[rsyslog-notify] Forum Thread: Re: Prevent rsyslog server from indexing its own logs - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Tue Nov 24 12:28:03 CET 2015


User: wegdave 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26184#p26184

Message: 
----------
Hello.

Thanks for the answer.

Well, it worked, partially.

See, whenever I restart the rsyslog service it writes this:

[code:30ryeafb]
[root@brjgs058 brjgs058]# cat syslog.log
Nov 24 09:18:23 brjgs058 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="31562" x-info="http://www.rsyslog.com"] start
Nov 24 09:18:23 brjgs058 rsyslogd-2051: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
Nov 24 09:18:23 brjgs058 rsyslogd: the last error occured in /etc/rsyslog.conf, line 13:"if ($hostname = 'BRJGS058') then stop "
Nov 24 09:18:23 brjgs058 rsyslogd: warning: selector line without actions will be discarded
Nov 24 09:18:23 brjgs058 rsyslogd-3000: unknown facility name "ntp" [try http://www.rsyslog.com/e/3000 ]
Nov 24 09:18:23 brjgs058 rsyslogd: the last error occured in /etc/rsyslog.conf, line 41:"ntp.*                                                   ?TmplSyslog"
Nov 24 09:18:23 brjgs058 rsyslogd: warning: selector line without actions will be discarded
Nov 24 09:18:23 brjgs058 rsyslogd-3000: unknown facility name "logaudit" [try http://www.rsyslog.com/e/3000 ]
Nov 24 09:18:23 brjgs058 rsyslogd: the last error occured in /etc/rsyslog.conf, line 42:"logaudit.*                                              ?TmplSyslog"
Nov 24 09:18:23 brjgs058 rsyslogd: warning: selector line without actions will be discarded
Nov 24 09:18:23 brjgs058 rsyslogd-3000: unknown facility name "logalert" [try http://www.rsyslog.com/e/3000 ]
Nov 24 09:18:23 brjgs058 rsyslogd: the last error occured in /etc/rsyslog.conf, line 43:"logalert.*                                              ?TmplSyslog"
Nov 24 09:18:23 brjgs058 rsyslogd: warning: selector line without actions will be discarded
Nov 24 09:18:23 brjgs058 rsyslogd-3000: unknown facility name "clock" [try http://www.rsyslog.com/e/3000 ]
Nov 24 09:18:23 brjgs058 rsyslogd: the last error occured in /etc/rsyslog.conf, line 44:"clock.*                                                 ?TmplSyslog"
Nov 24 09:18:23 brjgs058 rsyslogd: warning: selector line without actions will be discarded
Nov 24 09:18:23 brjgs058 rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
[/code:30ryeafb]

Reach line 3: 

[code:30ryeafb]
Nov 24 09:18:23 brjgs058 rsyslogd: the last error occured in /etc/rsyslog.conf, line 13:"if ($hostname = 'BRJGS058') then stop "
[/code:30ryeafb]

It seems that it doesn't understand the command.

Also, it seems that some of the classes are not quite right or do not
exist, like clock and ntp.

RSYSLOG Version:

[code:30ryeafb][root@brjgs058 rsyslog]# rpm -qa | grep rsyslog
rsyslog-5.8.10-6.el6.i686
[root@brjgs058 rsyslog]#[/code:30ryeafb]

OS:
[code:30ryeafb][root@brjgs058 rsyslog]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@brjgs058 rsyslog]#[/code:30ryeafb]


Current rsyslog.conf:

[code:30ryeafb]

[root@brjgs058 rsyslog]# cat /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514

#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

if ($hostname = 'BRJGS058') then stop


*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#authpriv.*                                              /var/log/secure
#mail.*                                                  -/var/log/maillog
#cron.*                                                  /var/log/cron
#*.emerg                                                 *
#uucp,news.crit                                          /var/log/spooler

$template TmplSyslog, "/var/log/rsyslog/%HOSTNAME%/syslog.log"


# Save boot messages also to boot.log
#local7.*                                                ?TmplSyslog
#daemon.*                                               ?TmplSyslog
#user.*                                                 ?TmplSyslog
user.*                                                  ?TmplSyslog
mail.*                                                  ?TmplSyslog
daemon.*                                                ?TmplSyslog
auth.*                                                  ?TmplSyslog
syslog.*                                                ?TmplSyslog
lpr.*                                                   ?TmplSyslog
news.*                                                  ?TmplSyslog
uucp.*                                                  ?TmplSyslog
cron.*                                                  ?TmplSyslog
security.*                                              ?TmplSyslog
ftp.*                                                   ?TmplSyslog
ntp.*                                                   ?TmplSyslog
logaudit.*                                              ?TmplSyslog
logalert.*                                              ?TmplSyslog
clock.*                                                 ?TmplSyslog
local0.*                                                ?TmplSyslog
local1.*                                                ?TmplSyslog
local2.*                                                ?TmplSyslog
local3.*                                                ?TmplSyslog
local4.*                                                ?TmplSyslog
local5.*                                                ?TmplSyslog
local6.*                                                ?TmplSyslog
local7.*                                                ?TmplSyslog



[root@brjgs058 rsyslog]#

[/code:30ryeafb]
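
Added example, not part of the original post and not rsyslog code: a Python pre-restart check that flags the kinds of lines the startup log above rejects. It assumes legacy 5.x syntax (comparison is `==`, discard is `~`) and the facility keywords listed in the code; `lint`, `FACILITIES` and `SAMPLE` are hypothetical names, and the sample config is constructed from the one in the post.

```python
import re

# Facility keywords accepted in selector lines (assumption: the standard
# syslog names; the post's log shows ntp/logaudit/logalert/clock rejected).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "security", "syslog", "user", "uucp", "ftp", "*"}
FACILITIES |= {f"local{i}" for i in range(8)}

def lint(conf_text):
    """Return (line_number, message) findings for legacy-format rule lines."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, $Directives, property filters, '&' chains.
        if not line or line[0] in "#$:&":
            continue
        if line.startswith("if "):
            # Mask string literals so '=' inside a quoted value is ignored.
            expr = re.sub(r"'[^']*'|\"[^\"]*\"", "''", line)
            if re.search(r"(?<![=!<>])=(?!=)", expr):
                findings.append((no, "single '=' in expression; comparison is '=='"))
            if re.search(r"\bthen\s+stop\b", expr):
                findings.append((no, "'stop' is not a legacy discard; 5.x uses '~'"))
            continue
        # Selector line: facility[,facility].priority[;selector...]  action
        selectors = line.split(None, 1)[0]
        for sel in selectors.split(";"):
            for fac in sel.rsplit(".", 1)[0].split(","):
                if fac.lower() not in FACILITIES:
                    findings.append((no, f'unknown facility name "{fac}"'))
    return findings

# Constructed sample, abridged from the rsyslog.conf in the post.
SAMPLE = """\
$ModLoad imudp
if ($hostname = 'BRJGS058') then stop
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
$template TmplSyslog, "/var/log/rsyslog/%HOSTNAME%/syslog.log"
ftp.*       ?TmplSyslog
ntp.*       ?TmplSyslog
logaudit.*  ?TmplSyslog
clock.*     ?TmplSyslog
local7.*    ?TmplSyslog
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

On a central log server a config that fails to load means rules are silently dropped, so a check like this (alongside rsyslogd's own `-N1` config test) belongs before the service restart.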

