Hi Arya,
This is completed my rsyslog configuration:
I also tried many ways, but did not discard.
$ModLoad impstats.so
$PStatsInterval 300
syslog.info /var/log/rsyslog-stats
#--------------------------------------------------This line is comment
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#--------------------------------------------------This line is comment
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerAddress * # all local interfaces
$UDPServerRun 514 # start UDP server (log server receiver)
#--------------------------------------------------This line is comment
$ModLoad imtcp.so # provides TCP syslog reception and GSS-API (if compiled)
$InputTCPServerRun 514 # start TCP server (log server receiver)
#--------------------------------------------------This line is comment
$ModLoad imrelp.so # RELP input
$InputRELPServerRun 20514 # start RELP Protocol
#--------------------------------------------------This line is comment
$ModLoad imfile.so # Text file input
$InputFileName /var/log/i-am-a-text-file.log
$InputFileTag my-text-file:
$InputFileStateFile stat-file1
$InputFileSeverity error
$InputFileFacility local7
$InputFilePollInterval 10 # check for new lines every 10 seconds
$InputRunFileMonitor
#--------------------------------------------------This line is comment
$ModLoad ommysql.so # Log to MySQL
#--------------------------------------------------This line is comment
$ModLoad omrelp.so # Send to another host via RELP
# Globals -----------------------------------------This line is comment
$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/log/rsyslog # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName queue # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$MainMsgQueueMaxFileSize 100M
$ActionQueueMaxFileSize 5M
# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
# a template useful for debugging format issues
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventID) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
####Discard Message
:msg, contains, "861: NT AUTHORITY\SYSTEM:" ~
:msg, !contains, "861: NT AUTHORITY\SYSTEM:" ~
:msg, startswith, "861: NT AUTHORITY\SYSTEM:" ~
# Store all log files in MySQL DB :
*.*
mmysql:127.0.0.1,Syslog,rsyslog,mypassword
#--------------------------------------------------This line is comment
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console;TraditionalFileFormat
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages;TraditionalFormat
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#--------------------------------------------------This line is comment
$IncludeConfig /etc/rsyslog.d/*.conf[/I]
Where i am wrong, how to confifure it???
Any help is appreciate.
Best regards,