Date: Fri, 9 Jul 2021 02:43:59 +0200
From: Daniel Pocock via rsyslog <[email protected]>
To: Daniel Pocock via rsyslog <[email protected]>
Cc: Daniel Pocock <[email protected]>
Subject: Re: [rsyslog] RHEL / CentOS 8.1 omelasticsearch JSON issues
On 09/07/2021 02:32, David Lang wrote:
> 8.32 is quite a bit older than 8.1911 (2-3 years)
> Please log a message with the template RSYSLOG_DebugFormat on both so we
> can see what's different
This came from CentOS 8.1 with RSYSLOG_DebugFormat:
Debug line with all properties:
FROMHOST: 'something', fromhost-ip: '127.0.0.1', HOSTNAME: 'something', PRI: 30,
syslogtag 'lt-reConServer[12456]:', programname: 'lt-reConServer', APP-NAME: 'lt-reConServer', PROCID: '12456', MSGID: '-',
TIMESTAMP: 'Jul 9 02:38:08', STRUCTURED-DATA: '-',
msg: '@cee: {"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer","subsys":"RECON","proc!id":12456,"proc!tid":139979031448192,"file!name":"Conversation.cxx","file!line":45,"msg":"Conversation created, handle=1"}'
escaped msg: '@cee: {"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer","subsys":"RECON","proc!id":12456,"proc!tid":139979031448192,"file!name":"Conversation.cxx","file!line":45,"msg":"Conversation created, handle=1"}'
inputname: imjournal rawmsg: '@cee: {"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer","subsys":"RECON","proc!id":12456,"proc!tid":139979031448192,"file!name":"Conversation.cxx","file!line":45,"msg":"Conversation created, handle=1"}'
$!:{ "_BOOT_ID": "94fbf657a095412d80b4c387cbd90230", "_MACHINE_ID": "e339bc1ec88911eb92d2fb6499360034", "PRIORITY": "6", "SYSLOG_FACILITY": "3", "_TRANSPORT": "syslog", "_CAP_EFFECTIVE": "0", "_HOSTNAME": "something.example.org", "_AUDIT_LOGINUID": "1000", "_SYSTEMD_OWNER_UID": "1000", "_SYSTEMD_SLICE": "user-1000.slice", "_SYSTEMD_USER_SLICE": "-.slice", "_UID": "1000", "_GID": "1000", "_SELINUX_CONTEXT": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "SYSLOG_IDENTIFIER": "lt-reConServer", "_COMM": "lt-reConServer", "_EXE": "\/home\/daniel\/ws\/resiprocate\/resip-github\/apps\/reConServer\/.libs\/lt-reConServer", "_CMDLINE": "\/home\/daniel\/ws\/resiprocate\/resip-github\/apps\/reConServer\/.libs\/lt-reConServer apps\/reConServer\/reConServer.config.test-local", "_AUDIT_SESSION": "3", "_SYSTEMD_CGROUP": "\/user.slice\/user-1000.slice\/session-3.scope", "_SYSTEMD_SESSION": "3", "_SYSTEMD_UNIT": "session-3.scope", "_SYSTEMD_INVOCATION_ID": "f2e7e38ea3374a869ee7f51eaf745e1d", "SYSLOG_PID": "12456", "_PID": "12456", "MESSAGE": "@cee: {\"hostname\":\"something.example.org\",\"pri\":\"DEBUG\",\"syslog!pri\":6,\"time\":\"2021-07-09T00:38:08.262005743Z\",\"pname\":\"lt-reConServer\",\"subsys\":\"RECON\",\"proc!id\":12456,\"proc!tid\":139979031448192,\"file!name\":\"Conversation.cxx\",\"file!line\":45,\"msg\":\"Conversation created, handle=1\"}", "_SOURCE_REALTIME_TIMESTAMP": "1625791088262026" }
$.:
$/:
> I also don't know what the default rsyslog.conf is on every system, so
> please include that as well.
> On 8.1911 you can start rsyslog with the command line option -o
> /path/to/file and that file will then contain the combined config
> (including any included files)
> At this point, I suspect that what is different is where the include is
> for the different distros, one including the file before it writes
> things to the default files and the other after, but that's a guess
> without seeing the full configs.
Please find the output from -o underneath
It includes both omelasticsearch and omfwd
The omfwd is working for me if I send it over TCP to the newer rsyslog
## full conf created by rsyslog version 8.1911.0-7.el8_4.2 at 2021-07-09 02:41:25 ##
##### BEGIN CONFIG: /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
module(load="imuxsock"
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal"
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
##### BEGIN CONFIG: /etc/rsyslog.d/reConServer-test.conf
# sudo dnf install rsyslog-elasticsearch
module(load="mmjsonparse")
*.* :mmjsonparse:
template(name="isJSON" type="list") {
property(name="$!all-json")
}
#module(load="omelasticsearch")
#*.* action(type="omelasticsearch"
# template="isJSON"
# server="my-host"
# serverport="9200"
# searchIndex="log"
# searchType="_doc"
# uid="admin"
# pwd="secret")
*.* /tmp/debugfmt;RSYSLOG_DebugFormat
##### END CONFIG: /etc/rsyslog.d/reConServer-test.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### sample forwarding rule ###
*.* action(type="omfwd"
queue.filename="fwdRule1"
queue.maxdiskspace="1g"
queue.saveonshutdown="on"
queue.type="LinkedList"
action.resumeRetryCount="-1"
Target="my-host" Port="514" Protocol="tcp")
##### END CONFIG: /etc/rsyslog.conf
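The config above relies on mmjsonparse finding a "@cee:" cookie at the start of the message and a well-formed JSON object after it; if either condition fails, "$!all-json" carries nothing useful and the problem surfaces downstream in omelasticsearch. The following script is an added example, not code from this thread or from rsyslog, that applies the same two checks to a log line offline. The sample message is constructed from the MSG shown in the DebugFormat output; the cookie handling (cookie at offset 0, optional whitespace, then a JSON object) is a reimplementation of mmjsonparse's documented preconditions, not its source, and the "!" warning only reflects that "!" is the level separator in rsyslog's "$!a!b" variable paths.

```python
import json

# Constructed sample input, modelled on the MSG shown in the RSYSLOG_DebugFormat
# output in the thread: the "@cee:" cookie followed by a JSON object.
SAMPLE_MSG = (
    '@cee: {"hostname":"something.example.org","pri":"DEBUG","syslog!pri":6,'
    '"time":"2021-07-09T00:38:08.262005743Z","pname":"lt-reConServer",'
    '"subsys":"RECON","proc!id":12456,"msg":"Conversation created, handle=1"}'
)

CEE_COOKIE = "@cee:"  # the cookie mmjsonparse looks for by default


def extract_cee_json(msg):
    """Return (obj, None) when msg carries a well-formed @cee JSON object,
    otherwise (None, reason). This mirrors mmjsonparse's preconditions as
    documented: the cookie must be at the very start of the message, and what
    follows (after optional whitespace) must parse as a JSON object."""
    if not msg.startswith(CEE_COOKIE):
        return None, "no @cee cookie at start of message"
    payload = msg[len(CEE_COOKIE):].lstrip()
    try:
        obj = json.loads(payload)
    except json.JSONDecodeError as exc:
        return None, "invalid JSON: %s at offset %d" % (exc.msg, exc.pos)
    if not isinstance(obj, dict):
        return None, "payload is not a JSON object"
    return obj, None


def keys_with_path_separator(obj):
    """List keys containing '!'. In rsyslog's variable syntax '!' separates
    levels ($!a!b), so a literal key such as "syslog!pri" is easy to confuse
    with a nested "syslog" -> "pri" when writing templates or filters."""
    return sorted(k for k in obj if "!" in k)


def check_line(msg):
    """One-line verdict, usable in a loop over a captured log file."""
    obj, reason = extract_cee_json(msg)
    if obj is None:
        return "REJECT: " + reason
    flagged = keys_with_path_separator(obj)
    note = " (keys with '!': %s)" % ", ".join(flagged) if flagged else ""
    return "OK: %d keys%s" % (len(obj), note)


if __name__ == "__main__":
    # Constructed inputs: the good sample, a message without the cookie, and
    # the sample cut short the way a mail client wraps a long line.
    for m in (SAMPLE_MSG, "plain text without cookie", SAMPLE_MSG[:60]):
        print(check_line(m))
```

Run it against the raw MSG values pulled out of the journal (for example from the "MESSAGE" field of "journalctl -o json") before comparing the two rsyslog versions: if a line is rejected here, the difference is in what the application emits or in how imjournal delivers it, not in omelasticsearch.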