IDPA: Error extra characters in config line ignored: while configuration of remote logging (syslog forwarding) on ACM

Summary: Error "extra characters in config line ignored: '*' [v8.2106.0] " while configuration of remote logging (syslog forwarding) on ACM. The issue pertains to the configuration of remote logging (syslog forwarding) on ACM. An error message 'extra characters in the configuration line ignored: '*' [v8.2106.0]' is encountered when attempting to restart the rsyslog service, which prevents log forwarding to the remote server. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

When attempting to restart the rsyslog service using the below command the operation fails. 
systemctl restart

Upon checking the status of rsyslog with the below command an error message is displayed: 
systemctl status rsyslog
  
error: extra characters in config line ignored: ‘’ [v8.2106.0]"

This error prevents logs from being forwarded to the remote server. The issue is traced back to an extraneous '*' in the /etc/rsyslog.conf file that must be removed. 
# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-04-02 14:32:04 UTC; 6s ago
     Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
  Process: 27195 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 40849 ExecStartPre=/usr/sbin/rsyslog-service-prepare (code=exited, status=0/SUCCESS)
Main PID: 40853 (rsyslogd)
    Tasks: 10 (limit: 512)
   CGroup: /system.slice/rsyslog.service
           └─40853 /usr/sbin/rsyslogd -n -iNONE
Apr 02 14:32:04 acm-8300-crk systemd[1]: Starting System Logging Service...
Apr 02 14:32:04 acm-8300-crk systemd[1]: Started System Logging Service.
Apr 02 14:32:04 acm-8300-crk rsyslogd[40853]: error: extra characters in config line ignored: '*' [v8.2106.0]
Apr 02 14:32:04 acm-8300-crk rsyslogd[40853]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2106.0 try  https://www.rsyslog.com/e/2307 ]
Apr 02 14:32:04 acm-8300-crk rsyslogd[40853]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2106.0]
Apr 02 14:32:04 acm-8300-crk rsyslogd[40853]: origin software="rsyslogd" swVersion="8.2106.0" x-pid="40853" x-info="[https://www.rsyslog.com start
 

Cause

The error is caused by an extra asterisk ('*') present in the /etc/rsyslog.conf file. This should be removed for the proper configuration and functioning of syslog forwarding.

Resolution

1.Verify the rsyslog package is installed: 
acm:~ # rpm -qa |grep rsyslog
rsyslog-8.24.0-3.39.1.x86_64
2.Verify the rsyslog service is enabled: 
acm:~ # systemctl is-enabled rsyslog
enabled
3.Open /etc/rsyslog.conf in a text editor.
             Remove the '*' from the below line and add the Syslog entry. 
$template RemoteLogs,"/data01/logs/ESX/%HOSTNAME%/%PROGRAMNAME%.log"* =>Extra
$template RemoteLogs,"/data01/logs/ESX/%HOSTNAME%/%PROGRAMNAME%.log" 
*.*  ?RemoteLogs  
&~
           After changes 
$template RemoteLogs,"/data01/logs/ESX/%HOSTNAME%/%PROGRAMNAME%.log"
$template RemoteLogs,"/data01/logs/ESX/%HOSTNAME%/%PROGRAMNAME%.log" 
 *.* @xxx.xxx.xxx.xxx:514 
 &~ 
             where xxx.xxx.xxx.xxx is the IP address of the remote logging host. 
4. Save and close the file.  
:wq!
5. Restart the rsyslog process by typing the following command: 
# systemctl restart rsyslog

Affected Products

Integrated Data Protection Appliance Family

Products

Integrated Data Protection Appliance Software
Article Properties
Article Number: 000225742
Article Type: Solution
Last Modified: 20 June 2024
Version:  1
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.