Hi,
I have tried rsyslog -N1 and all seems good:
rsyslogd: version 8.2001.0, config validation run (level 1), master
config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
And this is the rsyslog.conf file (I removed the # lines):
module(load="imuxsock") # provides support for local system logging
module(load="imklog" permitnonkernelfacility="on")
module(
load="impstats"
interval="500"
severity="6"
log.file="/var/log/rsyslog-stats.log"
log.syslog="off"
)
$ActionFileDefaultTemplate RSYSLOG_ForwardFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
$PreserveFQDN on
And all the included conf files:
/etc/rsyslog.d/10-remote.conf
# Redirect auth,authpriv.* to CENTRAL RSYSLOG
auth,authpriv.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="remote_syslog"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="CENTRAL SYSLOG" port="514" protocol="tcp"
)
# Redirect all log to ELK !
*.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="remote_elastic"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="ELK_PLATEFORM" port="5000" protocol="tcp"
)
/etc/rsyslog.d/20-ufw.conf
:msg,contains,"[UFW " /var/log/ufw.log
/etc/rsyslog.d/21-cloudinit.conf
# Log cloudinit generated log messages to file
:syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log
# comment out the following line to allow CLOUDINIT messages through.
# Doing so means you'll also get CLOUDINIT messages in /var/log/syslog
& stop
/etc/rsyslog.d/50-default.conf
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
/etc/rsyslog.d/postfix.conf
# Create an additional socket in postfix's chroot in order not to break
# mail logging when rsyslog is restarted. If the directory is missing,
# rsyslog will silently skip creating the socket.
$AddUnixListenSocket /var/spool/postfix/dev/log
And the output of impstats:
Tue Dec 13 13:26:59 2022: global: origin=dynstats
Tue Dec 13 13:26:59 2022: imuxsock: origin=imuxsock submitted=18
ratelimit.discarded=0 ratelimit.numratelimiters=0
Tue Dec 13 13:26:59 2022: action-0-builtin:omfwd: origin=core.action
processed=6 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-1-builtin:omfwd: origin=core.action
processed=18 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-3-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-4-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-5-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-6-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-7-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-8-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-9-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-10-builtin:omusrmsg: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: resource-usage: origin=impstats utime=9059
stime=8957 maxrss=7872 minflt=547 majflt=4 inblock=216 oublock=0
nvcsw=68 nivcsw=44 openfiles=8
Tue Dec 13 13:26:59 2022: action-0-builtin:omfwd queue[DA]:
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0 maxqsize=0
Tue Dec 13 13:26:59 2022: action-0-builtin:omfwd queue:
origin=core.queue size=0 enqueued=6 full=0 discarded.full=0
discarded.nf=0 maxqsize=2
Tue Dec 13 13:26:59 2022: action-1-builtin:omfwd queue[DA]:
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0 maxqsize=0
Tue Dec 13 13:26:59 2022: action-1-builtin:omfwd queue:
origin=core.queue size=0 enqueued=18 full=0 discarded.full=0
discarded.nf=0 maxqsize=11
Tue Dec 13 13:26:59 2022: main Q: origin=core.queue size=0 enqueued=18
full=0 discarded.full=0 discarded.nf=0 maxqsize=5
Tue Dec 13 13:35:19 2022: global: origin=dynstats
Tue Dec 13 13:35:19 2022: imuxsock: origin=imuxsock submitted=80
ratelimit.discarded=0 ratelimit.numratelimiters=0
Tue Dec 13 13:35:19 2022: action-0-builtin:omfwd: origin=core.action
processed=64 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-1-builtin:omfwd: origin=core.action
processed=80 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-3-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-4-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-5-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-6-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-7-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-8-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-9-builtin:omfile: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: action-10-builtin:omusrmsg: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:35:19 2022: resource-usage: origin=impstats utime=9580
stime=19160 maxrss=7872 minflt=543 majflt=0 inblock=0 oublock=0
nvcsw=270 nivcsw=51 openfiles=11
Tue Dec 13 13:35:19 2022: action-0-builtin:omfwd queue[DA]:
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0 maxqsize=0
Tue Dec 13 13:35:19 2022: action-0-builtin:omfwd queue:
origin=core.queue size=0 enqueued=64 full=0 discarded.full=0
discarded.nf=0 maxqsize=2
Tue Dec 13 13:35:19 2022: action-1-builtin:omfwd queue[DA]:
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0 maxqsize=0
Tue Dec 13 13:35:19 2022: action-1-builtin:omfwd queue:
origin=core.queue size=0 enqueued=80 full=0 discarded.full=0
discarded.nf=0 maxqsize=10
Tue Dec 13 13:35:19 2022: main Q: origin=core.queue size=0 enqueued=80
full=0 discarded.full=0 discarded.nf=0 maxqsize=10
On 13/12/2022 at 12:31, David Lang wrote:
we don't know what your default configuration is (that's set by the
distro, not by us), so please post your full configs.
that said, first check your config for errors (rsyslogd -N1), then
enable impstats so that you can see the status of the different queues
and outputs (to see if you are having queues fill up and outputs failing)
David Lang
On Tue, 13 Dec 2022, Ludovic Hutin via rsyslog wrote:
Date: Tue, 13 Dec 2022 10:13:23 +0100
From: Ludovic Hutin via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Ludovic Hutin <ludovic.hu...@unistra.fr>
Subject: [rsyslog] Configuration of rsyslog to send to 2 remote servers and save into local file
Hi,
I have a question that I can't find any answer to on Google, or I am missing something.
I want to forward logs to 2 remote servers + save the logs into a local file.
For multiple remotes I do that in /etc/rsyslog.d/10-remote.conf:
# Centralized_SYSLOG
auth,authpriv.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="remote_syslog"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="CENTRALIZED_SYSLOG" port="514" protocol="tcp"
)
# Redirect all log to ELK !
*.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="remote_elastic"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="ELK_PLATEFORM" port="5000" protocol="tcp"
)
And I have the default config in /etc/rsyslog.d/50-default.conf:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
But I get nothing in my local /var/log/auth.log.
I used the default config of rsyslog with these 2 changes:
$ActionFileDefaultTemplate RSYSLOG_ForwardFormat
$PreserveFQDN on
I am doing something wrong, but I don't know what. Do you have any idea?
(rsyslog version: 8.2001.0-1ubuntu1.3)
Best regards,
Ludovic Hutin.
--
Ludovic Hutin
Head of the PCI unit (Cloud Platforms and Integration)
Digital Services Directorate - Infrastructure Department
14 rue René Descartes
F - 67000 STRASBOURG
Tel.: +33 (0)3 68 85 64 78
ludovic.hu...@unistra.fr
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
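As an added example (not code from the thread or from the rsyslog project), here is a small Python checker that applies David Lang's advice to the legacy-format impstats lines posted above: it parses each record and flags outputs that fail or suspend, actions that process nothing, and queues that fill up or drop messages. The sample is constructed from the thread's own format; its last two records are invented failure cases.

```python
import re

# Constructed sample modelled on the legacy impstats format posted above (one
# record per line; the mail client wrapped them). The last two records are
# invented failure cases, not from the thread.
SAMPLE = """\
Tue Dec 13 13:26:59 2022: imuxsock: origin=imuxsock submitted=18 ratelimit.discarded=0 ratelimit.numratelimiters=0
Tue Dec 13 13:26:59 2022: action-0-builtin:omfwd: origin=core.action processed=6 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-1-builtin:omfwd: origin=core.action processed=18 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-3-builtin:omfile: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Tue Dec 13 13:26:59 2022: action-1-builtin:omfwd queue: origin=core.queue size=0 enqueued=18 full=0 discarded.full=0 discarded.nf=0 maxqsize=11
Tue Dec 13 13:26:59 2022: main Q: origin=core.queue size=0 enqueued=18 full=0 discarded.full=0 discarded.nf=0 maxqsize=5
Tue Dec 13 13:35:19 2022: action-0-builtin:omfwd: origin=core.action processed=64 failed=12 suspended=1 suspended.duration=300 resumed=2
Tue Dec 13 13:35:19 2022: action-0-builtin:omfwd queue: origin=core.queue size=1000 enqueued=64 full=3 discarded.full=7 discarded.nf=0 maxqsize=1000
"""

RECORD = re.compile(r"^(?P<ts>.+? \d{4}): (?P<name>.+?): origin=(?P<origin>\S+)(?P<rest>.*)$")


def parse_impstats(text):
    """Parse legacy-format impstats lines into dicts with integer counters."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # unrelated lines or wrapped fragments are skipped
        counters = {k: int(v) for k, v in re.findall(r"(\S+)=(-?\d+)", m.group("rest"))}
        records.append({"ts": m.group("ts"), "name": m.group("name"),
                        "origin": m.group("origin"), "counters": counters})
    return records


def find_problems(records):
    """Flag failing/suspended outputs, idle actions, and queues that fill or drop."""
    problems = []
    for r in records:
        c, name = r["counters"], r["name"]
        if r["origin"] == "core.action":
            if c.get("failed", 0) > 0 or c.get("suspended", 0) > 0:
                problems.append(f"{name}: output failing (failed={c.get('failed', 0)}, "
                                f"suspended={c.get('suspended', 0)})")
            elif c.get("processed", 0) == 0:
                problems.append(f"{name}: processed nothing (check its selector/filter)")
        elif r["origin"] == "core.queue":
            dropped = c.get("discarded.full", 0) + c.get("discarded.nf", 0)
            if dropped > 0 or c.get("full", 0) > 0:
                problems.append(f"{name}: queue filled (full={c.get('full', 0)}, dropped={dropped})")
        elif r["origin"] == "imuxsock" and c.get("ratelimit.discarded", 0) > 0:
            problems.append(f"{name}: rate limiting dropped {c['ratelimit.discarded']} messages")
    return problems
```

Run it over /var/log/rsyslog-stats.log with `find_problems(parse_impstats(open(path).read()))`; an omfile action that keeps reporting processed=0 while the omfwd actions count every message, as in the thread's output, is exactly what this highlights.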