[rsyslog-notify] Forum Thread: Re: Fatal error on disk queue - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Wed Jan 27 17:20:52 CET 2016


User: Jzeolla 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26300#p26300

Message: 
----------
[quote="dlang":3sim9n7a]what is your config?[/quote:3sim9n7a]

For sensitivity reasons, I've masked some fields.  

rsyslog.conf
[code:3sim9n7a]
# Main rsyslog.conf as posted (the poster masked some values): loads the
# impstats and mmjsonparse modules, sets legacy global directives, then
# includes every *.conf file under /etc/rsyslog.d/.
# impstats: emit rsyslog's internal counters every 300 s in CEE format into
# the syslog stream (facility 16, severity 6); resetCounters is off, so the
# values are cumulative.
module(load="impstats" interval="300" facility="16" severity="6"
format="cee" resetCounters="off" log.syslog="on")
module(load="mmjsonparse")
$ActionFileDefaultTemplate RSYSLOG_FileFormat
# NOTE(review): the next line looks damaged by the paste or the masking
# ("onlegitimate reverse lookups)"); presumably the value is "on" followed by
# a trailing comment - confirm against the real file.
$DropMsgsWithMaliciousDnsPTRRecords onlegitimate reverse lookups)
# Sender allow-list for TCP, by host name (continued on the next line).
# NOTE(review): the only input visible in the posted files is imrelp; confirm
# that this list is actually enforced for that input, otherwise it suggests a
# restriction that is not in effect. Host-name entries also depend on DNS.
$AllowedSender TCP, server1.example.com,
server2.example.com
# Refuse to start on a configuration that contains errors.
$AbortOnUncleanConfig on
$RepeatedMsgReduction on
$RepeatedMsgContainsOriginalMsg on
$LogRSyslogStatusMessages on
# Limit message size to 2048 bytes.
$MaxMessageSize 2048
# Main queue: fixed-size in-memory array. Severity 7 (debug) is the discard
# threshold when the queue fills up.
# NOTE(review): no main-queue file name is set in the posted text, so this
# queue looks memory-only; SaveOnShutdown normally matters only for disk or
# disk-assisted queues - confirm.
$MainMsgQueueType FixedArray
$MainMsgQueueSaveOnShutdown on
$MainMsgQueueDiscardSeverity 7
# Ownership and modes for files and directories that rsyslog creates
# ("owner" and "group" are presumably masked placeholders).
$FileOwner owner
$FileGroup group
$FileCreateMode 0640
$DirCreateMode 0750
# A umask of 0022 clears no bit of 0640 or 0750, so the modes above take
# effect as written.
$Umask 0022
# NOTE(review): the privilege-drop target is root, so as posted the daemon
# keeps full root privileges after startup (the names may be masked values).
# A dedicated unprivileged account that owns the log and spool directories
# would limit the impact of a bug in an input or parser module.
$PrivDropToUser root
$PrivDropToGroup root
# Spool directory for queue files; the actions in logstore.conf that set
# queue.filename rely on it. It should be writable only by the rsyslog account.
$WorkDirectory /data/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
[/code:3sim9n7a]

50-default.conf (reference
[url=http://kb.monitorware.com/post25935.html:3sim9n7a]this[/url:3sim9n7a]
conversation)
[code:3sim9n7a]
# 50-default.conf as posted: local file routing by facility and severity, plus
# forwarding to a remote server. Several lines were wrapped by the mail
# gateway and some selectors appear to be masked, so this text does not parse
# as it stands.
# Dynamic file name: one log file per facility under /var/log.
template(name="facilityfiles" type="string"
string="/var/log/%syslogfacility-text%.log")

# Set ruleset - this is because more than one config writes to
/var/log/messages and is intended to resolve multiple threads writing to
the file at the same time
# NOTE(review): the ruleset body below is a bare path with no selector in
# front of it; the selector was presumably masked - confirm.
ruleset(name="writetomessages") {
/var/log/messages
}

# Log all syslog remotely over UDP
# NOTE(review): a single "@" is plain UDP forwarding - unencrypted,
# unauthenticated and lossy - and it sits before the auth/authpriv rule, so
# authentication logs appear to cross the network in clear text. The store
# side already loads imrelp; forwarding over RELP with TLS would protect these
# records in transit. The selector for this line is not shown (presumably
# masked).
@server1.example.com:514

# Write auth and authpriv logs to auth.log
# "stop" ends processing for these messages, so they reach none of the files
# configured below.
auth,authpriv.* {
/var/log/auth.log
stop
}

# Write everything going to local4 to /var/log/messages
local4.* call writetomessages

# Ignore everything going to local2, but still send it remotely
local2.* stop

# Write everything other than local2 and auth,authpriv to the catchall
syslog file
*.* /var/log/syslog

# Write messages to /var/log/messages
if ($syslogseverity-text == ["info", "notice", "warn"] and not
$syslogfacility-text == ["auth", "authpriv", "cron", "daemon", "mail",
"news"]) then call writetomessages

# Write the following syslog facilities to their respective .log files
if $syslogfacility-text == ["cron", "user", "uucp", "daemon", "kern",
"lpr", "mail"] then ?facilityfiles

# Write mail to separate logs depending on the severity level
# The three tests are cumulative: a message below severity 3 matches all of
# them and is written to mail.info, mail.warn and mail.crit.
if ($syslogfacility-text == "mail" and $syslogseverity < 7) then
/var/log/mail.info
if ($syslogfacility-text == "mail" and $syslogseverity < 5) then
/var/log/mail.warn
if ($syslogfacility-text == "mail" and $syslogseverity < 3) then
/var/log/mail.crit

