Hello!

JFYI, there is no point in using template and dynaFile below because your
template is constant, i.e. the filename is always the same. You can just use
the "file" option instead. When I proposed this I was expecting you'd like
to place the file under the /var/log/remote/%HOSTNAME% path. That's why I
used "dynaFile" there.

```
template(name="TmplVPXMsg" type="string"
string="/var/log/remote/netscaler/netscalerlog")
template(name="TmplAppfwMsg" type="string"
string="/var/log/remote/netscaler/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
string="/var/log/remote/cisco/router/routerlog")
ruleset(name="remote1") {
   if $msg contains 'VPX' then {
     action(type="omfile" name="netscaler_vpx_file"
dynaFile="TmplVPXMsg")
   } else if $msg contains 'br01' then {
     action(type="omfile" name="cisco_router_file"
dynaFile="TmplCiscoRouterMsg")
   } else if $msg contains 'appfw' then {
     action(type="omfile" name="netscaler_appfw_file"
dynaFile="TmplAppfwMsg")
   }
}
```

On Fri, 10 Sept 2021 at 10:25, <[email protected]> wrote:

> Thanks David
>
> Yes, my bad, I was still trying to load the "imtcp" module instead of
> the "imptcp" module. The rsyslog syntax is now valid, which is a good
> start.
>
> And yes, I'm constrained by what I can pull from redhat. Not my choice!
>
> So, my entire config now looks like the below:
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imjournal # provides access to the systemd journal
> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
> template (name="TmplCiscoFirewallFormat" type="string"
>          string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
>   )
> template (name="TmplCiscoFirewallFile" type="string"
>          string="/var/log/remote/cisco/firewalllog"
>   )
> $ModLoad imudp
> $RuleSet remoteudp1
> :programname, isequal, "SFIMS"
> ?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
> & ~
> *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
> $RuleSet RSYSLOG_DefaultRuleset
> $InputUDPServerBindRuleset remoteudp1
> $UDPServerRun 514
> $ModLoad imptcp
> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
> template(name="TmplVPXMsg" type="string"
> string="/var/log/remote/netscaler/netscalerlog")
> template(name="TmplAppfwMsg" type="string"
> string="/var/log/remote/netscaler/appfwlog")
> template(name="TmplCiscoRouterMsg" type="string"
> string="/var/log/remote/cisco/router/routerlog")
> ruleset(name="remote1") {
>    if $msg contains 'VPX' then {
>      action(type="omfile" name="netscaler_vpx_file"
> dynaFile="TmplVPXMsg")
>    } else if $msg contains 'br01' then {
>      action(type="omfile" name="cisco_router_file"
> dynaFile="TmplCiscoRouterMsg")
>    } else if $msg contains 'appfw' then {
>      action(type="omfile" name="netscaler_appfw_file"
> dynaFile="TmplAppfwMsg")
>    }
> }
> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
> $WorkDirectory /var/lib/rsyslog
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $IncludeConfig /etc/rsyslog.d/*.conf
> $OmitLocalLogging on
> $IMJournalStateFile imjournal.state
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> authpriv.*                                              /var/log/secure
> mail.*                                                  -/var/log/maillog
> cron.*                                                  /var/log/cron
> *.emerg                                                 :omusrmsg:*
> uucp,news.crit                                          /var/log/spooler
> local7.*                                                /var/log/boot.log
> local7.notice                                           /var/log/cmd.log
>
>
> It's a mish-mash of old and new styles.
>
> The logs for the templated "TmplVPXMsg" "TmplAppfwMsg"
> "TmplCiscoRouterMsg" are working nicely.
>
> My issue is still how to pick out the remaining logs coming in over
> 514/TCP (ruleset="remote1") and stash them into the templated
> "TmplAuthpriv" "TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
> I don't know the correct syntax for catching these within the
> "remote1" ruleset!
>
> Within previous iterations we had something like:
>
> # Provides TCP syslog reception
> $ModLoad imtcp
>
> $RuleSet remote1
> :msg, regex , "[Zz][SsUu][Vv][Pp][Xx]"
> ?TmplNetscalerFile;TmplNetcalerFormat
> & ~
> authpriv.*   ?TmplAuthpriv
> *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
> cron.*   ?TmplCron
> mail.*   ?TmplMail
> local7.notice   ?TmplCmd
> $RuleSet RSYSLOG_DefaultRuleset   # End the rule set by switching back to the default rule set
> $InputTCPServerBindRuleset remote1  # Define a new input and bind it to the "remote1" rule set
> $InputTCPServerRun 514
>
> Pointers appreciated!
>
> TIA
>
> Pete
> --
>
>
>
>   Quoting David Lang <[email protected]>:
>
> > please post your full config, the example config does not have 101
> > lines, so it doesn't match the error you are posting.
> >
> > Also be aware that 8.24 is now about 5 years old and unsupported by
> > the community; you are running something unique to redhat.
> >
> > that said, the imptcp module should be available, but they may have
> > put it in a different package; you should get similar results
> > with the imtcp module
> >
> > David Lang
> >
> > On Fri, 10 Sep 2021, lists--- via rsyslog wrote:
> >
> >> Date: Fri, 10 Sep 2021 02:41:02 +0100
> >> From: lists--- via rsyslog <[email protected]>
> >> To: Yuri Bushmelev <[email protected]>
> >> Cc: [email protected], rsyslog-users <[email protected]>
> >> Subject: Re: [rsyslog] Struggling with the basics - trying to filter on
> text
> >>    AND have logs go to /var/log/remote/yadayada
> >>
> >> Quoting Yuri Bushmelev <[email protected]>:
> >>
> >>> Hello!
> >>>
> >>> Please consider stopping using the $ThisConfigSyntaxStyle, as "it will make
> >>> your life miserable" (c) Rainer Gerhards. There is a nice new syntax made
> >>> more than 10 years ago.
> >>>
> >>> I guess this is more or less what you're looking for:
> >>>
> >>> ```
> >>> input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
> >>>
> >>> template(name="TmplVPXMsg" type="string"
> >>> string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
> >>> template(name="TmplAppfwMsg" type="string"
> >>> string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
> >>> template(name="TmplCiscoRouterMsg" type="string"
> >>> string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")
> >>>
> >>> ruleset(name="remote1") {
> >>> if $msg contains 'VPX' then {
> >>>   action(type="omfile" name="netscaler_vpx_file"
> >>> dynaFile="TmplVPXMsg")
> >>> } else if $msg contains 'br01' then {
> >>>   action(type="omfile" name="cisco_router_file"
> >>> dynaFile="TmplCiscoRouterMsg")
> >>> } else if $msg contains 'appfw' then {
> >>>   action(type="omfile" name="netscaler_appfw_file"
> >>> dynaFile="TmplAppfwMsg")
> >>> }
> >>> }
> >>> ```
> >>>
> >>> There is still some space for improvements though. I'd suggest creating
> >>> different inputs for different kinds of logs. This way you can speed up
> >>> processing a bit (because `if $msg contains ...` is slow). Do not overuse
> >>> local variables though ($.something).
> >>>
> >>> ```
> >>> # Assuming VPX and appfw logs are coming from the same device.
> >>> # Otherwise it is easier to create one more input and remove
> >>> # `if $msg contains` completely.
> >>> input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")
> >>>
> >>> input(type="imptcp" name="cisco_router" port="2515" ruleset="cisco_router")
> >>>
> >>> # /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
> >>> template(name="TmplNetscalerMsg" type="list") {
> >>>   constant(value="/var/log/remote/netscaler/")
> >>>   property(name="hostname")
> >>>   constant(value="/")
> >>>   property(name="$.ns_type")
> >>>   constant(value="log")
> >>> }
> >>>
> >>> template(name="TmplCiscoRouterMsg" type="string"
> >>> string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")
> >>>
> >>> ruleset(name="netscaler") {
> >>> if $msg contains 'VPX' then {
> >>>   set $.ns_type = "vpx";
> >>> } else if $msg contains 'appfw' then {
> >>>   set $.ns_type = "appfw";
> >>> } else {
> >>>   set $.ns_type = "UNKNOWN";
> >>> }
> >>> action(type="omfile" name="netscaler_file"
> >>> dynaFile="TmplNetscalerMsg")
> >>> }
> >>>
> >>> ruleset(name="cisco_router") {
> >>> action(type="omfile" name="cisco_router_file"
> >>> dynaFile="TmplCiscoRouterMsg")
> >>> }
> >>> ```
> >>>
> >>> All this knowledge I got from reading the Rsyslog docs here:
> >>> https://www.rsyslog.com/doc/v8-stable/configuration/index.html
> >>> Yes, it's not that well structured but still worth reading if you're
> using
> >>> Rsyslog a lot.
> >>>
> >>>
> >>> On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
> >>> [email protected]> wrote:
> >>>
> >>>> I can successfully have logs going to the correct files under
> >>>> /var/log/remote/%HOSTNAME%/whatever, with the following template:
> >>>>
> >>>>  $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
> >>>>  $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
> >>>>  $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
> >>>>  $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
> >>>>  $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
> >>>>
> >>>> and following ruleset:
> >>>>
> >>>>  $RuleSet justlogs
> >>>>  *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
> >>>>  $RuleSet RSYSLOG_DefaultRuleset
> >>>>  $InputTCPServerBindRuleset justlogs
> >>>>  $InputTCPServerRun 514
> >>>>
> >>>>
> >>>> And direct some logs into specific folders, a la:
> >>>>
> >>>>  ruleset(name="remote1"){
> >>>>          if $msg contains 'VPX' then {
> >>>>                  action(type="omfile"
> >>>> file="/var/log/remote/netscaler/netscalerlog")
> >>>>          }
> >>>>          if $msg contains 'br01' then {
> >>>>                  action(type="omfile"
> >>>> file="/var/log/remote/cisco/router/routerlog")
> >>>>          }
> >>>>          if $msg contains 'appfw' then {
> >>>>                  action(type="omfile"
> >>>> file="/var/log/remote/netscaler/appfwlog")
> >>>>          }
> >>>>  }
> >>>>  $RuleSet RSYSLOG_DefaultRuleset   # End the rule set by switching back to the default rule set
> >>>>  $InputTCPServerBindRuleset remote1  # Define a new input and bind it to the "remote1" rule set
> >>>>  $InputTCPServerRun 514
> >>>>
> >>>> But not both at the same time! I've tried smashing the rulesets
> >>>> together, but no joy.
> >>>>
> >>>> Reading the manual makes my brain hurt. And the online rsyslog.conf
> >>>> builder isn't working for me.
> >>>>
> >>>> Pointers appreciated!
> >>>>
> >>>> TIA
> >>>>
> >>>> Pete
> >>>> --
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com/professional-services/
> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>>> DON'T LIKE THAT.
> >>>>
> >>>
> >>>
> >>> --
> >>> Yury Bushmelev
> >>>
> >>
> >> Thanks Yuri
> >>
> >> This is all good, but rsyslog doesn't like the config!
> >>
> >> rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level 1), master config /etc/rsyslog.conf |
> >> rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2209 ] |
> >> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'ruleset' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
> >> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'port' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
> >> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'name' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
> >>
> >>
> >

-- 
Yury Bushmelev
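An added example, not from this thread or from the rsyslog project: one RainerScript-only version of the "remote1" ruleset that combines the two things asked for above. The three device-specific sinks use a constant path with file= (the point made at the top of the thread: dynaFile is only needed when the template varies), and everything that does not match falls through to the per-host TmplAuthpriv/TmplMsg/TmplCron/TmplMail/TmplCmd files, with the legacy "authpriv.* ?TmplAuthpriv" selector lines written as prifilt() conditions. Two additions the thread does not contain, both labelled in the comments: %HOSTNAME% comes straight from the untrusted syslog header of the remote sender, so the property replacer option secpath-replace rewrites any "/" in it before it is used as a path component under /var/log/remote/; and because `$msg contains 'VPX'` can be matched by anything that can reach port 514, the device rules are also pinned to assumed sender addresses (192.0.2.10 and 192.0.2.20, placeholders to be replaced or dropped). The local-logging rules in the default ruleset stay as posted and are not repeated here.

```rsyslog
# Added example, not from the original thread. RainerScript only.
# Assumptions: NetScaler sends from 192.0.2.10, the Cisco router from
# 192.0.2.20 (placeholders); rsyslog 8.x with imptcp, prifilt() and the
# secpath-replace property option (all long-standing features).

module(load="imptcp")
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")

# Per-host files. HOSTNAME is whatever the remote sender put in the syslog
# header, so "secpath-replace" turns every "/" in it into "_" and a value
# such as "../../etc" cannot escape /var/log/remote/.
template(name="TmplAuthpriv" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/secure")
template(name="TmplMsg" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/messages")
template(name="TmplCron" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/cron")
template(name="TmplMail" type="string"
         string="/var/log/remote/smtp/%HOSTNAME:::secpath-replace%/maillog")
template(name="TmplCmd" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/cmd")

ruleset(name="remote1") {
    # Device-specific sinks. The filename is constant, so plain file= is
    # enough; no template and no dynaFile. Matching on message text alone
    # is spoofable, so each rule is also tied to the (assumed) sender IP.
    # "stop" keeps these messages out of the per-host files below.
    if $msg contains 'VPX' and $fromhost-ip == '192.0.2.10' then {
        action(type="omfile" name="netscaler_vpx_file"
               file="/var/log/remote/netscaler/netscalerlog")
        stop
    }
    if $msg contains 'appfw' and $fromhost-ip == '192.0.2.10' then {
        action(type="omfile" name="netscaler_appfw_file"
               file="/var/log/remote/netscaler/appfwlog")
        stop
    }
    if $msg contains 'br01' and $fromhost-ip == '192.0.2.20' then {
        action(type="omfile" name="cisco_router_file"
               file="/var/log/remote/cisco/router/routerlog")
        stop
    }

    # Everything else: the legacy selector lines from the old "remote1"
    # ruleset, expressed with prifilt(), which takes the same PRI syntax.
    if prifilt("authpriv.*") then {
        action(type="omfile" name="remote_authpriv" dynaFile="TmplAuthpriv")
    }
    if prifilt("cron.*") then {
        action(type="omfile" name="remote_cron" dynaFile="TmplCron")
    }
    if prifilt("mail.*") then {
        action(type="omfile" name="remote_mail" dynaFile="TmplMail")
    }
    if prifilt("local7.notice") then {
        action(type="omfile" name="remote_cmd" dynaFile="TmplCmd")
    }
    if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        action(type="omfile" name="remote_messages" dynaFile="TmplMsg")
    }
}
```

Check the file before reloading with `rsyslogd -N1 -f /path/to/file.conf`, the same validation run whose output appears earlier in the thread; it reports unknown modules and unknown parameters without touching the running daemon. If the sender addresses are not fixed, remove the `$fromhost-ip` clauses rather than widening them, and keep secpath-replace on every template that embeds %HOSTNAME% in a path.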
