[rsyslog-notify] Forum Thread: pmaixforwardedfrom configuration - (Mode 'post')
noreply at adiscon.com
Sun Oct 19 13:47:11 CEST 2014
User: xdaxdb
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25020#p25020
Message:
----------
Hi, I'm having trouble getting the plugin pmaixforwardedfrom to work. The
only docs I was able to find to configure it are here:
http://www.rsyslog.com/tag/pmaixforwardedfrom/
http://www.rsyslog.com/doc/v7-stable/configuration/ruleset/rsconf1_rulesetparser.html
I installed rsyslog and pmaixforwardedfrom using the packages found at
http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/ :
libgt-0.3.11-1.el6.x86_64.rpm
liblogging-1.0.4-1.el6.x86_64.rpm
rsyslog-7.6.7-1.el6.x86_64.rpm
rsyslog-pmaixforwardedfrom-7.6.0-1.el6.x86_64.rpm
I moved my rsyslog.conf.rpmsave (previous version was v5) back to
rsyslog.conf and with an unmodified configuration the service started and
functioned as expected.
[b]But I am unable to figure out how to get pmaixforwardedfrom
working[/b]. I figured out how to change the port that AIX sends
its syslogs on (adding ":10514" to the hostname in syslog.conf doesn't
work, you have to change the syslog value in /etc/services) and I verified
the traffic was leaving and arriving at the central logging server with
tcpdump at both ends.
When I start rsyslog I get the following errors (I've tried a few things to
correct this but since I made no progress I rolled back to where I think
the real problem is):
[code]
2014-10-19T04:39:50.627021-07:00 mylogserver rsyslogd: [origin software="rsyslogd" swVersion="7.6.7" x-pid="28505" x-info="http://www.rsyslog.com"] start
2014-10-19T04:39:50.605574-07:00 mylogserver rsyslogd-3003: invalid or yet-unknown config file command 'ActionOmrulesetRulesetName' - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
2014-10-19T04:39:50.605727-07:00 mylogserver rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 18: errors occured in file '/etc/rsyslog.conf' around line 18 [try http://www.rsyslog.com/e/2207 ]
2014-10-19T04:39:50.605848-07:00 mylogserver rsyslogd-2184: action '*' treated as ':omusrmsg:*' - please change syntax, '*' will not be supported in the future [try http://www.rsyslog.com/e/2184 ]
2014-10-19T04:39:50.605861-07:00 mylogserver rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 34: warnings occured in file '/etc/rsyslog.conf' around line 34 [try http://www.rsyslog.com/e/2207 ]
[/code]
This is my configuration:
[code]
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$ModLoad pmaixforwardedfrom
# define ruleset for the first device sending malformed data
$Ruleset AIX
$RulesetCreateMainQueue on
# create ruleset-specific queue
$RulesetParser rsyslog.aixforwardedfrom
# note: this deactivates the default parsers
# forward all messages to default ruleset:
$ActionOmrulesetRulesetName RSYSLOG_DefaultRuleset
*.* :omruleset:
# switch back to default ruleset
$Ruleset RSYSLOG_DefaultRuleset
#### RULES ####
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# now define the inputs and bind them to the rulesets
# first the default listener (utilizing the default ruleset)
$UDPServerRun 514
# now the one with the parser for device type 1:
$InputUDPServerBindRuleset AIX
$UDPServerRun 10514
[/code]
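
Added example, not part of the original post: the 3003 error above names the directive $ActionOmrulesetRulesetName, which is provided by rsyslog's omruleset output module, and the posted configuration has no $ModLoad line for it. The sketch below scans a legacy-format config for directives used before their module is loaded; the function name and the directive-to-module map are assumptions made for this illustration and cover only directives that appear in the post.

```python
import os
import re

# Assumption: minimal map covering only the module-provided legacy
# directives that appear in the posted config; extend for other modules.
PROVIDED_BY = {
    "actionomrulesetrulesetname": "omruleset",
    "udpserverrun": "imudp",
    "inputudpserverbindruleset": "imudp",
}

# A legacy directive line: "$Name argument", optionally followed by a comment.
DIRECTIVE = re.compile(r"^\s*\$(\w+)\s*(\S*)")


def missing_modules(conf_text):
    """Return (line_no, directive, module) for every mapped directive that is
    used before the module providing it has been loaded with $ModLoad."""
    loaded, findings = set(), []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, selector/action lines, blank lines
        name, arg = m.group(1).lower(), m.group(2)
        if name == "modload":
            # Accept both "imudp" and "/path/to/imudp.so"
            loaded.add(re.sub(r"\.so$", "", os.path.basename(arg)).lower())
        elif name in PROVIDED_BY and PROVIDED_BY[name] not in loaded:
            findings.append((line_no, m.group(1), PROVIDED_BY[name]))
    return findings


# Constructed sample: the directive lines of the configuration quoted above.
SAMPLE = """\
$ModLoad imudp
$ModLoad pmaixforwardedfrom
$Ruleset AIX
$RulesetCreateMainQueue on
$RulesetParser rsyslog.aixforwardedfrom
$ActionOmrulesetRulesetName RSYSLOG_DefaultRuleset
*.* :omruleset:
$Ruleset RSYSLOG_DefaultRuleset
$UDPServerRun 514
$InputUDPServerBindRuleset AIX
$UDPServerRun 10514
"""

if __name__ == "__main__":
    for line_no, directive, module in missing_modules(SAMPLE):
        print(f"line {line_no}: ${directive} requires '$ModLoad {module}' first")
```

Line numbers in the output refer to the constructed sample, not to the poster's /etc/rsyslog.conf.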