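# Aaron's Solace Configuration for rsyslog
# GitHub: aaron-613
# Last tested against rsyslogd v8.24.0
# Uses almost all RainerScript (advanced) with some legacy ("basic") config
# Useful: https://docs.solace.com/System-and-Software-Maintenance/Monitoring-Events-Using-Syslog.htm
# Useful for debugging config: rsyslogd -N1 -d
#
# Flow: three plain-TCP listeners (one per environment) feed the "sol-rsyslog"
# ruleset, which files messages by syslog facility under /var/log/solace/<host>/
# and copies an "alertable" subset into /var/log/solace/alerts.log.

# ---- inputs ----------------------------------------------------------------
# Provides TCP syslog reception (plain TCP, no TLS).
#module(load="imtcp" MaxSessions="500" threads="2")
module(load="imptcp" threads="2")
# RateLimit.Interval="0" switches the per-input rate limiter OFF, so a single
# misbehaving (or hostile) sender can fill the disk, and nothing in this file
# restricts which hosts may connect. Keep these ports reachable only from the
# Solace appliances (firewall / network ACL) when the listener is on a shared
# network.
input(type="imptcp" Name="SolaceDev"  Port="51400" Ruleset="sol-rsyslog" RateLimit.Interval="0" RateLimit.Burst="0")
input(type="imptcp" Name="SolaceTest" Port="51401" Ruleset="sol-rsyslog" RateLimit.Interval="0" RateLimit.Burst="0")
input(type="imptcp" Name="SolaceProd" Port="51402" Ruleset="sol-rsyslog" RateLimit.Interval="0" RateLimit.Burst="0")

# ---- permissions of the log tree -------------------------------------------
# Directories are created rwxr-xr-x and files rw-r--r--.
# The umask is process-wide: 0022 gives exactly the omfile modes below while
# not leaving anything else rsyslog happens to create world-writable (0000 did).
# old school:
$umask 0022
$FileCreateMode 0644
$DirCreateMode 0755
# new way, doesn't seem to work?!
#module(load="builtin:omfile" DirCreateMode="0755" FileCreateMode="0644")

# ---- output paths (dynafile templates) -------------------------------------
# Where the Solace logs get put. %HOSTNAME% is whatever the *sender* wrote in
# the syslog header and it becomes a path component, so slashes in it are
# replaced by '_' (secpath-replace) and a forged hostname cannot add extra
# path components. (A bare '..' hostname is not covered by that option.)
template(name="CmdLog"    type="string" string="/var/log/solace/%HOSTNAME:::secpath-replace%/command.log")
template(name="ShowLog"   type="string" string="/var/log/solace/%HOSTNAME:::secpath-replace%/show.log")
template(name="EventLog"  type="string" string="/var/log/solace/%HOSTNAME:::secpath-replace%/event.log")
template(name="AuthLog"   type="string" string="/var/log/solace/%HOSTNAME:::secpath-replace%/auth.log")
template(name="SystemLog" type="string" string="/var/log/solace/%HOSTNAME:::secpath-replace%/system.log")
# shared across all hosts
template(name="AlertLog"  type="string" string="/var/log/solace/alerts.log")
# defined but not referenced by the ruleset in this file
template(name="NoticeLog" type="string" string="/var/log/solace/notice.log")

# Parses the VPN name out of VPN and CLIENT events so per-VPN directories can be
# used (see the optional lines in the ruleset).
# https://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html
# It's field #4 because there's a leading/padded space in %msg.
# The VPN name also comes from message text and ends up in a path, hence the
# same slash replacement as for %HOSTNAME%.
template(name="extractVpn" type="string" string="%msg:F,32:4:secpath-replace%")
template(name="VpnLog"     type="string" string="/var/log/solace/%HOSTNAME:::secpath-replace%/%$!vpn%/event.log")

# ---- line formats ----------------------------------------------------------
# Both formats keep the timestamp at millisecond precision: characters 1-23 of
# the RFC3339 stamp (through the milliseconds) plus the timezone suffix from
# character 27 onwards, dropping the sub-millisecond digits in between.
# Solace Command logs -- severity omitted as everything is 'info' with command logs
template(name="CmdLogFormat" type="string" string="%TIMESTAMP:1:23:date-rfc3339%%TIMESTAMP:27:$:date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
# Solace event logs; the variant below also prints the facility
#template(name="EventLogFormat" type="string" string="%TIMESTAMP:1:23:date-rfc3339%%TIMESTAMP:27:$:date-rfc3339% <%syslogfacility-text%.%syslogpriority-text%> %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
template(name="EventLogFormat" type="string" string="%TIMESTAMP:1:23:date-rfc3339%%TIMESTAMP:27:$:date-rfc3339% <%syslogseverity-text%> %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")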
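ruleset(name="sol-rsyslog") {
  # Messages are dispatched by syslog facility. Anything that is not on
  # local1 / local3 / local4 leaves the ruleset without being written anywhere.

  # ---- command logs (local1) -----------------------------------------------
  if ($syslogfacility-text == 'local1') then {
    # read-only 'show' commands (CLI or SEMP) go to show.log, so command.log
    # only holds configuration changes
    if (($msg startswith ' CLI' and ($msg contains '> show ' or $msg contains '# show ')) or
        ($msg startswith ' SEMP' and ($msg contains '> show ' or $msg contains ' show '))) then {
      ?ShowLog; CmdLogFormat
      stop
    } else {
      # they are config commands, so log 'em!
      ?CmdLog; CmdLogFormat
      stop
    }
  }

  # ---- system.log (local4) -------------------------------------------------
  # kinda useless in my opinion, since they're a subset of event log
  if ($syslogfacility-text == 'local4') then {
    ?SystemLog; EventLogFormat
    stop
  }

  # ---- event log (local3) --------------------------------------------------
  if ($syslogfacility-text == 'local3') then {
    # Session open/close/deny and connect/SSL rejections are generated in bulk
    # by monitoring apps, so they get their own auth.log. There is deliberately
    # no 'stop' here: they still pass through the alert filters below and, at
    # notice or higher severity, are copied to alerts.log as well.
    if ($msg startswith ' SYSTEM: SYSTEM_AUTHENTICATION_SESSION_OPENED' or
        $msg startswith ' SYSTEM: SYSTEM_AUTHENTICATION_SESSION_CLOSED' or
        $msg startswith ' SYSTEM: SYSTEM_AUTHENTICATION_SESSION_DENIED' or
        $msg startswith ' SYSTEM: SYSTEM_CLIENT_CONNECT_AUTH_FAIL' or
        $msg startswith ' SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED') then {
      ?AuthLog; EventLogFormat
      #stop
    } else {
      # valid events, put in the log! This is the "raw" data
      ?EventLog; EventLogFormat
    }

    # Syslog severity codes (lower number = more severe):
    #   0 Emergency   1 Alert    2 Critical        3 Error
    #   4 Warning     5 Notice   6 Informational   7 Debug
    # Note that $msg carries a leading space, hence the ' SYSTEM: ' patterns.

    # SYSTEM-level events carry no VPN name. Alert on notice or higher, plus the
    # CLEAR / UP / ENABLE transitions so the alert log also shows a problem
    # being resolved and can be correlated later.
    if ($msg startswith ' SYSTEM: ') then {
      if ($syslogseverity <= 5 or
          $msg contains '_CLEAR: ' or
          $msg contains '_UP: ' or
          $msg contains '_ENABLE: ') then {
        ?AlertLog; EventLogFormat
        stop
      }
    } else {
      # These are VPN or CLIENT level event logs.
      # OPTIONAL: one directory per VPN using the VpnLog template -- uncomment
      # the next two lines. Useful in large appliance environments where the
      # combined event.log rolls too fast, but watch the number of open file
      # handles!
      #set $!vpn = exec_template("extractVpn");
      #?VpnLog; EventLogFormat

      # Alert log for VPN/CLIENT events: warning or higher, CLEAR / UP /
      # ENABLE / DOWN transitions, every SolCache event and every VPN bridge
      # link (up/down/reject) event -- EXCEPT client bind failures (noisy),
      # VPN state changes and VPN_SERVICE_* state changes.
      # The whole include list is parenthesised before 'and not (...)' because
      # 'and' binds tighter than 'or': without the outer parentheses the
      # exclusions only applied to the VPN_BRIDGING_LINK_ term, and a
      # warning-level CLIENT_CLIENT_BIND_FAILED still reached alerts.log via
      # the severity test.
      # NOTE(review): 'contains' is a literal substring test, so '_DOWN[:_]'
      # only matches a message that contains exactly that text. If a regex was
      # intended, re_match($msg, '...') is the RainerScript form -- but confirm
      # the pattern first, as '_DOWN[:_]' would also match '..._DOWN_INFO',
      # which the original comment says it was meant to exclude.
      if (($syslogseverity <= 4 or
           $msg contains '_CLEAR: ' or
           $msg contains '_UP: ' or
           $msg contains '_ENABLE: ' or
           $msg contains '_DOWN[:_]' or
           $msg startswith ' VPN: VPN_SOLCACHE_' or
           $msg startswith ' VPN: VPN_BRIDGING_LINK_')
          and not (
            $msg startswith ' CLIENT: CLIENT_CLIENT_BIND_FAILED: ' or
            $msg startswith ' VPN: VPN_VPN_STATE_CHANGE:' or
            $msg startswith ' VPN: VPN_SERVICE_'
          )) then {
        ?AlertLog; EventLogFormat
        stop
      }
    }
  }
}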