) - \  log1 (local)
                   log (local VRRP address)
log2 (remote) - /  log2 (local)

or

log1 (remote) - log1 (local)
and
log2 (remote) - log2 (local)

OR is it possible to have RELP use something like this:

*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat
$ActionExecOnlyWhenPreviousIsSuspended on
*.* :omrelp:log2.drp:20514;RSYSLOG_ForwardFormat
& /var/spool/rsyslog
$ActionExecOnlyWhenPreviousIsSuspended off

I hope this ascii art works :-)

Thanks in advance
--
Rgds
Rodney McKee
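As an added example that is neither Rodney's nor Todd's configuration and not from the rsyslog project (legacy v5 syntax; host names, ports, paths and queue names are placeholders), the two halves of the layout in Rodney's question, with the disk-assisted queue from Todd's thread above placed on the relay's RELP action rather than on the client's primary action:

```conf
# Added example in legacy v5 syntax; not Rodney's or Todd's configuration and
# not from the rsyslog project. Host names, ports, paths and queue names are
# placeholders.

##### remote-site client: log1, then log2, then a local file #####
# No dedicated action queue on the primary, on purpose: the failover chain is
# driven by the rule engine seeing the primary action fail to deliver. A queue
# in front of it would accept the message immediately, and the "previous is
# suspended" test below would never be true.
*.* @@log1:514
$ActionExecOnlyWhenPreviousIsSuspended on
& @@log2:514
& /var/log/failover-local.log
$ActionExecOnlyWhenPreviousIsSuspended off

##### site relay log1 (log2 is the same with its own names): RELP onward #####
# Here buffering is wanted: while the WAN link to the central collector is
# down, messages stay in memory and spill to $WorkDirectory/relp_log1.* on
# disk, and the in-memory part is written out on shutdown so a restart loses
# nothing. These are the file names Todd's listings show (plus the .qi index).
$ModLoad omrelp
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName relp_log1
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
$ActionResumeInterval 30
*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat
```

On the VRRP question: RELP acknowledges at the application layer, so what matters is that the relay keeps what the collector has not acknowledged and retries it after a reconnect, which the queued action above does whether the peer is a fixed host or an address that moves between two hosts; a moving address only adds a session reset at failover time. The one-to-one layout has the advantage that each relay's backlog is visible in its own $WorkDirectory when something is stuck, as in Todd's report.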
From: andersns at basefarm.no (Anders Synstad) Date: Thu, 24 Mar 2011 10:26:25 +0100 Subject: [rsyslog] parsertest.sh fails on new 5.6.5 release Message-ID: <4D8B0E41.7040801@basefarm.no>

I'm trying to compile this new 5.6.5 release of rsyslog using the same compile options and host as last time when I built the 5.6.2 release.

However, with v5.6.5 the "parsertest.sh" test now fails. The test itself doesn't appear to be changed from previous versions.

The error I get is:

> File ./testsuites/weird.parse1:
> Expected Response:
> '14,user,info,Aug 30 23:00:05,localhost.localdomain,,,'
> Actual Response:
> '14,user,info,Aug 30 23:00:05,localhost,,,'
> test './testsuites/weird.parse1' failed!
> Number of tests run: 48, number of failures: 4, test: parse1/udp

Anyone else getting this?

Regards,
Anders Synstad
Basefarm AS

From andersns at basefarm.no Thu Mar 24 11:34:08 2011
From: andersns at basefarm.no (Anders Synstad) Date: Thu, 24 Mar 2011 11:34:08 +0100 Subject: [rsyslog] parsertest.sh fails on new 5.6.5 release In-Reply-To: <4D8B0E41.7040801@basefarm.no> References: <4D8B0E41.7040801@basefarm.no> Message-ID: <4D8B1E20.7020206@basefarm.no>

Actually, I correct myself. There appears to be a change in the weird.parse1 testsuite:

--- rsyslog-5.6.2/tests/testsuites/weird.parse1 2010-11-25 12:39:51.000000000 +0100 +++ rsyslog-5.6.5/tests/testsuites/weird.parse1 2011-03-11 10:58:37.000000000 +0100 @@ -11,10 +11,10 @@ 14,user,info,Aug 30 23:00:05,X4711,,, # there is a SP at the end of the line <14>Aug 30 23:00:05 -14,user,info,Aug 30 23:00:05,localhost,,, +14,user,info,Aug 30 23:00:05,localhost.localdomain,,, # and here is no SP at the end of the line <14>Aug 30 23:00:05 -14,user,info,Aug 30 23:00:05,localhost,,, +14,user,info,Aug 30 23:00:05,localhost.localdomain,,, # unfortunately, I can not test missing dates with this test suite, because # we would have the current date in the response, which we can not check against #
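Review bot: the two changed expectations in this hunk hard-code the test host's resolved name (localhost.localdomain) for the inputs that carry no hostname, so the result now depends on the build machine's /etc/hosts and resolver rather than on the parser under test; on a host that resolves to plain "localhost" both cases fail, which is exactly the failure reported above. Pin the local name in the test's rsyslog configuration (for example with a $LocalHostName directive, if the version under test honours it) or derive the expected string from the host at test time, instead of writing '+14,user,info,Aug 30 23:00:05,localhost.localdomain,,,' into the suite.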
@@ -31,7 +31,7 @@ 14,user,info,Aug 30 23:00:05,X4711,,, # there is a SP at the end of the line <14>2010-08-30T23:00:05Z -14,user,info,Aug 30 23:00:05,localhost,,, +14,user,info,Aug 30 23:00:05,localhost.localdomain,,, # and here is no SP at the end of the line <14>2010-08-30T23:00:05Z -14,user,info,Aug 30 23:00:05,localhost,,, +14,user,info,Aug 30 23:00:05,localhost.localdomain,,,

I guess there is some change in the rsyslog code that has resulted in this test update?

Regards,
Anders Synstad
Basefarm AS

On 03/24/2011 10:26 AM, Anders Synstad wrote:
> I'm trying to compile this new 5.6.5 release of rsyslog using the same
> compile options and host as last time when I built the 5.6.2 release.
>
> However, with v5.6.5 the "parsertest.sh" test now fails. The test itself
> doesn't appear to be changed from previous versions.
>
> The error I get is:
>
> > File ./testsuites/weird.parse1:
> > Expected Response:
> > '14,user,info,Aug 30 23:00:05,localhost.localdomain,,,'
> > Actual Response:
> > '14,user,info,Aug 30 23:00:05,localhost,,,'
> > test './testsuites/weird.parse1' failed!
> > Number of tests run: 48, number of failures: 4, test: parse1/udp
>
> Anyone else getting this?
>
> Regards,
> Anders Synstad
> Basefarm AS
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
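Review bot: same environment dependence in this hunk for the two RFC 3339 timestamp inputs; the reported "number of failures: 4" matches the four expectations changed across the two hunks, so fixing the hostname pinning once in the test configuration covers both hunks, and the expected strings can then stay at the old 'localhost' value on every build host.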
From: piavka at cs.bgu.ac.il (Piavlo) Date: Thu, 24 Mar 2011 16:14:16 +0200 Subject: [rsyslog] high cpu spkies by rsyslog which barely does anything Message-ID: <4D8B51B8.7050908@cs.bgu.ac.il> Hi, I'd like to use rsyslog as central log collection solution. Manwhile I've compiled and installed as rsyslog 5.6.4 with a stock configuration as drop in replacement to local ksyslogd But I see a high quick cpu usage bursts by rsyslog every few seconds while it barely does anything. Most of the cpu time is spent in user mode. This happends on ec2 large instance with Centos-5.5. Below are the configs and sample strace/lsof of the rsyslogd process. Any idea why this happens? [root at www1a ~]# cat /etc/rsyslog.conf | grep -v -e '^$' -e '^#' $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $ModLoad imklog $ModLoad imuxsock *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg * uucp,news.crit /var/log/spooler local7.* /var/log/boot.log [root at www1a ~]# [root at www1a ~]# lsof -p $(pgrep rsyslogd) COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME rsyslogd 29994 root cwd DIR 8,1 4096 2 / rsyslogd 29994 root rtd DIR 8,1 4096 2 / rsyslogd 29994 root txt REG 8,1 1961412 2378118 /usr/local/rsyslog/5.6.4/sbin/rsyslogd rsyslogd 29994 root mem REG 8,1 137256 1720349 /lib64/ld-2.5.so rsyslogd 29994 root mem REG 8,1 83344 1543492 /usr/lib64/libz.so.1.2.3 rsyslogd 29994 root mem REG 8,1 142696 1720364 /lib64/libpthread-2.5.so rsyslogd 29994 root mem REG 8,1 20424 1720336 /lib64/libdl-2.5.so rsyslogd 29994 root mem REG 8,1 50288 1720370 /lib64/librt-2.5.so rsyslogd 29994 root mem REG 8,1 1712536 1720326 /lib64/libc-2.5.so rsyslogd 29994 root mem REG 8,1 85956 2378093 /usr/local/rsyslog/5.6.4/lib/rsyslog/lmnet.so rsyslogd 29994 root mem REG 8,1 90745 2378128 /usr/local/rsyslog/5.6.4/lib/rsyslog/imklog.so rsyslogd 29994 root mem REG 8,1 53471 2378110 /usr/local/rsyslog/5.6.4/lib/rsyslog/imuxsock.so 
rsyslogd 29994 root  0r   REG    0,3       0 4026531849 /proc/kmsg
rsyslogd 29994 root  1w   REG    8,1    5019    1048938 /var/log/messages
rsyslogd 29994 root  2w   REG    8,1 18336275   1048939 /var/log/secure
rsyslogd 29994 root  3u  unix 0xffff8800241a2a80 80601917 /dev/log
rsyslogd 29994 root  4w   REG    8,1  214769    1048943 /var/log/cron
[root at www1a ~]#
[root at www1a ~]# strace -c -r -T -q -f -p $(pgrep rsyslogd)
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
   nan    0.000000           0         4           write
   nan    0.000000           0         4           select
   nan    0.000000           0         4           recvfrom
   nan    0.000000           0         4           gettimeofday
   nan    0.000000           0        20         4 futex
------ ----------- ----------- --------- --------- ----------------
100.00    0.000000                    36         4 total
[root at www1a ~]#
[root at www1a ~]# strace -v -r -T -q -f -p $(pgrep rsyslogd)
[root at www1a ~]#

PS. One difference I noticed between the stock rsyslog and syslog-ng configs is that rsyslog holds just one fd open to /dev/log and select()s it, while syslog-ng holds about 15 different fds to /dev/log and epoll()s them. Any particular reason for such a drastic difference?

Thanks
Alex
From: marcin at mejor.pl (Marcin Mirosław)
Date: Fri, 25 Mar 2011 14:00:20 +0100
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
Message-ID: <4D8C91E4.3040304@mejor.pl>

Hi!
Since a couple of days (or weeks) I'm observing that rsyslog doesn't shut down after SIGTERM. I have to send SIGTERM 4-5 times to terminate rsyslog (which is problematic for init scripts). Rsyslog doesn't save the queue to the disk spool in this situation.

I'm using rsyslog from git (master branch). I've prepared a debug log; I can send it if it will be helpful.
Thanks!

# grep -v "^$\|^#.*" /etc/rsyslog.conf
$ModLoad impstats
$PStatsInterval 3600
$ModLoad immark.so
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imudp.so
$ModLoad imrelp.so
$ModLoad omrelp.so
$ModLoad imtcp.so
$ModLoad imfile
$SystemLogRateLimitInterval 0
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
$MainMsgQueueMaxFileSize 512M
$MainMsgQueueSaveOnShutdown on
$MainMsgQueueCheckpointInterval 600
$MainMsgQueueSyncQueueFiles on
$InputRELPServerRun 20514
$InputFileName /var/log/exim/exim_main.log
$InputFileTag hermes.exim_main:
$InputFileStateFile hermes.exim_main
$InputFileFacility mail
$InputFilePollInterval 10
$InputRunFileMonitor
$InputFileName /var/log/exim/exim_panic.log
$InputFileTag hermes.exim_panic:
$InputFileStateFile hermes.exim_panic
$InputFileFacility mail
$InputFileSeverity error
$InputRunFileMonitor
$InputFileName /var/log/apache2/access_log
$InputFileTag hermes.apache_access:
$InputFileStateFile hermes.apache_access
$InputFileFacility mail
$InputRunFileMonitor
$InputFileName /var/log/apache2/error_log
$InputFileTag hermes.apache_error:
$InputFileStateFile hermes.apache_error
$InputFileSeverity notice
$InputRunFileMonitor
*.* :omrelp:10.10.10.25:20514
:inputname, isequal, "imfile" ~
:inputname, isequal, "imrelp" ~
kern.* /dev/console
kern.* /var/log/kern.log
:programname, isequal, "named" /var/log/named/named.log
& ~
:programname, isequal, "dovecot" /var/log/dovecot.log
& ~
:msg, contains, "PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_mailq" ~
:programname, isequal, "ntpd" /var/log/ntp/ntpd.log
& ~
*.info;mail.none;authpriv.none;cron.none -/var/log/messages.log
authpriv.* /var/log/secure.log
mail.* -/var/log/mail.log
cron.* -/var/log/cron.log
*.emerg *
uucp,news.crit -/var/log/spooler.log
local7.* /var/log/boot.log

-- 
xmpp (jabber): marcin [at] mejor.pl
www: http://blog.mejor.pl/

From: david at lang.hm (david at lang.hm)
Date: Fri, 25 Mar 2011 16:19:54 -0700 (PDT)
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <4D8C91E4.3040304@mejor.pl>
References: <4D8C91E4.3040304@mejor.pl>
Message-ID:

I suspect that what's happening is that since you have

> $MainMsgQueueSaveOnShutdown on

what's happening is that when you send the kill -15, it starts trying to save all the messages from its queue to disk before it shuts down.

David Lang

On Fri, 25 Mar 2011, Marcin Mirosław wrote:

> Hi!
> Since a couple of days (or weeks) I'm observing that rsyslog doesn't
> shut down after SIGTERM. I have to send SIGTERM 4-5 times to terminate
> rsyslog (which is problematic for init scripts). Rsyslog doesn't save
> the queue to the disk spool in this situation.
>
> I'm using rsyslog from git (master branch). I've prepared a debug log; I
> can send it if it will be helpful.
> Thanks!
From: marcin at mejor.pl (Marcin Mirosław)
Date: Sat, 26 Mar 2011 11:18:28 +0100
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To:
References: <4D8C91E4.3040304@mejor.pl>
Message-ID: <4D8DBD74.70907@mejor.pl>

On 2011-03-26 00:19, david at lang.hm wrote:
> I suspect that what's happening is that since you have
>
>> $MainMsgQueueSaveOnShutdown on
>
> what's happening is that when you send the kill -15, it starts trying to
> save all the messages from its queue to disk before it shuts down.

But how long should rsyslog try to save the queue? It should take seconds (I don't have many messages), not minutes or hours. Something changed a few weeks ago; earlier I didn't notice such a situation.
Regards!

From: heiko at shruuf.de (Heiko Becker)
Date: Sun, 27 Mar 2011 13:17:08 +0200
Subject: [rsyslog] Failed Test: imtcp_conndrop.sh
Message-ID: <4D8F1CB4.2080901@shruuf.de>

Hi,

The imtcp_conndrop.sh test sometimes fails for rsyslog-5.6.5. Output:
http://paste.pocoo.org/raw/360318/
Any suggestions for the cause? Thanks for your effort in advance.

Best regards,
Heiko Becker
From: igor.sverkos at googlemail.com (Igor Sverkos)
Date: Mon, 28 Mar 2011 02:26:27 +0200
Subject: [rsyslog] Why doesn't /var/log/syslog include mail.* messages?
Message-ID:

Hi,

I am new to rsyslog. Currently I don't understand why mail.* messages aren't included in the /var/log/syslog file. This is the default Debian rsyslog.conf:

> [...]
> ###############
> #### RULES ####
> ###############
>
> #
> # First some standard log files. Log by facility.
> #
> auth,authpriv.*                 /var/log/auth.log
> *.*;auth,authpriv.none          -/var/log/syslog
> #cron.*                         /var/log/cron.log
> daemon.*                        -/var/log/daemon.log
> kern.*                          -/var/log/kern.log
> lpr.*                           -/var/log/lpr.log
> mail.*                          -/var/log/mail.log
> user.*                          -/var/log/user.log
>
> #
> # Logging for the mail system. Split it up so that
> # it is easy to write scripts to parse these files.
> #
> mail.info                       -/var/log/mail.info
> mail.warn                       -/var/log/mail.warn
> mail.err                        /var/log/mail.err
>
> [...]

In my understanding, when a message with the facility "mail" and severity "info" comes in, the following should happen:

1. Rule: Does *not* match facility "auth" or "authpriv", so the message won't get into "/var/log/auth.log". The next rule should get processed.

2. Rule: *Does* match facility *and* severity "*.*", so it's included. It doesn't match "auth" or "authpriv.*", so it isn't excluded.

=> The message *should* get into /var/log/syslog... But it doesn't?!

It will be written to /var/log/mail.log (rule "mail.*") and also into /var/log/mail.info (rule "mail.info")... but why won't it also be logged in /var/log/syslog?

-- 
Best wishes,
Igor
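An added example, written for this page and not code from the thread or from rsyslog: a small Python model of the sysklogd-style selector evaluation that the two numbered steps above walk through, run over the quoted Debian rules. It handles the plain `facility.priority`, `=priority`, `*` and `none` forms (the `!` negation form is left out), and the rule text is a constructed copy of the quoted block with comments removed.

```python
import re

# Severity order from syslog(3); a plain "facility.priority" selector matches
# that priority and everything more severe (a lower index here).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed from the rules block quoted above (comments and the commented-out
# cron.* line left out); a leading "-" on a file name is the no-sync flag.
DEBIAN_RULES = """
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
"""


def prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, severity):
    """Evaluate one selector field (several 'fac.prio' parts joined by ';').

    Parts are applied left to right and a later part overrides an earlier one
    for the facilities it names; that is what lets 'auth,authpriv.none' after
    '*.*' exclude those two facilities again.
    """
    result = False
    for part in selector.split(";"):
        facilities, prio = part.rsplit(".", 1)
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue
        if prio == "none":
            result = False
        elif prio == "*":
            result = True
        elif prio.startswith("="):          # exactly this priority
            result = prio_index(prio[1:]) == prio_index(severity)
        else:                               # this priority and more severe
            result = prio_index(severity) <= prio_index(prio)
    return result


def parse_rules(text):
    """Split 'selector  action' lines into (selector, file) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((selector, action.lstrip("-")))
    return rules


def destinations(rules, facility, severity):
    """Files a message with this facility/severity is written to, in rule order."""
    return [action for selector, action in rules
            if selector_matches(selector, facility, severity)]


if __name__ == "__main__":
    rules = parse_rules(DEBIAN_RULES)
    for fac, sev in [("mail", "info"), ("authpriv", "notice"), ("mail", "err")]:
        print(f"{fac}.{sev:<7} -> {', '.join(destinations(rules, fac, sev))}")
```

For mail.info the model yields /var/log/syslog, /var/log/mail.log and /var/log/mail.info, the same reading as steps 1 and 2, while an authpriv message is kept out of /var/log/syslog by the `.none` part.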
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 28 Mar 2011 09:06:30 +0200
Subject: [rsyslog] Failed Test: imtcp_conndrop.sh
In-Reply-To: <4D8F1CB4.2080901@shruuf.de>
References: <4D8F1CB4.2080901@shruuf.de>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDE90@GRFEXC.intern.adiscon.com>

Thanks for bringing this issue up. I have blogged about what is happening because I think this can be useful for others as well:

http://blog.gerhards.net/2011/03/why-does-rsyslog-testbench-sometimes.html

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Heiko Becker
> Sent: Sunday, March 27, 2011 1:17 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Failed Test: imtcp_conndrop.sh
>
> Hi,
>
> imtcp_conndrop.sh test sometimes fails for rsyslog-5.6.5. Output:
> http://paste.pocoo.org/raw/360318/
> Any suggestions for the cause? Thanks for your effort in advance.
>
> Best regards,
> Heiko Becker
From: stefan.kleindl at rlb-stmk.raiffeisen.at (stefan.kleindl at rlb-stmk.raiffeisen.at)
Date: Mon, 28 Mar 2011 09:23:20 +0200
Subject: [rsyslog] Max syslog message size?
Message-ID:

I'm running into a probably known problem with Windows by Snare where my messages get truncated. The last huge message I got was an incredible 1670 letters / 2098 including spaces and tabs (EventID 4624, so a normal Logon).

I've read that syslog itself is limited to 1024 (or 512 even?) bytes but frankly, right now I'm not sure if it's rsyslog (any limit), Snare (cutting at send time?) or the UDP packet size which is causing the trouble here.

Any insight and solution on this matter?

regards

----------------------------------------
Raiffeisen-Landesbank Steiermark AG, Graz, FN 264700 s, Landesgericht für Zivilrechtssachen Graz, DVR 0040495
Correspondence with a.m. sender via e-mail is only for information purposes. This medium is not to be used for the exchange of legally-binding communications.
----------------------------------------
From: tbergfeld at hq.adiscon.com (Tom Bergfeld)
Date: Tue, 29 Mar 2011 15:11:58 +0200
Subject: [rsyslog] rsyslog 5.7.10 (v5-beta) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDEBF@GRFEXC.intern.adiscon.com>

We have just released rsyslog 5.7.10, the new v5-beta.

This is another set of bug fixes, with some bugs that recently came in. It also contains some non-intrusive enhancements, like example code that demos how to write a strgen module that generates SQL statements. Please see the ChangeLog for more details.

ChangeLog:
http://www.rsyslog.com/changelog-for-5-7-10-v5-beta/

Download:
http://www.rsyslog.com/rsyslog-5-7-10-v5-beta/

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

-- 
Support
=======
Improving rsyslog is costly, but you can help! We are looking for organizations that find rsyslog useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment. Commercial support contracts for rsyslog are available, and they help finance continued maintenance. Adiscon GmbH, a privately held German company, is currently funding rsyslog development. We are always looking for interesting development projects. For details on how to help, please see http://www.rsyslog.com/doc-how2help.html.

From: lanas at securenet.net (lanas)
Date: Tue, 29 Mar 2011 20:20:06 -0400
Subject: [rsyslog] per-application log file
Message-ID: <20110329202006.6746c214@mistral.stie>

Hello,

What I would like to do is to have a special log file for one application. I would like to have all logging from that app go to that file and nowhere else. So I do:

if $programname == 'applogTest' then /var/log/applogtest.log

This works, but messages are also sent to the main system log file. How can log messages be *only* sent to this applogtest.log file?

Thanks!
From: paul.ruiz at gmail.com (Paul Ruiz)
Date: Tue, 29 Mar 2011 17:31:28 -0700
Subject: [rsyslog] per-application log file
In-Reply-To: <20110329202006.6746c214@mistral.stie>
References: <20110329202006.6746c214@mistral.stie>
Message-ID:

Add the line "& ~" after. & continues the action and ~ discards the event.

if $programname == 'applogTest' then /var/log/applogtest.log
& ~

On Tue, Mar 29, 2011 at 5:20 PM, lanas wrote:
> Hello,
>
> What I would like to do is to have a special log file for one
> application. I would like to have all logging from that app go to that
> file and nowhere else. So I do:
>
> if $programname == 'applogTest' then /var/log/applogtest.log
>
> This works, but messages are also sent to the main system log file.
> How can log messages be *only* sent to this applogtest.log file?
>
> Thanks!

From: david at lang.hm (david at lang.hm)
Date: Tue, 29 Mar 2011 18:03:55 -0700 (PDT)
Subject: [rsyslog] per-application log file
In-Reply-To: <20110329202006.6746c214@mistral.stie>
References: <20110329202006.6746c214@mistral.stie>
Message-ID:

On Tue, 29 Mar 2011, lanas wrote:

> Hello,
>
> What I would like to do is to have a special log file for one
> application. I would like to have all logging from that app go to that
> file and nowhere else. So I do:
>
> if $programname == 'applogTest' then /var/log/applogtest.log
>
> This works, but messages are also sent to the main system log file.
> How can log messages be *only* sent to this applogtest.log file?

do

if $programname == 'applogTest' then /var/log/applogtest.log
& ~

the & says to do the same test as the prior line
the ~ says to throw away this log message and don't do anything else with it.

David Lang
From: roland.kamke at auconet.com (Roland Kamke)
Date: Wed, 30 Mar 2011 08:47:05 +0200
Subject: [rsyslog] Regexp values in comparison
Message-ID: <69DFC544026A844790C013C0FB16B9E0B61F7E@eta.firma.lan>

A newbie question: Is it possible to use values matching a regular expression in a comparison?

Imagine I receive messages like this: "disk usage of /dev/sdb2 is 60%", "disk usage of /dev/sda3 is 80%", etc. All match the regular expression "disk usage of [/a-zA-Z0-9]* is [0-9]*%". I do not want to log all these messages, but only those where disk usage is at least 75 per cent.

Can this be achieved by proper configuration? Where to look in the documentation?

Thank you
Roland
From: david at lang.hm (david at lang.hm)
Date: Wed, 30 Mar 2011 00:17:19 -0700 (PDT)
Subject: [rsyslog] Regexp values in comparison
In-Reply-To: <69DFC544026A844790C013C0FB16B9E0B61F7E@eta.firma.lan>
References: <69DFC544026A844790C013C0FB16B9E0B61F7E@eta.firma.lan>
Message-ID:

On Wed, 30 Mar 2011, Roland Kamke wrote:

> A newbie question: Is it possible to use values matching a regular
> expression in a comparison?
>
> Imagine I receive messages like this: "disk usage of /dev/sdb2 is 60%",
> "disk usage of /dev/sda3 is 80%", etc. All match the regular expression
> "disk usage of [/a-zA-Z0-9]* is [0-9]*%". I do not want to log all these
> messages, but only those where disk usage is at least 75 per cent.
> Can this be achieved by proper configuration?

yes, you would do three regex matches

first look for values between 75% and 79%

"disk usage of [/a-zA-Z0-9]* is 7[5-9]%"

then look for values between 80% and 99%

"disk usage of [/a-zA-Z0-9]* is [8-9][0-9]%"

and finally look for 100%

"disk usage of [/a-zA-Z0-9]* is 100%"

it may be possible to combine these with something similar to

"disk usage of [/a-zA-Z0-9]* is (7[5-9]|[8-9][0-9]|100)%"

but having three separate tests is clearer to many people

> Where to look in the documentation?

look for regex matches.

David Lang
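An added example, not code from the thread or from rsyslog: before putting range regexes like the ones above into a filter it is worth checking them against every value they are meant to cover, since a regex that encodes a numeric threshold is easy to get subtly wrong. This Python runs David's three patterns and the combined form over all percentages 0..100 plus a few constructed awkward inputs and compares each against a plain numeric comparison.

```python
import re

# The three range patterns and the combined form from David's reply above.
RANGE_PATTERNS = [
    r"disk usage of [/a-zA-Z0-9]* is 7[5-9]%",
    r"disk usage of [/a-zA-Z0-9]* is [8-9][0-9]%",
    r"disk usage of [/a-zA-Z0-9]* is 100%",
]
COMBINED_PATTERN = r"disk usage of [/a-zA-Z0-9]* is (7[5-9]|[8-9][0-9]|100)%"
THRESHOLD = 75


def matches_any_range(msg):
    """Three-rule approach: keep the message if any range pattern hits."""
    return any(re.search(p, msg) for p in RANGE_PATTERNS)


def matches_combined(msg):
    """Single-rule approach using the alternation."""
    return re.search(COMBINED_PATTERN, msg) is not None


def reference_decision(msg):
    """Ground truth: parse the percentage and compare it as a number.
    Values above 100 are treated as malformed and not kept."""
    m = re.search(r"disk usage of [/a-zA-Z0-9]* is ([0-9]+)%", msg)
    if m is None:
        return False
    return THRESHOLD <= int(m.group(1)) <= 100


def check_patterns():
    """Run every percentage 0..100 plus a few awkward (constructed) inputs
    through both regex approaches and return the messages where either one
    disagrees with the numeric reference; an empty list means both are
    equivalent to 'at least 75 per cent'."""
    samples = [f"disk usage of /dev/sda3 is {n}%" for n in range(0, 101)]
    samples += [
        "disk usage of /dev/sdb2 is 175%",   # three digits that are not 100
        "disk usage of /dev/sdb2 is 7%",     # one digit, must not hit 7[5-9]
        "disk usage of /dev/sdb2 is %",      # no number at all
        "Disk usage of /dev/sdb2 is 99%",    # case differs: nothing matches
    ]
    return [msg for msg in samples
            if matches_any_range(msg) != reference_decision(msg)
            or matches_combined(msg) != reference_decision(msg)]


if __name__ == "__main__":
    bad = check_patterns()
    print("all samples agree" if not bad else f"disagreements: {bad}")
```

In rsyslog's property-based filters `regex` is matched as POSIX BRE and `ereregex` as POSIX ERE, so the grouped alternation in the combined pattern belongs in an `:msg, ereregex, "..."` line, while the three separate patterns work under either operator.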
From: andersns at basefarm.no (Anders Synstad)
Date: Wed, 30 Mar 2011 10:47:53 +0200
Subject: [rsyslog] TCP syslogging from switches (Cisco 4948)
Message-ID: <4D92EE39.8090709@basefarm.no>

Hello,

I'm trying to sort out TCP syslogging from these switches, and not surprisingly I'm running into some problems. And I do know most of the answers to my own questions here. Just a vague hope that someone has had the same problems and also a nice solution (or can conclude that there is no easy solution).

I have my tcp listeners running on my central loghost server, and this is all working nicely. And I also have some firewalls logging TCP, and they work nicely.

The problem is that the logs from these Cisco switches don't end with ASCII 0a (line feed), so rsyslog just piles the logs up and prints them out in a big blob every now and then (guessing when the buffer is full).

Example:

2011-03-23T23:57:35.145806+01:00 SOMESWITCH (851), with alt-sw03a.osl GigabitEthernet1/44 (1886).<132>154002: Mar 23 22:52:34.010: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), with alt-sw03a.osl GigabitEthernet1/43 (851).<132>154003: Mar 23 22:52:34.010: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/43 (851), with alt-sw03a.osl GigabitEthernet1/44 (1886).<132>154004: Mar 23 22:53:34.009: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), with alt-sw03a.osl GigabitEthernet1/43 (851).<132>154005: Mar 23 22:53:34.009: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/43 (851), with alt-sw03a.osl GigabitEthernet1/44 (1886).<132>154006: Mar 23 22:54:34.008: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), with alt-sw03a.osl GigabitEthernet1/43 (851).<132>154007: Mar 23 22:54:34.008: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/43 (851), with alt-sw03a.osl GigabitEthernet1/44 (1886).<132>154008: Mar 23 22:55:34.007: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), with alt-sw03a.osl GigabitEthernet1/43 (851).<132>154009: Mar 23 22:55:34.007: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/43 (851), with alt-sw03a.osl GigabitEthernet1/44 (1886).<132>154010: Mar 23 22:56:34.005: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), with alt-sw03a.osl GigabitEthernet1/43 (851).<132>154011: Mar 23 22:56:34.005: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/43 (851), with alt-sw03a.osl GigabitEthernet1/44 (1886).<132>154012: Mar 23 22:57:34.004: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), with alt-sw03a.osl GigabitEthernet1/43 (851).<132>154013: Mar 23 22:57:34.004: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet

While the switch logs every minute, the logs get printed to the logfile every 6th minute in these blobs.

Has anyone else perhaps observed this? And have a nice solution?

Regards,
Anders Synstad
Basefarm AS

From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 30 Mar 2011 11:04:50 +0200
Subject: [rsyslog] TCP syslogging from switches (Cisco 4948)
In-Reply-To: <4D92EE39.8090709@basefarm.no>
References: <4D92EE39.8090709@basefarm.no>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDEC8@GRFEXC.intern.adiscon.com>

The Cisco implementation is simply broken. You need to complain there. The more customers complain, the better the chance this finally gets fixed. I have talked to my contacts inside Cisco a couple of years ago, but they were not able to initiate a correction. Looks like actual customers need to make that move.

Rainer
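An added example, not code from the thread and not rsyslog code: with no line feed on the wire, the only record boundary left in a blob like the one quoted is the `<PRI>` header that starts the next record, so a blob that has already been written to disk can at least be split back into individual records for analysis. The sample buffer is constructed after the quoted example, with the last record truncated as in the original.

```python
import re

# Constructed in the shape of the blob quoted above: several Cisco IOS syslog
# records written back to back, each starting with <PRI> and a sequence
# number, none of them terminated by a line feed.
BLOB = (
    "<132>154002: Mar 23 22:52:34.010: %CDP-4-NATIVE_VLAN_MISMATCH: "
    "Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), "
    "with alt-sw03a.osl GigabitEthernet1/43 (851)."
    "<132>154003: Mar 23 22:52:34.010: %CDP-4-NATIVE_VLAN_MISMATCH: "
    "Native VLAN mismatch discovered on GigabitEthernet1/43 (851), "
    "with alt-sw03a.osl GigabitEthernet1/44 (1886)."
    "<132>154004: Mar 23 22:53:34.009: %CDP-4-NATIVE_VLAN_MISMATCH: "
    "Native VLAN mismatch discovered on GigabitEthernet"   # truncated tail
)

# A syslog PRI is "<" followed by a number 0..191 and ">".  Note that a
# literal "<n>" inside a message text would be taken as a boundary too; with
# no framing on the wire there is nothing that could tell the two apart.
PRI_RE = re.compile(r"<(\d{1,3})>")


def split_unframed(data):
    """Split a buffer of LF-less syslog records on their <PRI> headers.

    Returns (pieces, remainder).  pieces holds any text before the first
    <PRI> (the tail of a record cut off earlier) followed by every complete
    record; remainder is the last record, which has no following <PRI> and
    may therefore still be incomplete.
    """
    starts = [m.start() for m in PRI_RE.finditer(data) if int(m.group(1)) <= 191]
    if not starts:
        return [], data
    pieces = [data[a:b] for a, b in zip([0] + starts, starts)]
    pieces = [p for p in pieces if p]   # drop the empty leading fragment
    return pieces, data[starts[-1]:]


def cisco_fields(record):
    """Pull PRI, sequence number, timestamp, mnemonic and text out of one
    IOS-style record; returns None if the record does not have that shape."""
    m = re.match(r"<(\d{1,3})>(\d+): (.*?): (%[A-Z0-9_-]+-\d-[A-Z0-9_]+): (.*)",
                 record, re.DOTALL)
    if m is None:
        return None
    return {
        "pri": int(m.group(1)),
        "seq": int(m.group(2)),
        "timestamp": m.group(3),
        "mnemonic": m.group(4),
        "text": m.group(5),
    }


if __name__ == "__main__":
    records, rest = split_unframed(BLOB)
    for rec in records:
        f = cisco_fields(rec)
        print(f"{f['seq']} {f['timestamp']} {f['mnemonic']}")
    print(f"incomplete tail: {rest[:40]}...")
```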
From: andersns at basefarm.no (Anders Synstad)
Date: Wed, 30 Mar 2011 11:07:27 +0200
Subject: [rsyslog] TCP syslogging from switches (Cisco 4948)
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDEC8@GRFEXC.intern.adiscon.com>
References: <4D92EE39.8090709@basefarm.no> <9B6E2A8877C38245BFB15CC491A11DA71DDEC8@GRFEXC.intern.adiscon.com>
Message-ID: <4D92F2CF.5030703@basefarm.no>

Thank you :)

This is basically what my thought was as well. Just wanted it confirmed.

Regards,
Anders Synstad
Basefarm AS

On 03/30/2011 11:04 AM, Rainer Gerhards wrote:
> The Cisco implementation is simply broken. You need to complain there. The
> more customers complain, the better the chance this finally gets fixed. I
> have talked to my contacts inside Cisco a couple of years ago, but they were
> not able to initiate a correction. Looks like actual customers need to make
> that move.
>
> Rainer
From: marcin at mejor.pl (Marcin Mirosław)
Date: Wed, 30 Mar 2011 14:27:30 +0200
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <4D8C91E4.3040304@mejor.pl>
References: <4D8C91E4.3040304@mejor.pl>
Message-ID: <4D9321B2.2030304@mejor.pl>

I've started rsyslogd without backgrounding it; after hitting Ctrl+C I got:

[...]
5980.477298473:9790a960: strm 0x176c7d78: file 3 write wrote 206 bytes
5980.477310792:9790a960: strm 0x17958838: file 15(/var/log/apache2/error_log) closing
5980.477337492:9790a960: main Q: entry added, size now log 9028, phys 9060 entries
5980.477347958:9790a960: main Q: EnqueueMsg advised worker start
5980.477356981:9790a960: Terminating main queue...
5980.477366048:9790a960: main Q: initiating worker thread shutdown sequence
5980.477376322:9790a960: main Q: trying shutdown of regular workers
5980.477447838:9790a960: sent SIGTTIN to worker thread 0x9584eb70
5980.477460078:9790a960: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
5981.977455494:9790a960: main Q:Reg: timeout waiting on worker thread termination
5981.977487009:9790a960: sent SIGTTIN to worker thread 0x9584eb70
5981.977500445:9790a960: main Q: regular shutdown timed out on primary queue (this is OK)
5981.977509906:9790a960: main Q: setting EnqOnly mode
5981.977520053:9790a960: main Q: trying immediate shutdown of regular workers (if any)
5981.977532050:9790a960: sent SIGTTIN to worker thread 0x9584eb70
5981.977543146:9790a960: main Q:Reg: waiting 1000ms on worker thread termination, 1 still running
5982.977598860:9790a960: main Q:Reg: timeout waiting on worker thread termination
5982.977628445:9790a960: sent SIGTTIN to worker thread 0x9584eb70
5982.977641142:9790a960: main Q: immediate shutdown timed out on primary queue (this is acceptable and triggers cancellation)
5982.977650982:9790a960: main Q: checking to see if we need to cancel any worker threads of the primary queue
5982.977662054:9790a960: sent SIGTTIN to worker thread 0x9584eb70, giving it a chance to terminate
5982.987739596:9790a960: cooperative worker termination failed, using cancellation...
5982.987751923:9790a960: wti 0x176a9d10: canceling worker thread
^C6175.499130974:9790a960: DoDie called.
^C6177.569066745:9790a960: DoDie called.
^C6178.119066849:9790a960: DoDie called.
^C6178.509119532:9790a960: DoDie called.
RELP/10.10.10.256178.509150207:9790a960:
Signal 6 (SIGABRT) occured, execution must be terminated.
6178.533316523:9790a960: Mutex log for all known mutex operations:
6178.533329944:9790a960: If the call trace is empty, you may want to ./configure --enable-rtinst
6178.533338708:9790a960: To submit bug reports, visit http://www.rsyslog.com/bugs
6178.533352061:9790a960: To submit bug reports, visit http://www.rsyslog.com/bugs
Terminated

I can't reproduce the problem in all tries. It depends on or it's a little random :(
But the problem isn't nice: logrotate can't do its job, because rsyslogd isn't properly restarted. I suspect that sometimes it doesn't write to the file defined this way:

:programname, isequal, "named" /var/log/named/named.log
& ~

Regards!

From rgerhards at hq.adiscon.com Wed Mar 30 14:52:48 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 30 Mar 2011 14:52:48 +0200
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <4D9321B2.2030304@mejor.pl>
References: <4D8C91E4.3040304@mejor.pl> <4D9321B2.2030304@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDECA@GRFEXC.intern.adiscon.com>

Well, three things:

1) the worker hangs, but the debug log is not complete enough to know why
2) you are pressing Ctrl-C 5 times, which will trigger the actual abort (but never mind, it would very probably not have been able to recover)
3) I strongly think the root cause is the same as in this bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=238 You are reporting a race condition and memory corruption there, and if this happens all kinds of strange things can happen.

I may be wrong with 3), but I need a complete debug log to at least have a chance to try that. You can mail me a complete log if you like. Please zip/tar before sending.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> Sent: Wednesday, March 30, 2011 2:28 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Rsyslog doesn't terminate after kill -15
>
> I've started rsyslogd without backgrounding it; after hitting Ctrl+C I got:
>
> [...]
> 5980.477298473:9790a960: strm 0x176c7d78: file 3 write wrote 206 bytes
> 5980.477310792:9790a960: strm 0x17958838: file 15(/var/log/apache2/error_log) closing
> 5980.477337492:9790a960: main Q: entry added, size now log 9028, phys 9060 entries
> 5980.477347958:9790a960: main Q: EnqueueMsg advised worker start
> 5980.477356981:9790a960: Terminating main queue...
> 5980.477366048:9790a960: main Q: initiating worker thread shutdown sequence
> 5980.477376322:9790a960: main Q: trying shutdown of regular workers
> 5980.477447838:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> 5980.477460078:9790a960: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
> 5981.977455494:9790a960: main Q:Reg: timeout waiting on worker thread termination
> 5981.977487009:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> 5981.977500445:9790a960: main Q: regular shutdown timed out on primary queue (this is OK)
> 5981.977509906:9790a960: main Q: setting EnqOnly mode
> 5981.977520053:9790a960: main Q: trying immediate shutdown of regular workers (if any)
> 5981.977532050:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> 5981.977543146:9790a960: main Q:Reg: waiting 1000ms on worker thread termination, 1 still running
> 5982.977598860:9790a960: main Q:Reg: timeout waiting on worker thread termination
> 5982.977628445:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> 5982.977641142:9790a960: main Q: immediate shutdown timed out on primary queue (this is acceptable and triggers cancellation)
> 5982.977650982:9790a960: main Q: checking to see if we need to cancel any worker threads of the primary queue
> 5982.977662054:9790a960: sent SIGTTIN to worker thread 0x9584eb70, giving it a chance to terminate
> 5982.987739596:9790a960: cooperative worker termination failed, using cancellation...
> 5982.987751923:9790a960: wti 0x176a9d10: canceling worker thread
>
> ^C6175.499130974:9790a960: DoDie called.
> ^C6177.569066745:9790a960: DoDie called.
> ^C6178.119066849:9790a960: DoDie called.
> ^C6178.509119532:9790a960: DoDie called.
> RELP/10.10.10.256178.509150207:9790a960:
> Signal 6 (SIGABRT) occured, execution must be terminated.
> 6178.533316523:9790a960: Mutex log for all known mutex operations:
> 6178.533329944:9790a960: If the call trace is empty, you may want to ./configure --enable-rtinst
> 6178.533338708:9790a960: To submit bug reports, visit http://www.rsyslog.com/bugs
> 6178.533352061:9790a960: To submit bug reports, visit http://www.rsyslog.com/bugs
> Terminated
>
> I can't reproduce the problem in all tries. It depends on or it's a little random :(
> But the problem isn't nice: logrotate can't do its job, because rsyslogd isn't properly restarted. I suspect that sometimes it doesn't write to the file defined this way:
>
> :programname, isequal, "named" /var/log/named/named.log
> & ~
>
> Regards!

From rgerhards at hq.adiscon.com Wed Mar 30 15:53:34 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 30 Mar 2011 15:53:34 +0200
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDECA@GRFEXC.intern.adiscon.com>
References: <4D8C91E4.3040304@mejor.pl> <4D9321B2.2030304@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA71DDECA@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDED0@GRFEXC.intern.adiscon.com>

I got the complete debug log. A potential issue may be that the RELP client can not connect to the server (did the firewall drop the connection request)? At least this is where the code hangs. This may be the result of some data race that occurred previously.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, March 30, 2011 2:53 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Rsyslog doesn't terminate after kill -15
>
> Well, three things:
>
> 1) the worker hangs, but the debug log is not complete enough to know why
> 2) you are pressing Ctrl-C 5 times, which will trigger the actual abort (but never mind, it would very probably not have been able to recover)
> 3) I strongly think the root cause is the same as in this bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=238 You are reporting a race condition and memory corruption there, and if this happens all kinds of strange things can happen.
>
> I may be wrong with 3), but I need a complete debug log to at least have a chance to try that. You can mail me a complete log if you like. Please zip/tar before sending.
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> > Sent: Wednesday, March 30, 2011 2:28 PM
> > To: rsyslog at lists.adiscon.com
> > Subject: Re: [rsyslog] Rsyslog doesn't terminate after kill -15
> >
> > I've started rsyslogd without backgrounding it; after hitting Ctrl+C I got:
> >
> > [...]
> > 5980.477298473:9790a960: strm 0x176c7d78: file 3 write wrote 206 bytes
> > 5980.477310792:9790a960: strm 0x17958838: file 15(/var/log/apache2/error_log) closing
> > 5980.477337492:9790a960: main Q: entry added, size now log 9028, phys 9060 entries
> > 5980.477347958:9790a960: main Q: EnqueueMsg advised worker start
> > 5980.477356981:9790a960: Terminating main queue...
> > 5980.477366048:9790a960: main Q: initiating worker thread shutdown sequence
> > 5980.477376322:9790a960: main Q: trying shutdown of regular workers
> > 5980.477447838:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> > 5980.477460078:9790a960: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
> > 5981.977455494:9790a960: main Q:Reg: timeout waiting on worker thread termination
> > 5981.977487009:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> > 5981.977500445:9790a960: main Q: regular shutdown timed out on primary queue (this is OK)
> > 5981.977509906:9790a960: main Q: setting EnqOnly mode
> > 5981.977520053:9790a960: main Q: trying immediate shutdown of regular workers (if any)
> > 5981.977532050:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> > 5981.977543146:9790a960: main Q:Reg: waiting 1000ms on worker thread termination, 1 still running
> > 5982.977598860:9790a960: main Q:Reg: timeout waiting on worker thread termination
> > 5982.977628445:9790a960: sent SIGTTIN to worker thread 0x9584eb70
> > 5982.977641142:9790a960: main Q: immediate shutdown timed out on primary queue (this is acceptable and triggers cancellation)
> > 5982.977650982:9790a960: main Q: checking to see if we need to cancel any worker threads of the primary queue
> > 5982.977662054:9790a960: sent SIGTTIN to worker thread 0x9584eb70, giving it a chance to terminate
> > 5982.987739596:9790a960: cooperative worker termination failed, using cancellation...
> > 5982.987751923:9790a960: wti 0x176a9d10: canceling worker thread
> >
> > ^C6175.499130974:9790a960: DoDie called.
> > ^C6177.569066745:9790a960: DoDie called.
> > ^C6178.119066849:9790a960: DoDie called.
> > ^C6178.509119532:9790a960: DoDie called.
> > RELP/10.10.10.256178.509150207:9790a960:
> > Signal 6 (SIGABRT) occured, execution must be terminated.
> > 6178.533316523:9790a960: Mutex log for all known mutex operations:
> > 6178.533329944:9790a960: If the call trace is empty, you may want to ./configure --enable-rtinst
> > 6178.533338708:9790a960: To submit bug reports, visit http://www.rsyslog.com/bugs
> > 6178.533352061:9790a960: To submit bug reports, visit http://www.rsyslog.com/bugs
> > Terminated
> >
> > I can't reproduce the problem in all tries. It depends on or it's a little random :(
> > But the problem isn't nice: logrotate can't do its job, because rsyslogd isn't properly restarted. I suspect that sometimes it doesn't write to the file defined this way:
> >
> > :programname, isequal, "named" /var/log/named/named.log
> > & ~
> >
> > Regards!

From marcin at mejor.pl Wed Mar 30 16:02:56 2011
From: marcin at mejor.pl (Marcin Mirosław)
Date: Wed, 30 Mar 2011 16:02:56 +0200
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDED0@GRFEXC.intern.adiscon.com>
References: <4D8C91E4.3040304@mejor.pl> <4D9321B2.2030304@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA71DDECA@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DDED0@GRFEXC.intern.adiscon.com>
Message-ID: <4D933810.4080502@mejor.pl>

On 30.03.2011 15:53, Rainer Gerhards wrote:
> I got the complete debug log. A potential issue may be that the RELP client can not connect to the server (did the firewall drop the connection request)? At least this is where the code hangs. This may be the result of some data race that occurred previously.

It's the best firewall, the destination is turned off :) Because the destination isn't available 24h, I made a spool on the host (on which the problem appeared).

From rgerhards at hq.adiscon.com Wed Mar 30 16:05:04 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 30 Mar 2011 16:05:04 +0200
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <4D933810.4080502@mejor.pl>
References: <4D8C91E4.3040304@mejor.pl> <4D9321B2.2030304@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA71DDECA@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DDED0@GRFEXC.intern.adiscon.com> <4D933810.4080502@mejor.pl>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDED2@GRFEXC.intern.adiscon.com>

The firewall seems to break TCP and hang the connection. Fix the firewall.

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Marcin Miroslaw
> Sent: Wednesday, March 30, 2011 4:03 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Rsyslog doesn't terminate after kill -15
>
> On 30.03.2011 15:53, Rainer Gerhards wrote:
> > I got the complete debug log. A potential issue may be that the RELP client can not connect to the server (did the firewall drop the connection request)? At least this is where the code hangs. This may be the result of some data race that occurred previously.
>
> It's the best firewall, the destination is turned off :) Because the destination isn't available 24h, I made a spool on the host (on which the problem appeared).

From marcin at mejor.pl Wed Mar 30 16:12:51 2011
From: marcin at mejor.pl (Marcin Mirosław)
Date: Wed, 30 Mar 2011 16:12:51 +0200
Subject: [rsyslog] Rsyslog doesn't terminate after kill -15
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA71DDED2@GRFEXC.intern.adiscon.com>
References: <4D8C91E4.3040304@mejor.pl> <4D9321B2.2030304@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA71DDECA@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA71DDED0@GRFEXC.intern.adiscon.com> <4D933810.4080502@mejor.pl> <9B6E2A8877C38245BFB15CC491A11DA71DDED2@GRFEXC.intern.adiscon.com>
Message-ID: <4D933A63.3040108@mejor.pl>

On 30.03.2011 16:05, Rainer Gerhards wrote:
> The firewall seems to break TCP and hang the connection. Fix the firewall.

I don't think this is a problem with the firewall. The destination host can be reached by openvpn (probably this is important information in this case). Tcpdump shows:

16:09:56.669039 IP 10.10.0.1.50035 > 10.10.10.25.20514: S 902666024:902666024(0) win 5840

and nothing else.

From rodney.mckee at gmail.com Thu Mar 31 04:13:19 2011
From: rodney.mckee at gmail.com (Rodney McKee)
Date: Thu, 31 Mar 2011 13:13:19 +1100 (EST)
Subject: [rsyslog] buffer file not flushed
Message-ID: <26003689.36.1301537596042.JavaMail.rmckee@wsrmckee>

In the simple setup I have the following:

*.*;local0.none @@log1
$ActionExecOnlyWhenPreviousIsSuspended on
& @@log2
& /var/spool/rsyslog-buffer
$ActionExecOnlyWhenPreviousIsSuspended off

When testing a complete failure the rsyslog-buffer file is used, so all good. But the contents are not flushed from the buffer after the connection is re-established.
Should I be doing something different (use RELP) to ensure the buffer is flushed?

Thanks in advance
Rodney McKee

From toddmichael at gmail.com Thu Mar 31 05:53:30 2011
From: toddmichael at gmail.com (Todd Michael Bushnell)
Date: Wed, 30 Mar 2011 20:53:30 -0700
Subject: [rsyslog] buffer file not flushed
In-Reply-To: <26003689.36.1301537596042.JavaMail.rmckee@wsrmckee>
References: <26003689.36.1301537596042.JavaMail.rmckee@wsrmckee>
Message-ID:

Rodney,

I discovered this a few weeks ago and filed a bug that has since been acted upon. Rainer responded with a patch, but I've not yet had time to test. Long story short: it's a known issue that will be resolved in the near future.

http://bugzilla.adiscon.com/show_bug.cgi?id=241

todd

On Mar 30, 2011, at 7:13 PM, Rodney McKee wrote:

> In the simple setup I have the following:
>
> *.*;local0.none @@log1
> $ActionExecOnlyWhenPreviousIsSuspended on
> & @@log2
> & /var/spool/rsyslog-buffer
> $ActionExecOnlyWhenPreviousIsSuspended off
>
> When testing a complete failure the rsyslog-buffer file is used, so all good. But the contents are not flushed from the buffer after the connection is re-established.
> Should I be doing something different (use RELP) to ensure the buffer is flushed?
>
> Thanks in advance
> Rodney McKee

From rgerhards at hq.adiscon.com Thu Mar 31 07:28:59 2011
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 31 Mar 2011 07:28:59 +0200
Subject: [rsyslog] buffer file not flushed
In-Reply-To:
References: <26003689.36.1301537596042.JavaMail.rmckee@wsrmckee>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DDEDB@GRFEXC.intern.adiscon.com>

I am not sure if it actually is the same issue, but I would definitely like to get feedback if the patch resolves the situation.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Todd Michael Bushnell
> Sent: Thursday, March 31, 2011 5:54 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] buffer file not flushed
>
> Rodney,
>
> I discovered this a few weeks ago and filed a bug that has since been acted upon. Rainer responded with a patch, but I've not yet had time to test. Long story short: it's a known issue that will be resolved in the near future.
>
> http://bugzilla.adiscon.com/show_bug.cgi?id=241
>
> todd
>
> On Mar 30, 2011, at 7:13 PM, Rodney McKee wrote:
>
> > In the simple setup I have the following:
> >
> > *.*;local0.none @@log1
> > $ActionExecOnlyWhenPreviousIsSuspended on
> > & @@log2
> > & /var/spool/rsyslog-buffer
> > $ActionExecOnlyWhenPreviousIsSuspended off
> >
> > When testing a complete failure the rsyslog-buffer file is used, so all good. But the contents are not flushed from the buffer after the connection is re-established.
> > Should I be doing something different (use RELP) to ensure the buffer is flushed?
> >
> > Thanks in advance
> > Rodney McKee

From roland.kamke at auconet.com Thu Mar 31 16:04:44 2011
From: roland.kamke at auconet.com (Roland Kamke)
Date: Thu, 31 Mar 2011 16:04:44 +0200
Subject: [rsyslog] Sending SNMP traps to different receivers
Message-ID: <69DFC544026A844790C013C0FB16B9E0B61FF1@eta.firma.lan>

Depending on the content of a syslog message I would like to send SNMP traps to different hosts. I guess I should have multiple SNMP configuration blocks describing the target hosts in the rsyslog.conf. Then I learnt the term ruleset, where "... a specific input, or part of an input (like a tcp listener) will use a specific ruleset to "pass its messages to" ...". Unfortunately I am talking about output data now.

Is it possible to have multiple SNMP configuration settings in the rsyslog configuration? Will they override settings as they appear in the file(s)? Can I tell an action which SNMP output "channel" to use? Is there a concept similar to ruleset that applies to output data, SNMP traps in particular?

Thank you,
Roland
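The framing failure reported in the "TCP syslogging from switches (Cisco 4948)" thread above, as an added example that is not rsyslog code and not from any poster on this page: a receiver that delimits records only on LF never sees a record end when the sender omits LF, so every message lands in one buffered tail (the blob in the thread). The sample records are constructed after the CDP messages quoted there; the `<PRI>`-based fallback framer and the header-count health check are this example's own illustration, not an rsyslog feature.

```python
"""Framing a TCP syslog stream whose sender never terminates messages with LF.

Added example (not rsyslog code). Sample records below are constructed after
the CDP messages quoted in the Cisco 4948 thread; the PRI fallback is an
illustration of what a receiver would have to do, not an rsyslog option.
"""
import re
from typing import List, Tuple

# Syslog header '<PRI>' as sent on the wire; PRI is facility*8+severity, 0..191.
_PRI_RE = re.compile(rb"<(\d{1,3})>")

# Constructed sample, modelled on the switch output quoted in the thread.
SAMPLE_MSGS: List[bytes] = [
    b"<132>154002: Mar 23 22:52:34.010: %CDP-4-NATIVE_VLAN_MISMATCH: "
    b"Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), "
    b"with alt-sw03a.osl GigabitEthernet1/43 (851).",
    b"<132>154003: Mar 23 22:52:34.010: %CDP-4-NATIVE_VLAN_MISMATCH: "
    b"Native VLAN mismatch discovered on GigabitEthernet1/43 (851), "
    b"with alt-sw03a.osl GigabitEthernet1/44 (1886).",
    b"<132>154004: Mar 23 22:53:34.009: %CDP-4-NATIVE_VLAN_MISMATCH: "
    b"Native VLAN mismatch discovered on GigabitEthernet1/44 (1886), "
    b"with alt-sw03a.osl GigabitEthernet1/43 (851).",
]


def frame_on_lf(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Plain LF framing: a record ends at 0x0a.

    Returns (complete records, unterminated tail still buffered). A sender
    that never sends LF leaves everything in the tail until the receiver
    gives up and flushes it as one blob.
    """
    parts = stream.split(b"\n")
    return parts[:-1], parts[-1]


def _is_pri(m) -> bool:
    """True when the matched '<digits>' is a syntactically valid PRI."""
    return int(m.group(1)) <= 191


def frame_on_pri(stream: bytes) -> Tuple[bytes, List[bytes], bytes]:
    """Fallback framing: a new record starts at every '<PRI>' header.

    Returns (orphan bytes before the first header, complete records, last
    record which may still be incomplete). Only sound for a sender known to
    omit LF, since a '<123>' inside a message body would also split it.
    """
    starts = [m.start() for m in _PRI_RE.finditer(stream) if _is_pri(m)]
    if not starts:
        return stream, [], b""
    orphan = stream[:starts[0]]
    records = [stream[a:b] for a, b in zip(starts, starts[1:])]
    return orphan, records, stream[starts[-1]:]


def embedded_header_count(record: bytes) -> int:
    """Number of '<PRI>' headers found after offset 0 of one record.

    A correctly framed record carries exactly one header, at offset 0; any
    count above zero is the signature of a sender that does not delimit its
    messages, which makes this a cheap receiver-side health check.
    """
    return sum(1 for m in _PRI_RE.finditer(record, 1) if _is_pri(m))


if __name__ == "__main__":
    good = b"".join(m + b"\n" for m in SAMPLE_MSGS)
    bad = b"".join(SAMPLE_MSGS)
    print("LF-terminated:", len(frame_on_lf(good)[0]), "records")
    print("no LF:", len(frame_on_lf(bad)[0]), "records,",
          len(frame_on_lf(bad)[1]), "bytes buffered")
    _, recs, tail = frame_on_pri(bad)
    print("PRI fallback:", len(recs), "records,", len(tail), "bytes pending")
```

Run against the LF-less stream, `frame_on_lf` returns no records and the whole input as buffered tail, while `embedded_header_count` on that tail reports two extra headers, which is what the quoted blob shows.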