The experimental config file is attached, which has all the A/B tests, with associated comments.
I didn't receive the intervening post wondering whether I had posted the config file somewhere, but I did post it at https://github.com/rsyslog/rsyslog/issues/4299, and it also can be accessed there.

-ERB

-----Original Message-----
From: David Lang [mailto:[email protected]]
Sent: Sunday, July 05, 2020 5:48 PM
To: Eric Blomquist via rsyslog
Cc: 'Rainer Gerhards'; Eric Blomquist
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?

please post your config

David Lang

On Sun, 5 Jul 2020, Eric Blomquist via rsyslog wrote:

> Date: Sun, 5 Jul 2020 12:42:00 -0700
> From: Eric Blomquist via rsyslog <[email protected]>
> To: 'Rainer Gerhards' <[email protected]>,
>     'rsyslog-users' <[email protected]>
> Cc: Eric Blomquist <[email protected]>
> Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read
>     kernel messages?
>
> Thanks for responding.
>
> Yes, of course. imklog was the first thing I tried, and it has been
> configured to load throughout this process.
>
> In fact, I experimented with a great number of alternative configurations
> before I thought to try substituting imkmsg for imklog, only to discover that
> imkmsg was/is missing.
>
> No matter what we do, no rule in an imuxsock ruleset (even *.*) reads
> iptables log messages.
>
> We know the messages exist, both from running dmesg and because standalone
> rules (outside an imuxsock ruleset) read the messages.
>
> I experimented with all varieties of syntax, filter, filter text, operator,
> and property. None had any effect. I experimented with imuxsock listeners
> on all obvious sockets, and all failed.
>
> I also experimented with both means of interfacing with systemd-journald
> (i.e., configuring journald.conf with the "ForwardToSyslog=yes" directive,
> and via imjournal), with no effect.
>
> All that seems to be left (besides giving imkmsg a try) is something to do
> with the imuxsock module and how it handles kernel messages, and we can't
> figure it out.
>
> Having ruleset capability for iptables messages would be a big help, and this
> seems to depend on imuxsock.
>
> Thoughts?
>
> -ERB
>
>
> -----Original Message-----
> From: Rainer Gerhards [mailto:[email protected]]
> Sent: Sunday, July 05, 2020 2:01 AM
> To: rsyslog-users
> Cc: Eric Blomquist
> Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read
>     kernel messages?
>
> Did you have a look at imklog? That's the original module for kernel
> messages. I admit I do not remember why exactly imkmsg was
> contributed.
>
> Rainer
>
> On Fri, 3 Jul 2020 at 20:10, Eric Blomquist via rsyslog
> (<[email protected]>) wrote:
>>
>> Does anyone have any idea how to get imuxsock to read kernel messages?
>>
>> We have been having trouble getting any rule in an imuxsock ruleset to read
>> kernel messages, in particular those from iptables. Without this, ruleset
>> functionality is not available.
>>
>> Possibly, the difficulty is that imkmsg is absent on our systems and from
>> the latest rsyslog package available from the Adiscon repository (8.2006.0).
>> No obvious means exists to obtain or install this module. Does anyone have
>> this module installed?
>>
>> imklog permits a standalone rule (i.e., outside an imuxsock ruleset) to
>> capture kernel messages, so at least they're not lost, but again, no ruleset
>> functionality is available.
>>
>> We have attempted any number of configurations spanning rsyslog.conf,
>> journald.conf, and sysctl.conf, including creating listeners specifically
>> for /dev/kmsg, /proc/kmsg, /dev/log, and /run/systemd/journal/syslog, all
>> without success.
>>
>> Many thanks for any suggestions.
>>
>> _______________________________________________
>> rsyslog mailing list
>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
rsyslog.test
Description: Binary data

