
I have the following config:

module( load="impstats"
        interval="300"
        severity="7"
        log.syslog="off"
        log.file="/var/log/rsyslog-stats.log"
)

dyn_stats(name="msg_per_host" resettable="off" maxCardinality="3000" unusedMetricLife="86400")
set $.inc_status = dyn_inc("msg_per_host", $hostname)

if ($.inc_status != 0) then { 
    action(name="dyn_stat_inc_error" type="omfile" file="/dev/null" template="DynStatsError")
}

module(load="imuxsock")
input( type="imuxsock" socket="/dev/log")

module(load="imudp")
input( type="imudp" port="514")

$WorkDirectory /var/lib/rsyslog

module( load="builtin:omfile" template="RSYSLOG_TraditionalFileFormat")

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# Templates
$template RemoteHost,"/var/log/syslog/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%-syslog.log"

# Remote Logging
$RuleSet remote
*.* ?RemoteHost

$InputUDPServerBindRuleset remote
$UDPServerRun 514

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @rsyslog_storage:514

And I want to get metrics by IP addresses... but it doesn't work that way.

In the official documentation it looks a bit tricky: manual documentation on official site, another page on official site

As I understand it, it should work... but in the logs I see this:

/var/tmp/rsyslog # cat /var/log/rsyslog-stats.log 
Fri Mar 22 13:45:47 2019: global: origin=dynstats msg_per_host.ops_overflow=0 msg_per_host.new_metric_add=0 msg_per_host.no_metric=0 msg_per_host.metrics_purged=0 msg_per_host.ops_ignored=0 msg_per_host.purge_triggered=0 
Fri Mar 22 13:45:47 2019: msg_per_host: origin=dynstats.bucket 
Fri Mar 22 13:45:47 2019: resource-usage: origin=impstats utime=29199 stime=6257 maxrss=5008 minflt=1800 majflt=0 inblock=0 oublock=0 nvcsw=117 nivcsw=6 openfiles=6 
Fri Mar 22 13:45:47 2019: main Q: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0 

Which is not correct, because I'm sending alerts with logger, and without set $.inc_status = and if... it shows all messages fine, but doesn't show counters for the IP addresses.

/var/tmp/rsyslog # rsyslogd -v
rsyslogd 8.40.0, compiled with:
    PLATFORM:               x86_64-alpine-linux-musl
    PLATFORM (lsb_release -d):      
    FEATURE_REGEXP:             Yes
    GSSAPI Kerberos 5 support:      Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    memory allocator:           system default
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
    systemd support:            No
    Number of Bits in RainerScript integers: 64

See https://www.rsyslog.com for more information.

What is wrong? Why doesn't it work?

Psychozoic

1 Answer

I found the problem: the dyn_inc function should be added to the ruleset!

But this is a bit awkward, because I want to get global metrics...

Now my config looks like this:

$WorkDirectory /var/lib/rsyslog

module( load="impstats"
        interval="300"
        severity="7"
        ruleset="remote"
        log.file="/var/log/rsyslog-stats.log"
)

module(load="imuxsock")
input( type="imuxsock" socket="/dev/log")

module(load="imudp")
input( type="imudp" port="514" ruleset="remote")

module( load="builtin:omfile"
        template="RSYSLOG_TraditionalFileFormat"
)

dyn_stats(name="msg_per_host" resettable="off" maxCardinality="3000" unusedMetricLife="86400")


*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# Templates
template(name="RemoteHost" type="list") {
    constant(value="/var/log/syslog/")
    property(name="timegenerated" dateFormat="year")
    constant(value="-")
    property(name="timegenerated" dateFormat="month")
    constant(value="-")
    property(name="timegenerated" dateFormat="day")
    constant(value="/")
    property(name="fromhost-ip")
    constant(value="-syslog.log")
    property(name="$.logpath")
}


ruleset(name="remote") {
    set $.inc_status = dyn_inc("msg_per_host", $fromhost-ip);

    if ($.inc_status != 0) then { 
        action(name="dyn_stat_inc_error" type="omfile" file="/dev/null")
    }
    action(type="omfile" DynaFile="RemoteHost")
}

Also, one question is still open: is it possible to show statistics for received bytes? There could be a case where some server in the network sends 20 messages with 1kb data, and another one sends 10 messages with 3kb data...

Psychozoic
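Once dyn_inc runs inside the ruleset the input is bound to, the msg_per_host bucket line carries one key=count pair per source address. The following is an added example (not part of the original posts) that reads the impstats file, turns the running totals produced by resettable="off" into per-interval message counts per source, and reports intervals where ops_overflow shows that maxCardinality was reached. The sample lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
# Constructed sample in the impstats log.file format shown above; the
# 192.0.2.x sources and their counts are made up for illustration.
SAMPLE = """\
Fri Mar 22 13:45:47 2019: global: origin=dynstats msg_per_host.ops_overflow=0 msg_per_host.new_metric_add=2 msg_per_host.no_metric=0
Fri Mar 22 13:45:47 2019: msg_per_host: origin=dynstats.bucket 192.0.2.10=20 192.0.2.11=10
Fri Mar 22 13:50:47 2019: global: origin=dynstats msg_per_host.ops_overflow=3 msg_per_host.new_metric_add=0 msg_per_host.no_metric=0
Fri Mar 22 13:50:47 2019: msg_per_host: origin=dynstats.bucket 192.0.2.10=25 192.0.2.11=510
Fri Mar 22 13:50:47 2019: main Q: origin=core.queue size=0 enqueued=30 full=0
"""

def parse_stats(text):
    """Split impstats lines into dynstats bucket counters and health counters."""
    buckets, health = [], []
    for line in text.splitlines():
        parts = line.strip().split(": ", 2)      # timestamp, stats name, fields
        if len(parts) != 3:
            continue
        ts, name, rest = parts
        fields = dict(f.rsplit("=", 1) for f in rest.split() if "=" in f)
        origin = fields.pop("origin", "")
        if origin == "dynstats.bucket":          # one key=count pair per source
            buckets.append((ts, name, {k: int(v) for k, v in fields.items()}))
        elif origin == "dynstats":               # bookkeeping for all buckets
            health.append((ts, {k: int(v) for k, v in fields.items()}))
    return buckets, health

def interval_deltas(buckets, bucket_name):
    """resettable="off" gives running totals, so report the change per interval."""
    prev, out = {}, []
    for ts, name, counters in buckets:
        if name != bucket_name:
            continue
        # A total lower than before means the metric was purged or rsyslog
        # restarted; count the new total as this interval's volume.
        delta = {k: v - prev.get(k, 0) if v >= prev.get(k, 0) else v
                 for k, v in counters.items()}
        out.append((ts, delta))
        prev = counters
    return out

def overflow_events(health, bucket_name):
    """Timestamps where ops_overflow > 0: maxCardinality was hit, sources went uncounted."""
    key = bucket_name + ".ops_overflow"
    return [ts for ts, counters in health if counters.get(key, 0) > 0]

if __name__ == "__main__":
    buckets, health = parse_stats(SAMPLE)
    for ts, delta in interval_deltas(buckets, "msg_per_host"):
        print(ts, delta)
    print("overflow at:", overflow_events(health, "msg_per_host"))
```

An empty bucket line such as the one in the question parses to an empty counter set, which is a quick way to confirm that dyn_inc is not being reached by the incoming messages.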