rsyslog server v8

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards


rsyslog server v8

Postby sloe » Mon Feb 12, 2018 1:34 pm

Hi,

I'm new to rsyslog, but have been tasked with setting up a new server for our clients to log to. I put this config together from reading a few man pages and forum posts on the Internet. The config has errors; although I know which lines they are on, I don't know what the problem is or how I should resolve them. Any clues would be greatly appreciated.

The server is a Solaris 11/sparc sun4v box, and the rsyslog version is 8.7.4 compiled with:
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: No
64bit Atomic operations supported: No
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64


Config
Code:
# grep -v^# /etc/rsyslog.conf|grep -v ^$
$ModLoad imsolaris      # for Solaris kernel logging
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad imudp.so       # provides UDP syslog reception
$UDPServerRun 514      # start a UDP syslog server at standard port 514
$UDPServerAddress *     # listen to all IP addresses
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
 &stop
$template FromIp,"/var/log/%FROMHOST-IP%.log"
*.* ?FromIp
 &stop
$WorkDirectory /var/spool/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
*.alert;kern.err;daemon.err                     :omusrmsg:operator
*.alert                                         :omusrmsg:root
*.info;mail.none;auth.none;cron.none            -/var/log/misc.log
auth.*                                          -/var/log/auth.log
daemon.*                                        -/var/log/daemon.log
mail.*                                          -/var/log/mail.log
*.emerg                                         :omusrmsg:*



The error message is:

Code:
# /usr/lib/rsyslog/rsyslogd -N 1
rsyslogd: version 8.4.2, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error during parsing file (null), on or before line 50: STOP is followed by unreachable statements!  [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file (null), on or before line 50: STOP is followed by unreachable statements!  [try http://www.rsyslog.com/e/2207 ]
rsyslogd: End of config validation run. Bye.
sloe
Avarage
 
Posts: 10
Joined: Mon Feb 12, 2018 9:27 am


Re: rsyslog server v8

Postby deoren » Tue Feb 13, 2018 5:26 am

The server is a Solaris 11/sparc sun4v box, and the rsyslog version is 8.7.4


Are you able to use anything newer for your syslog receiver? v8.7.4 is pretty old and lots of bugs have been fixed since that point in time.

I'm not familiar enough with the older configuration syntax to know for sure, but this looks suspect:

Code:
*.* ?RemoteLogs
 &stop
$template FromIp,"/var/log/%FROMHOST-IP%.log"
*.* ?FromIp
 &stop


I would guess that, after the first two lines shown here, the lines that follow will not be reached. If I am reading the syntax correctly, rsyslog is told to record all messages using the "RemoteLogs" template, then stop instead of processing them any further. What specifically are you trying to accomplish with those lines?

This is a lot to take in when you first read it (I was in that situation not that long ago), but it gives a good overview of the newer configuration format:

https://selivan.github.io/2017/02/07/rs ... lover.html

While it has its flaws, I'd also suggest taking a look at the documentation for rsyslog:

http://www.rsyslog.com/doc/v8-stable/

You can also generate epub files from the source:

https://github.com/rsyslog/rsyslog-doc

I can also link to an unofficial one if you have an interest in that format.
deoren
Avarage
 
Posts: 15
Joined: Wed Dec 13, 2017 6:49 am
Location: USA

Re: rsyslog server v8

Postby sloe » Tue Feb 13, 2018 1:24 pm

Our company blocked git so cannot get there.

I removed those suspect lines and had some success logging to disc. I have since rewritten the config thus:

Code:
$ModLoad imsolaris      # for Solaris kernel logging
# TCP
$ModLoad imtcp
$InputTCPServerRun 514
# UDP
$ModLoad imudp.so       # provides UDP syslog reception
$UDPServerRun 514      # start a UDP syslog server at standard port 514
# IP to listen on
$UDPServerAddress *     # listen to all IP addresses
#$TCPServerAddress *     # listen to all IP addresses


# Global directives

$WorkDirectory /var/spool/rsyslog/work
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format

$template TmplMsg, "/var/spool/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"

$FileOwner root
$FileGroup sys
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022

*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
authpriv.*     /var/log/authprivlog
if $syslogfacility == 10 then /var/log/authprivlog

*.emerg                                         :omusrmsg:*
*.alert                                         :omusrmsg:root
*.info;mail.none;auth.none;cron.none            -/var/log/misc.log
auth.*                                          -/var/log/auth.log
daemon.*                                        -/var/log/daemon.log
mail.*                                          -/var/log/mail.log

# to network over TCP  - NOT WORKING
authpriv.*;*.err;kern.debug;daemon.notice;mail.crit;*.emerg;*.alert     @@127.0.0.1:514

# locally, to a file in work dir - WORKING, but only from local host. Other clients not recorded.
#*.*   ?TmplMsg # but will fill up your disc asap
authpriv.*;*.err;kern.debug;daemon.notice;mail.crit;*.emerg;*.alert;*.debug     ?TmplMsg


The directory for this rsyslog server (called bec2a) is created, e.g.:
-rw-r----- 1 root staff 248 Feb 13 12:20 /var/spool/rsyslog/bec2a/su.log

If I uncomment the line #$TCPServerAddress * # listen to all IP addresses, I have an error:
rsyslogd: invalid or yet-unknown config file command 'TCPServerAddress' - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]

Re: rsyslog server v8

Postby sloe » Tue Feb 13, 2018 4:18 pm

Hi,

I have rewritten this config again. After seeing which ports were listening, I noticed that UDP 514 was not and TCP was (10514). If I set the ruleset Remote to be default, the server can log to itself into the correct directory (defined in template Remote). When I set the ruleset called Local, nothing was logged anywhere, so I commented most of this out.

The rewritten code below looks cleaner and more logical to me, but of course does not work. UDP:514 is not listening for a start. Checking the syntax worked fine, e.g.:

Code:
# /usr/lib/rsyslog/rsyslogd -N 9
rsyslogd: version 8.4.2, config validation run (level 9), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.



Without further ado, please find an rsyslog.conf configuration...
Code:
# grep -v ^# /etc/rsyslog.conf|grep -v ^$
$ModLoad imsolaris      # for Solaris kernel logging
$ModLoad imtcp
$ModLoad imudp
$WorkDirectory /var/spool/rsyslog/work
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format

$template Remote, "/var/spool/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"

template(name="json-template"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"sysloghost\":\"")  property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname")
      constant(value="\",\"procid\":\"")      property(name="procid")
    constant(value="\"}\n")
}

$FileOwner root
$FileGroup sys
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022

$RuleSet local
*.emerg                                         :omusrmsg:*
*.alert                                         :omusrmsg:root
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

$RuleSet Remote
*.*   ?Remote
$DefaultRuleset Remote

$InputTCPServerBindRuleset Remote
$InputTCPServerRun 10514
$InputUDPServerBindRuleset Remote
$UDPServerRun 514

Re: rsyslog server v8

Postby deoren » Tue Feb 13, 2018 5:35 pm

I may be wrong in this, but from what I recall the obsolete legacy format requires that directives be specified in a particular order. I believe that you'll need to move your inputs towards the top of the file just after the modules are loaded. While the syntax takes some getting used to, I recommend adapting your configuration to the current configuration format and also upgrading to a newer version of rsyslog.

Re: rsyslog server v8

Postby sloe » Wed Feb 14, 2018 9:46 am

Thanks for the info. Last time I checked, the highest package available was 8.7.2. Even Unixpackages.com's latest release was for version 5.8.13 on sparc/Solaris 11. If compiling from source is the only option, then this probably won't be allowed.

Moving the listeners to the top breaks because I bind a ruleset to a listener, which of course no longer works because the rulesets are defined later... Catch 22.

Re: rsyslog server v8

Postby sloe » Thu Feb 15, 2018 9:44 am

I have the config working now for tcp and udp. :) Thanks.

Final config on Solaris 11/rsyslog 8.7.4 is:
# grep -v ^# /etc/rsyslog.conf|grep -v ^$
$ModLoad imsolaris # for Solaris kernel logging
$ModLoad imtcp
$ModLoad imudp
$ModLoad imrelp
$WorkDirectory /var/spool/rsyslog/work
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
$template DynaFile,"/var/spool/rsyslog/%HOSTNAME%.log"
template(name="json-template"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"sysloghost\":\"")  property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname")
      constant(value="\",\"procid\":\"")      property(name="procid")
    constant(value="\"}\n")
}
$FileOwner root
$FileGroup sys
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$RuleSet Local
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.emerg :omusrmsg:*
*.alert :omusrmsg:root
$RuleSet Remote
*.* ?DynaFile
&stop
$DefaultRuleset Remote
$InputTCPServerBindRuleset Remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset Remote
$UDPServerRun 514


I'll start a new thread for my RELP
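The following is an added example, not code from the thread or from the rsyslog project: it expresses the final legacy configuration above in rsyslog's current RainerScript syntax, which deoren recommended earlier in the thread. The ruleset name, the file paths and the per-host file layout are carried over from the post as assumptions; `secpath-replace` is a standard rsyslog property-replacer option, used here because the hostname in a dynafile path comes from the message the client sent, so directory separators in it should be neutralised before it becomes part of a file name. The ruleset is defined before the `input()` statements that bind to it, and `stop` is the last statement of its block, which is what the validation run in the first post was complaining about.

```rsyslog
# Added example (not from the thread): the final legacy config rewritten in
# rsyslog's current RainerScript syntax. Ruleset name and paths are the
# assumptions taken from the post above; adjust them to your environment.

module(load="imsolaris")   # Solaris local/kernel logging
module(load="imtcp")
module(load="imudp")

global(workDirectory="/var/spool/rsyslog/work")
$Umask 0022                # legacy directives can still be mixed in

# One file per client host. HOSTNAME is taken from the received message,
# so replace any "/" in it before it is used to build a path.
template(name="DynaFile" type="string"
         string="/var/spool/rsyslog/%HOSTNAME:::secpath-replace%.log")

# Statements outside any ruleset() form the default ruleset; messages from
# imsolaris land here (the "Local" rules of the post).
if prifilt("*.err;kern.debug;daemon.notice;mail.crit") then {
    action(type="omfile" file="/var/adm/messages"
           template="RSYSLOG_SyslogProtocol23Format")
}
if prifilt("*.emerg") then action(type="omusrmsg" users="*")
if prifilt("*.alert") then action(type="omusrmsg" users="root")

# Ruleset for network clients, defined before the inputs that bind to it.
ruleset(name="Remote") {
    action(type="omfile" dynaFile="DynaFile"
           template="RSYSLOG_SyslogProtocol23Format"
           fileOwner="root" fileGroup="sys"
           fileCreateMode="0640" dirCreateMode="0750")
    # 'stop' has to be the last statement of its block; anything placed
    # after it produces "STOP is followed by unreachable statements".
    stop
}

input(type="imtcp" port="514" ruleset="Remote")
input(type="imudp" port="514" ruleset="Remote")
```

Validate it the same way as in the thread (`rsyslogd -N 1`) before restarting the daemon. The `json-template` list template from the post is already in the current syntax and can be added unchanged if a JSON output is wanted; the file ownership and mode settings that were global `$File...` directives are given per action here, which keeps them visible next to the file they apply to.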
