Not logging to file as per templates


Postby rbaker » Tue Aug 11, 2015 11:43 pm

I have been struggling with getting rsyslog to log to the files I have defined. I have verified it is listening on the specified TCP and UDP ports, and can confirm (with tcpdump) that logging is reaching the host. Here is the config I have been trying to use:

Code:
#### MODULES ####

module(load="imuxsock")    # provides support for local system logging (e.g. via logger command)
module(load="imklog")      # provides kernel logging support (previously done by rklogd)
module(load="immark")      # provides --MARK-- message capability
module(load="imudp")      # Provides UDP syslog reception
module(load="imtcp")      # Provides TCP syslog reception


#### GLOBAL DIRECTIVES ####

$umask 0000


#### TEMPLATES ####

template(name="DailyPerHost_cisco_asa" type="string" string="/var/log/syslog/cisco/asa/%FROMHOST%/%$year%%$month%%$day%.log")
template(name="DailyPerHost_cisco_nexus" type="string" string="/var/log/syslog/cisco/nexus/%FROMHOST%/%$year%%$month%%$day%.log")
template(name="DailyPerHost_cisco_wap" type="string" string="/var/log/syslog/cisco/wap/%FROMHOST%/%$year%%$month%%$day%.log")
template(name="DailyPerHost_cisco_ios" type="string" string="/var/log/syslog/cisco/ios/$now.log")

#### REMOTE RULES ####

ruleset(name="remote") {
   if ($fromhost == "172.18.44.19" or
      $fromhost == "172.22.3.5" or
      $fromhost == "172.22.135.68" or
      $fromhost == "172.19.4.31") then {
      action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
          DynaFile="DailyPerHost_cisco_asa"
         template="RSYSLOG_TraditionalFileFormat")

   if ($fromhost == "172.22.0.3" or
                $fromhost == "172.22.0.3") then {
                action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
          DynaFile="DailyPerHost_cisco_nexus"
                        template="RSYSLOG_TraditionalFileFormat")

   if ($fromhost == "172.22.20.10" or
                $fromhost == "172.22.30.11" or
                $fromhost == "172.22.10.39" or
                $fromhost == "172.22.20.11" or
                $fromhost == "172.22.10.40") then {
                action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
          DynaFile="DailyPerHost_cisco_wap"
                        template="RSYSLOG_TraditionalFileFormat")
   
   action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
       DynaFile="DailyPerHost_cisco_ios"
                  template="RSYSLOG_TraditionalFileFormat")   
   & stop } } }
}


input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="1514" ruleset="remote")
   
   
#### LOCAL RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 action(type="omfile" file="/dev/console")

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                action(type="omfile" file="/var/log/messages")

# The authpriv file has restricted access.
authpriv.*                                              action(type="omfile" file="/var/log/secure")

# Log all the mail messages in one place.
mail.*                                                  action(type="omfile" file="/var/log/maillog")

# Log cron stuff
cron.*                                                  action(type="omfile" file="/var/log/cron")

# Everybody gets emergency messages
*.emerg                                                 action(type="omusrmsg" users="*")

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          action(type="omfile" file="/var/log/spooler")

# Save boot messages also to boot.log
local7.*                                                action(type="omfile" file="/var/log/boot.log")


Thoughts?
rbaker
New
 
Posts: 4
Joined: Fri Jul 24, 2015 5:28 pm

Re: Not logging to file as per templates

Postby rbaker » Tue Aug 11, 2015 11:50 pm

Should have added I am running rsyslogd 7.4.7
rbaker
New
 
Posts: 4
Joined: Fri Jul 24, 2015 5:28 pm

Re: Not logging to file as per templates

Postby dlang » Wed Aug 12, 2015 12:46 am

The most common cause of logs not going where you want them to is that the contents of the log are not what you think they are.

Try logging with the format RSYSLOG_DebugFormat for a few minutes and check the variables that show up in that log to see if they are what you expect them to be.

For example, $fromhost is the result of doing a DNS lookup for $fromhost-ip, so it's very probable that you have names in that variable instead of IP addresses.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: Not logging to file as per templates

Postby rbaker » Wed Aug 12, 2015 3:18 am

But wouldn't the config DailyPerHost_cisco_ios template catch everything at the end then? I likely would have double logging as I probably should have a specific Stop configured in each sub-section of the IP matching. I'll try the debug logging, but I thought my last line of the config was a catch all for anything that didn't match...
rbaker
New
 
Posts: 4
Joined: Fri Jul 24, 2015 5:28 pm

Re: Not logging to file as per templates

Postby dlang » Wed Aug 12, 2015 4:26 am

Reformatting to show the nesting: it's not doing what you think it's doing; all the ifs are nested inside each other.

Code:
ruleset(name="remote") {
     if ($fromhost == "172.18.44.19" or $fromhost == "172.22.3.5" or $fromhost == "172.22.135.68" or $fromhost == "172.19.4.31") then {
        action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" DynaFile="DailyPerHost_cisco_asa" template="RSYSLOG_TraditionalFileFormat")
        if ($fromhost == "172.22.0.3" or $fromhost == "172.22.0.3") then {
            action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" DynaFile="DailyPerHost_cisco_nexus" template="RSYSLOG_TraditionalFileFormat")
            if ($fromhost == "172.22.20.10" or $fromhost == "172.22.30.11" or $fromhost == "172.22.10.39" or $fromhost == "172.22.20.11" or $fromhost == "172.22.10.40") then {
                action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" DynaFile="DailyPerHost_cisco_wap" template="RSYSLOG_TraditionalFileFormat")
                action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" DynaFile="DailyPerHost_cisco_ios" template="RSYSLOG_TraditionalFileFormat")
                & stop
            }
        }
    }
}


Note the & is meaningless as the prior action has no condition, so that line could just read 'stop' and it would be the same.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: Not logging to file as per templates

Postby rbaker » Wed Aug 19, 2015 4:09 am

I think I know what to try (not nest the if statements and add a condition to the catch-all at the end). I'll give it a shot and let you know how I make out. I appreciate the feedback.
rbaker
New
 
Posts: 4
Joined: Fri Jul 24, 2015 5:28 pm
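
The change discussed in this thread, written out as an added example that is not part of the original posts: the if blocks are siblings rather than nested, each ends in stop, and the catch-all comes last. It assumes the DailyPerHost_* templates from the first post, compares $fromhost-ip because of the DNS point raised above, uses a hypothetical debug file path, and lists 172.22.0.3 once because the original repeats it.

```rsyslog
# Added example, not from the original posts. Relies on the DailyPerHost_*
# templates defined in the configuration at the top of the thread.
ruleset(name="remote") {
    # Temporary: write every property of each received message so the real
    # values of fromhost and fromhost-ip can be checked (hypothetical path).
    action(type="omfile" file="/var/log/syslog/remote-debug.log"
           template="RSYSLOG_DebugFormat")

    # Sibling blocks: each test is evaluated on its own. $fromhost-ip is used
    # because $fromhost may hold a resolved name instead of an address.
    if ($fromhost-ip == "172.18.44.19" or
        $fromhost-ip == "172.22.3.5" or
        $fromhost-ip == "172.22.135.68" or
        $fromhost-ip == "172.19.4.31") then {
        action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
               DynaFile="DailyPerHost_cisco_asa"
               template="RSYSLOG_TraditionalFileFormat")
        stop
    }

    # Nexus: stop ends processing so the catch-all below never sees these.
    if ($fromhost-ip == "172.22.0.3") then {
        action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
               DynaFile="DailyPerHost_cisco_nexus"
               template="RSYSLOG_TraditionalFileFormat")
        stop
    }

    if ($fromhost-ip == "172.22.20.10" or
        $fromhost-ip == "172.22.30.11" or
        $fromhost-ip == "172.22.10.39" or
        $fromhost-ip == "172.22.20.11" or
        $fromhost-ip == "172.22.10.40") then {
        action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
               DynaFile="DailyPerHost_cisco_wap"
               template="RSYSLOG_TraditionalFileFormat")
        stop
    }

    # Catch-all: reached only by messages that no block above stopped.
    action(type="omfile" DirCreateMode="0755" FileCreateMode="0644"
           DynaFile="DailyPerHost_cisco_ios"
           template="RSYSLOG_TraditionalFileFormat")
}
```

Because every matching block ends in stop, the final action needs no condition of its own. Remove the debug action once the property values have been confirmed, since it writes a verbose record for every remote message.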
