Re: [rsyslog] Antwort: Local logging gets disabled when the connection to syslog server breaks.

Tue, 18 Aug 2020 02:32:19 -0700 

Dear Cyril,

Thanks for your help.

The workaround suggested by you worked!! I changed the rsyslog setting at
client node to :

$ModLoad imfile
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
&
@@172.17.xxx.xxx:11514
&
@@10.237.xxx.xxx:11514
& stop
authpriv.*                                              /var/log/secure
&
@@172.17.xxx.xxx:11514
&
@@10.237.xxx.xxx:11514
& stop
mail.*                                                  -/var/log/maillog
&
@@172.17.xxx.xxx:11514
&
@@10.237.xxx.xxx:11514
& stop
cron.*                                                  /var/log/cron
&
@@172.17.xxx.xxx:11514
&
@@10.237.xxx.xxx:11514
& stop
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
&
@@172.17.xxx.xxx:11514
&
@@10.237.xxx.xxx:11514
& stop
auth.*        /var/log/audit/audit.log
&        @@172.17.xxx.xxx:11514
&        @@10.237.xxx.xxx:11514
& stop
kern.*        @@172.17.xxx.xxx:11514
&             @@10.237.xxx.xxx:11514
& stop
$FileCreateMode 0640

After that I stopped the rsyslog service at one of the server and checked
local logging using the logger command. However it would be really helpfull
if you could explain the reason behind this as well , also after shutting
down the syslog service at server, i can see following message at client
side, i think they are general retry message to try rebuilding the
connection with server:

Aug 18 12:25:37  rsyslogd[80041]: action 'action 4' resumed (module
'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:25:37  rsyslogd[80041]: action 'action 4' resumed (module
'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:25:37  rsyslogd[80041]: action 'action 1' resumed (module
'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:25:37  rsyslogd[80041]: action 'action 1' resumed (module
'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:28:08  rsyslogd[80041]: action 'action 1' suspended, next retry
is Tue Aug 18 12:28:38 2020 [v8.24.0-34.el7 try
http://www.rsyslog.com/e/2007 ]
Aug 18 12:30:15  rsyslogd[80041]: action 'action 4' suspended, next retry
is Tue Aug 18 12:30:45 2020 [v8.24.0-34.el7 try
http://www.rsyslog.com/e/2007 ]
Aug 18 12:32:22  rsyslogd[80041]: action 'action 10' suspended, next retry
is Tue Aug 18 12:32:52 2020 [v8.24.0-34.el7 try
http://www.rsyslog.com/e/2007 ]
Aug 18 12:47:22  rsyslogd[80041]: action 'action 18' suspended, next retry
is Tue Aug 18 12:47:52 2020 [v8.24.0-34.el7 try
http://www.rsyslog.com/e/2007 ]

On Tue, Aug 18, 2020 at 1:58 PM Cyril Stoll via rsyslog <
[email protected]> wrote:

>
> Hi Pratik Rana
>
> Have you tried linking the same ones together and then stopping execution
> like so:
>
> authpriv.*                              /var/log/secure
> &                                       @@172.17.XXX.XXX:11514
> &                                       @@10.237.XXX.XXX:11514
> & stop
> mail.*                                  -/var/log/maillog
> &                                       @@172.17.XXX.XXX:11514
> &                                       @@10.237.XXX.XXX:11514
> & stop
> .......
> ......
> ....
>
> and so on for all the facilities you are interested in.
>
> Best,
> Cyril
> --
> Universität Zürich
> Cyril Stoll
> Zentrale Informatik
> Stampfenbachstrasse 73
> CH-8006 Zürich
> Tel. +41 44 63 5 22 93
> www.zi.uzh.ch
>
>
>
> Von:    "PRATIK RANA via rsyslog" <[email protected]>
> An:     [email protected]
> Kopie:  "PRATIK RANA" <[email protected]>
> Datum:  18/08/2020 08:47
> Betreff:        [rsyslog] Local logging gets disabled when the connection
> to
>             syslog server breaks.
> Gesendet von:   "rsyslog" <[email protected]>
>
>
>
> Hi all,
>
> I have two syslog servers at different sites which are receiving logs from
> client nodes configured on various sites. All of my client nodes are
> configured to send logs to both of these syslog servers. But whenever my
> client node gets disconnected to any one of the server node, then the
> rsyslog service stops the local logging of the system(i.e is logging into
> /var/log/messages etc.) as well.
>
> Here is the rsyslog.conf configuration for my client nodes:
>
> $ModLoad imfile
> $ModLoad imuxsock # provides support for local system logging (e.g. via
> logger command)
> $ModLoad imjournal # provides access to the systemd journal
> $DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
> $DefaultNetstreamDriver gtls
> $ActionSendStreamDriverAuthMode anon
> $ActionSendStreamDriverMode 1
> $WorkDirectory /var/lib/rsyslog
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $IncludeConfig /etc/rsyslog.d/*.conf
> $OmitLocalLogging on
> $IMJournalStateFile imjournal.state
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> authpriv.*                                              /var/log/secure
> mail.*                                                  -/var/log/maillog
> cron.*                                                  /var/log/cron
> *.emerg                                                 :omusrmsg:*
> uucp,news.crit                                          /var/log/spooler
> local7.*                                                /var/log/boot.log
> *.info;mail.none;authpriv.none;cron.none;auth.none;kern.none;local7.none
>   @@172.17. XXX.XXX :11514
> authpriv.*    @@172.17. XXX.XXX :11514
> auth.*        /var/log/audit/audit.log
> auth.*        @@172.17. XXX.XXX :11514
> kern.*        @@172.17. XXX.XXX :11514
> mail.*        @@172.17. XXX.XXX :11514
> cron.*        @@172.17. XXX.XXX :11514
> local7.*      @@172.17. XXX.XXX :11514
> *.info;mail.none;authpriv.none;cron.none;auth.none;kern.none;local7.none
>   @@10.237. XXX.XXX :11514
> authpriv.*    @@10.237.XXX.XXX:11514
> auth.*        @@10.237. XXX.XXX :11514
> kern.*        @@10.237. XXX.XXX :11514
> mail.*        @@10.237. XXX.XXX :11514
> cron.*        @@10.237. XXX.XXX :11514
> local7.*      @@10.237. XXX.XXX :11514
> $FileCreateMode 0640
>
> --
> Regards,
> *PRATIK RANA*
> *Software Engineer*
> *NEC Technologies India*
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.



-- 
Regards,
*PRATIK RANA*
*Software Engineer*
*NEC Technologies India*
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to