MonitorWare Knowledge Base

Hi All,

I'm new to rsyslog and want to convert my old syslog-ng configuration.
filter f_semsd { match('<agent_name>'); };
filter f_tcp_semsd { filter(f_semsd) and ( match(EVENT) or match(FATAL) or match(CRITICAL) or match(MAJOR) or match(CLEARED) ); };
filter f_tcp_semsd_active { filter(f_tcp_semsd) and match("<hsb>active</hsb>"); };
log { source(src_local); filter(f_semsd); destination(d_sems); };
log { source(src_local); filter(f_tcp_semsd_active); destination(d_sems2); };


The 1ste log entry can be entered as:
:msg,contains,"<agent_name>"
& /var/log/sems.log
&~

But how can I put the 2nd log line?
I'm using rsyslog-2.0.6-1.el5 so I can't use the if-then clause.

Any help appreciated!
Thx Johan

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Hi Johan,

can you explain what the second filter does?

Please also note that with v2, you are rather limited, so I guess (not knowing what the filter actually does do) that it is not easy to implement it.

Rainer

I want to see all messages containing "<agent_name>" and "<hsb>active</hsb>" and one or more occurrences of "EVENT", "FATAL", "CRITICAL", "MAJOR", "CLEARED"

I created some rsyslog config for this:

Code: Select all

:msg, contains, "<agent_name>"  /var/log/sems.log

:msg, contains, "<agent_name>"
:msg, contains, "EVENT"
& /var/log/sems2.log
& ~

:msg, contains, "<agent_name>"
:msg, contains, "FATAL"
& /var/log/sems2.log
& ~

:msg, contains, "<agent_name>"
:msg, contains, "CRITICAL"
& /var/log/sems2.log
& ~

:msg, contains, "<agent_name>"
:msg, contains, "MAJOR"
& /var/log/sems2.log
& ~

:msg, contains, "<agent_name>"
:msg, contains, "CLEARED"
& /var/log/sems2.log
& ~

:msg, contains, "<agent_name>"  /var/log/sems.log
& ~


But I think this is ugly and inefficient.
Is there an other way to perform these actions?

This is not only ugly and inefficient, it also does not work You should see lots of error messages in syslog.error when you start the configuration. The reason is that you can not combine filters, they need to be followed by the action. So you can not do

:msg, contains, "<agent_name>"
:msg, contains, "FATAL"
& /var/log/sems2.log
& ~

but only

:msg, contains, "FATAL" /var/log/sems2.log
& ~

The solution is to use the if..then construct. I know it's not available in v2, but so there is no way around upgrading.

Rainer

indeed, there were several errors during the start of the rsyslog process.

I've rewritten the rules using "regex". It is possible as the lines it receives from the process are always the same structure.

So currently the configuration looks like this:

Code: Select all

:msg, regex, "<agent_name>.*<hsb>standby</hsb>.*<topic>EVENT</topic>"    /var/log/sems2.log
:msg, regex, "<agent_name>.*<hsb>standby</hsb>.*<topic>FATAL</topic>"    /var/log/sems2.log
:msg, regex, "<agent_name>.*<hsb>standby</hsb>.*<topic>CRITICAL</topic>" /var/log/sems2.log
:msg, regex, "<agent_name>.*<hsb>standby</hsb>.*<topic>MAJOR</topic>"    /var/log/sems2.log
:msg, regex, "<agent_name>.*<hsb>standby</hsb>.*<topic>CLEARED</topic>"  /var/log/sems2.log

:msg, contains, "<agent_name>"  /var/log/sems.log
& ~


Is there a way to combine those 4 lines?
ereregex should be able to do that but is only available in v4.

I don't know the performance impact of such :msg rules and the use of regex and contains. Should I see any performance impact with the rules above?

Thx Johan

regexp has a performance impact, in the case of v2 I think an even large one. But nothing you can do against that...