Convert basic rsyslog forwarder config to new syntax issue

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.

Post by gormank »

Hi,
Since we're now on RHEL 7.9 and rsyslog 8.24 with a fairly stable new syntax, I'd like to convert the forwarder from the old syntax to the new. Here's an example of old syntax in use.

$WorkDirectory /var/lib/rsyslog # Where spool files will exist
$ActionQueueFileName FwdRule01 # Unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1GB space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
$ActionQueueType LinkedList # Use asynchronous processing
$ActionResumeRetryCount -1 # Infinite retries if host is down
*.* @@[2001:4888:a03:3161:c0:9:0:100]:5544

And what I'm trying to use as the new syntax. This is pretty much lifted from RHEL documentation in the link. https://access.redhat.com/documentation ... log_queues

global(
parser.dropTrailingLFOnReception="on"
parser.escapeControlCharactersOnReceive="on"
workDirectory="/var/lib/rsyslog"
)

*.* action(
type="omfwd"
queue.type="linkedlist"
queue.filename="FwdRule01"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="2001:4888:a03:3161:c0:9:0:100"
port="5544"
protocol="tcp"
stop
)

When I use the new syntax and restart rsyslog, it says it stopped, started and shows no other info. /var/log/messages shows the same. No errors.
I've rearranged, added and removed stuff with no luck getting it to work.

Any hints as to where I'm going wrong?
Thanks!
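
The mapping between the two snippets in the post above, as an added example that is not part of the original post: a small Python translator from one legacy forwarding rule to action() syntax. The names convert, LEGACY_TO_PARAM and FORWARD_RE and the sample input are constructed for illustration, and only the directives shown in the post are handled.

```python
import re
# Legacy directive -> action() parameter; only the directives from the post.
LEGACY_TO_PARAM = {
    "$actionqueuefilename": "queue.filename",
    "$actionqueuemaxdiskspace": "queue.maxDiskSpace",
    "$actionqueuesaveonshutdown": "queue.saveOnShutdown",
    "$actionqueuetype": "queue.type",
    "$actionresumeretrycount": "action.resumeRetryCount",
}
# selector, "@" (UDP) or "@@" (TCP), host or [IPv6 literal], optional :port
FORWARD_RE = re.compile(r"^(?P<sel>\S+)\s+(?P<at>@@?)"
                        r"(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\s]+))(?::(?P<port>\d+))?$")

def convert(legacy_text):
    """Translate one legacy forwarding rule and its queue directives."""
    params, work_dir, rule = [], None, None
    for raw in legacy_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("$"):
            name, value = (line.split(None, 1) + [""])[:2]
            if name.lower() == "$workdirectory":
                work_dir = value
            elif name.lower() in LEGACY_TO_PARAM:
                params.append((LEGACY_TO_PARAM[name.lower()], value))
            else:
                raise ValueError(f"unhandled directive: {name}")
            continue
        rule = FORWARD_RE.match(line)
        if rule is None:
            raise ValueError(f"not a forwarding rule: {line}")
    if rule is None:
        raise ValueError("no forwarding rule found")
    params += [("target", rule["v6"] or rule["host"]),
               ("port", rule["port"] or "514"),  # omfwd default port
               ("protocol", "tcp" if rule["at"] == "@@" else "udp")]
    out = []
    if work_dir:  # omit if /etc/rsyslog.conf already sets workDirectory
        out.append(f'global(workDirectory="{work_dir}")')
    body = "\n".join(f'    {key}="{val}"' for key, val in params)
    out.append(f'{rule["sel"]} action(type="omfwd"\n{body}\n)')
    return "\n".join(out)

# Constructed sample input (documentation-range address, not the poster's host).
SAMPLE = """$WorkDirectory /var/lib/rsyslog # spool directory
$ActionQueueFileName FwdRule01
$ActionQueueType LinkedList
*.* @@[2001:db8::100]:5544"""
```
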

Post by ssax »

This worked for me:

Code:

global(
parser.dropTrailingLFOnReception="on"
parser.escapeControlCharactersOnReceive="on"
workDirectory="/var/lib/rsyslog"
)

*.* action(type="omfwd"
queue.filename="FwdRule01"
queue.highWatermark="8000"
queue.lowWatermark="2000"
queue.maxDiskSpace="1g"
#queue.saveOnShutdown="on"
queue.type="Linkedlist"
action.resumeRetryCount="-1"
target="2001:4888:a03:3161:c0:9:0:100"
port="5544"
protocol="tcp"
)

What does /var/log/messages show when you restart the rsyslog service?

Post by gormank »

I switched to the config you posted above and it is sending logs to NLS. I'm happy but a bit confused since not much is different.
Here are the messages when rsyslog is restarted.

Code:

Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 2001:4888:a03:3161:c0:9::100:5544 [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2027 ]
Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2007 ]
Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2359 ]
Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 systemd[1]: Removed slice User Slice of root.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Stopping System Logging Service...
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: [origin software="rsyslogd" swVersion="8.1911.0-7.el7at" x-pid="9780" x-info="https://www.rsyslog.com"] exiting on signal 15.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Stopped System Logging Service.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Starting System Logging Service...
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2222 ]
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: error during parsing file /etc/rsyslog.d/syslog.forward.new.format.conf, on or before line 14: parameter 'workdirectory' specified more than once - one instance is ignored. Fix config [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2207 ]
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Started System Logging Service.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: error during parsing file /etc/rsyslog.d/syslog.forward.new.format.conf, on or before line 14: parameter 'workDirectory' not known -- typo in config file? [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2207 ]
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: [origin software="rsyslogd" swVersion="8.1911.0-7.el7at" x-pid="31212" x-info="https://www.rsyslog.com"] start
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: imjournal: journal files changed, reloading...  [v8.1911.0-7.el7at try https://www.rsyslog.com/e/0 ]

workdirectory is a global already set in the default /etc/rsyslog.conf. I commented it out so that message is gone.

It doesn't like SystemLogSocketName which comes from listen.conf, and I'm not sure if listen.conf should be removed or what.
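
A restart that reports success can still leave config errors and a suspended forwarder in /var/log/messages, as the log in the post above shows. The following is an added example, not part of the original post: a Python triage of rsyslogd diagnostics grouped by daemon PID. The function name triage, the sample lines (constructed in the format of the lines above) and the choice to treat error code 0 as informational are assumptions.

```python
import re

# rsyslogd appends "[v<version> try https://www.rsyslog.com/e/<code> ]" to its
# diagnostics; code 0 is treated as informational here (assumption).
LINE_RE = re.compile(
    r"rsyslogd\[(?P<pid>\d+)\]: (?P<msg>.*?)\s*"
    r"\[v\S+ try https://www\.rsyslog\.com/e/(?P<code>\d+) \]$")
PARSE_RE = re.compile(
    r"error during parsing file (?P<file>\S+), on or before line (?P<line>\d+): (?P<detail>.*)")
STATE_RE = re.compile(r"action '(?P<action>[^']+)' (?P<state>suspended|resumed)")

def triage(log_text):
    """Summarise rsyslogd diagnostics per daemon PID."""
    report = {}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw.rstrip())
        if m is None or m["code"] == "0":
            continue                      # not an rsyslogd diagnostic
        entry = report.setdefault(
            m["pid"], {"config_errors": [], "actions": {}, "codes": []})
        entry["codes"].append(int(m["code"]))
        parse = PARSE_RE.search(m["msg"])
        state = STATE_RE.search(m["msg"])
        if parse:
            entry["config_errors"].append(
                (parse["file"], int(parse["line"]), parse["detail"]))
        elif state:
            entry["actions"][state["action"]] = state["state"]  # last state wins
    return report

# Constructed sample lines: PID 100 is the old daemon, PID 200 the restarted one.
SAMPLE = """\
Oct 13 22:50:01 host01 rsyslogd[100]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. [v8.0 try https://www.rsyslog.com/e/2007 ]
Oct 13 22:50:01 host01 rsyslogd[100]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.0 try https://www.rsyslog.com/e/2359 ]
Oct 13 22:50:27 host01 rsyslogd[200]: error during parsing file /etc/rsyslog.d/fwd.conf, on or before line 14: parameter 'workdirectory' specified more than once - one instance is ignored. Fix config [v8.0 try https://www.rsyslog.com/e/2207 ]
Oct 13 22:50:27 host01 rsyslogd[200]: imjournal: journal files changed, reloading...  [v8.0 try https://www.rsyslog.com/e/0 ]
Oct 13 22:50:27 host01 systemd[1]: Started System Logging Service.
"""

if __name__ == "__main__":
    for pid, entry in triage(SAMPLE).items():
        print(pid, entry)
```
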

Post by ssax »

I had to comment this one out from yours on my version:

Code:

#queue.saveOnShutdown="on"

I think this is what you would need to do for the listen.conf:

Code:

input(type="imuxsock" socket="/run/systemd/journal/syslog")

https://lists.ubuntu.com/archives/ubunt ... 90443.html

Post by gormank »

Thanks. Feel free to lock this one.