diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 16:27:18 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 16:27:18 +0000 |
commit | f7f20c3f5e0be02585741f5f54d198689ccd7866 (patch) | |
tree | 190d5e080f6cbcc40560b0ceaccfd883cb3faa01 /source/historical/multi_ruleset_legacy_format_samples.rst | |
parent | Initial commit. (diff) | |
download | rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.tar.xz rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.zip |
Adding upstream version 8.2402.0+dfsg.upstream/8.2402.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source/historical/multi_ruleset_legacy_format_samples.rst')
-rw-r--r-- | source/historical/multi_ruleset_legacy_format_samples.rst | 199 |
1 files changed, 199 insertions, 0 deletions
diff --git a/source/historical/multi_ruleset_legacy_format_samples.rst b/source/historical/multi_ruleset_legacy_format_samples.rst new file mode 100644 index 0000000..607f79f --- /dev/null +++ b/source/historical/multi_ruleset_legacy_format_samples.rst @@ -0,0 +1,199 @@ +Legacy Format Samples for Multiple Rulesets +=========================================== + +This chapter complements rsyslog's documentation of +:doc:`rulesets <../concepts/multi_ruleset>`. +While the base document focusses on RainerScript format, it +does not provide samples in legacy format. These are included +in this document. + +**Important:** do **not** use legacy ruleset definitions for new +configurations. Especially with rulesets, legacy format is extremely +hard to get right. The information in this page is included in order +to help you understand already existing configurations using the +ruleset feature. We even recommend to convert any such configs +to RainerScript format because of its increased robustness +and simplicity. + +Legacy ruleset support was available starting with version 4.5.0 +and 5.1.1. + +Split local and remote logging +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Let's say you have a pretty standard system that logs its local messages +to the usual bunch of files that are specified in the default +rsyslog.conf. As an example, your rsyslog.conf might look like this: + +:: + + # ... module loading ... + # The authpriv file has restricted access. + authpriv.* /var/log/secure + # Log all the mail messages in one place. + mail.* /var/log/maillog + # Log cron stuff + cron.* /var/log/cron + # Everybody gets emergency messages + *.emerg * + ... more ... + +Now, you want to add receive messages from a remote system and log these +to a special file, but you do not want to have these messages written to +the files specified above. The traditional approach is to add a rule in +front of all others that filters on the message, processes it and then +discards it: + +:: + + # ... module loading ... + # process remote messages + :fromhost-ip, isequal, "192.0.2.1" /var/log/remotefile + & ~ + # only messages not from 192.0.21 make it past this point + + # The authpriv file has restricted access. + authpriv.* /var/log/secure + # Log all the mail messages in one place. + mail.* /var/log/maillog + # Log cron stuff + cron.* /var/log/cron + # Everybody gets emergency messages + *.emerg * + ... more ... + +Note the tilde character, which is the discard action!. Also note that +we assume that 192.0.2.1 is the sole remote sender (to keep it simple). + +With multiple rulesets, we can simply define a dedicated ruleset for the +remote reception case and bind it to the receiver. This may be written +as follows: + +:: + + # ... module loading ... + # process remote messages + # define new ruleset and add rules to it: + $RuleSet remote + *.* /var/log/remotefile + # only messages not from 192.0.21 make it past this point + + # bind ruleset to tcp listener + $InputTCPServerBindRuleset remote + # and activate it: + $InputTCPServerRun 10514 + + # switch back to the default ruleset: + $RuleSet RSYSLOG_DefaultRuleset + # The authpriv file has restricted access. + authpriv.* /var/log/secure + # Log all the mail messages in one place. + mail.* /var/log/maillog + # Log cron stuff + cron.* /var/log/cron + # Everybody gets emergency messages + *.emerg * + ... more ... + +Here, we need to switch back to the default ruleset after we have +defined our custom one. This is why I recommend a different ordering, +which I find more intuitive. The sample below has it, and it leads to +the same results: + +:: + + # ... module loading ... + # at first, this is a copy of the unmodified rsyslog.conf + # The authpriv file has restricted access. + authpriv.* /var/log/secure + # Log all the mail messages in one place. + mail.* /var/log/maillog + # Log cron stuff + cron.* /var/log/cron + # Everybody gets emergency messages + *.emerg * + ... more ... + # end of the "regular" rsyslog.conf. Now come the new definitions: + + # process remote messages + # define new ruleset and add rules to it: + $RuleSet remote + *.* /var/log/remotefile + + # bind ruleset to tcp listener + $InputTCPServerBindRuleset remote + # and activate it: + $InputTCPServerRun 10514 + +Here, we do not switch back to the default ruleset, because this is not +needed as it is completely defined when we begin the "remote" ruleset. + +Now look at the examples and compare them to the single-ruleset +solution. You will notice that we do **not** need a real filter in the +multi-ruleset case: we can simply use "\*.\*" as all messages now means +all messages that are being processed by this rule set and all of them +come in via the TCP receiver! This is what makes using multiple rulesets +so much easier. + +Split local and remote logging for three different ports +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This example is almost like the first one, but it extends it a little +bit. While it is very similar, I hope it is different enough to provide +a useful example why you may want to have more than two rulesets. + +Again, we would like to use the "regular" log files for local logging, +only. But this time we set up three syslog/tcp listeners, each one +listening to a different port (in this example 10514, 10515, and 10516). +Logs received from these receivers shall go into different files. Also, +logs received from 10516 (and only from that port!) with "mail.\*" +priority, shall be written into a specif file and **not** be written to +10516's general log file. + +This is the config: + +:: + + # ... module loading ... + # at first, this is a copy of the unmodified rsyslog.conf + # The authpriv file has restricted access. + authpriv.* /var/log/secure + # Log all the mail messages in one place. + mail.* /var/log/maillog + # Log cron stuff + cron.* /var/log/cron + # Everybody gets emergency messages + *.emerg * + ... more ... + # end of the "regular" rsyslog.conf. Now come the new definitions: + + # process remote messages + + #define rulesets first + $RuleSet remote10514 + *.* /var/log/remote10514 + + $RuleSet remote10515 + *.* /var/log/remote10515 + + $RuleSet remote10516 + mail.* /var/log/mail10516 + & ~ + # note that the discard-action will prevent this messag from + # being written to the remote10516 file - as usual... + *.* /var/log/remote10516 + + # and now define listeners bound to the relevant ruleset + $InputTCPServerBindRuleset remote10514 + $InputTCPServerRun 10514 + + $InputTCPServerBindRuleset remote10515 + $InputTCPServerRun 10515 + + $InputTCPServerBindRuleset remote10516 + $InputTCPServerRun 10516 + +Note that the "mail.\*" rule inside the "remote10516" ruleset does not +affect processing inside any other rule set, including the default rule +set. + |