remote logging on redhat with rsyslog


Postby clustermaster on Thu Mar 13, 2008 4:43 pm

Help please.
I have spent many hours trying to get rsyslog to work and don't want to fall back to the old syslog daemon.

After downloading the latest rsyslog onto our Redhat enterprise server, I copied the: rsyslog.conf rsyslog.init rsyslog.log rsyslog.sysconfig
into /etc

Currently, I start it with: /usr/local/sbin/rsyslogd -r[514] -t[514] -f /etc/rsyslog.conf

rsyslog.sysconfig has the "r" option
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

Here my conf file:

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imudp.so # provides UDP syslog reception
$ModLoad imtcp.so # provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)

$template DynaFile,"/var/log/system-%HOSTNAME%.log"
*.* -?DynaFile

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

LOCAL0.* local0-7
local1.* local0-7
local2.* local0-7
local3.* local0-7
local4.* local0-7
local5.* local0-7
LOCAL6.* local0-7

# Save boot messages also to boot.log
local7.* /var/log/boot.log


rsyslog successfully created a: system-prodntwk1l.log file, like I had hoped, but no files are being created for any remote systems. I know the syslog information is arriving at the server after running a trace - but rsyslog seems to ignore them.

Any help would be HIGHLY appreciated.

RE: remote logging on redhat with rsyslog

Postby rgerhards on Thu Mar 13, 2008 5:13 pm

I am on a cell phone, thus brief...

There is a v3 compatibility doc on the site. Review that. The way listeners are started has changed. You need to add some directives. I think that's the problem.

rainer

RE: remote logging on redhat with rsyslog

Postby clustermaster on Thu Mar 13, 2008 7:07 pm

Adding this to the rsyslog.conf solved the problem and my routers and switches are logging successfully into individual files.
$ModLoad imudp.so
$UDPServerAddress X.Y.Z.Z
$UDPServerRun 514

Rather impressive and so much nicer than the normal syslog. Thanks for the quick reply.
Many thanks.
Will test stability and hope to move this into production soon.
Marc
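The failure in this thread (an input module loaded with `$ModLoad`, but no directive that starts its listener) can be checked mechanically before a log server goes into production. The following Python check is an added example, not part of the original posts or of rsyslog itself; it assumes legacy-format directives, treats `$InputTCPServerRun` as the TCP counterpart of the `$UDPServerRun` directive shown above, and runs on constructed sample configurations.

```python
import re

# Legacy-format directive that starts a listener for each network input module.
# imudp/$UDPServerRun are from the thread; imtcp/$InputTCPServerRun is the TCP
# counterpart in rsyslog's legacy directive set.
RUN_DIRECTIVE = {"imudp": "$udpserverrun", "imtcp": "$inputtcpserverrun"}

def parse_directives(conf_text):
    """Return (lowercased directive, argument) pairs; '#' comments are stripped."""
    pairs = []
    for raw in conf_text.splitlines():
        match = re.match(r"(\$\w+)\s*(.*)", raw.split("#", 1)[0].strip())
        if match:
            pairs.append((match.group(1).lower(), match.group(2).strip()))
    return pairs

def audit_listeners(conf_text):
    """Per module: is it loaded, which ports are started, and is it loaded but silent?"""
    directives = parse_directives(conf_text)
    loaded = {re.sub(r"\.so$", "", arg.lower())
              for name, arg in directives if name == "$modload"}
    report = {}
    for module, run in RUN_DIRECTIVE.items():
        ports = [arg for name, arg in directives if name == run]
        report[module] = {"loaded": module in loaded, "ports": ports,
                          "silent": module in loaded and not ports}
    return report

# Constructed sample: the module loads from the first post, nothing else.
BEFORE = """\
$ModLoad imudp.so # provides UDP syslog reception
$ModLoad imtcp.so # provides TCP syslog reception
$template DynaFile,"/var/log/system-%HOSTNAME%.log"
*.* -?DynaFile
"""

# Constructed sample: BEFORE plus the fix from the follow-up post
# (192.0.2.10 is a documentation address standing in for X.Y.Z.Z).
AFTER = BEFORE + "$UDPServerAddress 192.0.2.10\n$UDPServerRun 514\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for module, state in audit_listeners(conf).items():
            status = "LOADED BUT NOT LISTENING" if state["silent"] else "ok"
            print(label, module, state["ports"], status)
```

On the "after" sample the check still flags imtcp: the fix in the thread starts only the UDP listener, so senders configured for TCP would still be dropped.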

RE: remote logging on redhat with rsyslog

Postby rgerhards on Thu Mar 13, 2008 9:39 pm

Excellent :) I'd **** to get some feedback on the testing results, especially if all goes well (I tend to hear about the problems, but not when all went well ;)). Some performance metrics would also be nice ;)

Rainer