[rsyslog-notify] Forum Thread: Help with sorting by port received - (Mode 'post')
noreply at adiscon.com
Tue Feb 23 19:09:47 CET 2016
User: reswob
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26360#p26360
Message:
----------
I have a large number of servers sending their logs to two different ports,
514 and 11514. I currently have rsyslog working receiving logs on 514 and
filtering to different files using if/then statements. I now want to have
rsyslog listen on 11514 and put EVERYTHING from that port into one file.
I don't know much about rsyslog, and I've inherited the working config, so I
backed up the working config and I've been googling like crazy and trying
different things, but nothing has worked.
Here is the working config:
#Modules
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
# Feeds
if $programname startswith 'CEF' then /var/log/cef.log
& ~
if ($programname == 'named' or $msg contains '%DNSSERVER') then /var/log/dns.log
& ~
....
if $hostname startswith '10.10.' then /var/log/cleanup.log #catchall
*.info;mail.none;authpriv.none;cron.none /var/log/messages
<other rules for local logging>
So what I first tried to do was just a listener for the additional port and
then add rules for the messages coming in on that port:
#Modules
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
#$UDPServerRun 514
input(type="imudp" port="514")
input(type="imudp" port="11514")
# Feeds
if $msg contains 'event1' then /var/log/specialservers.log
& ~
if $programname startswith 'CEF' then /var/log/cef.log
& ~
if ($programname == 'named' or $msg contains '%DNSSERVER') then /var/log/dns.log
& ~
....
if $hostname startswith '10.10.' then /var/log/cleanup.log #catchall
*.info;mail.none;authpriv.none;cron.none /var/log/messages
<other rules for local logging>
But while the specialservers.log was created, nothing was added. Also,
/var/log/messages said:
rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
(which just tells me it's a generic error)
rsyslogd: the last error occured in /etc/rsyslog.conf, line 10:
"input(type="imudp" port="11514")"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd-2124: CONFIG ERROR: could not interpret master config file
'/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
(which just tells me to read the whole line for the error description)
So this implied there was something wrong with the way I was configuring
listening.
So I then tried
#Modules
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
#$UDPServerRun 514
input(type="imudp" port="514" ruleset="remotefrom514")
input(type="imudp" port="11514" ruleset="specialservers")
# Feeds
ruleset(name="specialservers") {
if $msg contains 'event1' then /var/log/specialservers.log
}
ruleset(name="remotefrom514") {
if $programname startswith 'CEF' then /var/log/cef.log
& ~
if ($programname == 'named' or $msg contains '%DNSSERVER') then /var/log/dns.log
& ~
....
if $hostname startswith '10.10.' then /var/log/cleanup.log #catchall
*.info;mail.none;authpriv.none;cron.none /var/log/messages
<other rules for local logging>
}
And I got the same thing as above. No logs in the specialservers.log and
the same error in /var/log/messages [with the one difference being line 18
says input(type="imudp" port="11514" ruleset="specialservers")]
I'm running 5.8.10 (that's what the swVersion says when it starts and stops
in /var/log/messages)
Can someone help?
To restate my goal, I would like everything coming in on port 11514 to go
into one log file, while things coming in on 514 get sorted as configured.
Thanks
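Added example, not part of the original post and not taken from rsyslog's own documentation: the goal stated above (everything on UDP 11514 into one file, 514 sorted as before) written in the legacy $-directive syntax that rsyslog 5.8.10 understands. The 5.x series predates the RainerScript input() and ruleset() objects, so an input(...) line is parsed as an ordinary selector line, which is what the "unknown priority name" and "selector line without actions" errors quoted above indicate. The ruleset name "specialservers" and the file path /var/log/specialservers.log are this example's own choices; the 514 rules are the ones quoted in the post.

```conf
# Added example (not the poster's config). Assumes rsyslog 5.x legacy
# directives: $RuleSet, $InputUDPServerBindRuleset, $UDPServerRun.

#Modules
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp

# Dedicated ruleset for the 11514 listener: every message, at every
# priority, goes to one file. The discard afterwards is optional (a ruleset
# does not fall through into the default one), but it documents the intent.
$RuleSet specialservers
*.* /var/log/specialservers.log
& ~

# Switch back to the default ruleset. The 514 listener and the local inputs
# (imuxsock, imklog) are not bound to any ruleset, so their messages land
# here and are processed by the rules below, exactly as in the working config.
$RuleSet RSYSLOG_DefaultRuleset

# Listeners. $InputUDPServerBindRuleset applies to the $UDPServerRun that
# follows it, so start 514 first (unbound), then bind and start 11514.
$UDPServerRun 514
$InputUDPServerBindRuleset specialservers
$UDPServerRun 11514

# Feeds (unchanged from the working config)
if $programname startswith 'CEF' then /var/log/cef.log
& ~
if ($programname == 'named' or $msg contains '%DNSSERVER') then /var/log/dns.log
& ~
if $hostname startswith '10.10.' then /var/log/cleanup.log #catchall
*.info;mail.none;authpriv.none;cron.none /var/log/messages
```

To check the routing without touching the real senders, a single syslog datagram can be pushed at each port from the collector itself (assuming netcat is installed), for example: printf '<14>Feb 23 19:09:47 host1 myapp: event1 test\n' | nc -u -w1 127.0.0.1 11514 should append one line to /var/log/specialservers.log and nothing to the 514 files, while the same datagram sent to port 514 should follow the existing sorting rules. Because 11514 is the only bound listener, nothing about the 514 path or local logging changes.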