-Daedalus Posted February 8, 2019 Share Posted February 8, 2019 Agreed. Thanks very much for this one bonienl. Much appreciated. Quote Link to comment
jedimstr Posted February 9, 2019 Author Share Posted February 9, 2019 Extremely appreciated! Can't wait until 6.7 hits stable release. Quote Link to comment
ljm42 Posted February 10, 2019 Share Posted February 10, 2019 The syslog server in 6.7.0-rc3 works great! As an extension to this feature request, could we somehow leverage the /Tools/Syslog viewer to view files saved by the the syslog server? Quote Link to comment
dlandon Posted February 10, 2019 Share Posted February 10, 2019 24 minutes ago, ljm42 said: The syslog server in 6.7.0-rc3 works great! As an extension to this feature request, could we somehow leverage the /Tools/Syslog viewer to view files saved by the the syslog server? @bonienl I saw that one coming. Quote Link to comment
bonienl Posted February 10, 2019 Share Posted February 10, 2019 (edited) 8 hours ago, dlandon said: @bonienl I saw that one coming. I was waiting for it 😉 Made an enhancement to the syslog viewer. From the syslog viewer page you can view any log stored locally and download as zip file, if needed. Edited February 10, 2019 by bonienl Quote Link to comment
ljm42 Posted February 23, 2019 Share Posted February 23, 2019 The syslog server has a setting for "local syslog folder", but really it only lets you choose a share. Can we select an actual folder such as /mnt/user/system/log/ rather than throw the log files in the root of /mnt/user/system/ ? I wouldn't mind manually editing /boot/config/rsyslog.cfg as long as it won't break the gui Quote Link to comment
bonienl Posted February 23, 2019 Share Posted February 23, 2019 (edited) The current approach was chosen to ensure the folder exists when using the local syslog functionality and give the user the oppertunity to create a dedicated share/folder which preferably is located on the cache device only. You can make manual tweaks to change the destination folder. /boot/config/rsyslog.conf & /etc/rsyslog.conf change the value of parameter "$template remote" /boot/config/rsyslog.cfg change the value of parameter "server_folder" restart daemon: /etc/rc.d/rc.rsyslogd restart These manual changes need to be re-applied each time a change of the syslog settings in the GUI is done. Edited February 23, 2019 by bonienl Quote Link to comment
ljm42 Posted February 23, 2019 Share Posted February 23, 2019 24 minutes ago, bonienl said: These manual changes need to be re-applied each time a change of the syslog settings in the GUI is done. Thanks for this. Any chance the gui could detect when the value it reads from the file isn't what it expects, and just display the value in an input box instead? Just to prevent the gui from overwriting the file and having to remember to fix it Quote Link to comment
bonienl Posted February 23, 2019 Share Posted February 23, 2019 (edited) I added a <custom> entry. This allows the GUI to show that some "other" setting is used. When the file /boot/config/rsyslog.cfg is manually edited (=set custom destination folder), you can make a change in the GUI and the custom setting is automatically set in the appropriate files, with rsyslogd restarted and using the custom setting. You can however not set a custom folder in the GUI. This is on purpose 😙 Edited February 23, 2019 by bonienl Quote Link to comment
ljm42 Posted February 23, 2019 Share Posted February 23, 2019 44 minutes ago, bonienl said: I added a <custom> entry. This allows the GUI to show that some "other" setting is used. When the file /boot/config/rsyslog.cfg is manually edited (=set custom destination folder), you can make a change in the GUI and the custom setting is automatically set in the appropriate files, with rsyslogd restarted and using the custom setting. You can however not set a custom folder in the GUI. This is on purpose 😙 Thanks! I used the Bleeding Edge Toolkit: to install this and it works great. Now my logs are in a subdirectory of the system share. Quote Link to comment
ljm42 Posted February 24, 2019 Share Posted February 24, 2019 (edited) Hey @bonienl, In /etc/rsyslog.conf, would you consider copying this line: $IncludeConfig /etc/rsyslog.d/*.conf somewhere below the "$RuleSet remote" line, perhaps at line 127? The line does already exist elsewhere in the file, but it only seems to apply to the default ruleset and not the remote ruleset. This change will allow us to place custom ruleset files in /etc/rsyslog.d and have them apply to messages from remote systems. For instance, I created a "/etc/rsyslog.d/02-blocklist-extra.conf" file containing this one line: :msg,contains,"DHCPACK on" stop and it stopped logging certain DHCP messages from my router. But it has no effect without the $IncludeConfig line in the $RuleSet remote area. Tagging @dlandon because we talked about cleaning up these remote syslogs in another thread somewhere Edited February 24, 2019 by ljm42 Quote Link to comment
bonienl Posted February 24, 2019 Share Posted February 24, 2019 50 minutes ago, ljm42 said: In /etc/rsyslog.conf, would you consider copying this line: The placement of the IncludeConfig statement should apply to all. Have you tested this to work when added to the remote section? Quote Link to comment
ljm42 Posted February 24, 2019 Share Posted February 24, 2019 Just now, bonienl said: The placement of the IncludeConfig statement should apply to all. Have you tested this to work when added to the remote section? yes, the 02-blocklist-extra.conf file has no effect until I copy the IncludeConfig statement to the "$RuleSet remote" area. Actually, there are several duplicated lines in that section, I wonder if some of them can be removed? $DefaultRuleset local $RuleSet remote $FileOwner nobody $FileGroup users $FileCreateMode 0644 #*.* ?remote <-- needed? $InputUDPServerBindRuleset remote $UDPServerRun 514 $RuleSet remote <-- duplicated? $FileOwner nobody <-- duplicated? $FileGroup users <-- duplicated? $FileCreateMode 0644 <-- duplicated? $IncludeConfig /etc/rsyslog.d/*.conf <-- I added this *.* ?remote $InputUDPServerBindRuleset remote $UDPServerRun 514 Quote Link to comment
