search

JPvRiel / docker-rsyslog

Rsyslog server with multiple input listeners (UDP/TCP/RELP) and outputs (file/kafka/syslog).
23 stars 12 forks source link

Not able to get custom input conf working #3

Open bhanupraveeng opened 3 years ago

bhanupraveeng commented 3 years ago

Hello,

I have a gc log file which i need to get lines from and output to syslog. I had put ,my conf file under "/opt/rsyslog/conf/gc.conf"

gc.conf

module(load = "imfile")
input(
    type = "imfile" 
    file = "/var/rsyslog/gclog.log" 
    Tag = "gclog"
    addMetadata="on"
    escapelf="off"
    startmsg.regex="^<exclusive-start"
    #endmsg.regex="^<exclusive-end"
    )
:programname, contains, "gclog" /var/rsyslog/gcfilteroutput.log

Mounted my folder as " - /opt/rsyslog/conf:/etc/rsyslog.d/input" in docker-compose.yml file

after starting container, my conf file will be under /input folder. so when i update "gclog.log" file, new lines should be displayed under syslog messages. But its not working. Please let me know if i am doing anything worng?

Same conf is working on general rsyslog without docker.

Thanks, Bhanu

JPvRiel commented 3 years ago

Hi @bhanupraveeng, somehow I missed github notifications about this, so excuse the delayed reply.

Unfortunately, the way I built the container with confd and the rsyslogd rule-set processing isn't quite as flexible as a dropping an extra config file in without aligning it with existing rule-set structure.

I did cater for user provided custom config (not templated via confd) for outputs. As per the README, the extended outputs config needed to be available at /etc/rsyslog.d/output/extra and would then be automatically added to an output rule-set and queues.

If, after such a delay from me, you'd still like this feature, let me know and I can try adding a /etc/rsyslog.d/input/extra that gives you the flexibility you'd like.

For stability and traceability reasons, I thought it's better to split the rsyslog processing into multiple rule-sets given that, without doing so, everything runs under one main rule-set and a single queue by default, and that causes a bit of pain with rsyslogd impstats when you're trying to narrow down what part of your setup has performance problems or bugs.

Also, one more tip, but form what I understand, it's ill advised to mix new rainerscript config syntax with the older syntax. Your example starts with rainerscript, but then this line here is the legacy way?:

:programname, contains, "gclog" /var/rsyslog/gcfilteroutput.log

That may work, but the rsyslog docs I read suggested users often run into bugs when mixing both config formats.

rgerhards commented 3 years ago

Also, one more tip, but form what I understand, it's ill advised to mix new rainerscript config syntax with the older syntax. Your example starts with rainerscript, but then this line here is the legacy way?:

:programname, contains, "gclog" /var/rsyslog/gcfilteroutput.log

That may work, but the rsyslog docs I read suggested users often run into bugs when mixing both config formats.

Not really. It is perfectly fine to mix and match BUT the advise is not to do any complex things with the old style syntax. For simple things like writing a log file with no "extras" (like queues, permission parameters, etc) the old style syntax IMHO is still the best and most understandable.

The problem begins when you use old-style for example to assign queues. This is ugly and most folks get it wrong initially. Here, the new action() config object is much clearer.

This is discussed in the doc here: https://www.rsyslog.com/doc/master/configuration/conf_formats.html

HTH and thx for the great work on containers!