Rsyslog templates are not working after migrating to Rocky 8

Hey,

I have a server that was migrated to Rocky 8 from CentOS 7. We are using rsyslog within the server to get logs in a path. The template was working fine in CentOS 7 and stopped working in Rocky 8.

template path /etc/rsyslog.conf
$template RemoteLogs,“/var/log/servicelog/%syslogtag%/remote-%$YEAR%-%$MONTH%-%$DAY%.log”
*.* ?RemoteLogs

The logs were coming like this:
/var/log/servicelog/[service-name]/remote-2024-08-22.log

But in Rocky 8 the logs are coming in this path:
/var/log/servicelog/remote-2024-08-22.log

When I run this command, it shows me the syslogtag correctly:
awk '{print $5}' /var/log/messages | sed -r 's/([[0-9]{1,6}])?://g' | sort | uniq

I also checked the log /var/log/rsyslog-debug.log and it says:

strm 0x7f223c00d6e0: stream.c: strmFlushinternal: file 19(/var/log/servicelog/java/remote-2024-08-22.log) flush, buflen 265

Can someone suggest what to do?

I’m not sure why your %syslogtag% portion isn’t working exactly. I haven’t used the legacy format in a long time, so it’s not clear where the issue may be, whether it’s client or server side of rsyslog, and I don’t know if using %programname% would maybe help. I would try using that instead and see if that maybe helps.

As an aside, what I would suggest though is to move to the advanced template format, as a lot of what we’re used to from EL7 and older is considered obsolete in rsyslog.

Here is an example. Below I’m using the advanced format with template, ruleset, and input. I also use programname instead of syslogtag mainly because it parses syslogtag and makes it show up more cleanly.

[root@router remote]# cat /etc/rsyslog.d/00_collect.conf
module(load="imtcp")
module(load="imudp")

template(name="TmplAuth" type="string" string="/var/log/remote/%programname%/%FROMHOST%-secure.log")

template(name="TmplMsg" type="string" string="/var/log/remote/%programname%/%FROMHOST%-messages.log")

# Adding this ruleset to process remote messages
ruleset(name="remote_1_log"){
  authpriv.*                               action(type="omfile" DynaFile="TmplAuth")
  *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
}

input(type="imtcp" port="514" ruleset="remote_1_log")
input(type="imudp" port="514" ruleset="remote_1_log")

My forwarder, I just do this.

[root@xmpp01 ~]# cat /etc/rsyslog.d/send.conf
*.* action(type="omfwd"
           target="10.100.0.1"
           port="514"
           protocol="udp"
           action.resumeRetryCount="100"
           queue.type="LinkedList"
           queue.size="1000")

With these configurations, this is what appears for me on my receiver.

[root@router remote]# pwd
/var/log/remote
[root@router remote]# ll
total 0
drwx------. 2 root root 55 Aug 22 01:07 rsyslogd
drwx------. 2 root root 53 Aug 22 01:07 sshd
drwx------. 2 root root 55 Aug 22 01:07 systemd
drwx------. 2 root root 55 Aug 22 01:07 systemd-logind
[root@router remote]# find .
.
./systemd
./systemd/xmpp01.example.com-messages.log
./rsyslogd
./rsyslogd/xmpp01.example.com-messages.log
./sshd
./sshd/xmpp01.example.com-secure.log
./systemd-logind
./systemd-logind/xmpp01.example.com-messages.log

Thanks for your reply

I tried this approach, but the result is the same: it’s not reading the programname as well.

The config is as below:

module(load=“imtcp”)
module(load=“imudp”)

template(name=“TmplAuth” type=“string” string=“/var/log/remote/%programname%/remote-%$YEAR%-%$MONTH%-%$DAY%-secure.log”)

template(name=“TmplMsg” type=“string” string=“/var/log/remote/%programname%/remote-%$YEAR%-%$MONTH%-%$DAY%-messages.log”)

# Adding this ruleset to process remote messages

ruleset(name=“remote_1_log”){
authpriv.* action(type=“omfile” DynaFile=“TmplAuth”)
*.info;mail.none;authpriv.none;cron.none action(type=“omfile” DynaFile=“TmplMsg”)
}

but the logs are coming in

ll /var/log/remote/remote-2024-08-22-messages.log

-rw-r--r--. 1 root root 6329 Aug 22 08:36 /var/log/remote/remote-2024-08-22-messages.log

Well, I may be completely wrong here, but your quotes look weird to me. Like those forced by M$ in their ‘word’ text editor. I see in your post:

and I think the correct syntax is:
"

Again - just an observation :)
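
The quote observation in the reply above can be checked mechanically. The following is an added example, not code from any poster in this thread: a Python check that reports typographic quotes, dashes and other non-ASCII characters in rsyslog configuration text outside whole-line comments, and produces an ASCII-normalized copy. The sample config is constructed from lines in this thread, and the function names are hypothetical.

```python
import unicodedata

# ASCII equivalents for characters that word processors and web forms
# commonly substitute into pasted configuration.
ASCII_FOR = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",                   # curly single quotes
    "\u2013": "-", "\u2014": "-",                   # en dash, em dash
    "\u00a0": " ",                                  # no-break space
}

def find_non_ascii(config_text):
    """Return (line, column, unicode_name, suggested_ascii) for every
    non-ASCII character outside whole-line '#' comments."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # simplification: only whole-line comments are skipped
        for col, ch in enumerate(line, 1):
            if ord(ch) > 127:
                name = unicodedata.name(ch, "UNNAMED")
                hits.append((line_no, col, name, ASCII_FOR.get(ch)))
    return hits

def normalize(config_text):
    """Return a copy with the known typographic characters made ASCII."""
    return config_text.translate(str.maketrans(ASCII_FOR))

# Constructed sample: lines 1 and 4 carry curly quotes, line 3 is clean.
SAMPLE = (
    'module(load=\u201cimtcp\u201d)\n'
    '# Adding this ruleset to process remote messages\n'
    'template(name="TmplMsg" type="string" '
    'string="/var/log/remote/%programname%/remote-messages.log")\n'
    'ruleset(name=\u201cremote_1_log\u201d){\n'
)

if __name__ == "__main__":
    for line_no, col, name, ascii_char in find_non_ascii(SAMPLE):
        print(f"line {line_no}, col {col}: {name} -> use {ascii_char!r}")
    print(normalize(SAMPLE), end="")
```

After normalizing, `rsyslogd -N1` validates the configuration syntax before the service is restarted.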
