Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian User (http://www.linux-archive.org/debian-user/)
-   -   Rsyslog template (http://www.linux-archive.org/debian-user/315537-rsyslog-template.html)

James Zuelow 01-26-2010 10:13 PM

Rsyslog template
 
I have a Lenny server that is acting as a remote syslog server for a variety of devices.

Most of the devices are listed by hostname or IP address in their log entries. Other servers, or devices such as HP Procurve switches are listed by IP address. However I have nine D-Link DWL3200AP WAPs that do not have any sort of IP address or hostname associated with their log entries. So I get nice logs saying that the WAP has associated with a particular MAC address, but I do not know which WAP that was.

I think this is because the default rsyslog template does not include hostname or IP address unless the sending device sends it along.

Googling for "rsyslog default template" leads to lots of pages that mention it, but no pages that I saw that describe what it is other than the default template is hard coded into rsyslog. All I want is to get rsyslog to report the source IP address of a remote log entry. The rest would remain the same.

Does anyone know the default template for rsyslog, or a template that will always include the source IP address of a remote log entry?

Thanks

James

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stan Hoeppner 01-26-2010 11:56 PM

Rsyslog template
 
James Zuelow put forth on 1/26/2010 5:13 PM:
> I have a Lenny server that is acting as a remote syslog server for a variety of devices.
>
> Most of the devices are listed by hostname or IP address in their log entries. Other servers, or devices such as HP Procurve switches are listed by IP address. However I have nine D-Link DWL3200AP WAPs that do not have any sort of IP address or hostname associated with their log entries. So I get nice logs saying that the WAP has associated with a particular MAC address, but I do not know which WAP that was.
>
> I think this is because the default rsyslog template does not include hostname or IP address unless the sending device sends it along.
>
> Googling for "rsyslog default template" leads to lots of pages that mention it, but no pages that I saw that describe what it is other than the default template is hard coded into rsyslog. All I want is to get rsyslog to report the source IP address of a remote log entry. The rest would remain the same.
>
> Does anyone know the default template for rsyslog, or a template that will always include the source IP address of a remote log entry?

Seems they put their network management eggs in the SNMP basket. Log into the
web interface of one of the units and look at the "Tools" tab. You can assign a
unique name there on each access point. I don't know if that will only show up
in SNMP data or if that name will also then be logged via syslog. Either way,
I'd def plug a unique name in here on each AP and reboot it.

Look at their network management utility, comes on a CD bundled with the AP.
It's geared toward SNMP. Also, look at your manual. It's where I found all
this info:
ftp://ftp.dlink.com/Wireless/dwl3200AP/Manual/dwl3200AP_Manual_104.zip

If you can't get syslog to do what you want, and you don't already have an SNMP
infrastructure/collector, now might be a good time to start building one. SNMP
is the standard for network device monitoring, not syslog--likely the reason
DLink put more effort into SNMP than syslog.

--
Stan



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stan Hoeppner 01-27-2010 04:21 AM

Rsyslog template
 
James Zuelow put forth on 1/26/2010 7:19 PM:
>
>> -----Original Message-----
>> From: Stan Hoeppner [mailto:stan@hardwarefreak.com]
>> Sent: Tuesday, 26 January, 2010 15:57
>> To: debian-user@lists.debian.org
>> Subject: Re: Rsyslog template
>>
>>
>> Seems they put their network management eggs in the SNMP
>> basket. Log into the
>> web interface of one of the units and look at the "Tools"
>> tab. You can assign a
>> unique name there on each access point. I don't know if that
>> will only show up
>> in SNMP data or if that name will also then be logged via
>> syslog. Either way,
>> I'd def plug a unique name in here on each AP and reboot it.
>>
>> Look at their network management utility, comes on a CD
>> bundled with the AP.
>> It's geared toward SNMP. Also, look at your manual. It's
>> where I found all
>> this info:
>> ftp://ftp.dlink.com/Wireless/dwl3200AP/Manual/dwl3200AP_Manual_104.zip
>>
>> If you can't get syslog to do what you want, and you don't
>> already have an SNMP
>> infrastructure/collector, now might be a good time to start
>> building one. SNMP
>> is the standard for network device monitoring, not
>> syslog--likely the reason
>> DLink put more effort into SNMP than syslog.
>>
>> --
>> Stan
>
> Thanks for the comments. They are very odd devices.
>
> I have distinct hostnames set up, although you can only see them via telnet/ssh, not via the web browser. (Also, as far as I can tell you can only save the config via the web interface -- so you have to use both to fully configure one of these things.) Even with the system name set up, they do not put that information into their syslog messages.
>
> I already get SNMP info from them using OpenNMS. I do not want to install a specialty management suite just for them. Especially as the units I've received have come with different firmware revisions, and I would need two versions of their management software. They have one version for firmware 2.40 and another for firmware 2.50. When I had trouble getting 2.40 units to accept the 2.50 firmware, dlink tech support strongly discouraged even attempting to flash the firmware.
>
> So I'm more interested in getting rsyslog to work around their syslog quirks than trying to set up a SNMP trap based system. I know that rsyslog can create different files and even folders based on hostnames. I don't need such a complex system, I just need to know what the default rsyslog template looks like so that I can modify it by adding an IP address field into the mix.
>
> Cheers,
>
> James

