Rsyslog.conf


I was looking at the manpage for rsyslog.conf, primarily because I need to filter my manager’s new fedora 22 logs coming to our loghost, because of the bug that I forwarded (if it gets through).

At any rate, I am surprised: under selectors, I see that “The keywords error, warn and panic are deprecated and should not be used anymore.”

Huh?

If I only want warn or more severe, how am I supposed to filter – write a much more elaborate RE?

mark

29 thoughts on - Rsyslog.conf

  • Looking at the same manpage, it seems that these selectors are not really being removed, just renamed. The old names are being deprecated.

    Instead of   Use
    ==========   =======
    warn         warning
    err          error
    panic        emerg

    Best regards

    Dave Windsor AdP/TEF7


  • Sorry for the top post, Outlook defaults strike again…..

    Best regards

    Dave Windsor AdP/TEF7

  • Windsor Dave (AdP/TEF7) wrote:
    Thanks. I didn’t see that.

    Unfortunately, it still didn’t solve the problem (my manager’s newly-upgraded fedora from 20->22, and according to the bugzilla bug, the systemd developers want *all* logs, and they’re dumping *everything* from auditd, all successes by root jobs, cron, everything – fine, I suppose, for someone debugging systemd….)

    mark

  • On 22.07.2015 at 17:41, Windsor Dave (AdP/TEF7) wrote:

    Outlook forces you to write above ? :-)

  • Perhaps I should say instead that it “strongly encourages” top posting, and all our internal emails follow that convention.

    It’s habit-forming…. :-)

    Best regards

    Dave Windsor AdP/TEF7

  • Well, my habit for regular e-mail exchange is “top posting” thus the person reads my message thus is right to the point why this particular message was sent in the first place… But when mail lists are concerned, I do the opposite, that is I follow mail lists conventions. I never thought about rationale behind them, I’m just following them. I believe, if some day someone gives reasons why top posting is bad in case of mail lists it will really be great. The only reason I can come up with myself would be: whoever reads message received through mail lists usually has no idea about previous exchange in this thread, thus needs all exchange in chronological order. Which I’m not certain is a good reason, so those who know and insist strongly about “no top posting” are encouraged to give others the reasons behind that. Again, I’m not “top posting” on the lists. However, _this_ (“top posting”) is my regular way in private exchange (and it has good reasons behind it).

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Windsor Dave (AdP/TEF7) wrote:

    Yeah, and it’s an M$ innovation I *really* dislike. I’ve had disagreements with my wife about that. What was it, Lookout, er Outlook ’08 that did that?

    The *real* issue is that the way email traditionally was, with bottom posting, or intercollation, made it *readable*, and esp. if you come into a thread late, you could figure out what was going on.

    I don’t know of any written language on the planet that reads from the bottom up… and if *anyone* doesn’t top post, like a lot of us, it makes it unreadable (up, down, up, down, down, up….)… which is why the generally-agreed convention on every mailing list I’m on is traditional format.

    mark “Kill Bill….”

  • On 23.07.2015 at 16:34, Valeri Galtsev wrote:

    well, as you wrote: … because in conventional spelling systems of western languages, text is written from the top to the bottom (applies also for reading). To rephrase it: the “usability” is higher while reading bottom posted messages. Furthermore stripping is normally done more (footers, disclaimers etc. disappears) when bottom posted. This cleans the context additionally …

    The problem gets worse when both styles are mixed. Try to read a correspondence from a year ago in such a style. It’s horrible …

    :-)


  • The main reason actually is chronological order. But not just for the reply .. but for IN-LINE posting.

    In a discussion where you need to make points in-line and where you only need some of and not all of the other posts, something that happens frequently on mailing lists, it is very much easier to read that type of collaborated message in chronological order.

    I mean, you don’t read a book or a newspaper article or a blog post from bottom to top, right? Why would you read communications from bottom to top? And it is not really even bottom to top. If you take 4 emails of 10 lines each (and 40 lines total) .. it is 75% down to 100% (original mail)… then up to 50% and read down to 75% (2nd mail), then up to 25% and read down to 50%, then up to 0% and read down to 25%. What if someone made you read blog posts that way, or books or newspaper articles?

  • “Come to the thread late” argument is the only rationale for “no top posting” in case of mail lists I can figure myself. Plus to have all messages in some standard format.

    I hope, the following will make peace between you and your wife. In regular e-mail exchange both parties are constantly “in sync”, thus understand what previous statements this particular message deals with. Therefore I personally find it advantageous in private exchange to have new information – i.e. message I’m writing – be right at the top of current e-mail. This is my current message I want my recipient to read (but the rest of exchange is after it as well for recipient’s convenience). I can say many bad words about Microsoft, but this rationale for private mail exchange is something I will not blame them about.

    So far I collected two arguments to not “top post” on mail lists:

    1. standardized format of all messages with answers (like the whole thread in front of your eyes, and it is always in the same format)

    2. easier reading for “newcomers” to the thread: in chronological order.

    Any other rationales?

    Valeri


  • OK, the shortest I can re-formulate your message is: on mail lists we are collectively writing the book for someone else to read (much less communicating with each other in real time ;-) Any accepted convention is better than no convention: save everybody’s time. Suits me (as far as mail lists are concerned).

    Valeri


  • On 23.07.2015 at 18:06, “Valeri Galtsev” wrote:

    I consider email as an asynchronous communication, therefore “book style convention” is recommended.

  • Leon Fauster wrote:

    Yup. We’re writing electronic *mail*, not text messages (here, you’ve got 140 char, tell me everything you know….), and you don’t have a two-line pager screen…. I see it as a slo-mo group conversation, and top-posting is like the person who suddenly utters a non sequitur, louder than everyone else is speaking….

    mark

  • Physically dragging the thread back on topic…

    I really am going crazy, trying to deal with the hourly logs from the loghost. We’ve got 170+ servers and workstations… but a *very* large percentage of what’s showing up is from his bloody new fedora 22, with its idiot systemd logging of *every* selinux message to /var/log/messages.

    I tried creating a rule, /etc/rsyslog.d/audit.conf, that reads:

    if $msg contains “audit” and $msg,contains,’res=success’ then –

    but that seemed to send *everything* to /dev/null. That was my best guess, based on googling (yahooing?) and man pages. Can anyone tell me what’s wrong with that syntax?

    mark

  • systemctl enable auditd
    systemctl start auditd

    Now your SELinux (and other audit) logs are going to
    /var/log/audit/audit.log.

  • Jonathan Billings wrote:

    Um, no. That was where I started this thread – my manager updated his fedora box from 20 to 22, and there’s a bug about it <https://bugzilla.redhat.com/show_bug.cgi?id27379>, where it appears that the systemd folks have demanded *all* logs, and are multicast spitting out the selinux logs *also* to /var/log/messages.

    And I just checked, and yes, auditd is running.

    So I’m back to trying to find the correct syntax to filter all the successes seen by auditd from getting to messages….

    mark

  • There’s ~4 aspects to that bug so it’s just going to have to settle out, with the main one being comment 25 where systemd-journald is enabling audit and inappropriately mixing data with different discretion levels.

  • It originates from early Usenet practice where it had some useful purpose given the way Usenet feeds were typically consumed and forwarded. Generally Usenet News servers maintained posts for a limited period of time. If you did not connect to obtain the news-feed within that window then all earlier posts were ‘lost’ to you. Thus encapsulating the entire discussion in chronological order in each reply compensated for the technological (storage) limits prevalent in the 1980/90s.

    The orthodox justification for bottom-posting is often exemplified by tag lines similar in content to the following:

    However, forcing your correspondents to wade through an interminable wall of text that regurgitates the previous thread before getting to the point of the message arguably interferes with proper understanding no less than top-posting does. I am unaware of any scientific study that purports to support either position. So, in the absence of that I conclude:

    De gustibus non est disputandum.

    At this point the practice, particularly for archived mailing lists, is little more than dogmatic adherence to a style that serves only to distinguish the ‘in group’ from the ‘other’.

  • And Lennart blames Linus[1] for why he gets hate mail.

    We are giving RHEL-7 a pass on this iteration. We have installed it on a couple of test hosts and are not favourably impressed with much of the user interface. At least not from the sys-admin side of things. This is not to imply that there is nothing good in 7. There are a lot of improvements that we certainly value. But it is too early in systemd development for us to waste time debugging somebody else’s pipe-dream on our dime.

    We will see what 8 offers and decide then whether to move to something else.

    [1]. https://plus.google.com/app/basic/stream/z13rdjryqyn1xlt3522sxpugoz3gujbhh04

  • Indeed. And thanks to Linus we have Linux kernel. And thanks to Lennart we have config files polluted with XML tags.

    Good for you. I started installing CentOS 7 on all new workstations (but we do pass on Linux on all new servers in favor of FreeBSD – number crunchers and maybe workstations have to be Linux though…)

    Valeri


  • For what it’s worth, the problem described at the beginning of this thread doesn’t happen in RHEL7. Yet. Supposedly systemd is being rebased in 7.2 so we’ll see.

    This is why Fedora exists, to work out all these kinds of problems before it hits an enterprise OS.

  • There’s no XML in the systemd configuration language. You might be thinking of launchd.

  • Jonathan Billings wrote:

    Ok, this is frustrating. May I take it, then, that no one has written the conditional filters described in the rsyslog manual?

    I’ve tried several variations, such as if $msg contains ‘audit’ and $msg contains ‘res=success’ then –
    which resulted in *all* messages going to /dev/null, even though everything I find in googling (or I should say what little I find in googling) suggests that should work.

    mark

  • There is absolutely no need to include irrelevant text when replying to a posting. Trim and Cut were sensible skills acquired by some of us in the 1980’s and 1990’s. Pertinent points pleases people perpetually.

  • Precisely. A small amount of effort by the sender makes the discussion easier to follow for the many recipients.

  • Every email sent to this list includes the following in the headers:

    List-Archive: <http://lists.CentOS.org/pipermail/CentOS/>

    People should trim any included text (and properly quote whatever they leave in place). If someone needs more context the list archives can supply that extra detail.

    Stuart

  • We’ve had this in our RHEL6 and now our RHEL7 rsyslog.conf:

    # Ignore OpenAFS errors
    :msg, contains, "byte-range lock/unlock ignored" ~
    :msg, contains, "byte-range locks only enforced for processes on this machine" ~

    I’m seeing warnings in the logs that this is an old syntax on RHEL7, but it still works.


    Jonathan Billings
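
An added example, not part of the thread or of any poster's configuration: the property-based filter above written with the `stop` action that replaces the deprecated `~`, followed by an expression-based filter using the two conditions asked about earlier in the thread. It assumes rsyslog 7 or later and a hypothetical file name under /etc/rsyslog.d/ that is read before the rules writing /var/log/messages.

```rsyslog
# /etc/rsyslog.d/00-drop-noise.conf   (hypothetical file name, an assumption)
# Filters are evaluated in order, so this file has to be included before
# the rules that write /var/log/messages or forward to another host.

# Property-based filter, legacy discard action. This form still works on
# rsyslog 7+ but logs a deprecation warning:
#   :msg, contains, "byte-range lock/unlock ignored" ~

# Same property-based filter with the current discard action:
:msg, contains, "byte-range lock/unlock ignored" stop

# Expression-based (RainerScript) filter with two conditions.
# Each comparison has the form  $property contains 'string'  with spaces;
# the comma-separated  :property, contains, "string"  form belongs to
# property-based filters only and cannot be mixed into an expression.
# The action after "then" must be a real action: here "stop", which ends
# processing of the matching message.
if ($msg contains 'audit' and $msg contains 'res=success') then {
    stop
}

# Messages that did not match either filter continue to the rules that
# follow, for example:
#   *.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Running `rsyslogd -N1` checks the configuration for syntax errors without starting the daemon. The filter only drops the copies in the syslog stream; with auditd running, the records are still written to /var/log/audit/audit.log.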

  • Add to the above that on every phone I’ve ever used, new texts appear below older ones (no top posting there either).

    -chuck