# Write news to separate logs depending on the severity level and set the
user to "news"
# The directory is created 0755 (listable by every local user) while the
# files are 0640 news:adm, so file names are visible but contents are not.
if ($syslogfacility-text == "news" and $syslogseverity < 6) then
action(type="omfile" file="/var/log/news/news.notice"
dirCreateMode="0755" dirOwner="news" dirGroup="adm" fileOwner="news"
fileGroup="adm" fileCreateMode="0640")
if ($syslogfacility-text == "news" and $syslogseverity < 4) then
action(type="omfile" file="/var/log/news/news.err" dirCreateMode="0755"
dirOwner="news" dirGroup="adm" fileOwner="news" fileGroup="adm"
fileCreateMode="0640")
if ($syslogfacility-text == "news" and $syslogseverity < 3) then
action(type="omfile" file="/var/log/news/news.crit"
dirCreateMode="0755" dirOwner="news" dirGroup="adm" fileOwner="news"
fileGroup="adm" fileCreateMode="0640")

# Write debug messages
if ($syslogseverity-text == "debug" and not $syslogfacility-text ==
["auth", "authpriv", "news", "mail"]) then /var/log/debug

# Write messages of emergency severity to the console
*.emerg /dev/console
[/code:3sim9n7a]

logstore.conf (modified, but the two actions under the parsesuccess are 15
and 17)
[code:3sim9n7a]
# logstore.conf as posted (the poster says it was modified): receives messages
# over RELP on port 514, parses them as JSON and writes them to per-host and
# per-service files through two disk-assisted action queues.
global(preserveFQDN="on")

## Load the appropriate modules
module(load="imrelp")

## Default log templates
# Templates for syslog that successfully parses as JSON.
# NOTE(review): %$!fromhost-ip% is a field taken from the parsed JSON payload,
# i.e. a value chosen by the sender, not the address rsyslog saw on the
# connection. Using it as a path component lets a sender pick the directory
# and file name its records land in. The property-replacer option
# secpath-replace (or secpath-drop) neutralises slashes in such a field, and
# the transport-level %fromhost-ip% property, as used in "example2", avoids
# trusting the payload at all.
template(name="example1" type="string"
string="/data/syslog/%$!fromhost-ip%/%$year%/%$month%/%$!fromhost-ip%-%$year%-%$month%-%$day%.log")
# Templates for syslog that doesn't successfully parse as JSON
template(name="example2" type="string"
string="/data/syslog/%fromhost-ip%/%$year%/%$month%/%fromhost-ip%-%$year%-%$month%-%$day%.log")
# Parse the JSON-formatted syslog and format it as RFC3164 syslog.
# Every field in this output line comes from the JSON payload, so the stored
# timestamp and source address are whatever the sender claimed.
template(name="json" type="string" string="%$!timereported% %$!fromhost-ip%
%$!syslogtag%%$!message%\n")
## Service-specific log templates
template(name="auth" type="string"
string="/data/syslog/services/authentication-%$year%-%$month%-%$day%.log")

ruleset(name="example") {
	# Parse the JSON
	action(type="mmjsonparse")

	# Both actions below run for every message that parsed, each behind its own
	# LinkedList queue with a queue.filename ("15" and "17"), which makes the
	# queues disk-assisted; the spool files go to the $WorkDirectory set in
	# rsyslog.conf. Each queue may use up to 20g of disk in 100m files, and
	# severity 7 is the discard threshold once 10000 entries are queued.
	# NOTE(review): the posted ruleset has no else branch, so messages that fail
	# JSON parsing are not written anywhere by it and template "example2" is
	# never referenced - confirm against the unmodified file, because
	# unparsable input disappearing silently is a logging gap.
	if ($parsesuccess == "OK") then {
			action(type="omfile" dynaFile="auth" template="json"
dirCreateMode="0750" dirGroup="group" dirOwner="syslog" fileOwner="syslog"
fileGroup="group" fileCreateMode="0640" queue.type="LinkedList"
queue.filename="15" queue.saveonshutdown="on"
queue.discardseverity="7" queue.discardmark="10000"
queue.highwatermark="7500" queue.size="10240"
queue.maxfilesize="100m" queue.maxdiskspace="20g")
			action(type="omfile" dynaFile="example1" template="json"
dirCreateMode="0750" dirGroup="group" dirOwner="syslog" fileOwner="syslog"
fileGroup="group" fileCreateMode="0640" queue.type="LinkedList"
queue.filename="17" queue.saveonshutdown="on"
queue.discardseverity="7" queue.discardmark="10000"
queue.highwatermark="7500" queue.size="10240"
queue.maxfilesize="100m" queue.maxdiskspace="20g")
# NOTE(review): two blocks are opened above (the ruleset and the "if") but
# only one closing brace follows in the posted text.
}

## Configure some store-specific directives
# NOTE(review): a gtls netstream driver with CA, certificate and key is
# configured here, but the only input shown is imrelp with tls="off", so RELP
# traffic is accepted in clear text and without peer authentication. imrelp
# takes its TLS settings from its own input parameters (tls="on", tls.caCert,
# tls.myCert, tls.myPrivKey, tls.authMode, tls.permittedPeer), not from the
# netstream driver directives. The private key file should be readable only by
# the account rsyslog runs as.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /fake/location/trusted-server-chain.crt
$DefaultNetstreamDriverCertFile
/fake/location/server1.example.com.crt
$DefaultNetstreamDriverKeyFile
/fake/location/server1.example.com.key
input(type="imrelp" port="514" tls="off" ruleset="example")
[/code:3sim9n7a]