bonienl Posted February 24, 2019 Share Posted February 24, 2019 1 hour ago, ljm42 said: Actually, there are several duplicated lines in that section, I wonder if some of them can be removed? Hmm, these duplicates should not exist. $DefaultRuleset local $RuleSet remote $FileOwner nobody $FileGroup users $FileCreateMode 0644 #*.* ?remote $InputTCPServerBindRuleset remote $InputTCPServerRun 514 $InputUDPServerBindRuleset remote $UDPServerRun 514 In the syslog settings disable local server and remove the remote IP address, this should cleanup the file. Then re-apply the original settings. Quote Link to comment
bonienl Posted February 24, 2019 Share Posted February 24, 2019 I added the "includeConfig" option and changed to 0666 mode. Quote Link to comment
-Daedalus Posted February 24, 2019 Share Posted February 24, 2019 On 2/23/2019 at 6:57 PM, bonienl said: You can however not set a custom folder in the GUI. This is on purpose 😙 Why was this, out of interest? I'd ideally like to put output from this on /system/logs, but instead the logs will be on the root of the /system share, which isn't wonderful from an organisational standpoint. I imagine I'm not the only one who would do this. It also seems a little much to have to great a logs share solely for this. nit-picking I'll grant you, but I figure this is the time for it, seeing as it's newly-added. Quote Link to comment
ljm42 Posted February 24, 2019 Share Posted February 24, 2019 3 hours ago, bonienl said: In the syslog settings disable local server and remove the remote IP address, this should cleanup the file. 2 hours ago, bonienl said: I added the "includeConfig" option and changed to 0666 mode. Thanks @bonienl! I disabled / enabled the service and updated to the latest code. Now this is the tail end of my rsyslog.conf: $DefaultRuleset local $RuleSet remote $FileOwner nobody $FileGroup users $FileCreateMode 0666 $IncludeConfig /etc/rsyslog.d/*.conf *.* ?remote $InputUDPServerBindRuleset remote $UDPServerRun 514 And my custom rules are working. Thanks! Quote Link to comment
dlandon Posted February 25, 2019 Share Posted February 25, 2019 7 hours ago, ljm42 said: Hey @bonienl, In /etc/rsyslog.conf, would you consider copying this line: $IncludeConfig /etc/rsyslog.d/*.conf somewhere below the "$RuleSet remote" line, perhaps at line 127? The line does already exist elsewhere in the file, but it only seems to apply to the default ruleset and not the remote ruleset. This change will allow us to place custom ruleset files in /etc/rsyslog.d and have them apply to messages from remote systems. For instance, I created a "/etc/rsyslog.d/02-blocklist-extra.conf" file containing this one line: :msg,contains,"DHCPACK on" stop and it stopped logging certain DHCP messages from my router. But it has no effect without the $IncludeConfig line in the $RuleSet remote area. Do these rules apply to all logs? I Want to filter some messages from my router. It is flooded with extraneous messages. Quote Link to comment
ljm42 Posted February 25, 2019 Share Posted February 25, 2019 1 hour ago, dlandon said: Do these rules apply to all logs? I Want to filter some messages from my router. It is flooded with extraneous messages. yep! The simple "property-based filters" like in my example apply to all sources. If you want something that applies only to one source (i.e. the router) then I think you'd need to use "expression-based filters" where you can have complex if statements. I haven't tried that yet. This page has more info: https://www.rsyslog.com/doc/v8-stable/configuration/filters.html Quote Link to comment
dlandon Posted February 25, 2019 Share Posted February 25, 2019 I've set it up as you suggested, but it is not working for me yet. I'll wait for the next release with the fixes. Quote Link to comment
bonienl Posted February 25, 2019 Share Posted February 25, 2019 17 hours ago, -Daedalus said: Why was this, out of interest? The current implementation ensures the user selects a folder which does already exist. This is mandatory for the service to work. Quote Link to comment
ljm42 Posted February 25, 2019 Share Posted February 25, 2019 (edited) On 2/25/2019 at 2:21 AM, dlandon said: I've set it up as you suggested, but it is not working for me yet. I'll wait for the next release with the fixes. If you've added the additional "$IncludeConfig /etc/rsyslog.d/*.conf" line, then there could be an issue with your rule. For instance, I was trying to block this line: Feb 9 16:01:48 192.168.10.1 dhcpd: DHCPREQUEST for 192.168.10.40 (192.168.10.1) from ... and at first I tried this: :msg,startswith,"dhcpd: DHCPREQUEST for" stop but it turns out that "dhcpd" is the application, the msg doesn't start until " DHCPREQUEST". So this rule worked: :msg,startswith," DHCPREQUEST for" stop Also, I believe you have to restart the rsyslogd service after editing any of these files: /etc/rc.d/rc.rsyslogd restart Edited February 27, 2019 by ljm42 Quote Link to comment
dlandon Posted February 25, 2019 Share Posted February 25, 2019 25 minutes ago, ljm42 said: If you've added the additional "$IncludeConfig /etc/rsyslog.d/*.conf" line, then there could be an issue with your rule. For instance, I was trying to block this line: Ok. It seems I did have an issue like this. I changed the rule and we'll see how it works. I'm extremely grateful for the syslog server capability and now with being able to filter a large number of extraneous messages from the router log, I can finally read it. I can't scroll back in the log on the router because it refreshes a lot and starts all over at the top when it does. I really like the idea of keeping server logs in a more permanent place and current in case of an unplanned shutdown. Thanks @ljm42 for all your help here. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.