$IncludeConfig strange behaviour


Postby denemici » Sun Apr 26, 2009 1:40 pm

Hi all,
I have a strange behaviour with the $IncludeConfig directive.
In my config file (used only for testing this directive) I have three simple templates,
Code:
$template TestTemplate_1, "MSG_1:%msg%\n"
$template TestTemplate_2, "MSG_2:%msg%\n"
$template TestTemplate_3, "MSG_3:%msg%\n"

and these filters
Code:
if $msg contains 'test' then /var/log/test.log;TestTemplate_1
$IncludeConfig /etc/rsyslog.d/include.conf
if $msg contains 'test' then /var/log/test.log;TestTemplate_2
if $msg contains 'test' then /var/log/test.log;TestTemplate_3

where /etc/rsyslog.d/include.conf is
Code:
$template IncludeTemplate, "INCLUDE_CONF:%msg%\n"
if $msg contains_i 'test' then /var/log/test.log;IncludeTemplate
& ~

If I launch this command via shell
Code:
# logger test

in /var/log/test.log I see only
Code:
"INCLUDE_CONF:| test"
but there isn't any
Code:
"MSG_1: test"

Is this the correct behaviour of this directive? Can the IncludeConfig only be placed at the top of the config file, or in any position?
My idea is to place different config files via $IncludeConfig as a replacement for many lines of filters in different positions of the main config file; is this possible?

I use rsyslogd 3.20.2 on a RedHat ES system

Thanks for any help
Giuseppe

Re: $IncludeConfig strange behaviour

Postby rgerhards » Sun Apr 26, 2009 5:17 pm

Please post your complete config files; I cannot see in which sequence things occur.

Re: $IncludeConfig strange behaviour

Postby rgerhards » Sun Apr 26, 2009 5:24 pm

... but I can answer some of your questions ;) You can place as many includeconfig statements as you like and they will be included exactly at the spot where you do that. They can even include further includeconfigs. But I am not sure if what you describe (in regard to the filters) works. Can you sketch a bit more precisely what you intend to do?
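Added example (not part of the original thread and not rsyslog's own code): a simplified Python model of the in-place expansion described in the reply above, run on the two files from the first post. It handles only plain file paths in $IncludeConfig, and the helper names expand and rules_after_discard are made up for this illustration; it lists the effective rule order and the rules that sit after a discard action (~).

```python
# Simplified model of in-place $IncludeConfig expansion (illustration only,
# not rsyslog's parser). File contents are constructed from the first post.
FILES = {
    "/etc/rsyslog.conf": (
        "if $msg contains 'test' then /var/log/test.log;TestTemplate_1\n"
        "$IncludeConfig /etc/rsyslog.d/include.conf\n"
        "if $msg contains 'test' then /var/log/test.log;TestTemplate_2\n"
        "if $msg contains 'test' then /var/log/test.log;TestTemplate_3\n"
    ),
    "/etc/rsyslog.d/include.conf": (
        '$template IncludeTemplate, "INCLUDE_CONF:%msg%\\n"\n'
        "if $msg contains_i 'test' then /var/log/test.log;IncludeTemplate\n"
        "& ~\n"
    ),
}


def expand(path, files, stack=()):
    """Return [(file, lineno, text)] with each $IncludeConfig replaced in place."""
    if path in stack:
        raise ValueError("include loop: " + " -> ".join(stack + (path,)))
    flat = []
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and whole-line comments
        if line.lower().startswith("$includeconfig "):
            target = line.split(None, 1)[1]
            flat.extend(expand(target, files, stack + (path,)))
        else:
            flat.append((path, lineno, line))
    return flat


def rules_after_discard(flat):
    """Rules placed after the first discard action (~) in the effective order."""
    for i, (_, _, line) in enumerate(flat):
        if line.split()[-1] == "~":
            return [r for r in flat[i + 1:] if not r[2].startswith("$")]
    return []


if __name__ == "__main__":
    effective = expand("/etc/rsyslog.conf", FILES)
    for src, lineno, line in effective:
        print(f"{src}:{lineno}: {line}")
    for src, lineno, line in rules_after_discard(effective):
        print(f"after discard -> {src}:{lineno}: {line}")
```

Messages matched by the included file's filter are discarded at "& ~", so the TestTemplate_2 and TestTemplate_3 rules never see them. The missing MSG_1 line asked about in the thread is not explained by this model.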

Re: $IncludeConfig strange behaviour

Postby denemici » Mon Apr 27, 2009 11:13 am

Hi, thanks for your reply. I'll try to explain what I intend to do.
First of all, these are the complete config files; I use them only for testing IncludeConfig.

Main config file
Code:
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)

$template TestTemplate_1, "MSG_1:%msg%\n"
$template TestTemplate_2, "MSG_2:%msg%\n"
$template TestTemplate_3, "MSG_3:%msg%\n"

if $msg contains 'test' then /var/log/test.log;TestTemplate_1
$IncludeConfig /tmp/rsyslog.d/include.conf
if $msg contains 'test' then /var/log/test.log;TestTemplate_2
if $msg contains 'test' then /var/log/test.log;TestTemplate_3
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

The file used by $IncludeConfig
Code:
$template IncludeTemplate, "INCLUDE_CONF:%msg%\n"
if $msg contains_i 'test' then /var/log/test.log;IncludeTemplate
& ~


I have seen that IncludeConfig seems to drop the first filter rules on top of the IncludeConfig declaration.

What I intend to do...
My rsyslog server receives logs from a large number of different hosts and I want to regroup these hosts into about 5/6 macro categories. For each macro category I want to use a specific include file.
In the main config file I want only some directives and some global templates, the same for all the files that I want to include, and a series of IncludeConfig statements (one for each macro category) in an order that is very important for discarding, in cascade, messages that aren't useful.
The content of a specific file is something like this (the other config files that I want to include are similar)
Code:
$AllowedSender UDP, 192.168.1.0/24, 192.168.2.0/24 # and so on

#VARIOUS FILTERS
if $syslogtag contains_i 'something' then ~
# VARIOUS ACTIONS
if $fromhost-ip startswith '192.168.1' and ($syslogfacility-text == 'auth' or $syslogfacility-text == 'security' or $syslogfacility-text == 'authpriv') then :ommysql:ipaddres,DBNAME,USR,PWD
if $fromhost-ip startswith '192.168.1' then ~

if $fromhost-ip startswith '192.168.2' and ($syslogfacility-text == 'auth' or $syslogfacility-text == 'security' or $syslogfacility-text == 'authpriv') then :ommysql:ipaddres,DBNAME,USR,PWD
if $fromhost-ip startswith '192.168.2' then ~

if $fromhost-ip startswith '192.168.3' and ($syslogfacility-text == 'auth' or $syslogfacility-text == 'security' or $syslogfacility-text == 'authpriv') then :ommysql:ipaddres,DBNAME,USR,PWD
if $fromhost-ip startswith '192.168.3' then ~
and so on for all subnets of the AllowedSender

I have seen that if on top of IncludeConfig there is a simple action (i.e. if $msg contains 'test' then /var/log/test.log;TestTemplate_1) this action is ignored, whereas if there is another IncludeConfig it is processed. For my purpose the second case is OK, but for the first case, is this the correct behaviour?

I hope I have explained what I want to do.


Thanks for any reply or comment

Giuseppe

Re: $IncludeConfig strange behaviour

Postby rgerhards » Mon Apr 27, 2009 11:18 am

Just let me gather some more information. The debug log contains the in-memory representation of what was read in. This is definitely useful. Search in Google for "rsyslog troubleshooting" and you'll find a document that tells you how to do that. Look at the case in depth later.