Yes

Sent from phone, thus brief.

Patrick Leung via rsyslog <[email protected]> wrote on Fri, 21 Feb 2020, 21:16:

> Thanks for all the help thus far.
> In this case, the "--enable-imjournal" and "--enable-libsystemd" need to
> be declared when building rsyslog w/ imjournal?
>
> Thanks
> Patrick
>
>
> On Thursday, February 20, 2020, 04:12:17 p.m. PST, David Lang <[email protected]> wrote:
>
>
>
>
>
> I would expect it to be, it's been a while since I built from scratch, and I
> wasn't building for a systemd enabled distro at that point.
>
> David Lang
>
> On Thu, 20 Feb 2020, Patrick Leung wrote:
>
> > Date: Thu, 20 Feb 2020 23:14:09 +0000 (UTC)
> > From: Patrick Leung <[email protected]>
> > To: David Lang <[email protected]>
> > Cc: Patrick Leung via rsyslog <[email protected]>
> > Subject: Re: [rsyslog] rsyslog journald filtering
> >
> > A quick question if you don't mind:
> >
> > I would like to double check the required build changes/configuration in rsyslog to build a working imjournal. My distro is Yocto warrior-based (systemd-v241), the rsyslog_v8.1903.0 recipe has "imjournal" package option enabled (i.e. PACKAGECONFIG += "imjournal").
> >
> > Is enabling of "libsystemd" in rsyslog required in order to have imjournal plugin working?
> >
> > Thanks,
> > Patrick
> >
> > On Wednesday, February 19, 2020, 01:25:21 p.m. EST, David Lang <[email protected]> wrote:
> >
> >
> >
> >
> >
> > set up a short test where you turn off imuxsock and only have imjournal, then log
> > everything with the debug format so that you can see what an imjournal message
> > looks like.
> >
> > David Lang
> >
> >   On Wed, 19 Feb 2020, Patrick Leung wrote:
> >
> >> Date: Wed, 19 Feb 2020 17:46:59 +0000 (UTC)
> >> From: Patrick Leung <[email protected]>
> >> To: David Lang <[email protected]>
> >> Cc: Patrick Leung via rsyslog <[email protected]>
> >> Subject: Re: [rsyslog] rsyslog journald filtering
> >>
> >> Hi,
> >> Looks like the "/etc/rsyslog.d/custom-rsyslog.conf" in my previous email response has the "else-if" clause missed (somehow). It checks for "imuxsock" and then "imjournal" and logs accordingly as you suggested:
> >> if ( $inputname == "imuxsock") then {
> >>     action(type="omfile" ...)
> >> } else if ( $inputname == "imjournal" ) then {
> >>     action(type="omfile" file="/var/log/syslog/imjournal.log" template="RSYSLOG_DebugFormat")
> >> }
> >>
> >> The problem I've been facing is that there are NO imjournal logs being filed.
> >> I tried also having rsyslog.conf that loads and uses imjournal/mmjsonparse only (no *.conf include), NO logs have been filed as well. I am trying to figure out why there is no imjournal log, then the next step is to examine the meta-data and build the filters.
> >>
> >> I assume imjournal is working in rsyslog_v8.1903, and (even though it is not project supported AFAIK) there is still development happening in imjournal plug-in (https://github.com/rsyslog/rsyslog/commits/master/plugins/imjournal/imjournal.c).
> >>
> >> Thanks,
> >> Patrick
> >>
> >>
> >> On Wednesday, February 19, 2020, 05:47:21 a.m. EST, David Lang <[email protected]> wrote:
> >>
> >>
> >>
> >>
> >>
> >> On Wed, 19 Feb 2020, Patrick Leung wrote:
> >>
> >>> Hi,
> >>> Sorry about the illegible config file content. Please allow me to try again. My system is using rsyslog_8.1903 from Yocto meta-openembedded/warrior that has systemd-journald_v241 forward to syslog. "/etc/rsyslog.conf" includes a custom rsyslog configuration "/etc/rsyslog.d/custom-rsyslog.conf". Please see below the configuration files.
> >>>
> >>> Given these configuration files, I obtain ONLY logging entries from imuxsock. The "RSYSLOG_DebugFormat" gives me the syslog message, e.g.
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 30,
> >>> syslogtag 'systemd[1]:', programname: 'systemd', APP-NAME: 'systemd', PROCID: '1', MSGID: '-',
> >>> TIMESTAMP: 'Feb 18 16:17:16', STRUCTURED-DATA: '-',
> >>> msg: ' Started machine-id persistence.'
> >>> escaped msg: ' Started machine-id persistence.'
> >>> inputname: imuxsock rawmsg: '<30>Feb 18 16:17:16 systemd[1]: Started machine-id persistence.'
> >>> $!:{ "msg": "Started machine-id persistence." }
> >>> $.:
> >>> $/:
> >>>
> >>> I would like to craft a rsyslog configuration such that both imuxsock and imjournal are used, and I will have a filtering based on the meta data in structured journald log fetched from imjournal.
> >>
> >> Ok, now set up a similar thing for a log you get from imjournal and look at the
> >> different properties that you get.
> >>
> >> I would suggest that you look at what inputname is for each one, that will
> >> probably work for your filtering.
> >>
> >> David Lang
> >>
> >>
> >>> I hope the given information clarifies my approach.
> >>>
> >>>
> >>> Thanks,
> >>> Patrick
> >>> ==============================
> >>> [/etc/rsyslog.conf]
> >>> module(load="imuxsock"
> >>>   SysSock.Use="on"
> >>>   SysSock.Name="/run/systemd/journal/syslog")
> >>>
> >>> module(load="builtin:omfile"
> >>>   dirCreateMode="0755"
> >>>   fileCreateMode="0640")
> >>>
> >>> module(load="mmjsonparse")
> >>> action(type="mmjsonparse")
> >>>
> >>> # Set the default permissions
> >>> $FileOwner syslog
> >>> $FileGroup syslog
> >>> $FileCreateMode 0640
> >>> $DirCreateMode 0755
> >>> $Umask 0022
> >>> $PrivDropToUser syslog
> >>> $PrivDropToGroup syslog
> >>>
> >>> include(file="/etc/rsyslog.d/*.conf" mode="required")
> >>>
> >>> ==============================
> >>>
> >>> [/etc/rsyslog.d/custom-rsyslog.conf]
> >>> module(load="imjournal" PersistStateInterval="100")
> >>> action(type="mmjsonparse")
> >>> if ( $inputname == "imuxsock" ) then {
> >>>     action(type="omfile" file="/var/log/syslog/imuxsock.log" template="RSYSLOG_DebugFormat")
> >>> } else if ( $inputname == "imjournal" ) then {
> >>>     action(type="omfile" file="/var/log/syslog/imjournal.log" template="RSYSLOG_DebugFormat")
> >>> }
> >>>
> >>
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
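
The isolation test suggested in the thread (imjournal as the only input, every message logged in debug format), followed by a filter on a journal field, written out as an added example that is not from any participant in the thread. The work directory, the output file names and the unit name `example.service` are assumptions.

```conf
# Added example: isolation test with imjournal as the only input
# (imuxsock is deliberately not loaded).
# Assumptions: /var/lib/rsyslog exists and is writable by the user rsyslogd
# runs as (imjournal keeps its state file there); "example.service" is a
# placeholder unit name.
global(workDirectory="/var/lib/rsyslog")

module(load="imjournal"
       StateFile="imjournal.state"
       PersistStateInterval="100")

module(load="builtin:omfile"
       dirCreateMode="0755"
       fileCreateMode="0640")

# Step 1: log every message with all properties. In the output, check the
# "inputname:" value and the "$!:" line, which carries the journal fields.
action(type="omfile"
       file="/var/log/syslog/imjournal-debug.log"
       template="RSYSLOG_DebugFormat")

# Step 2: once step 1 shows which fields arrive, filter on one of them.
# _SYSTEMD_UNIT is a standard journald field.
if ( $inputname == "imjournal" and $!_SYSTEMD_UNIT == "example.service" ) then {
    action(type="omfile" file="/var/log/syslog/example-unit.log")
}
```

Running `rsyslogd -N1 -f` against this file validates the configuration before the daemon is restarted with it.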