8.24 is ancient (with some unknown additional backports by Red Hat), so it's very
possible that you are using options that it doesn't know about.
If you do rsyslogd -N1, does it report any errors in the config file?
I know that imfile has been re-written at least once since 8.24.
It would be far better for you to update to a current version.
David Lang
On Tue, 28 May 2024, Chun-An Lee via rsyslog wrote:
Date: Tue, 28 May 2024 10:31:54 +0800
From: Chun-An Lee via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Chun-An Lee <chunan...@gmail.com>
Subject: [rsyslog] need help with rsyslog
Dear All,
I installed Rsyslog (8.24.55) on Red Hat 7.5.
Everything looks okay, but I found an issue: I can only receive
the last input block's log (oracle: mysyk) from the remote SOC
server (192.168.1.1).
If I rearrange them, moving Tag="oracle: mysyk" to the top and
Tag="oracle: pce" to the last position, then I only receive the Tag="oracle:
pce" log. The configuration is shown below.
module(load="imfile" mode="inotify")

input(
    type="imfile"
    File="/PC/PCDB/PCDB_ora_*.xml"
    Tag="oracle: pce"
    ignoreOlderThan="86400"
    startmsg.regex="^(<AuditRecord>|</Audit>).*"
    freshStartTail="off"
    deleteStateOnFileDelete="on"
    Severity="info"
    Facility="local5"
    ruleset="sentinel-1468"
)

input(
    type="imfile"
    File="/PC/PDDB/PDDB_ora*.xml"
    Tag="oracle: pde"
    ignoreOlderThan="86400"
    startmsg.regex="^(<AuditRecord>|</Audit>).*"
    freshStartTail="off"
    deleteStateOnFileDelete="on"
    Severity="info"
    Facility="local5"
    ruleset="sentinel-1468"
)

input(
    type="imfile"
    File="/PC/MYSYK/MYSYK_ora_*.xml"
    Tag="oracle: mysyk"
    ignoreOlderThan="86400"
    startmsg.regex="^(<AuditRecord>|</Audit>).*"
    freshStartTail="off"
    deleteStateOnFileDelete="on"
    Severity="info"
    Facility="local5"
    ruleset="sentinel-1468"
)

ruleset(name="sentinel-1468") {
    action(type="omfwd" target="192.168.1.1" port="1468" protocol="tcp")
}
Could members help me to find out the root cause?
Thanks in advance,
TerenceLee
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.