Is there a way to bind a ruleset to the default system log socket?


deoren
Hi,

If I want to use a ruleset named "local" for an input that handles the
default local unix socket, how would I define the module and input
entries to reflect that?

I thought this would do it:

module(load="imuxsock")
input(type="imuxsock" ruleset="local")

but rsyslog complains like so:

 > error during parsing file /etc/rsyslog.conf, on or before line 174:
parameter 'socket' required but not specified - fix config
 > imuxsock: required parameter are missing  [v8.27.0 try
http://www.rsyslog.com/e/2211

I've tried different variations, but I think I'm missing the obvious.

Looking around, I see that #765 added ruleset support for the imuxsock
module. The tests/testsuites/imuxsock_logger_ruleset.conf file from the
related commit[1] has this example conf block:

module(load="../plugins/imuxsock/.libs/imuxsock" sysSock.use="off")
input( type="imuxsock" socket="testbench_socket"
        useSpecialParser="off"
        ruleset="testruleset"
        parseHostname="on")

I looked over the documentation[2] and I see 'Socket' underneath the
Input Parameters section. I see this description for that option:

 > Socket <name-of-socket> adds additional unix socket, default none

I attempted to add that option to the input definition, but evidently I
have the syntax wrong. I'm really not trying to set up a new socket, just
tie a ruleset to the input.

Thanks for reading this.

[1]
https://github.com/rsyslog/rsyslog/commit/16db662d9fac0f9636eea873d690a629641be5bc#diff-dfb2a8c075f712e3d922afa06ee6ad93

[2] http://www.rsyslog.com/doc/v8-stable/configuration/modules/imuxsock.html
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: Is there a way to bind a ruleset to the default system log socket?

David Lang
Unfortunately, this is a gap in rsyslog's capabilities. What you can do is
assign a ruleset to all remote inputs, and then what's left is the /dev/log
(and rsyslog internal) logs.

You can also test the input of a log message and call a ruleset.

Re: Is there a way to bind a ruleset to the default system log socket?

rsyslog-users mailing list
In reply to this post by deoren
Well, you have to specify on which socket imuxsock will listen,
otherwise it cannot know where to listen. You are not creating any
socket by this, unless you explicitly configure otherwise. I would blame
the rsyslog documentation here for not mentioning this (if I am mistaken
please correct me) I will open a PR to fix it when I find time for it.
By default you probably want to listen on something like "/dev/log",
with this parameter the input should work, and you should be able to
specify ruleset for each imuxsock input.

Something like 'input(type="imuxsock" ruleset="local"
Socket="/dev/log")' should work for you.


On 07/11/2017 09:07 AM, deoren wrote:

> Hi,
>
> If I want to use a ruleset named "local" for an input that handles the
> default local unix socket, how would I define the module and input
> entries to reflect that?
>
> I thought this would do it:
>
> module(load="imuxsock")
> input(type="imuxsock" ruleset="local")
>
> but rsyslog complains like so:
>
> > error during parsing file /etc/rsyslog.conf, on or before line 174:
> parameter 'socket' required but not specified - fix config
> > imuxsock: required parameter are missing  [v8.27.0 try
> http://www.rsyslog.com/e/2211
>
> I've tried different variations, but I think I'm missing the obvious.
>
> Looking around, I see that #765 added ruleset support for the imuxsock
> module. The tests/testsuites/imuxsock_logger_ruleset.conf file from
> the related commit[1] has this example conf block:
>
> module(load="../plugins/imuxsock/.libs/imuxsock" sysSock.use="off")
> input(    type="imuxsock" socket="testbench_socket"
>     useSpecialParser="off"
>     ruleset="testruleset"
>     parseHostname="on")
>
> I looked over the documentation[2] and I see 'Socket' underneath the
> Input Parameters section. I see this description for that option:
>
> > Socket <name-of-socket> adds additional unix socket, default none
>
> I attempted to add that option to the input definition, but evidently
> I have the syntax wrong. I'm really not trying to set up a new socket,
> just tie a ruleset to the input.
>
> Thanks for reading this.
>
> [1]
> https://github.com/rsyslog/rsyslog/commit/16db662d9fac0f9636eea873d690a629641be5bc#diff-dfb2a8c075f712e3d922afa06ee6ad93
>
> [2]
> http://www.rsyslog.com/doc/v8-stable/configuration/modules/imuxsock.html

--
Jiří Vymazal
Software Engineer
RedHat, Inc.

Re: Is there a way to bind a ruleset to the default system log socket?

deoren
In reply to this post by David Lang
On 7/11/17 2:59 AM, David Lang wrote:
> unfortunately, this is a gap in rsyslog's capabilities. What you can do
> is assign a ruleset to all remote inputs, and then what's left is the
> /dev/log (and rsyslog internal) logs
>
> you can also test the input of a log message and call a ruleset

Thanks. I called myself assigning a ruleset to all remote inputs, but
believed I had found log entries from remote systems in local files. I
suspected when I saw it that I have an error in my configuration
somewhere, but haven't spent the time to track it down yet.

I checked just now and couldn't find any occurrence in the recent local
logs on the remote rsyslog receiver, so it's likely it was a momentary
issue due to a configuration mistake.

Re: Is there a way to bind a ruleset to the default system log socket?

deoren
In reply to this post by rsyslog-users mailing list
On 7/11/17 3:36 AM, Jiří Vymazal via rsyslog wrote:
> Well, you have to specify on which socket imuxsock will listen,
> otherwise it cannot know where to listen. You are not creating any
> socket by this, unless you explicitly configure otherwise.

I guess I incorrectly assumed that these two entries would set up a
default socket since I didn't specify one:

module(load="imuxsock")
input(type="imuxsock" ruleset="local")

It only seems to be an issue when I specify the ruleset option. If I
leave the entry just as 'input(type="imuxsock")' rsyslog seems to be
happy to apply default settings.


> I would blame
> the rsyslog documentation here for not mentioning this (if I am mistaken
> please correct me) I will open a PR to fix it when I find time for it.

Awesome, thank you.

> By default you probably want to listen on something like "/dev/log",
> with this parameter the input should work, and you should be able to
> specify ruleset for each imuxsock input.
>
> Something like 'input(type="imuxsock" ruleset="local"
> Socket="/dev/log")' should work for you.

Thanks. Pretending that I am not attempting to apply a ruleset, are
these two lines equivalent:

input(type="imuxsock" Socket="/dev/log" ruleset="local")
input(type="imuxsock")

In other words, will explicitly specifying /dev/log leave out some other
messages that would ordinarily be picked up by not specifying a socket
and allowing rsyslog to automatically apply those settings?

Re: Is there a way to bind a ruleset to the default system log socket?

rsyslog-users mailing list
On 07/11/2017 03:31 PM, deoren wrote:

> On 7/11/17 3:36 AM, Jiří Vymazal via rsyslog wrote:
>> Well, you have to specify on which socket imuxsock will listen,
>> otherwise it cannot know where to listen. You are not creating any
>> socket by this, unless you explicitly configure otherwise.
>
> I guess I incorrectly assumed that these two entries would set up a
> default socket since I didn't specify one:
>
> module(load="imuxsock")
> input(type="imuxsock" ruleset="local")
>
> It only seems to be an issue when I specify the ruleset option. If I
> leave the entry just as 'input(type="imuxsock")' rsyslog seems to be
> happy to apply default settings.
Well... this might actually be a bug in imuxsock... or somewhere else;
another note to backlog :-) .

>
>
>> I would blame the rsyslog documentation here for not mentioning this
>> (if I am mistaken please correct me) I will open a PR to fix it when
>> I find time for it.
>
> Awesome, thank you.
>
>> By default you probably want to listen on something like "/dev/log",
>> with this parameter the input should work, and you should be able to
>> specify ruleset for each imuxsock input.
>>
>> Something like 'input(type="imuxsock" ruleset="local"
>> Socket="/dev/log")' should work for you.
>
> Thanks. Pretending that I am not attempting to apply a ruleset, are
> these two lines equivalent:
>
> input(type="imuxsock" Socket="/dev/log" ruleset="local")
> input(type="imuxsock")
>
> In other words, will explicitly specifying /dev/log leave out some
> other messages that would ordinarily be picked up by not specifying a
> socket and allowing rsyslog to automatically apply those settings?
TBH that depends on a few things, mainly on where and how your
specific rsyslog was built. By default imuxsock considers "/var/run/log" on
BSD and "/dev/log" elsewhere its default socket to listen on. But the
'_PATH_LOG' variable can be overridden during build, so I cannot
guarantee this. Other things are systemd and journal; I am not exactly
sure how it works, but in the end things like "run/systemd/journal" can
end up being listened to (provided that they exist). That is about all that can
be considered default.

--
Jiří Vymazal
Software Engineer
RedHat, Inc.
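
The two approaches suggested in this thread, combined into one configuration. This is an added example, not configuration posted by any participant or taken from the rsyslog project; the file paths, the imtcp listener on port 514 and the "remote" ruleset name are assumptions.

```rsyslog
# Added example; file paths, port 514 and the "remote" ruleset are assumptions.

# sysSock.use="off" (the module parameter from the testbench config quoted in
# the thread) keeps imuxsock from also opening its built-in system socket,
# so /dev/log is opened only by the explicit input() below.
module(load="imuxsock" sysSock.use="off")
module(load="imtcp")

# Rulesets are defined before the inputs and the call statement that use them.
ruleset(name="local") {
    action(type="omfile" file="/var/log/local-messages.log")
}

ruleset(name="remote") {
    action(type="omfile" file="/var/log/remote-messages.log")
}

# Jiří Vymazal's suggestion: name the socket so the input can carry a ruleset.
# The last reply notes that the default path is build-dependent
# ("/var/run/log" on BSD) and that systemd and the journal can affect it;
# confirm the path on the host before relying on "/dev/log".
input(type="imuxsock" socket="/dev/log" ruleset="local")
input(type="imtcp" port="514" ruleset="remote")

# Default ruleset: receives only messages from inputs with no ruleset bound,
# such as rsyslog's internal messages. David Lang's second suggestion (test
# the input, then call a ruleset) is used here as a safety net: a TCP message
# arriving unbound goes to its own file instead of the local logs.
if $inputname == "imtcp" then {
    action(type="omfile" file="/var/log/misrouted-remote.log")
} else {
    call local
}
```

Running rsyslogd -N1 checks the configuration without starting the daemon. Any entry in the misrouted file means a TCP input was defined without a ruleset, which is the kind of mistake that puts remote entries into local files.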
