Try adding nocopytruncate to your logrotate config; you may have some other config that is setting copytruncate as the default.

David Lang

On Tue, 7 Sep 2021, Andrew via rsyslog wrote:

Date: Tue, 7 Sep 2021 07:30:27 +0930
From: Andrew via rsyslog <[email protected]>
To: Mariusz Kruk via rsyslog <[email protected]>
Cc: Andrew <[email protected]>
Subject: Re: [rsyslog] imfile-state file not returning to zero after logrotate

Hi Mariusz,

So at present, when rsyslog stops transferring the files, I do the following (taken directly from my terminal):

[root@server1]# cd /var/lib/rsyslog
[root@server1 rsyslog]# ls -i /var/log/httpd/access.log
136571049 /var/log/httpd/access.log
[root@server1 rsyslog]# ls -al |grep 136571049
-rw-------.  1 root root    112 Aug  1 03:22 imfile-state:136571049
[root@server1 rsyslog]# cat imfile-state:136571049
{ "filename": "\/var\/log\/httpd\/error.log", "prev_was_nl": 0, "curr_offs": 116061285, "strt_offs": 116061285 }
[root@server1 rsyslog]#
[root@server1 rsyslog]# service rsyslog stop
Redirecting to /bin/systemctl stop rsyslog.service
[root@server1 rsyslog]# vim imfile-state:136571049
[root@server1 rsyslog]# service rsyslog start

So as you can see, the httpd access log file retains the inode number after rotate but the imfile-state:<inode> file is not being returned to zero and I can't figure out why. I neglected to mention below in my original post that in the logrotate config file for httpd, I have a second section which sends a HUP to the running rsyslog. From other reading, the HUP should mean that rsyslog will notice that the file has been emptied and zero the imfile-state file.

Regards,

Andrew.


On 9/1/21 5:24 PM, Mariusz Kruk via rsyslog wrote:
Well, with this logrotate setup the file should not get copied and truncated but moved. Do you have copytruncate as a default rotate mode?

Have you verified the inode numbers on log files?

From https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html -

"The file monitor supports file rotation. To fully work, rsyslogd must run while the file is rotated. Then, any remaining lines from the old file are read and processed and when done with that, the new file is being processed from the beginning. If rsyslogd is stopped during rotation, the new file is read, but any not-yet-reported lines from the previous file can no longer be obtained."



On 01.09.2021 04:07, S&A Hullick via rsyslog wrote:
Hi,

I have rsyslog set up to forward logs to a separate log repository on another server and have some files that stop forwarding after log rotate.

My issue is that the log file itself is copied to a separate file and then emptied (truncated).  Then, of course, rsyslog doesn't forward until the size of the log file reaches the number in the imfile-state file.

Can someone please suggest a setup where the state file will be zeroed? My current configs for rsyslog and logrotate are as follows:

rsyslog:

rsyslogd: version 8.24.0-41.el7_7.2, config validation run (level 1), master config /etc/rsyslog.conf

$InputFileName /var/log/httpd/access.log
$InputFileTag httpd_access:
$InputFileStateFile stats-httpd_access
$InputFileFacility local6
$InputRunFileMonitor

Logrotate (daily cycle):

"/var/log/httpd/access.log" {
    weekly
    create 640 root root
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
    endscript
}

At present, after logrotate, I need to stop the rsyslogd, manually zero the imfile-state file and restart rsyslogd. The log file will then start being forwarded to the log server.


Kind regards,

Andrew.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
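
Added example, not part of the thread and not rsyslog's own code: a check for the stall described in the original post, where the offset saved in an imfile state file is larger than the monitored file after truncation, so forwarding to the log server silently stops. It assumes the state file naming (imfile-state:<inode>) and JSON fields shown in the terminal session above; the function names and finding strings are made up for this sketch.

```python
import json
import os
import re
import sys
from pathlib import Path

# State file naming as shown in the thread: imfile-state:<inode>
STATE_NAME = re.compile(r"^imfile-state:(\d+)")


def check_state(state_path):
    """Compare one imfile state file with the log file it names."""
    state_path = Path(state_path)
    state = json.loads(state_path.read_text())  # "\/" escapes are valid JSON
    findings = []
    try:
        st = os.stat(state["filename"])
    except FileNotFoundError:
        return ["monitored file missing"]
    m = STATE_NAME.match(state_path.name)
    if m and int(m.group(1)) != st.st_ino:
        # The state file is keyed by a different inode than the named file has.
        findings.append("inode mismatch")
    if int(state["curr_offs"]) > st.st_size:
        # Saved read offset lies past end of file: the file was truncated,
        # the condition the original post reports as stopping forwarding.
        findings.append("offset beyond end of file")
    return findings


def scan(state_dir):
    """Return {state file name: findings} for every imfile state file."""
    results = {}
    for p in sorted(Path(state_dir).glob("imfile-state:*")):
        try:
            results[p.name] = check_state(p)
        except (ValueError, KeyError) as exc:
            results[p.name] = [f"unreadable state: {exc}"]
    return results


if __name__ == "__main__":
    # Default directory is the one used in the thread.
    state_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/rsyslog"
    stalled = {n: f for n, f in scan(state_dir).items() if f}
    for name, found in stalled.items():
        print(f"{name}: {', '.join(found)}")
    sys.exit(1 if stalled else 0)
```

Run from cron or a monitoring agent after the logrotate window; a non-zero exit status means at least one monitored file needs attention.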

