sorry, accidentally removed list address. My reply is now quoted first level... below

On Wed, 2013-04-10 at 13:03 +0200, Rainer Gerhards wrote:
> On Wed, 2013-04-10 at 10:54 +0000, C. L. Martinez wrote:
> > Hi Rainer,
> >
> > My mistake: I had forgotten to include the modules. Now, I have only one
> > problem (I am using the version provided by FreeBSD). Actual config is:
> >
> > #rsyslog v7 config file
> >
> > # if you experience problems, check
> > # http://www.rsyslog.com/troubleshoot for assistance
> >
> > # Increasing Message size
> > $MaxMessageSize 64k
> >
> >
> > #### MODULES ####
> >
> > # Input modules
> > module(load="imudp")
> > input(type="imudp" port="514")
> > module(load="imtcp")
> > input(type="imtcp" port="514")
> >
> > # Output modules
> > module(load="omrelp")
> >
> >
> > #### Templates definitions ####
> >
> > $template srx_rfc5424fmt,"juniper_srx_logs %fromhost-ip% %msg%\n"
> >
> >
> > #### RULES ####
> >
> > # Default spool directory
> > $WorkDirectory /data/logs/rsyslog
> > $MainMsgQueueFileName mainq
> > $MainMsgQueueType LinkedList
> > $MainMsgQueueSaveOnShutDown on
> > $MainMsgQueueMaxDiskSpace 40g
> > $MainMsgQueueSize 8000000
> >
> > #
> > # Rules for Juniper SRX firewall
> > #
> > if $fromhost-ip == '172.31.0.2' then {
> >     action(type="omfwd" protocol="tcp" target="172.17.22.2"
> >            port="20514" template="srx_rfc5424fmt"
> >            queue.filename="junosfwd"
> >            queue.maxdiskspace="10g"
> >            queue.saveonshutdown="on"
> >            queue.type="linkedlist"
> >            queue.maxfilesize="20m"
> >            action.resumeretrycount="-1")
> >     action(type="omfile" file="/data/logs/plain/junos.log"
> >            template="RSYSLOG_TraditionalFileFormat")
> >     action(type="omrelp" target="172.17.22.5" port="10514"
> >            template="RSYSLOG_TraditionalFileFormat"
> >            queue.filename="ossec_junosfwd"
> >            queue.maxdiskspace="10g"
> >            queue.saveonshutdown="on"
> >            queue.type="linkedlist"
> >            queue.maxfilesize="20m"
> >            action.resumeretrycount="-1")
> >     stop
> > }
> >
> > and debug returns me this error:
> >
> > 0966.837493917:802007400: type: 'omrelp'
> > 0966.837504158:802007400: action.writeallmarkmessages: (unset)
> > 0966.837513173:802007400: action.execonlyeverynthtime: (unset)
> > 0966.837522218:802007400: action.execonlyeverynthtimetimeout: (unset)
> > 0966.837531193:802007400: action.execonlyonceeveryinterval: (unset)
> > 0966.837540233:802007400: action.execonlywhenpreviousissuspended: (unset)
> > 0966.837549293:802007400: action.repeatedmsgcontainsoriginalmsg: (unset)
> > 0966.837558323:802007400: action.resumeretrycount: -1
> > 0966.837567566:802007400: action.resumeinterval: (unset)
> > 0966.837581087:802007400: Called LogError, msg: config objects are not
> > supported by module 'omrelp' -- legacy config options MUST be used instead
> > 0966.837942794:802007400: rsyslog/glbl: using '127.0.0.1' as localhost IP
> > 0966.837964050:802007400: Called LogError, msg: error during parsing file
> > /data/config/etc/rsyslog/rsyslog-siem.conf, on or before line 64: errors
> > occured in file '/data/config/etc/rsyslog/rsyslog-siem.conf' around line 64
> > 0966.838318742:802007400: cnf:global:script
> > 0966.838358873:802007400: begin ruleset optimization phase
> > 0966.838364567:802007400: ruleset 'RSYSLOG_DefaultRuleset' before
> > optimization:
> >
> > According to this, I need to change my config to:
> >
> > #rsyslog v7 config file
> >
> > # if you experience problems, check
> > # http://www.rsyslog.com/troubleshoot for assistance
> >
> > # Increasing Message size
> > $MaxMessageSize 64k
> >
> >
> > #### MODULES ####
> >
> > # Input modules
> > module(load="imudp")
> > input(type="imudp" port="514")
> > module(load="imtcp")
> > input(type="imtcp" port="514")
> >
> > # Output modules
> > module(load="omrelp")
> >
> >
> > #### Templates definitions ####
> >
> > $template srx_rfc5424fmt,"juniper_srx_logs %fromhost-ip% %msg%\n"
> >
> >
> > #### RULES ####
> >
> > # Default spool directory
> > $WorkDirectory /data/logs/rsyslog
> > $MainMsgQueueFileName mainq
> > $MainMsgQueueType LinkedList
> > $MainMsgQueueSaveOnShutDown on
> > $MainMsgQueueMaxDiskSpace 40g
> > $MainMsgQueueSize 8000000
> >
> > #
> > # Rules for Juniper SRX firewall
> > #
> > if $fromhost-ip == '172.31.0.2' then {
> >     action(type="omfwd" protocol="tcp" target="172.17.22.2"
> >            port="20514" template="srx_rfc5424fmt"
> >            queue.filename="junosfwd"
> >            queue.maxdiskspace="10g"
> >            queue.saveonshutdown="on"
> >            queue.type="linkedlist"
> >            queue.maxfilesize="20m"
> >            action.resumeretrycount="-1")
> >     action(type="omfile" file="/data/logs/plain/junos.log"
> >            template="RSYSLOG_TraditionalFileFormat")
> > }
> > if $fromhost-ip == '172.31.0.2' and $msg contains_i 'RT_FLOW_SESSION_CLOSE'
> > then :omrelp:172.17.22.5:10514
> > & ~
> >
> > Should work??
>
> On quick look, I think so. omrelp supports action() statements only
> starting with 7.3.10, which was released today.
>
> Rainer
>
> > On Wed, Apr 10, 2013 at 9:53 AM, Rainer Gerhards
> > <[email protected]> wrote:
> >
> > > On Wed, 2013-04-10 at 09:48 +0000, C. L. Martinez wrote:
> > > > Hello Rainer,
> > > >
> > > > Finally, I have found where the problem with my modules is. Here is the
> > > > debug file.
> > >
> > > The log looks fine (but you have only one action, I think you reduced?).
> > > As it looks, I think the fromhost-IP is different from what you expect.
> > >
> > > To get info, add
> > >
> > > *.* /var/log/msgprops;RSYSLOG_DebugFormat
> > >
> > > to rsyslog.conf, let some messages run through the engine and post the
> > > result (or review yourself to see if the properties contain what you
> > > expect).
> > >
> > > I also see that you use a slightly older version. IF all looks well,
> > > upgrading is probably a good idea, maybe there was a bug.
> > >
> > > Rainer
> > >
> > > > On Wed, Apr 10, 2013 at 9:05 AM, Rainer Gerhards
> > > > <[email protected]> wrote:
> > > >
> > > > > Please provide debug log.
> > > > >
> > > > > On Wed, 2013-04-10 at 09:04 +0000, C. L. Martinez wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I am trying to configure several actions using v7 syntax without
> > > > > > luck. My actual rsyslog.conf:
> > > > > >
> > > > > > #rsyslog v7 config file
> > > > > >
> > > > > > # if you experience problems, check
> > > > > > # http://www.rsyslog.com/troubleshoot for assistance
> > > > > >
> > > > > > # Increasing Message size
> > > > > > $MaxMessageSize 64k
> > > > > >
> > > > > >
> > > > > > #### MODULES ####
> > > > > >
> > > > > > # Input modules
> > > > > >
> > > > > > # Output modules
> > > > > > module(load="omfile")
> > > > > > module(load="omfwd")
> > > > > > #module(load="omtcp")
> > > > > >
> > > > > >
> > > > > > #### Templates definitions ####
> > > > > >
> > > > > > $template srx_rfc5424fmt,"test_logs %fromhost-ip% %msg%\n"
> > > > > >
> > > > > >
> > > > > > #### RULES ####
> > > > > >
> > > > > > # Default spool directory
> > > > > > $WorkDirectory /data/logs/rsyslog
> > > > > > $MainMsgQueueFileName mainq
> > > > > > $MainMsgQueueType LinkedList
> > > > > > $MainMsgQueueSaveOnShutDown on
> > > > > > $MainMsgQueueMaxDiskSpace 40g
> > > > > > $MainMsgQueueSize 8000000
> > > > > >
> > > > > >
> > > > > > if $fromhost-ip == '172.31.0.2' then {
> > > > > >     action(type="omfwd" protocol="tcp" target="172.17.22.2"
> > > > > >            port="20514" template="srx_rfc5424fmt"
> > > > > >            queue.filename="junosfwd"
> > > > > >            queue.maxdiskspace="10g"
> > > > > >            queue.saveonshutdown="on"
> > > > > >            queue.type="linkedlist"
> > > > > >            queue.maxfilesize="20m"
> > > > > >            action.resumeretrycount="-1")
> > > > > >     action(type="omfile" file="/data/logs/plain/junsa.log"
> > > > > >            template="RSYSLOG_TraditionalFileFormat")
> > > > > >     stop
> > > > > > }
> > > > > >
> > > > > > but with this configuration, logs are not redirected or written to
> > > > > > disk. Any idea why??
> > > > > >
> > > > > > _______________________________________________
> > > > > > rsyslog mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > http://www.rsyslog.com/professional-services/
> > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > > > > POST if you DON'T LIKE THAT.
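The legacy-syntax fallback discussed in the thread drops the omrelp action's disk-assisted queue, so a RELP receiver outage would lose the session-close events. Below is an added example, not from the thread, that keeps the queue on a version before 7.3.10: hosts, ports, queue names and the RT_FLOW_SESSION_CLOSE filter are the thread's, the $Action* directives are rsyslog's legacy per-action settings, and $WorkDirectory is assumed to be set as in the thread's config.

```conf
# Added example (not from the thread): legacy-syntax omrelp action that keeps
# the same disk-assisted queue the action() statement carried. Needed on
# rsyslog versions before 7.3.10, where omrelp rejects action() objects with
# "config objects are not supported by module 'omrelp'".
# Assumes $WorkDirectory /data/logs/rsyslog from the thread's config, which is
# where the queue files below are written.

module(load="omrelp")

# Per-action queue: these legacy directives apply to the next action only.
# Messages buffer to ossec_junosfwd* under $WorkDirectory while the RELP
# receiver is unreachable, survive a restart, and are retried indefinitely.
$ActionQueueType LinkedList
$ActionQueueFileName ossec_junosfwd
$ActionQueueMaxDiskSpace 10g
$ActionQueueMaxFileSize 20m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Only SRX session-close events go to the RELP receiver. The ";template"
# suffix selects the output format, as with the legacy @@host:port selector.
if $fromhost-ip == '172.31.0.2' and $msg contains_i 'RT_FLOW_SESSION_CLOSE' then :omrelp:172.17.22.5:10514;RSYSLOG_TraditionalFileFormat
# "~" discards the message after the RELP action, like "stop" in the v7 block.
& ~
```

Once the queue is in place, stopping the RELP receiver and watching ossec_junosfwd* files appear under $WorkDirectory, then drain when it returns, confirms the fallback behaves like the original action() statement.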

