Chad Geary via rsyslog
2018-11-27 02:49:16 UTC
Hello,
I've recently set up a new rsyslog server using a few modules (ommail
and ommysql specifically). I noticed my mail messages are not sent
(but queued) when starting rsyslogd with systemctl start rsyslog.
If I start rsyslog via '/usr/sbin/rsyslogd' the queued emails will be
sent (as will subsequent emails as defined by rsyslog.conf).
In both cases the mysql inserts are working as intended.
RHEL7.6
rsyslogd 8.24.0-34.el7, compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
/etc/rsyslog.conf
# modules
$ModLoad imuxsock # local
$ModLoad imklog # kernel
$ModLoad ommail # email
$ModLoad ommysql # mysql
$ModLoad imtcp # tcp reception
$InputTCPServerRun 514
# daemon conf
$WorkDirectory /opt/rsyslog/work # db queue files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
# mail alert 1 - auth (failed pass)
$ActionMailSMTPServer [hidden]
$ActionMailFrom rsyslog@[hidden]
$ActionMailTo [hidden]
$template mailSubject1,"syslog: auth alert @ %hostname%"
$template mailBody1,"%msg%"
$ActionMailSubject mailSubject1
$ActionExecOnlyOnceEveryInterval 5
# all one line!
if $rawmsg contains 'Failed pass' then :ommail:;mailBody1
# allow other actions to continue
$ActionExecOnlyOnceEveryInterval 0
# mail alert 2 - sys (etc)
$ActionMailSMTPServer [hidden]
$ActionMailFrom [hidden]
$ActionMailTo [hidden]
$template mailSubject2,"syslog: sys alert @ %hostname%"
$template mailBody2,"%rawmsg%"
$ActionMailSubject mailSubject2
$ActionExecOnlyOnceEveryInterval 5
# all one line!
if ($rawmsg startswith 'Kernel' or $rawmsg startswith 'kernel' or $msg contains 'mountd: refused' or $msg contains 'No space left') then :ommail:;mailBody2
# allow other actions to continue
$ActionExecOnlyOnceEveryInterval 0
# filter/drop
:rawmsg, contains, "Connection from UDP" stop
:rawmsg, contains, "Received SNMP packet(s) " stop
# log everything else to db (haproxy)
*.* :ommysql:127.0.0.1,Syslog,[hidden],[hidden]
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.