selivan/rsyslog.conf

## rsyslog.conf
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog" PermitNonKernelFacility="on")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability
module(load="omrelp")  # provides support for RELP protocol
module(load="imfile")  # provides support for reading logs from files. Default mode: inotify.

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Use traditional timestamp format.
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# High precision timestamps and timezoone information
# https://www.rsyslog.com/doc/v8-stable/configuration/templates.html#reserved-template-names
$ActionFileDefaultTemplate RSYSLOG_FileFormat

# Filter duplicated messages
# rsyslog guys do not recommend this feature: https://www.rsyslog.com/doc/v8-stable/configuration/action/rsconf1_repeatedmsgreduction.html#description
#$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

###################
#### TEMPLATES ####
###################

# Used for forwarding logs over network
# Support tags longer than 32 characters
# $.suffix variable is used to add file path if required
template (name="LongTagForwardFormat" type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%")

# Template to output only the message
template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")

##################
#### RULESETS ####
##################

# Ruleset to send messages to logserver

# Queue is used to save logs when the server is unavailable:
# http://www.rsyslog.com/doc/v8-stable/concepts/queues.html#disk-assisted-memory-queues
# Warning: message relative order can be disrupted on message transfer from queue after resuming network connectivity

# Disk-Assisted Memory Queue: queue.type="LinkedList" + queue.filename
# queue.size - max elements in memory
# queue.highwatermark - when to start saving to disk
# queue.lowwatermark - when to stop saving to disk
# queue.saveonshutdown - save on disk between rsyslog shutdown
# action.resumeInterval - interval to suspend action if destination can not be connected
# action.resumeRetryCount - number of retries for action, -1 = eternal
# action.reportSuspension
# action.reportSuspensionContinuation
# After each 10 retries, the interval is extended: (numRetries / 10 + 1) * Action.ResumeInterval
ruleset(name="sendToLogserver") {
    action(type="omrelp" Target="logserver.internal" Port="5140" Template="LongTagForwardFormat"
    queue.type="LinkedList" queue.size="10000" queue.filename="q_sendToLogserver"
    queue.highwatermark="9000" queue.lowwatermark="50" queue.maxdiskspace="500m" queue.saveonshutdown="on"
    action.resumeInterval="10" action.resumeRetryCount="-1"
    action.reportSuspension="on" action.reportSuspensionContinuation="on")

    # Failover server
    #$ActionExecOnlyWhenPreviousIsSuspended on
    #action(type="omrelp" Target="" Port="" Template="LongTagForwardFormat"
    #action.execOnlyWhenPreviousIsSuspended="on" queue.dequeuebatchsize="1")
    #$ActionExecOnlyWhenPreviousIsSuspended off
}

##################
#### INCLUDES ####
##################

$IncludeConfig /etc/rsyslog.d/*.conf
	# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

	#################
	#### MODULES ####
	#################

	module(load="imuxsock") # provides support for local system logging
	module(load="imklog" PermitNonKernelFacility="on") # provides kernel logging support
	#module(load="immark") # provides --MARK-- message capability
	module(load="omrelp") # provides support for RELP protocol
	module(load="imfile") # provides support for reading logs from files. Default mode: inotify.

	###########################
	#### GLOBAL DIRECTIVES ####
	###########################

	# Use traditional timestamp format.
	#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
	# High precision timestamps and timezoone information
	# https://www.rsyslog.com/doc/v8-stable/configuration/templates.html#reserved-template-names
	$ActionFileDefaultTemplate RSYSLOG_FileFormat

	# Filter duplicated messages
	# rsyslog guys do not recommend this feature: https://www.rsyslog.com/doc/v8-stable/configuration/action/rsconf1_repeatedmsgreduction.html#description
	#$RepeatedMsgReduction on

	#
	# Set the default permissions for all log files.
	#
	$FileOwner syslog
	$FileGroup adm
	$FileCreateMode 0640
	$DirCreateMode 0755
	$Umask 0022
	$PrivDropToUser syslog
	$PrivDropToGroup syslog

	#
	# Where to place spool and state files
	#
	$WorkDirectory /var/spool/rsyslog

	###################
	#### TEMPLATES ####
	###################

	# Used for forwarding logs over network
	# Support tags longer than 32 characters
	# $.suffix variable is used to add file path if required
	template (name="LongTagForwardFormat" type="string"
	string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%")

	# Template to output only the message
	template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")

	##################
	#### RULESETS ####
	##################

	# Ruleset to send messages to logserver

	# Queue is used to save logs when the server is unavailable:
	# http://www.rsyslog.com/doc/v8-stable/concepts/queues.html#disk-assisted-memory-queues
	# Warning: message relative order can be disrupted on message transfer from queue after resuming network connectivity

	# Disk-Assisted Memory Queue: queue.type="LinkedList" + queue.filename
	# queue.size - max elements in memory
	# queue.highwatermark - when to start saving to disk
	# queue.lowwatermark - when to stop saving to disk
	# queue.saveonshutdown - save on disk between rsyslog shutdown
	# action.resumeInterval - interval to suspend action if destination can not be connected
	# action.resumeRetryCount - number of retries for action, -1 = eternal
	# action.reportSuspension
	# action.reportSuspensionContinuation
	# After each 10 retries, the interval is extended: (numRetries / 10 + 1) * Action.ResumeInterval
	ruleset(name="sendToLogserver") {
	action(type="omrelp" Target="logserver.internal" Port="5140" Template="LongTagForwardFormat"
	queue.type="LinkedList" queue.size="10000" queue.filename="q_sendToLogserver"
	queue.highwatermark="9000" queue.lowwatermark="50" queue.maxdiskspace="500m" queue.saveonshutdown="on"
	action.resumeInterval="10" action.resumeRetryCount="-1"
	action.reportSuspension="on" action.reportSuspensionContinuation="on")

	# Failover server
	#$ActionExecOnlyWhenPreviousIsSuspended on
	#action(type="omrelp" Target="" Port="" Template="LongTagForwardFormat"
	#action.execOnlyWhenPreviousIsSuspended="on" queue.dequeuebatchsize="1")
	#$ActionExecOnlyWhenPreviousIsSuspended off
	}

	##################
	#### INCLUDES ####
	##################

	$IncludeConfig /etc/rsyslog.d/*.conf