Mariusz, you are correct, this is for SPLUNK related activities.
I was told not to use omhttp, but at the time I did not know that term and
thought he meant "http."

I ran the "rsyslogd -N1" command.  The response I got was:

ID for group ‘ ’ could not be found [v8.24.0-57.el7_9.3 try
http://www.rsyslog.com/e/3003 ]



--------------------------
Warron French



On Mon, Apr 15, 2024 at 10:52 AM Mariusz Kruk via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> I see you're trying to send data to Splunk and thus probably want the
> files read as a user running the Universal Forwarder.
>
> Instead of writing files locally you can send them straight to HEC input
> using the omhttp module. (which gives you additional flexibility since
> you can dynamically overwrite the metadata on the fly).
>
> But anyway, if your rsyslogd doesn't start, check with "rsyslogd -N1"
> where the problem in your config is (you can give a config filename with
> the -f option if you're not using the standard /etc/rsyslog.conf).
>
> MK
>
> On 15.04.2024 15:59, warron.french via rsyslog wrote:
> > To David, Mariusz, and Attila, here is my attempt to provide the syntax
> > (again).  I am thinking you might not have received it because it came in
> > image form before.
> >
> > Snippets of my Rsyslog.conf
> >
> > $ModLoad  imudp
> > $UDPServerRun  514
> >
> > ##########   UDG-specific; Start
> > # $ModLoad  omfile;  Wfrench;  28FEB2024;  does not work, error 3003
> > module(load="builtin:omfile")
> > $CreateDirs        on
> > $DirCreateMode     0700
> > #$dirGroup         root
> > #$dirOwner         root
> > $FileCreateMode    0600
> > #$FileGroup        splunk
> > #$FileOwner        root
> > ##########   UDG-specific; End
> >
> > ##########   Syntax with Templates and Conditionals needed   ##########
> >
> > ##########   TEMPLATES   ##########
> > $template  CATC,"/var/log/remote/%HOSTNAME%.log"
> > $template  SECU,"/var/log/remote/%HOSTNAME%/secure"
> > $template  MESG,"/var/log/remote/%HOSTNAME%/messages"
> >
> > ##########   CONDITIONALS   ##########
> > if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains '172.20.245.101') then {
> >     authpriv.*                                  -?SECU
> >     *.info;mail.none;authpriv.none;cron.none    -?MESG
> >     & stop
> > } else if ($fromhost contains 'i42tskvm') then {
> >     *.*                                         -?MESG
> >     stop
> > } else {
> >     *.*                                         /var/log/messages
> >     stop
> > }
> > #
> > #######   End all Custom Directives to support TGS Rsyslog forwarding to MNTR01 in support of CDP-initiative
> >
> >
> > I am not permitted to provide the entire Rsyslog Configuration, but we are
> > not using /etc/rsyslog.d/ files at all; we do not have any files in there.
> >
> >
> > --------------------------
> > Warron French
> >
> >
> >
> > On Mon, Apr 15, 2024 at 9:53 AM warron.french <warron.fre...@gmail.com>
> > wrote:
> >
> >> Did you not see the full config?  I provided it as an image.  Was the
> >> image blocked at your end, from being received?
> >>
> >> --------------------------
> >> Warron French
> >>
> >>
> >>
> >> On Sat, Apr 6, 2024 at 3:04 AM David Lang via rsyslog <
> >> rsyslog@lists.adiscon.com> wrote:
> >>
> >>> It's common for rsyslog configs to drop privileges, and if it does so, it
> >>> can't then make use of those privileges to open files as other users, etc.
> >>>
> >>> This is why we need to see the full config, and any files included.
> >>>
> >>> David Lang
> >>>
> >>> On Sat, 6 Apr 2024, Mariusz Kruk via rsyslog wrote:
> >>>
> >>>> Also remember that in a Linux system (quoting the man 2 chown):
> >>>>
> >>>>     Only a privileged process (Linux: one with the CAP_CHOWN
> >>>>     capability) may change the owner of a file.  The owner of a file may
> >>>>     change the group of the file to any group of which that owner
> >>>>     is a member.  A privileged process (Linux: with CAP_CHOWN) may
> >>>>     change the group arbitrarily.
> >>>>
> >>>> So if your rsyslogd is an unprivileged process (it does not have
> >>>> CAP_CHOWN granted explicitly and it does not run as root user), you won't
> >>>> be able to create files as a different user.
> >>>>
> >>>> MK
> >>>>
> >>>> On 6.04.2024 07:20, David Lang via rsyslog wrote:
> >>>>> If you are using the action() syntax, you set the ownership as part of
> >>>>> the action.
> >>>>>
> >>>>> If you post your full config (including included files) we can better
> >>>>> guess what's wrong with it.
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>> On Sat, 6 Apr 2024, warron.french via rsyslog wrote:
> >>>>>
> >>>>>> I am running multiple servers on RHEL-7.9 at work, with no option to
> >>>>>> upgrade to a newer major version.
> >>>>>>
> >>>>>> I have a server collecting (consolidating) logs from other (remote)
> >>>>>> servers and need to store the various independently generated logfiles
> >>>>>> but also set the Group-owner to something other than root.
> >>>>>>
> >>>>>> I thought the proper syntax to do this was to set:
> >>>>>> $FileOwner   somegroup
> >>>>>>
> >>>>>> But rsyslogd upon restart fails to accept this directive.
> >>>>>>
> >>>>>> Can someone tell me what directive I should be using, because
> >>>>>> attempting to find the Rsyslog documentation specific to my RHEL-7.9
> >>>>>> in combination with answering this query at rsyslog.com is not proving
> >>>>>> to be useful.
> >>>>>>
> >>>>>> Thank you in advance for your assistance,
> >>>>>>
> >>>>>> --------------------------
> >>>>>> Warron French
> >>>>>> _______________________________________________
> >>>>>> rsyslog mailing list
> >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>> http://www.rsyslog.com/professional-services/
> >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> >>>>>> POST if you DON'T LIKE THAT.
> >>>>>>
> >>
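The posted snippet rewritten in rsyslog's action() syntax, which is where David's reply says ownership is set; this is an added example, not config from the thread, and it assumes rsyslogd keeps running as root on the RHEL 7 collector (no $PrivDropToUser/$PrivDropToGroup, so it retains the CAP_CHOWN that the chown(2) quote requires), a local group named splunk for the Universal Forwarder, and 0640/0750 modes chosen so that group can read but not write the files.

```rsyslog
# Added example, not config from the thread. Assumes rsyslogd still runs as
# root (no $PrivDropToUser / $PrivDropToGroup) so it holds CAP_CHOWN and may
# set owner/group on files it creates; the group "splunk" and the 0640/0750
# modes are assumptions: readable by the forwarder's group, writable by root only.
module(load="imudp")
input(type="imudp" port="514")

# omfile is built in, so no module(load=...) is needed for it.
template(name="SECU" type="string" string="/var/log/remote/%HOSTNAME%/secure")
template(name="MESG" type="string" string="/var/log/remote/%HOSTNAME%/messages")

# Exact match on the sender address: "startswith '172.20.245.5'" would also
# accept 172.20.245.50-59, so a stranger's logs could land in a trusted host's file.
if ($fromhost-ip == "172.20.245.5" or $fromhost-ip == "172.20.245.101") then {
    # Ownership and modes are per-action parameters, not global $File*/$Dir*
    # directives; the legacy selector in front of action() still works.
    authpriv.*  action(type="omfile" dynaFile="SECU" createDirs="on"
                       fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
                       dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750")
    *.info;mail.none;authpriv.none;cron.none  action(type="omfile" dynaFile="MESG"
                       createDirs="on"
                       fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
                       dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750")
    stop
} else if ($fromhost contains "i42tskvm") then {
    *.*  action(type="omfile" dynaFile="MESG" createDirs="on"
                fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
                dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750")
    stop
} else {
    # Everything else stays in the collector's own root-owned messages file.
    *.*  action(type="omfile" file="/var/log/messages")
    stop
}
```

Check it with rsyslogd -N1 (plus -f if the file is not /etc/rsyslog.conf) before restarting: an owner or group name that the collector cannot resolve is rejected at that step with an "ID for group ... could not be found" error rather than at runtime.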