Rsyslog configuration
Hi Guys,
I would like to check on how to add some information to the rsyslog output. Currently, below is the log I get:

Code:
Apr 13 13:28:46 bigip1 err iControlPortal.cgi[15479]: Checking for FIPS card.. FIPS open failed.
Apr 13 13:30:01 bigip1 err sSMTP[17636]: Unable to locate mail
Apr 13 13:30:01 bigip1 err sSMTP[17636]: Cannot open mail:25
Apr 13 14:00:01 bigip1 err sSMTP[17774]: Unable to locate mail
Apr 13 14:00:01 bigip1 err sSMTP[17774]: Cannot open mail:25
Apr 13 14:30:01 bigip1 err sSMTP[18031]: Unable to locate mail
Apr 13 14:30:01 bigip1 err sSMTP[18031]: Cannot open mail:25
Apr 13 14:31:47 bigip1 err iControlPortal.cgi[15479]: Checking for FIPS card.. FIPS open failed.
Apr 13 14:31:47 bigip1 err iControlPortal.cgi[15479]: Checking for FIPS card.. FIPS open failed.
Apr 13 14:31:47 bigip1 err iControlPortal.cgi[15479]: Checking for FIPS card.. FIPS open failed.

I don't know which device the log is being sent from. I would like to add the IP of the source device into the info. Below is my configuration file.

Code:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.err                                                /var/log/kernel.log

# Log anything (except mail) of level info or higher.
#*.info;mail.none;authpriv.none;cron.none
# *.=cri, *.=alert, *.=emerg
*.error;authpriv.none;cron.none                         /var/log/rsyslog.log

# The authpriv file has restricted access.
authpriv.*                                              /var/log/server.log

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 /var/log/rsyslog.log

# Save news errors of level crit and higher in a special file.
uucp,news.warn                                          /var/log/server.log

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

# A template to for higher precision timestamps + severity logging
#$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
#:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl

Rsyslog version:

Code:
[root@zabsrv zabbix]# rsyslogd -version
rsyslogd 7.6.7, compiled with:
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

Thank you very much in advance.
Quote:
Code:
Apr 10 03:10:15 syslog anacron[11484]: Normal exit (1 job run)

Now, if you want to convert that DNS name to an IP, there might be some sort of configuration thing you can do within rsyslog.conf.
Hi Wells,
Yeah, you are right. bigip1 is actually the hostname of the F5 (I just joined the company and don't know the hostname of every device). However, I checked through the rsyslog config file and did not find any line related to the output. Now I would like to add the IP of the source device as well, if possible. If anyone else has any idea on this, please help. Thank you very much.

Rsyslog.conf:

Code:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

#Discarding the message with particular words

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.err                                                /var/log/kernel.log

# Log anything (except mail) of level info or higher.
#*.info;mail.none;authpriv.none;cron.none
# *.=cri, *.=alert, *.=emerg
*.error;authpriv.none;cron.none                         /var/log/rsyslog.log

# The authpriv file has restricted access.
authpriv.*                                              /var/log/server.log

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 /var/log/rsyslog.log

# Save news errors of level crit and higher in a special file.
uucp,news.warn                                          /var/log/server.log

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

# A template to for higher precision timestamps + severity logging
#$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
#:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl

#$template verbose, "%syslogseverity%, %syslogfacility%, %timegenerated%, %HOSTNAME%, %msg%\n"
Quote:
you start editing /etc/hosts: <ip_of_bigip1> bigip1

Reasons being, in my experience, editing /etc/hosts does require that you find the current IP of bigip1, and it puts the responsibility squarely on you to construct a working template file for rsyslog to process %HOSTNAME to %FROMHOST-IP.

Good Luck!
Hi,
I managed to find out how to add the source IP into the msg. :)

I changed the template at the line $ActionFileDefaultTemplate. By default it uses RSYSLOG_TraditionalFileFormat, and below is that template's format:

Code:
"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

So, I created a template with the info I need and assigned it to $ActionFileDefaultTemplate. Below is the example.

Code:
$template TestSyslog, "%syslogseverity%, %syslogfacility%, %timegenerated%, %fromhost-ip% ,%HOSTNAME%, %msg%\n"
$ActionFileDefaultTemplate TestSyslog

For those who want to change the format like me, you may refer to the link below:
https://access.redhat.com/documentat...f_rsyslog.html

Thanks everyone who helped :)
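As an added example (not from the thread), here is a small Python parser for lines written with the TestSyslog template above; it also cross-checks the sender's claimed %HOSTNAME% against the %fromhost-ip% rsyslog actually received the message from, which is the point of adding that field. The sample lines, the addresses and the hostname-to-IP inventory are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Field order of the thread's TestSyslog template:
#   "%syslogseverity%, %syslogfacility%, %timegenerated%, %fromhost-ip% ,%HOSTNAME%, %msg%\n"
# The comma before %HOSTNAME% has a stray space in front of it, so every field is stripped.

@dataclass
class Record:
    severity: int      # 0 (emerg) .. 7 (debug)
    facility: int      # 0 (kern) .. 23 (local7)
    timegenerated: str # when rsyslog received the message, not the sender's own timestamp
    fromhost_ip: str   # peer rsyslog received from; 127.0.0.1 for locally generated messages
    hostname: str      # HOSTNAME field exactly as the sender wrote it
    msg: str

def parse_testsyslog_line(line: str) -> Record:
    parts = line.rstrip("\n").split(",", 5)  # %msg% may contain commas: at most 6 fields
    if len(parts) != 6:
        raise ValueError(f"expected 6 comma-separated fields, got {len(parts)}: {line!r}")
    sev, fac, ts, ip, host, msg = (p.strip() for p in parts)
    ipaddress.ip_address(ip)  # ValueError if the field is not a valid IPv4/IPv6 address
    return Record(int(sev), int(fac), ts, ip, host, msg)

# Constructed sample lines (documentation addresses, not the thread's network): two from
# bigip1, one local cron line, and one that claims to be bigip1 but arrived from elsewhere.
SAMPLE_LINES = [
    "3, 16, Apr 13 14:31:47, 192.0.2.10 ,bigip1, iControlPortal.cgi[15479]: Checking for FIPS card.. FIPS open failed.",
    "3, 2, Apr 13 13:30:01, 192.0.2.10 ,bigip1, sSMTP[17636]: Cannot open mail:25",
    "6, 9, Apr 13 13:35:00, 127.0.0.1 ,zabsrv, CROND[2001]: (root) CMD (run-parts /etc/cron.hourly)",
    "3, 16, Apr 13 14:40:00, 198.51.100.7 ,bigip1, iControlPortal.cgi[15479]: Checking for FIPS card.. FIPS open failed.",
]

# Assumed inventory kept by the administrator: hostname -> expected source IP.
EXPECTED_SOURCE = {"bigip1": "192.0.2.10"}

def find_source_mismatches(lines, expected=EXPECTED_SOURCE):
    """Return (hostname, fromhost_ip) pairs where a known hostname arrived from an
    unexpected peer. HOSTNAME is whatever the sender put in the packet; fromhost-ip is
    the address rsyslog really received from, so a mismatch points at a misconfigured
    device, NAT in the path, or a sender impersonating the device."""
    mismatches = []
    for line in lines:
        rec = parse_testsyslog_line(line)
        if rec.fromhost_ip == "127.0.0.1":
            continue  # local message: nothing to cross-check
        want = expected.get(rec.hostname)
        if want is not None and want != rec.fromhost_ip:
            mismatches.append((rec.hostname, rec.fromhost_ip))
    return mismatches
```

Over UDP (the $UDPServerRun 514 input in the thread's config) the peer address itself can be forged, so treat a mismatch as a lead to investigate rather than proof; the TCP input gives a more trustworthy fromhost-ip.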
Good job and Well done!
Can you mark this thread Solved in "Thread Tools" at the top right of the first post? Thanks.