Hi James,

It looks like you need to use an rsyslog template such as:
$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%


However, I can't figure out from the rsyslog docs how to change the default
template to that. On my Lenny system, the default template declaration is:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

You might try just commenting out the original you have, and entering something
like:
$ActionFileDefaultTemplate TraditionalFormat,%timegenerated% %HOSTNAME%
%syslogtag%%msg%


I don't know if that will work, but that's the first thing I'd try. If you
don't have DNS hostname entries for the APs' IP addresses, then I'd replace
"%HOSTNAME%" above with "%FROMHOST-IP%" which should just log the remote IP address.

If that doesn't work you'll need to bone up on the rsyslog docs, specifically
the section on templates. It's a bit confusing to me. It's as if the
documentation is written for folks who already have years of experience with
syslog and assumptions are made about the readers prior knowledge. For
instance, it tells you how to declare templates, but for the life of me I can't
figure out how you actually use them once you've declared them. The docs also
fail to state how declaring a new template affects the ActionFileDefaultTemplate.

IMHO the rsyslog documentation leaves much to be desired. In addition, I was
less than a fan of rsyslog after upgrading to Lenny and finding that rsyslog has
a virtual memory footprint of over 30MB(!) compared to only a few hundred
kilobytes for the old sysklogd. Rsyslog is a $deity d@mn memory hog, and
there's no good reason for that. Any syslogd should be miserly on resources.

The good news is that rsyslog is *optional* for Lenny. You have two other
choices for a syslog daemon. I upgraded from etch, and ran with the old
syslkogd for a while before replacing it with rsyslogd, which had to be done
manually. The *only* reason I did so was that the Lenny release notes almost
demanded that I install rsyslogd, as if sysklogd would break under Lenny, which
isn't the case. Apparently one of the Debian team has/had a stiffy for rsyslog
and they prodded us into using it. In my limited experience with it so far, I
see no advantage over the old syslogd.

So one option might be reverting back to syslkogd and work from there. There is
a current and supported sysklogd for Lenny. I'm not sure, but the default
configuration of sysklogd might do almost exactly what you want. You might also
want to look into syslog-ng although I have no experience with it.

Package: sysklogd
State: not installed
Version: 1.5-5
Priority: extra
Section: admin
Maintainer: Martin Schulze <joey@debian.org>
Uncompressed Size: 217k
Depends: libc6 (>= 2.7-1), klogd | linux-kernel-log-daemon
Conflicts: syslogd
Replaces: syslogd
Provides: syslogd, system-log-daemon
Description: System Logging Daemon
This package implements the system log daemon, which is an enhanced version of
the standard Berkeley utility program. It is
responsible for providing logging of messages received from programs and
facilities on the local host as well as from remote hosts.

Package: syslog-ng
State: not installed
Version: 2.0.9-4.1
Priority: extra
Section: admin
Maintainer: SZALAY Attila <sasa@debian.org>
Uncompressed Size: 434k
Depends: libc6 (>= 2.7-1), libevtlog0 (>= 0.2.3), libglib2.0-0 (>= 2.16.0),
lsb-base (>= 3.0-6)
Recommends: logrotate
Conflicts: linux-kernel-log-daemon, system-log-daemon
Provides: linux-kernel-log-daemon, system-log-daemon
Description: Next generation logging daemon
Syslog-ng tries to fill the gaps original syslogd's were lacking:
* powerful configurability
* filtering based on message content
* portability
* better network forwarding

