Convert basic rsyslog forwarder config to new syntax issue

Posted: Tue Oct 12, 2021 5:12 pm
by gormank
Hi,
Since we're now on RHEL 7.9 and rsyslog 8.24 with a fairly stable new syntax, I'd like to convert the forwarder from the old syntax to the new. Here's an example of old syntax in use.

$WorkDirectory /var/lib/rsyslog # Where spool files will exist
$ActionQueueFileName FwdRule01 # Unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1GB space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # Save messages to disk on shutdown
$ActionQueueType LinkedList # Use asynchronous processing
$ActionResumeRetryCount -1 # Infinite retries if host is down
*.* @@[2001:4888:a03:3161:c0:9:0:100]:5544

And what I'm trying to use as the new syntax. This is pretty much lifted from RHEL documentation in the link. https://access.redhat.com/documentation ... log_queues

global(
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)

*.* action(
    type="omfwd"
    queue.type="linkedlist"
    queue.filename="FwdRule01"
    action.resumeRetryCount="-1"
    queue.saveOnShutdown="on"
    target="2001:4888:a03:3161:c0:9:0:100"
    port="5544"
    protocol="tcp"
    stop
)

When I use the new syntax and restart rsyslog, it says it stopped, started and shows no other info. /var/log/messages shows the same. No errors.
I've rearranged, added and removed stuff with no luck getting it to work.

Any hints as to where I'm going wrong?
Thanks!

Re: Convert basic rsyslog forwarder config to new syntax iss

Posted: Wed Oct 13, 2021 4:42 pm
by ssax
This worked for me:

global(
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)

*.* action(type="omfwd"
    queue.filename="FwdRule01"
    queue.highWatermark="8000"
    queue.lowWatermark="2000"
    queue.maxDiskSpace="1g"
    #queue.saveOnShutdown="on"
    queue.type="Linkedlist"
    action.resumeRetryCount="-1"
    target="2001:4888:a03:3161:c0:9:0:100"
    port="5544"
    protocol="tcp"
)

What does /var/log/messages show when you restart the rsyslog service?

Re: Convert basic rsyslog forwarder config to new syntax iss

Posted: Wed Oct 13, 2021 6:11 pm
by gormank
I switched to the config you posted above and it is sending logs to NLS. I'm happy but a bit confused since not much is different.
Here are the messages when rsyslog is restarted.

Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 2001:4888:a03:3161:c0:9::100:5544 [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2027 ]
Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2007 ]
Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2359 ]
Oct 13 22:50:01 solktxeshsc-v-pieoamx-01 systemd[1]: Removed slice User Slice of root.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Stopping System Logging Service...
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[9780]: [origin software="rsyslogd" swVersion="8.1911.0-7.el7at" x-pid="9780" x-info="https://www.rsyslog.com"] exiting on signal 15.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Stopped System Logging Service.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Starting System Logging Service...
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2222 ]
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: error during parsing file /etc/rsyslog.d/syslog.forward.new.format.conf, on or before line 14: parameter 'workdirectory' specified more than once - one instance is ignored. Fix config [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2207 ]
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 systemd[1]: Started System Logging Service.
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: error during parsing file /etc/rsyslog.d/syslog.forward.new.format.conf, on or before line 14: parameter 'workDirectory' not known -- typo in config file? [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2207 ]
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: [origin software="rsyslogd" swVersion="8.1911.0-7.el7at" x-pid="31212" x-info="https://www.rsyslog.com"] start
Oct 13 22:50:27 solktxeshsc-v-pieoamx-01 rsyslogd[31212]: imjournal: journal files changed, reloading...  [v8.1911.0-7.el7at try https://www.rsyslog.com/e/0 ]

workdirectory is a global already set in the default /etc/rsyslog.conf. I commented it so that message is gone.

It doesn't like SystemLogSocketName which comes from listen.conf, and I'm not sure if listen.conf should be removed or what.
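
A triage pass over rsyslogd diagnostics of the kind shown in the post above, added here as an example that is not part of the original thread: it extracts config parse errors and flags forwarding actions that were suspended and never resumed, which is how a forwarder goes quiet without an obvious failure. The host name `host1` and the second, never-resumed action are constructed sample data; the message shapes and error codes are the ones in the log above.

```python
import re
from collections import Counter

# Constructed sample: message shapes copied from the thread; the host name and
# the second (never resumed) action are made up for the demonstration.
SAMPLE = """\
Oct 13 22:50:01 host1 rsyslogd[9780]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2007 ]
Oct 13 22:50:01 host1 rsyslogd[9780]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2359 ]
Oct 13 22:50:27 host1 systemd[1]: Starting System Logging Service...
Oct 13 22:50:27 host1 rsyslogd[31212]: error during parsing file /etc/rsyslog.d/syslog.forward.new.format.conf, on or before line 14: parameter 'workdirectory' specified more than once - one instance is ignored. Fix config [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2207 ]
Oct 13 22:51:10 host1 rsyslogd[31212]: action 'action-1-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. [v8.1911.0-7.el7at try https://www.rsyslog.com/e/2007 ]
"""

# rsyslogd diagnostics end with "[v<version> try https://www.rsyslog.com/e/<code> ]"
RSYSLOG_RE = re.compile(
    r"rsyslogd\[(?P<pid>\d+)\]: (?P<msg>.*?)\s*"
    r"\[v\S+ try https://www\.rsyslog\.com/e/(?P<code>\d+) \]\s*$"
)
PARSE_ERR_RE = re.compile(
    r"error during parsing file (?P<file>\S+), on or before line (?P<line>\d+): (?P<detail>.*)"
)
ACTION_RE = re.compile(r"action '(?P<name>[^']+)' (?P<state>suspended|resumed)")


def triage(text):
    """Summarise rsyslogd diagnostics: config errors, codes, stuck actions."""
    codes, config_errors, state = Counter(), [], {}
    for line in text.splitlines():
        m = RSYSLOG_RE.search(line)
        if not m:
            continue  # not an rsyslogd diagnostic (systemd, other daemons)
        codes[m["code"]] += 1
        msg = m["msg"]
        if (e := PARSE_ERR_RE.match(msg)):
            config_errors.append((e["file"], int(e["line"]), e["detail"]))
        elif (a := ACTION_RE.match(msg)):
            # A restart starts a new PID, so track state per (pid, action).
            state[(m["pid"], a["name"])] = a["state"]
    stuck = sorted(k for k, v in state.items() if v == "suspended")
    return {"codes": dict(codes), "config_errors": config_errors, "stuck": stuck}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```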

Re: Convert basic rsyslog forwarder config to new syntax iss

Posted: Thu Oct 14, 2021 3:53 pm
by ssax
I had to comment this one out from yours on my version:

#queue.saveOnShutdown="on"

I think this is what you would need to do for the listen.conf:

input(type="imuxsock" socket="/run/systemd/journal/syslog")

https://lists.ubuntu.com/archives/ubunt ... 90443.html

Re: Convert basic rsyslog forwarder config to new syntax iss

Posted: Mon Oct 18, 2021 11:34 am
by gormank
Thanks. Feel free to lock this one.