Correct rsyslog.conf.

etc/rsyslog.conf

@@ -1,72 +1,127 @@
-# rsyslog configuration file
-#
-# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
-# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
-# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+# Load modules.
+module(load="imudp")
+module(load="imtcp")
+module(load="builtin:omfile" dirCreateMode="0750" dirOwnerNum="0" dirGroupNum="0" fileCreateMode="0640" fileOwnerNum="0" fileGroupNum="0" compression.driver="zstd")
 
 
-#### Global directives ####
-
-# Sets the directory that rsyslog uses for work files.
-$WorkDirectory /var/lib/rsyslog
-
-# Sets default permissions for all log files.
-$FileOwner root
-$FileGroup adm
-$FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
-
-# Check config syntax on startup and abort if unclean (default off).
-#$AbortOnUncleanConfig on
-
-# Reduce repeating messages (default off).
-#$RepeatedMsgReduction on
+# Global configuration.
+global(
+  workDirectory="/var/lib/rsyslog"
+  #stdlog.channelspec="on"
+  maxMessageSize="16K"
+  senders.keepTrack="on"
+  senders.timeoutAfter="2419200"
+  senders.reportGoneAway="on"
+  senders.reportNew="on"
+)
 
 
-#### Modules ####
+# Inputs.
+input(type="imudp" port="25414" ruleset="syslog")
+input(type="imudp" port="25415" ruleset="httplog")
+input(type="imtcp" port="25414" ruleset="syslog")
 
-# Provides --MARK-- message capability.
-module(load="immark")
 
-# Provides support for local system logging (e.g. via logger command).
-module(load="imuxsock")
+# Rulesets.
+ruleset(name="syslog") {
+  set $.host = tolower(field($hostname, ".", 1));
+  set $.domain = tolower(re_extract($hostname, '[^.]+\\.(.*)', 0, 1, "unknown_domain"));
+  if ($app-name != "") then {
+    set $.proc = $app-name;
+    if ($procid != "" and $procid != "-") then {
+      set $.proc = '[' & $procid & ']';
+    }
+  } else {
+    set $.proc = '-';
+  }
+  if ($msgid != "") then {
+    set $.id = $msgid;
+  } else {
+    set $.id = '-';
+  }
 
-# Reads kernel messages.
-module(load="imklog")
+  template(name="LogLineSingleHost" type="string" string="%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
+  template(name="LogLineAllHosts" type="string" string="%timereported:::date-utc,date-rfc3339% %hostname% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
 
-#### Config files ####
+# FIXME: Log each facility to the AllHosts logs.  Compression?
+  if prifilt("auth.*,authpriv.*") then {
+    action(type="omfile" file="/tmp/log/AllHosts/auth" template="LogLineAllHosts" zipLevel="6" asyncWriting="on" flushInterval="5" ioBufferSize="64k" )
+  } else if ... then {
 
-# Include all config files in /etc/rsyslog.d/.
+
+
+  template(name="LogFileeSingleHost" type="string" string="/tmp/logs/%$.host%/
+%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
+
+
+
+    if prifilt("*.info") then {
+        action(type="omfile" file="/var/log/info.log")
+    }
+}
+
+
+
+
+#template(name="SyslogLineFormat" type="list") {
+#  property(name="timereported" dateFormat="rfc3339" caseConversion="lower")		# Timestamp yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+#  constant(value=" ")
+#  property(name="hostname")								# Hostname
+#  constant(value=" ")
+#  property(name="syslogfacility")							# Facility
+#  constant(value=".")
+#  property(name="syslogpriority")							# Log priority
+#  constant(value=" ")
+#  property(name="syslogtag")								# Syslog tag
+#  constant(value=": ")
+#  property(name="msg")									# Message content
+#  constant(value="\n")
+#}
+
+
+
+
+#template(name="LogHostFile" type="string" string="/mnt/Data/logs/%HOSTNAME:::escape-cc,secpath-replace%/
+#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
+# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
+
+#template(name="LogAllHostsFile" type="string" string="/mnt/Data/logs/AllHosts/
+#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
+# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
+
+
+
+
+#VMWare: RFC 5424
+
+
+
+# Parser.
+#parser(
+#  name="FIXME"
+#  type="pmnormalize"
+#  rule=[
+#    "rule=:<%pri:number%> %fromhost-ip:ipv4% %hostname:word% %syslogtag:char-to:\\x3a%: %msg:rest%",
+#    "rule=:<%pri:number%> %hostname:word% %fromhost-ip:ipv4% %syslogtag:char-to:\\x3a%: %msg:rest%"
+#  ]
+#)
+
+
+# Rules
+#ruleset(name="outp" parser="custom.pmnormalize") {
+#   action(type="omfile" File="/tmp/output")
+#}
+
+
+# Outputs.
+action(type="omfile" file="/tmp/messages" template="LogLineSingleHost")
+
+
+
+# Include additional configurations.
 include(file="/etc/rsyslog.d/*.conf" mode="optional")
 
-#### Rules ####
 
-*.*							/var/log/everything
-
-# Log all kernel messages to kern.log.
-kern.*							/var/log/kern.log
-
-# Log anything (except mail) of level info or higher.
-# Don't log private authentication messages!
-# NOTE: The minus sign in front of filename disables buffer flush.
-*.info;authpriv.none;cron.none;kern.none;mail.none	-/var/log/messages
-
-# The authpriv file has restricted access.
-authpriv.*						/var/log/auth.log
-
-# Log all the mail messages in one place.
-mail.*							-/var/log/mail.log
-
-# Log cron stuff.
-cron.*							-/var/log/cron.log
-
-# Everybody gets emergency messages.
-*.emerg							:omusrmsg:*
-
-# Log all kernel messages to the console.
-# Logging much else clutters up the screen.
-#kern.*							/dev/console
 
 
 ### Examples ####
@@ -86,11 +141,3 @@ cron.*							-/var/log/cron.log
 #	action.resumeRetryCount="-1"
 #	action.resumeInterval="30"
 #)
-
-# Receive messages from remote host via UDP
-# for parameters see http://www.rsyslog.com/doc/imudp.html
-#module(load="imudp")  # needs to be done just once
-#input(
-#	type="imudp"
-#	port="514"
-#)