Mailing List Archive: RSyslog: users

templates not working on second-hop relay?



gkra at unnerving

Oct 11, 2011, 5:38 PM

Post #1 of 4 (303 views)
templates not working on second-hop relay?

I'm currently using rsyslog 4.6.5, as packaged by IUS for CentOS 5.6.

I've replicated this problem on rsyslog 5.8.5, compiled from sources on CentOS 5.6 and Ubuntu 11.04.

I've been testing a configuration where there are two hops in my logging.

Basically, client -> local loghost -> archive loghost.

On the client, I'm using a template to add a tag to the start of the $msg property. On the servers, I then look for this tag for dynafile purposes, and use a second template to strip out the tag from $msg before it's written to file or passed to a database. On a simple client -> loghost setup, this works fine.

However, when I then added an archive loghost, which the local loghost relays everything to, none of the templates seem to be working.

The client config can be simplified to:

#---------------------------------------
$template SiteIDForwardFormat, "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%[SITE:datacenter/dev]%msg:R,ERE,3,FIELD::sp-if-no-1st-sp%%msg%"

*.* @@loghost:1514;SiteIDForwardFormat
#---------------------------------------

The loghost config is, essentially:

#---------------------------------------
$ModLoad imtcp.so
$InputTCPServerRun 1514

$CreateDirs on

$template SiteIDTaggedMsg, "%timestamp% %hostname% %syslogtag%%msg:R,ERE,3,FIELD:(\[SITE:([-/a-zA-Z0-9]+)\] ){0,1}(.*)$--end%\n"

$template SiteIDTaggedPath, "/data/syslog/logs/%msg:R,ERE,2,BLANK:(\[SITE:([-/a-zA-Z0-9]+)\] ){0,1}(.*)$--end%/%hostname:::secpath-replace%/%$year%/%$month%/syslog.log"

*.* ?SiteIDTaggedPath;SiteIDTaggedMsg

*.* @@logarchive
#---------------------------------------

For all intents and purposes, the archive loghost has the exact same config as the local loghost, sans the @@logarchive action.

On the local loghost, messages are being properly filed into the expected dynafile paths (/data/syslog/logs/datacenter/dev/hostname/year/month/syslog.log) and the "[SITE:something]" text is correctly removed from the messages written to the files.

On the archive loghost, however, the dynafiles are missing the site component (ending up as /data/syslog/logs/hostname/year/month/syslog.log), and all the messages in the files still have the "[SITE:something]" text prepended to the $msg property.

Why is the second (archive) loghost not able to properly parse the messages with the templates? Am I missing something, or is the relay step munging the event in such a way that the EREs are no longer working as I think they should?

Thanks for any help,

Gregory

--
Gregory K. Ruiz-Ade <gkra [at] unnerving>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com


david at lang

Oct 11, 2011, 10:07 PM

Post #2 of 4 (298 views)
Re: templates not working on second-hop relay? [In reply to]

On Tue, 11 Oct 2011, Gregory K. Ruiz-Ade wrote:

> [Post #1 quoted in full]

I think that what you end up doing is manipulating the logfile too much on
the relay system.

Make a temporary output file on the relay system to log with the debug
format (RSYSLOG_DEBUG IIRC) and you will see everything that is arriving,
then decide if you need to manipulate it more before sending it on to the
archive server.

Remember that each step in the process is working with what it was sent,
not what the software originally wrote to the log.

David Lang


gkra at unnerving

Oct 12, 2011, 10:51 AM

Post #3 of 4 (302 views)
Re: templates not working on second-hop relay? [In reply to]

On Tue, Oct 11, 2011 at 10:07:41PM -0700, david [at] lang wrote:

> I think that what you end up doing is manipulating the logfile too
> much on the relay system.

The only manipulations which should be happening on the relay system
should be limited to the file writing action, using the dynafile
template and the format template. The following action relaying to the
archive server should have no manipulations applied.

> make a temporary output file on the relay system to log with the
> debug format (RSYSLOG_DEBUG IIRC) and you will see everything that
> is arriving, then decide if you need to manipulate it more before
> sending it on to the archive server.

I'm setting this up on my relay server right now. Hopefully you're right
and the answer will jump out at me. :)

> remember that each step in the process is working with what it was
> sent, not what the software originally wrote to the log.

Right, so the relay server should contain the modified $msg format sent
from the client, and since the relay action itself (*.* @@logarchive)
contains no further manipulations, it *should* just pass through as-is,
without further manipulations...

At any rate, to the debugging logfile I go!

Thanks,

Gregory

--
Gregory K. Ruiz-Ade <gkra [at] unnerving>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu


gkra at unnerving

Oct 12, 2011, 4:40 PM

Post #4 of 4 (302 views)
Re: templates not working on second-hop relay? [In reply to]

Okay, the solution was actually simpler than I thought.

Basically, on the loghost that was relaying to an archive logger, I
needed to define a custom template for the relaying, which would ensure
the syslog events would be sent out exactly as they were coming in. This
ended up being rather simple.

The original template from the rsyslog clients is:

$template SiteIDForwardFormat, "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%[SITE:sitename]%msg:::sp-if-no-1st-sp%%msg%"

To forward these properly and unmolested to the archive loghost, I
needed to run them through this template on the relay host:

$template SiteIDRelayFormat, "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg%"

Then, the relay action was split up into a couple actions to make sure
things were forwarded correctly to the archive loghost:

:msg, startswith, "[SITE:" @@logarchive:1514;SiteIDRelayFormat
:msg, !startswith, "[SITE:" @@logarchive:1514;SiteIDForwardFormat

I.e., anything that's already tagged gets relayed with the relay format,
and anything that's not has the tag added and is forwarded on.

Thanks for the suggestion of the debug log; running both the relay and
the archiver with debug logging is what led me to the solution.

Gregory

--
Gregory K. Ruiz-Ade <gkra [at] unnerving>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
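The following is an added example, not code from the thread or from the rsyslog project. It models just enough of rsyslog's behaviour to reproduce the symptom from Post #1 and the fix from Post #4, and it encodes my reading of why the fix works, which the posters never spell out: a bare `*.* @@logarchive` action forwards with rsyslog's default traditional forward template, whose `sp-if-no-1st-sp` option inserts a space before `%msg%` when the message has none. After the client's template, the relay's `msg` starts with `[SITE:`, so the default forward puts a space in front of it; the archive host then parses `msg` as ` [SITE:...] ...`, the optional group in the ERE fails at position 0, the site capture comes back empty and the tag is never stripped. `SiteIDRelayFormat` omits the option, so `msg` crosses the second hop untouched. Assumptions of mine: the default forward template, the RFC3164 tag/msg split (tag ends at the first `:` or space, the colon kept in the tag and a terminating space left in `msg`), and all host names, tags and message text, which are constructed. The containment check at the end is an added caveat: both the `[SITE:...]` value and the hostname used in the dynafile path come from whatever the client sends.

```python
# Added example (not from the thread). Model of the rsyslog behaviour the two-hop
# setup depends on. Assumptions, mine: a bare "@@host" action sends
# RSYSLOG_TraditionalForwardFormat (tag, sp-if-no-1st-sp, msg); the receiver's
# RFC3164 parser ends syslogtag at the first ':' (kept) or space (left in msg).
# Host, tag and message text below are constructed sample data.
import os
import re
from dataclasses import dataclass

BASE = "/data/syslog/logs"
# The ERE used by the SiteIDTaggedMsg / SiteIDTaggedPath templates in the thread.
SITE_ERE = re.compile(r"(\[SITE:([-/a-zA-Z0-9]+)\] ){0,1}(.*)$")

@dataclass
class Event:
    pri: int
    timestamp: str
    hostname: str
    syslogtag: str
    msg: str

def parse_rfc3164(line):
    """Receiver side: split a line the way rsyslog's legacy RFC3164 parser does."""
    m = re.match(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    pri, ts, host, rest = m.groups()
    i = 0
    while i < len(rest) and rest[i] not in ": ":
        i += 1
    if i < len(rest) and rest[i] == ":":
        i += 1  # the colon stays in the tag; a terminating space stays in msg
    return Event(int(pri), ts, host, rest[:i], rest[i:])

def sp_if_no_1st_sp(msg):
    """The %msg:::sp-if-no-1st-sp% property option."""
    return "" if msg.startswith(" ") else " "

def client_forward(ev, site):
    """SiteIDForwardFormat from the thread: tag, [SITE:x], sp-if-no-1st-sp, msg."""
    return "<%d>%s %s %s[SITE:%s]%s%s" % (ev.pri, ev.timestamp, ev.hostname,
                                          ev.syslogtag[:32], site,
                                          sp_if_no_1st_sp(ev.msg), ev.msg)

def traditional_forward(ev):
    """What a bare '*.* @@logarchive' action sends (assumed default template)."""
    return "<%d>%s %s %s%s%s" % (ev.pri, ev.timestamp, ev.hostname,
                                 ev.syslogtag[:32], sp_if_no_1st_sp(ev.msg), ev.msg)

def relay_forward(ev):
    """SiteIDRelayFormat from Post #4: tag then msg verbatim, no space inserted."""
    return "<%d>%s %s %s%s" % (ev.pri, ev.timestamp, ev.hostname,
                               ev.syslogtag[:32], ev.msg)

def site_of(msg):
    """%msg:R,ERE,2,BLANK:...--end%: the site name, or '' when the tag is absent."""
    m = SITE_ERE.search(msg)
    return (m.group(2) or "") if m else ""

def strip_site(msg):
    """%msg:R,ERE,3,FIELD:...--end%: msg with a leading [SITE:...] removed."""
    m = SITE_ERE.search(msg)
    return m.group(3) if m else msg

def secpath_replace(field):
    """%hostname:::secpath-replace%: slashes become underscores."""
    return field.replace("/", "_")

def dynafile_path(ev, year="2011", month="10"):
    """SiteIDTaggedPath; with an empty site the filesystem collapses the '//'."""
    return "%s/%s/%s/%s/%s/syslog.log" % (BASE, site_of(ev.msg),
                                          secpath_replace(ev.hostname), year, month)

def stays_under_base(path):
    """Site and hostname are client-supplied; confirm they cannot escape BASE."""
    return os.path.normpath(path).startswith(BASE + "/")

def two_hop(relay_template, site="datacenter/dev"):
    """Client -> relay -> archive; returns the Event each receiver parsed."""
    client_ev = Event(38, "Oct 11 17:38:00", "client01", "sshd[1234]:",
                      " Accepted publickey for gregory")  # constructed local event
    relay_ev = parse_rfc3164(client_forward(client_ev, site))
    archive_ev = parse_rfc3164(relay_template(relay_ev))
    return relay_ev, archive_ev

if __name__ == "__main__":
    for name, tmpl in (("default forward", traditional_forward),
                       ("SiteIDRelayFormat", relay_forward)):
        relay_ev, archive_ev = two_hop(tmpl)
        print("relay action using %s:" % name)
        for hop, ev in (("relay", relay_ev), ("archive", archive_ev)):
            print("  %-7s msg=%r -> site=%r file=%s" % (
                hop, ev.msg, site_of(ev.msg), os.path.normpath(dynafile_path(ev))))
```

Run as a script it prints the parsed `msg`, extracted site and resulting file for each hop under both relay templates, which is the same comparison David's debug-file suggestion gives you on a real box (the reserved template is `RSYSLOG_DebugFormat`, e.g. `*.* /var/log/rsyslog-debug.log;RSYSLOG_DebugFormat`). The ERE's character class `[-/a-zA-Z0-9]+` admits slashes but no dots, so a client cannot push a `..` through the site component, and `secpath-replace` neutralises slashes in the hostname; `stays_under_base` is the check to keep if you ever loosen either of those.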
