Mailing List Archive

Config format questions
Going through the documentation, I have a couple of questions which I'm
having difficulty finding answers to.  A few extra examples would make
it much clearer.

1. When using the "basic" format of selector+action, are you allowed to
use RainerScript for the action side? e.g. can you write

local0.*  action(type="omfile", dynaFile="myDest")

instead of

local0.*  ?myDest

I couldn't see any example which looks like the first form, and I
scanned most of the documentation, including
https://www.rsyslog.com/doc/v8-stable/configuration/examples.html and
https://www.rsyslog.com/doc/v8-stable/configuration/actions.html

Could you confirm that the first is valid?


2. Conversely, when you have a new-style ruleset with actions, like this
example at
https://www.rsyslog.com/doc/v8-stable/configuration/basic_structure.html#rulesets-and-rules

ruleset(name="rulesetname") {
action(type="omfile" file="/path/to/file")
action(type="..." ...)
/* and so on... */
}

How do you apply filters to the actions? Can you combine a RainerScript
action with a basic-style selector inside a ruleset, e.g.

ruleset(name="rulesetname") {
local0.* action(type="omfile" file="/path/to/file")
*.=crit action(type="..." ...)

and/or with a conditional expression, e.g.

ruleset(name="rulesetname") {
if $syslogfacility-text == 'local0' then action(type="omfile" file="/path/to/file")
if $syslogseverity-text == 'crit' then action(type="..." ...)

?

Again, I couldn't see any ruleset examples which look exactly like
this.  The closest I found was at
https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html#split-local-and-remote-logging
(but this uses basic append-to-file actions)


3. I note the following example at
https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#legacy-description


*.=crit :omusrmsg:rger
& root

It says this example sends to users "rger" and "root", implying that the
:omusrmsg: prefix is optional (not mentioned at
https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#list-of-users)

But I've also seen examples in real life configs like this:

:syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log
& stop

(that's from Ubuntu 18.04, /etc/rsyslog.d/21-cloudinit.conf)

Does this mean bare words like "root" are treated as usernames only if
there is no action of that name? Or vice versa?  Would it behave
differently if I happened to have a local user called "stop"?


4. Finally, I'd just like to point out possible confusion from
https://www.rsyslog.com/doc/v8-stable/configuration/sysklogd_format.html
which is near the beginning of the rsyslog documentation set.

At first glance it looks like a comprehensive list of features you can
use in this format, but it's not.  For example, it says you can redirect
with @host, but doesn't mention @@host for TCP.  It says you can append
to file, but not ?template.  Those features are mentioned in other pages
but are hard to find.

I did notice that this page talks about "syslog.conf" and "this
syslogd", not rsyslog.conf and rsyslogd.  It might be worth saying that
rsyslog implements a superset of these features, and adding a link to
the rsyslog-specific enhancements at:

https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#legacy-format

Regards,

Brian.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Config format questions
On Wed, 11 Sep 2019, Brian Candler via rsyslog wrote:

> Going through the documentation, I have a couple of questions which I'm
> having difficulty finding answers to.  A few extra examples would make
> it much clearer.

one thing the documentation suffers from is that the people writing it know too
much about rsyslog, so we miss documenting things that seem obvious to us.

The documentation is in a git repo (rsyslog-doc) and we would love to get
contributions from people who see gaps.

> 1. When using the "basic" format of selector+action, are you allowed to
> use RainerScript for the action side? e.g. can you write
>
> local0.*  action(type="omfile", dynaFile="myDest")
>
> instead of
>
> local0.*  ?myDest

yes, this is perfectly acceptable.

> I couldn't see any example which looks like the first form, and I
> scanned most of the documentation, including
> https://www.rsyslog.com/doc/v8-stable/configuration/examples.html and
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
>
> Could you confirm that the first is valid?
>
>
> 2. Conversely, when you have a new-style ruleset with actions, like this
> example at
> https://www.rsyslog.com/doc/v8-stable/configuration/basic_structure.html#rulesets-and-rules
>
> ruleset(name="rulesetname") {
> action(type="omfile" file="/path/to/file")
> action(type="..." ...)
> /* and so on... */
> }
>
> How do you apply filters to the actions? Can you combine a RainerScript
> action with a basic-style selector inside a ruleset, e.g.
>
> ruleset(name="rulesetname") {
> local0.* action(type="omfile" file="/path/to/file")
> *.=crit action(type="..." ...)
>
> and/or with a conditional expression, e.g.
>
> ruleset(name="rulesetname") {
> if $syslogfacility-text == 'local0' then action(type="omfile"
> file="/path/to/file")
> if $syslogseverity-text == 'crit' then action(type="..." ...)

yep, you can mix and match, and action can be in the new action() format, or it
can be in the legacy format (filename, or ?template)

> 3. I note the following example at
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#legacy-description
>
>
> *.=crit :omusrmsg:rger
> & root
>
> It says this example sends to users "rger" and "root", implying that the
> :omusrmsg: prefix is optional (not mentioned at
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#list-of-users)

hmm, I don't see how the :omusrmsg: is optional, but that may be a very old
legacy thing (in plain syslog, could you give a username instead of a file
path?)

> But I've also seen examples in real life configs like this:
>
> :syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log
> & stop
>
> (that's from Ubuntu 18.04, /etc/rsyslog.d/21-cloudinit.conf)
>
> Does this mean bare words like "root" are treated as usernames only if
> there is no action of that name? Or vice versa?  Would it behave
> differently if I happened to have a local user called "stop"?

that is an interesting question, I suspect that since stop has a special
meaning, it would not be overridden by a user named stop, but I would advise
against using bare usernames.

>
> 4. Finally, I'd just like to point out possible confusion from
> https://www.rsyslog.com/doc/v8-stable/configuration/sysklogd_format.html
> which is near the beginning of the rsyslog documentation set.
>
> At first glance it looks like a comprehensive list of features you can
> use in this format, but it's not.  For example, it says you can redirect
> with @host, but doesn't mention @@host for TCP.  It says you can append
> to file, but not ?template.  Those features are mentioned in other pages
> but are hard to find.
>
> I did notice that this page talks about "syslog.conf" and "this
> syslogd", not rsyslog.conf and rsyslogd.  It might be worth saying that
> rsyslog implements a superset of these features, and adding a link to
> the rsyslog-specific enhancements at:
>
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#legacy-format

good point, would you be willing to submit patches with wording that makes sense
to you?

David Lang
Re: Config format questions
On 11/09/2019 18:55, David Lang wrote:
>
>> 3. I note the following example at
>> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#legacy-description
>>
>>
>> *.=crit  :omusrmsg:rger
>> &  root
>>
>> It says this example sends to users "rger" and "root", implying that
>> the :omusrmsg: prefix is optional (not mentioned at
>> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#list-of-users)
>
> hmm, I don't see how the :omusrmsg: is optional, but that may be a
> very old legacy thing (in plain syslog, could you give a username
> instead of a file path?)
>
I found the answer in tools/omusrmsg.c:

        if(!strncmp((char*) p, ":omusrmsg:", sizeof(":omusrmsg:") - 1)) {
                p += sizeof(":omusrmsg:") - 1; /* eat indicator sequence  (-1 because of '\0'!) */
        } else {
                if(!*p || !((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z')
                   || (*p >= '0' && *p <= '9') || *p == '_' || *p == '.' || *p == '*')) {
                        ABORT_FINALIZE(RS_RET_CONFLINE_UNPROCESSED);
                } else {
                        LogMsg(0, RS_RET_OUTDATED_STMT, LOG_WARNING,
                                "action '%s' treated as ':omusrmsg:%s' - please "
                                "use ':omusrmsg:%s' syntax instead, '%s' will "
                                "not be supported in the future",
                                p, p, p, p);
                        bHadWarning = 1;
                }
        }

Probably best to change the doc to use the new format.

>>
>> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html#legacy-format
>>
>
> good point, would you be willing to submit patches with wording that
> makes sense to you?

As time allows, I will.

Regards,

Brian.
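
One way to audit existing config files for the prefix-less user actions that the omusrmsg.c fallback quoted above still accepts with a warning. This is an added example, not part of the thread and not rsyslog code; the selector regex, the keyword list and the sample config are simplifying assumptions.

```python
import re

# Legacy filters that can precede an action on one line (simplified, assumed grammar).
SELECTOR = re.compile(
    r'^(?:[\w*,]+\.[\w*=!]+(?:;[\w*,]+\.[\w*=!]+)*'   # facility.priority[;...]
    r'|:[\w$!.-]+\s*,\s*!?\w+\s*,\s*"[^"]*"'          # :property, compare-op, "value"
    r'|&)\s+(.*)$'                                    # "&" chains a further action
)
# First characters the omusrmsg.c fallback accepts for a prefix-less user list.
BARE_FIRST = re.compile(r'[A-Za-z0-9_.*]')
# Assumption: statement words skipped here rather than reported as user names.
# How rsyslog itself resolves a user literally named "stop" is left open in the thread.
KEYWORDS = {"stop", "call", "continue", "set", "unset", "reset", "if"}

def bare_user_actions(config_text):
    """Return (line_no, action, suggested_action) for each bare-username action."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        m = SELECTOR.match(line)
        if not m or not m.group(1).strip():
            continue                      # not a legacy "filter action" line
        action = m.group(1).strip()
        if action.split()[0] in KEYWORDS or action.startswith("action("):
            continue                      # RainerScript statement, not a user list
        if BARE_FIRST.match(action):      # same first-character test as the C code
            hits.append((no, action, ":omusrmsg:" + action))
    return hits

# Constructed sample config, assembled from the lines quoted in the thread.
SAMPLE = """\
# constructed sample
*.=crit :omusrmsg:rger
& root
:syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log
& stop
local0.* action(type="omfile" file="/path/to/file")
*.emerg *
mail.info;auth.none -/var/log/mail.log
kern.* @@loghost
"""

if __name__ == "__main__":
    for no, action, fix in bare_user_actions(SAMPLE):
        print(f"line {no}: bare user action {action!r}; write {fix!r} instead")
```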
