I'm trying to configure Rsyslog 5.8.10 on CentOS 6.4 to send Apache's error and access logs to a remote server. It's working, but I have a couple questions.
UPDATE: A, B and C are the only ones pending an answer.
A) I would like to use as few queues (and resources) as possible. I send error logs to server A, send access logs to server A, send both logs in one stream to server B. Should I specify one queue per external service (2 queues) or one queue per stream (3 queues, as I have now)? This is what I have:
$ActionResumeInterval 10
$ActionQueueSize 100000
$ActionQueueDiscardMark 97500
$ActionQueueHighWaterMark 80000
$ActionQueueType LinkedList
$ActionQueueFileName logglyaccessqueue
$ActionQueueCheckpointInterval 100
$ActionQueueMaxDiskSpace 1g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueTimeoutEnqueue 10
$ActionQueueDiscardSeverity 0
if $syslogtag startswith 'www-access' then @@logs-01.loggly.com:514;logglyaccess
$ActionResumeInterval 10
$ActionQueueSize 100000
$ActionQueueDiscardMark 97500
$ActionQueueHighWaterMark 80000
$ActionQueueType LinkedList
$ActionQueueFileName logglyerrorsqueue
$ActionQueueCheckpointInterval 100
$ActionQueueMaxDiskSpace 1g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueTimeoutEnqueue 10
$ActionQueueDiscardSeverity 0
if $syslogtag startswith 'www-errors' then @@logs-01.loggly.com:514;logglyerrors
$DefaultNetstreamDriverCAFile /etc/syslog.papertrail.crt # trust these CAs
$ActionSendStreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/name # authenticate by hostname
$ActionResumeInterval 10
$ActionQueueSize 100000
$ActionQueueDiscardMark 97500
$ActionQueueHighWaterMark 80000
$ActionQueueType LinkedList
$ActionQueueFileName papertrailqueue
$ActionQueueCheckpointInterval 100
$ActionQueueMaxDiskSpace 1g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueTimeoutEnqueue 10
$ActionQueueDiscardSeverity 0
*.* @@logs.papertrailapp.com:XXXXX;papertrailstandard
& ~
B) Does a queue block get used over and over by every send action that follows it or only by the first one or only until it encounters a send followed by a discard action (~)?
C) How do I reset a queue block so that an upcoming send action does not use a queue at all?
D) Does a TLS block get used over and over by every send action that follows it or only by the first one or only until it encounters a send followed by a discard action (~)?
E) How do I reset a TLS block so that an upcoming send action does not use TLS at all?
F) If I run rsyslog -N1 I get:
rsyslogd -N1
rsyslogd: version 5.8.10, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
rsyslogd: End of config validation run. Bye.
Where do I place the -c5 so that it doesn't run in compatibility mode anymore?
Just fill in the ones I know
D) Yes, for all following ones, unless E) is invoked.
E) is :omusrmsg:0 before the next send ($ActionSendStreamDriverMode 0 is deprecated)
Re: where to place '-c5' -- CentOS uses /etc/sysconfig/rsyslog as the configuration file for rsyslog's startup arguments, so you need to add '-c5' as the first argument to the SYSLOGD_OPTIONS= line, i.e.
Sorry for not answering all other questions you raised. I think it would have been much better if you asked them as separate questions, since in the current form it would require considerable time to provide an answer to each and every item in your question.
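An added example, not part of the original posts: a small Python audit that walks a legacy-format rsyslog config and reports, for each forwarding action, whether it would be sent over TLS and whether a queue is attached. It assumes the TLS stream driver directives stay in effect for all following actions (as answer D states) and that `$ActionQueue*` directives cover only the next action (as rsyslog's queue documentation describes for legacy directives); the `audit` function, the sample config and its hostnames are constructed for illustration.

```python
import re

# Constructed sample in the question's legacy directive format (placeholder hosts).
SAMPLE = """\
$ActionQueueType LinkedList
$ActionQueueFileName accessqueue
if $syslogtag startswith 'www-access' then @@logs-a.example.com:514;fmt
$ActionSendStreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/name
$ActionQueueType LinkedList
$ActionQueueFileName tlsqueue
*.* @@logs-b.example.com:6514;fmt
*.* @@logs-c.example.com:514
& ~
"""

DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)")
# @host = UDP, @@host = TCP; optional "(options)" before the host, optional ":port".
FORWARD = re.compile(r"\s(@@?)(?:\([^)]*\))?([^\s;:]+)(?::(\w+))?")

def audit(conf):
    """Return one record per forwarding action with the settings in effect for it."""
    queue, tls, report = {}, {}, []
    for raw in conf.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        directive = DIRECTIVE.match(line)
        if directive:
            name, value = directive.group(1).lower(), directive.group(2)
            if name.startswith("actionqueue"):
                queue[name] = value
            elif name.startswith("actionsendstreamdriver"):
                tls[name] = value
            continue
        action = FORWARD.search(line)
        if not action:
            continue
        tcp = action.group(1) == "@@"
        report.append({
            "target": action.group(2),
            "port": action.group(3),
            "tls": tcp and tls.get("actionsendstreamdriver") == "gtls"
                   and tls.get("actionsendstreamdrivermode") == "1",
            "authmode": tls.get("actionsendstreamdriverauthmode"),
            "queued": queue.get("actionqueuetype", "Direct").lower() != "direct",
            "disk_assisted": "actionqueuefilename" in queue,
        })
        queue = {}  # assumption: queue directives cover only the next action
    return report
```

Running `audit(SAMPLE)` flags the first destination as plaintext TCP because its action appears before the TLS directives, which is the same ordering the question's config uses for its first two forwards.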