--
Stan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

James Zuelow 01-27-2010 04:55 PM

Rsyslog template
 
> -----Original Message-----
> From: Stan Hoeppner [mailto:stan@hardwarefreak.com]
> Sent: Tuesday, 26 January, 2010 20:22
> To: debian-user
> Cc: James Zuelow
> Subject: Re: Rsyslog template
> You might try just commenting out the original you have, and
> entering something
> like:
> $ActionFileDefaultTemplate TraditionalFormat,%timegenerated%
> %HOSTNAME%
> %syslogtag%%msg%

>
> I don't know if that will work, but that's the first thing
> I'd try. If you

Thanks Stan, that one worked. I should have read my dwww docs a bit more as that line is listed as one of the template examples on the rsyslog.conf page. It's a shame to have dwww installed and keep forgetting to search it...



> don't have DNS hostname entries for the APs' IP addresses,
> then I'd replace
> "%HOSTNAME%" above with "%FROMHOST-IP%" which should just log
> the remote IP address.
>


Interestingly I *do* see references to FROMHOST-IP and fromhost-ip on the web, but when I tried it here I lost hostname resolution in the log files and instead got **INVALID PROPERTY NAME**. However HOSTNAME will enter the IP address if there is not reverse DNS.

So the default template must be similar to the example TraditionalFormat, but without the %HOSTNAME% component. I was wondering if I would see double hostnames after adding it, but I do not so rsyslog must be smart enough to recognise it's presence and not repeat it if it is in the syslog message body. That's just a WAG on my part though.

But I am now getting IP address information on my DWL-3200AP units, and I have not had to revert to sysklogd, so I should be OK if sysklogd gets dropped from squeeze or squeeze+1 for whatever reason.

Cheers, and thanks again.

James Zuelow
Network Specialist
City and Borough of Juneau MIS (907)586-0236


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stan Hoeppner 01-27-2010 08:14 PM

Rsyslog template
 
James Zuelow put forth on 1/27/2010 11:55 AM:
>> -----Original Message-----
>> From: Stan Hoeppner [mailto:stan@hardwarefreak.com]
>> Sent: Tuesday, 26 January, 2010 20:22
>> To: debian-user
>> Cc: James Zuelow
>> Subject: Re: Rsyslog template
>> You might try just commenting out the original you have, and
>> entering something
>> like:
>> $ActionFileDefaultTemplate TraditionalFormat,%timegenerated%
>> %HOSTNAME%
>> %syslogtag%%msg%

>>
>> I don't know if that will work, but that's the first thing
>> I'd try. If you
>
> Thanks Stan, that one worked. I should have read my dwww docs a bit more as that line is listed as one of the template examples on the rsyslog.conf page. It's a shame to have dwww installed and keep forgetting to search it...

Glad I could be of help. I'm no syslog expert. I just trudged my way through
the online docs and my own rsyslog.conf and made a best guess as to what might work.

>> don't have DNS hostname entries for the APs' IP addresses,
>> then I'd replace
>> "%HOSTNAME%" above with "%FROMHOST-IP%" which should just log
>> the remote IP address.
>>
>
>
> Interestingly I *do* see references to FROMHOST-IP and fromhost-ip on the web, but when I tried it here I lost hostname resolution in the log files and instead got **INVALID PROPERTY NAME**. However HOSTNAME will enter the IP address if there is not reverse DNS.

I got the "%FROMHOST-IP% property name from rsyslog.com's docs. It's likely
that Lenny is running a sufficiently old version of rsyslogd that the online
docs describe properties that aren't available in Lenny rsyslog, or that names
of properties have changed in newer rsyslog versions. The Lenny "man rsyslogd"
has zero information on properties. This is probably buried in another doc file
somewhere in the system, likely

/usr/share/doc/rsyslog-doc/html/

My Linux machines are all headless, and I've never bothered with trying to
symlink all the various html doc directories into lighty virtual directories
just to get access to them via a browser. That is a huge waste of OP time.
This penchant for html documentation is a PITA for administering headless
servers. Quite frankly, this really surprises me in the case or rsyslog. The
folks around the world most likely to be making serious use of rsyslog
capabilities (not casual use) are the most likely to be running a datacenter
full of headless servers without easy access to these html doc directories.
Plain text versions of all Debian/Linux system documentation should be included
by default. I'm guessing the rsyslog folks don't provide plain text only
documentation, and the Debian rsyslog maintainers didn't want to take the time
to create a plain text only version of the docs.

