Thanks for all the help thus far. In this case, the "--enable-imjournal" and "--enable-libsystemd" need to be declared when building rsyslog w/ imjournal?
Thanks Patrick On Thursday, February 20, 2020, 04:12:17 p.m. PST, David Lang <[email protected]> wrote: I would expect it tobe, it's been a while since I built from scratch, and I wasn't building for a systemd enabled distro at that point. David Lang On Thu, 20 Feb 2020, Patrick Leung wrote: > Date: Thu, 20 Feb 2020 23:14:09 +0000 (UTC) > From: Patrick Leung <[email protected]> > To: David Lang <[email protected]> > Cc: Patrick Leung via rsyslog <[email protected]> > Subject: Re: [rsyslog] rsyslog journald filtering > > A quick question if you don't mind: > > I would like to double check the required build changes/configuration in > rsyslog to build a working imjournal. My distro is Yocto warrior-based > (systemd-v241), the rsyslog_v8.1903.0 recipe has "imjournal" package option > enabled (i.e. PACKAGECONFIG += "imjournal"). > > Is enabling of "libsystemd" in rsyslog required in order to have imjournal > plugin working? > > Thanks, > Patrick > > On Wednesday, February 19, 2020, 01:25:21 p.m. EST, David Lang > <[email protected]> wrote: > > > > > > setup a short test where you turn of imuxsock and only have imjournal, then > log > everything with the debug format so that you can see what an imjournal message > looks like. > > David Lang > > On Wed, 19 Feb 2020, Patrick Leung wrote: > >> Date: Wed, 19 Feb 2020 17:46:59 +0000 (UTC) >> From: Patrick Leung <[email protected]> >> To: David Lang <[email protected]> >> Cc: Patrick Leung via rsyslog <[email protected]> >> Subject: Re: [rsyslog] rsyslog journald filtering >> >> Hi, >> Looks like the "/etc/rsyslog.d/custom-rsyslog.conf" in my previous email >> response has the "else-if" clause missed (somehow). It checks for "imuxsock" >> and then "imjournal" and logs accordingly as you suggested: >> if ( $inputname == "imuxsock") then { >> action(type="omfile" ...) >> } else if ( $inputname == "imjournal" ) then { >> action(type="omfile" file="/var/log/syslog/imjournal.log" >> template="RSYSLOG_DebugFormat") >> } >> >> The problem I've been facing is that there is NO imjournal logs being filed. >> I tried also having rsyslog.conf that loads and uses imjournal/mmjsonparse >> only (no *.conf include), NO logs have been filed as well. I am trying to >> figure out why there is no imjournal log, then the next step is to examine >> the meta-data and build the filters. >> >> I assume imjournal is working in rsyslog_v8.1903, and (even though it is not >> project supported AFAIK) there is still development happening in imjournal >> plug-in >> (https://github.com/rsyslog/rsyslog/commits/master/plugins/imjournal/imjournal.c). >> >> Thanks, >> Patrick >> >> >> On Wednesday, February 19, 2020, 05:47:21 a.m. EST, David Lang >> <[email protected]> wrote: >> >> >> >> >> >> On Wed, 19 Feb 2020, Patrick Leung wrote: >> >>> Hi, >>> Sorry about the illegible config file content. Please allow me to try >>> again. My system is using rsyslog_8.1903 from Yocto >>> meta-openembedded/warrior that has systemd-journald_v241 forward to syslog. >>> "/etc/rsyslog.conf" includes a custom rsyslog configuration >>> "/etc/rsyslog.d/custom-rsyslog.conf". Please see below the configuration >>> files. >>> >>> Given these configuration files, I obtain ONLY logging entries from >>> imuxsock. The "RSYSLOG_DebugFormat" gives me the syslog message, e.g. >>> >>> Debug line with all properties: >>> FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 30, >>> syslogtag 'systemd[1]:', programname: 'systemd', APP-NAME: 'systemd', >>> PROCID: '1', MSGID: '-', >>> TIMESTAMP: 'Feb 18 16:17:16', STRUCTURED-DATA: '-', >>> msg: ' Started machine-id persistence.' >>> escaped msg: ' Started machine-id persistence.' >>> inputname: imuxsock rawmsg: '<30>Feb 18 16:17:16 systemd[1]: Started >>> machine-id persistence.' >>> $!:{ "msg": "Started machine-id persistence." } >>> $.: >>> $/: >>> >>> I would like to craft a rsyslog configuration such that both imuxsock and >>> imjournal are used, and I will have a filtering base on the meta data in >>> structured journald log fetched from imjournal. >> >> Ok, now setup similar thing for a log you get from imjournal and look at the >> different properties that you get. >> >> I would suggest that you look at what inputname is for each one, that will >> probably work for your filtering. >> >> David Lang >> >> >>> I hope the given information clarifies my approach. >>> >>> >>> Thanks, >>> Patrick >>> ============================== >>> [/etc/rsyslog.conf] >>> module(load="imuxsock" >>> SysSock.Use="on" >>> SysSock.Name="/run/systemd/journal/syslog") >>> >>> module(load="builtin:omfile" >>> dirCreateMode="0755" >>> fileCreateMode="0640") >>> >>> module(load="mmjsonparse") >>> action(type="mmjsonparse") >>> >>> # Set the default permissions >>> $FileOwner syslog >>> $FileGroup syslog >>> $FileCreateMode 0640 >>> $DirCreateMode 0755 >>> $Umask 0022 >>> $PrivDropToUser syslog >>> $PrivDropToGroup syslog >>> >>> include(file="/etc/rsyslog.d/*.conf" mode="required") >>> >>> ============================== >>> >>> [/etc/rsyslog.d/custom-rsyslog.conf] >>> module(load="imjournal" PersisStateInterval="100") >>> action(type="mmjsonparse") >>> if ( $inputname == "imuxsock" ) then { >>> action(type="omfile" file="/var/log/syslog/imuxsock.log" >>> template="RSYSLOG_DebugFormat") >>> else if ( $inputname == "imjournal" ) then { >>> action(type="omfile" file="/var/log/syslog/imjournal.log" >>> template="RSYSLOG_DebugFormat") >>> } >>> >> > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
