I'm migrating our rsyslog config from an old server to a new one, and thought I'd use the opportunity to tidy up our config. The old config used "legacy" template definitions, and the rsyslog doc on templates recommends replacing such definitions with the new template syntax, so that's what I tried to do.
I simply cannot get it to work, and the errors I am getting when trying to start rsyslog make no sense. So, it seems like I have fundamentally misunderstood the rsyslog docs, or there is something funny about the rsyslog package included in RHEL6.
This is the legacy template I am trying to update:
$template secureTemplate,"INSERT INTO var_log_secure (received_at, source_ip, source_hostname, logged_at, severity, service, message, severity_int, syslogtag) VALUES ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', '%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', '%msg%', '%syslogseverity%', '%syslogtag%')",STDSQL
This is my attempt at that same template in the new syntax having read the rsyslog docs:
template(name="secureTemplate" type="string" option.stdsql="on"
string="INSERT INTO var_log_secure (received_at, source_ip, source_hostname, logged_at, severity, service, message, severity_int, syslogtag) values ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', '%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', '%msg%', '%syslogseverity%', '%syslogtag%')"
)
These are the errors I get on rsyslog startup:
rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="4491" x-info="http://www.rsyslog.com"] start
rsyslogd-3000:unknown priority name "stdsql="on"" [try http://www.rsyslog.com/e/3000 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 49:"template(name="secureTemplate" type="string" option.stdsql="on""
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-3000:unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 50:" string="INSERT INTO var_log_secure (received_at, source_ip, source_hostname, logged_at, severity, service, message, severity_int, syslogtag) values ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', '%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', '%msg%', '%syslogseverity%', '%syslogtag%')""
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-3000:unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 51:")"
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-3003: Could not find template 'secureTemplate' - action disabled
[try http://www.rsyslog.com/e/3003 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 55:"then :ompgsql:127.0.0.1,rsyslog,rsyslog,+Without-Goodbye-22+;secureTemplate"
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-2124:CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
rsyslogd:EMERGENCY CONFIGURATION ACTIVATED - fix rsyslog config file!
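Added example, not part of this question or of rsyslog itself: the `STDSQL` flag on the legacy `$template` line and `option.stdsql="on"` in the new syntax are the same option, and the point of carrying it over is that rsyslog then doubles every single quote inside each expanded property, so a quote in a received message cannot terminate the string literal in the generated INSERT. The script below emulates rsyslog's string-template expansion over the template from the question with a constructed log record whose `msg` field contains quotes, and counts the resulting SQL string literals with and without the option. The record values, the `render` and `count_sql_literals` helpers and the simplified placeholder parsing are assumptions made for this illustration.

```python
"""Emulate rsyslog string-template expansion with and without stdsql.

Illustrative example only (not rsyslog code). The escaping rule follows the
rsyslog template documentation: option stdsql replaces ' with '' inside
every expanded field; option sql (MySQL style) backslash-escapes ' and \\.
"""
import re

# The template string from the question, placeholders left intact.
TEMPLATE = (
    "INSERT INTO var_log_secure (received_at, source_ip, source_hostname, "
    "logged_at, severity, service, message, severity_int, syslogtag) "
    "VALUES ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', "
    "'%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', "
    "'%msg%', '%syslogseverity%', '%syslogtag%')"
)

# Constructed sample record keyed by bare rsyslog property name. Dates are
# already in RFC 3339 form, so the :::date-rfc3339 option is a no-op here.
# The msg field deliberately contains single quotes.
SAMPLE_RECORD = {
    "timegenerated": "2015-09-01T10:00:00+00:00",
    "fromhost-ip": "192.0.2.10",
    "hostname": "web01",
    "timereported": "2015-09-01T09:59:59+00:00",
    "syslogseverity-text": "info",
    "programname": "sshd",
    "msg": " Accepted publickey for 'root' from 192.0.2.10",
    "syslogseverity": "6",
    "syslogtag": "sshd[1234]:",
}

# %property[:from:to:options]% ; only the property name is used here.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_-]+)(?::[^%]*)?%")


def escape_field(value, sql_option=None):
    """Apply the per-field escaping rsyslog's template options describe."""
    if sql_option == "stdsql":
        return value.replace("'", "''")
    if sql_option == "sql":
        return value.replace("\\", "\\\\").replace("'", "\\'")
    return value


def render(template, record, sql_option=None):
    """Expand every %property% placeholder from record, escaping each field."""
    def substitute(match):
        return escape_field(record[match.group(1)], sql_option)
    return PLACEHOLDER.sub(substitute, template)


def count_sql_literals(statement):
    """Count '...' string literals in a statement, treating '' as an escaped
    quote inside a literal (standard SQL rules, i.e. what stdsql targets)."""
    count, in_literal, i = 0, False, 0
    while i < len(statement):
        ch = statement[i]
        if not in_literal:
            if ch == "'":
                in_literal = True
                count += 1
        elif ch == "'":
            if i + 1 < len(statement) and statement[i + 1] == "'":
                i += 1          # doubled quote stays inside the literal
            else:
                in_literal = False
        i += 1
    return count


if __name__ == "__main__":
    safe = render(TEMPLATE, SAMPLE_RECORD, "stdsql")
    unsafe = render(TEMPLATE, SAMPLE_RECORD)
    # The template supplies 9 quoted values; without stdsql the quotes in
    # msg split the message literal and leave 'root' outside any string.
    print("stdsql literals:", count_sql_literals(safe))     # 9
    print("no option literals:", count_sql_literals(unsafe))  # 10
    print(safe)
```

Running it shows the stdsql rendering keeps all nine VALUES entries as single literals, while the rendering without the option produces a statement in which part of the message is no longer inside a string. That is why the option belongs in the new-syntax definition too, whichever rsyslog version ends up parsing it.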
Well, the answer is rather simple (and probably unsatisfactory). The new syntax is not supported in this old version. You need at least v6, but to use all features v7 is required. So far, Red Hat does not ship these for RHEL. As an alternative, you can use the rsyslog rpm packages: http://www.rsyslog.com/rhelcentos-rpms/
Please also note that the doc on http://www.rsyslog.com/doc is always for the MOST CURRENT version. However, each version has its own doc set. It is obviously better to refer to the doc set that accompanies your version. Most distros do not install it by default, but there usually is a package named along the lines of rsyslog-doc.
As of September 2015 there are rsyslog7 packages available in RHEL6. The current version of rsyslog is 8.11, but this one is at least closer to current.
To install, you first have to remove your rsyslog package:
You can add the rsyslog yum repo and then update rsyslog directly so you don't have to uninstall it.
...
Repo file for reference:
Credits:
http://osengineer.blogspot.com/2014/01/install-rsyslog7-to-centos6.html
https://www.rsyslog.com/rhelcentos-rpms/