How about the case for headless servers that don't run a web server at all? How
then does an admin access this html documentation for rsyslog? This is a sad
state of affairs IMO.

> So the default template must be similar to the example TraditionalFormat, but without the %HOSTNAME% component. I was wondering if I would see double hostnames after adding it, but I do not so rsyslog must be smart enough to recognise it's presence and not repeat it if it is in the syslog message body. That's just a WAG on my part though.

Yes, if you dig into /usr/share/doc/rsyslog-doc/examples/sample.conf it gets you
a little closer to understanding the templates. Not much though.

> But I am now getting IP address information on my DWL-3200AP units, and I have not had to revert to sysklogd, so I should be OK if sysklogd gets dropped from squeeze or squeeze+1 for whatever reason.

Glad you got it working. That's what it's all about. I doubt sysklogd and
syslog-ng will be going away any time soon. One thing Debian has always been
pretty good about is providing multiple choices for each software category. I
think this kinda goes hand in hand with the FSF philosophy of "software freedom".

--
Stan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Michael Biebl 02-02-2010 07:18 AM

Rsyslog template
 
On 27.01.2010 22:14, Stan Hoeppner wrote:

>
> /usr/share/doc/rsyslog-doc/html/
>
> My Linux machines are all headless, and I've never bothered with trying to
> symlink all the various html doc directories into lighty virtual directories
> just to get access to them via a browser. That is a huge waste of OP time.
> This penchant for html documentation is a PITA for administering headless
> servers. Quite frankly, this really surprises me in the case or rsyslog. The
> folks around the world most likely to be making serious use of rsyslog
> capabilities (not casual use) are the most likely to be running a datacenter
> full of headless servers without easy access to these html doc directories.
> Plain text versions of all Debian/Linux system documentation should be included
> by default. I'm guessing the rsyslog folks don't provide plain text only
> documentation, and the Debian rsyslog maintainers didn't want to take the time
> to create a plain text only version of the docs.
>
> How about the case for headless servers that don't run a web server at all? How
> then does an admin access this html documentation for rsyslog? This is a sad
> state of affairs IMO.

You can use lynx or w3m for viewing html files on the console or via SSH.
That said, the documentation of rsyslog can certainly be improved. Especially
the organization is lacking. There is a lot of documentation but not very well
structured or indexed.
Rsyslog upstream is looking for help here, especially with regard to docbook,
which would allow several output formats.
So anyone with experience in that area is most welcome.


Cheers,
Michael


--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Michael Biebl 02-02-2010 07:26 AM

Rsyslog template
 
On 27.01.2010 06:21, Stan Hoeppner wrote:
> less than a fan of rsyslog after upgrading to Lenny and finding that rsyslog has
> a virtual memory footprint of over 30MB(!) compared to only a few hundred
> kilobytes for the old sysklogd. Rsyslog is a $deity d@mn memory hog, and
> there's no good reason for that. Any syslogd should be miserly on resources.

You need to be careful with those numbers. That is virtual memory, which doesn't
tell you a lot, and is is basically due to rsyslog using modules.
The linux linker reserves 10Mb virtual memory per dlopened module.
The default debian rsyslog.conf comes with 2 modules loaded = 20Mb + 10 Mb for
the rsyslog main process = 30 Mb virtual memory.

What is more interesing is the resident or writable memory.

rsyslog uses 560 Kb of resident memory on my machine.

Cheers,
Michael


--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Stan Hoeppner 02-02-2010 07:34 AM

Rsyslog template
 
Michael Biebl put forth on 2/2/2010 2:18 AM:
> On 27.01.2010 22:14, Stan Hoeppner wrote:
>
>>
>> /usr/share/doc/rsyslog-doc/html/
>>
>> My Linux machines are all headless, and I've never bothered with trying to
>> symlink all the various html doc directories into lighty virtual directories
>> just to get access to them via a browser. That is a huge waste of OP time.
>> This penchant for html documentation is a PITA for administering headless
>> servers. Quite frankly, this really surprises me in the case or rsyslog. The
>> folks around the world most likely to be making serious use of rsyslog
>> capabilities (not casual use) are the most likely to be running a datacenter
>> full of headless servers without easy access to these html doc directories.
>> Plain text versions of all Debian/Linux system documentation should be included
>> by default. I'm guessing the rsyslog folks don't provide plain text only
>> documentation, and the Debian rsyslog maintainers didn't want to take the time
>> to create a plain text only version of the docs.
>>
>> How about the case for headless servers that don't run a web server at all? How
>> then does an admin access this html documentation for rsyslog? This is a sad
>> state of affairs IMO.
>
> You can use lynx or w3m for viewing html files on the console or via SSH.
> That said, the documentation of rsyslog can certainly be improved. Especially
> the organization is lacking. There is a lot of documentation but not very well
> structured or indexed.
> Rsyslog upstream is looking for help here, especially with regard to docbook,
> which would allow several output formats.
> So anyone with experience in that area is most welcome.

