Hello everyone, I have a problem that I cannot solve.
On the basis of this configuration I correctly receive the logs from the remote server on the "machine1.log" file and I am able to forward them correctly to another remote server. The problem is that not even the system logs are written to the /var/log/messages file. If I try to move the $IncludeConfig directive to the bottom of the rsyslog.conf file, all the logs the remote server sends me are written to the /var/log/messages file (obviously in an ideal situation this shouldn't happen). How can I go about solving this? I tried to use the "stop" directive by inserting it in several places but I don't get the desired effect ... either it writes everything to the messages or it doesn't write anything. Where am I wrong?

RSYSLOG.CONF

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
module(load="mmutf8fix")
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad imfile
$ModLoad imtcp

$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/private/rsyslog/certificate-p7b_new.pem
$DefaultNetstreamDriverCertFile /etc/ssl/private/rsyslog/certificate_new.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog/certificate-key.pem

#### GLOBAL DIRECTIVES ####

#global(debug.gnutls="10" debug.logFile="/var/log/rsyslogdebug")
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

$IncludeConfig /etc/rsyslog.d/*.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

auth.info,authpriv.info @@10.1.2.3:514

REMOTE.CONF

###############################
# RECEPTION AND FORWARD RULES #
###############################

$PreserveFQDN on
$FileOwner user
$FileGroup user
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

### SourceIP – 10.X.X.X
$template RemoteTCP2000,"/opt/SI/logs/machine1.log"
$RuleSet RemoteTCP2000
*.* -?RemoteTCP2000
$InputTCPServerBindRuleset RemoteTCP2000
$InputTCPServerRun 2000
$RulesetCreateMainQueue on
$InputTCPServerKeepAlive on
$ActionResumeRetryCount -1

input(type="imfile"
      File="/opt/SI/logs/machine1.log"
      Tag="4000"
      reopenOnTruncate="on"
)

$template RAW, "%rawmsg:1:20480%\n"

action(type="omfwd"
       Target="10.Y.Y.Y"
       Port="4000"
       Protocol="tcp"
       template="RAW"
       KeepAlive="on"
       ResendLastMSGOnReconnect="on"
       action.resumeRetryCount="-1"
       StreamDriver="gtls"
       StreamDriverMode="1"
       queue.saveOnShutdown="on"
       queue.type="disk"
       queue.filename="tcp4000_queue"
       queue.size="10000"
       StreamDriverPermittedPeers="*")
#& ~
#& stop

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
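
Added example, not part of the original post and not rsyslog's own code: a small Python model of how legacy `$RuleSet` scoping carries across `$IncludeConfig`, run over constructed, abbreviated copies of the two files above. It assumes the documented legacy behaviour that `$RuleSet` switches the current ruleset for every following rule until another `$RuleSet` appears (`RSYSLOG_DefaultRuleset` names the default); the file paths and the names `bind_rules` and `misbound` are chosen for this example.

```python
import fnmatch
import re

DEFAULT = "RSYSLOG_DefaultRuleset"
# A legacy selector line: facility.priority[;facility.priority...] action
SELECTOR = re.compile(r"^[\w*,]+\.[\w*!=]+(;[\w*,]+\.[\w*!=]+)*\s+\S")

# Constructed, abbreviated copies of the two files in the post; paths assumed.
FILES = {
    "/etc/rsyslog.conf": (
        "$IncludeConfig /etc/rsyslog.d/*.conf\n"
        "*.info;mail.none;authpriv.none;cron.none /var/log/messages\n"
        "authpriv.* /var/log/secure\n"),
    "/etc/rsyslog.d/remote.conf": (
        '$template RemoteTCP2000,"/opt/SI/logs/machine1.log"\n'
        "$RuleSet RemoteTCP2000\n"
        "*.* -?RemoteTCP2000\n"
        "$InputTCPServerBindRuleset RemoteTCP2000\n"
        "$InputTCPServerRun 2000\n"),
}

def bind_rules(files, main):
    """Return (file, rule, ruleset) for every selector line, in load order."""
    bound, current = [], DEFAULT

    def walk(name):
        nonlocal current
        for line in map(str.strip, files[name].splitlines()):
            directive = re.match(r"\$(\w+)\s*(.*)", line)
            if directive and directive.group(1).lower() == "includeconfig":
                # Included files are read in place, so ruleset state carries over.
                for inc in fnmatch.filter(sorted(files), directive.group(2)):
                    walk(inc)
            elif directive and directive.group(1).lower() == "ruleset":
                current = directive.group(2)  # stays set until the next $RuleSet
            elif SELECTOR.match(line):
                bound.append((name, line, current))

    walk(main)
    return bound

def misbound(files, main):
    """Selector lines of the main file that ended up outside the default ruleset."""
    return [(r, rs) for f, r, rs in bind_rules(files, main) if f == main and rs != DEFAULT]

if __name__ == "__main__":
    for rule, ruleset in misbound(FILES, "/etc/rsyslog.conf"):
        print(f"{ruleset}: {rule}")
```

On the sample it reports both main-file rules under `RemoteTCP2000`; with `$RuleSet RSYSLOG_DefaultRuleset` appended to the included file the report is empty.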