Thanks for the tips wrt lynx and w3m. However, this rant motivated me to go
ahead and symlink /usr/share/doc/ to a Lighty virtual directory shortly after I
sent the rant above. I assumed I'll probably run into this html doc problem
again so I took the Nike commercial advice. ;)

I don't really have any experience in this documentation area, and I don't have
much knowledge of rsyslog (obviously), or I'd pony up and volunteer.

--
Stan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stan Hoeppner 02-02-2010 08:53 AM

Rsyslog template
 
Michael Biebl put forth on 2/2/2010 2:26 AM:
> On 27.01.2010 06:21, Stan Hoeppner wrote:
>> less than a fan of rsyslog after upgrading to Lenny and finding that rsyslog has
>> a virtual memory footprint of over 30MB(!) compared to only a few hundred
>> kilobytes for the old sysklogd. Rsyslog is a $deity d@mn memory hog, and
>> there's no good reason for that. Any syslogd should be miserly on resources.
>
> You need to be careful with those numbers. That is virtual memory, which doesn't
> tell you a lot, and is is basically due to rsyslog using modules.
> The linux linker reserves 10Mb virtual memory per dlopened module.
> The default debian rsyslog.conf comes with 2 modules loaded = 20Mb + 10 Mb for
> the rsyslog main process = 30 Mb virtual memory.
>
> What is more interesing is the resident or writable memory.
>
> rsyslog uses 560 Kb of resident memory on my machine.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1109 root 20 0 36220 1524 1068 S 0 0.4 1:07.17 rsyslogd

1524 on mine. So what's the significance of the large VIRT footprint, if any?
The reason this jumped out and grabbed my attention is that rsyslog on Lenny has
the largest VIRT footprint of *any* process on my system, including all of the
postfix daemons, lighttpd, the rouundcube php-cgi process (which is a bit of a
hog), postgrey, the samba daemons, the dovecot daemons, everything.

This just seemed really strange to me. Many of these other processes use
modules, and they don't have the huge VIRT footprint. Or am I thinking of the
wrong kind of modules?

--
Stan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Tzafrir Cohen 02-02-2010 10:58 AM

Rsyslog template
 
On Tue, Feb 02, 2010 at 02:34:58AM -0600, Stan Hoeppner wrote:
> Michael Biebl put forth on 2/2/2010 2:18 AM:
> > On 27.01.2010 22:14, Stan Hoeppner wrote:
> >
> >>
> >> /usr/share/doc/rsyslog-doc/html/
> >>
> >> My Linux machines are all headless, and I've never bothered with trying to
> >> symlink all the various html doc directories into lighty virtual directories
> >> just to get access to them via a browser. That is a huge waste of OP time.
> >> This penchant for html documentation is a PITA for administering headless
> >> servers. Quite frankly, this really surprises me in the case or rsyslog. The
> >> folks around the world most likely to be making serious use of rsyslog
> >> capabilities (not casual use) are the most likely to be running a datacenter
> >> full of headless servers without easy access to these html doc directories.
> >> Plain text versions of all Debian/Linux system documentation should be included
> >> by default. I'm guessing the rsyslog folks don't provide plain text only
> >> documentation, and the Debian rsyslog maintainers didn't want to take the time
> >> to create a plain text only version of the docs.
> >>
> >> How about the case for headless servers that don't run a web server at all? How
> >> then does an admin access this html documentation for rsyslog? This is a sad
> >> state of affairs IMO.
> >
> > You can use lynx or w3m for viewing html files on the console or via SSH.
> > That said,

[snip]

>
> Thanks for the tips wrt lynx and w3m. However, this rant motivated me to go
> ahead and symlink /usr/share/doc/ to a Lighty virtual directory shortly after I
> sent the rant above. I assumed I'll probably run into this html doc problem
> again so I took the Nike commercial advice. ;)

aptitude install dwww

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


All times are GMT. The time now is 10:02 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.