hi, We found the fault. Syntax error , there is a missing / in front of var/log/...... It was not caught by running the syntax check rsyslogd -f /etc/rsyslog.conf -N1 Regards, Ole Frøslie
On Wed, 11 Oct 2023 at 14:04, Ole Froslie <o...@com4.no> wrote: > Hi all, > I struggle with an rsyslog issue. > > I have set up the following config in /var/etc/rsyslog.d/ > > > module(load="imfile") > > > input(type="imfile" File="var/log/ipa_access_agg.log" Tag="ipa-access-log" > Facility="local0") > > input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/security" > Tag="ipa-security-log" Facility="local0") > > input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/errors" > Tag="ipa-errors-log" Facility="local0") > > input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/audit" > Tag="ipa-audit-log" Facility="local0") > > input(type="imfile" File="/var/log/httpd/error_log" Tag="ipa-httpd-log" > Facility="local0") > > input(type="imfile" File="/var/log/krb5kdc.log" Tag="ipa-krb-log" Facility > = "local0") > > > #remove - from audit file > > if ($syslogfacility >=16 and $syslogtag=="ipa-audit-log" and $msg=="-") > then stop > > # Forward local facilities > > if $syslogfacility >= 16 then @my_log_server_ip:514 > > Everything works fine except the first line , i.e. input(type="imfile" > File="var/log/ipa_access_agg.log" Tag="ipa-access-log" Facility="local0") > This particular line give me the following error message when running > systemctl restart rsyslog, and logs are not sent from this file. The others > work fine. > > rsyslog.service - System Logging Service > > Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; *enabled*; > preset: *enabled*) > > Active: *active (running)* since Wed 2023-10-11 13:58:24 CEST; 1s ago > > Docs: man:rsyslogd(8) > > https://www.rsyslog.com/doc/ > > Main PID: 97584 (rsyslogd) > > Tasks: 4 (limit: 23159) > > Memory: 1.3M > > CPU: 136ms > > CGroup: /system.slice/rsyslog.service > > └─97584 /usr/sbin/rsyslogd -n > > > Oct 11 13:58:24 idm2.com4.net systemd[1]: Starting System Logging > Service... > > Oct 11 13:58:24 idm2.com4.net systemd[1]: Started System Logging Service. > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: [origin > software="rsyslogd" swVersion="8.2102.0-117.el9" x-pid="97584" x-info=" > https://www.rsyslog.com";] start > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 1 already in > wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175 > <https://www.rsyslog.com/e/2175> ]* > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 2 already in > wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175 > <https://www.rsyslog.com/e/2175> ]* > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imjournal: journal files > changed, reloading... [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 > <https://www.rsyslog.com/e/0> ]* > > > When removing the particular line and restarting, the issue disappears. > > The particular file /var/log/ipa_access_agg.log is the ip-access log > modified by a script, to make it more fit for purpose. > The file: > > [my prompt]# ls -al /var/log/ipa_access_agg.log > > -rw-r--r--. 1 root root 5546055 Oct 11 12:18 /var/log/ipa_access_agg.log > > > The file is subject to logrotate , using this config in /etc/logrotate.d/: > > myprompt]# cat /etc/logrotate.d/ipa_access_agg > > /var/log/ipa_access_agg.log { > > daily > > missingok > > rotate 7 > > create > > } > > > > > > > I have the exact same setup running without issues on another machine. > > Both machines run same rsyslog version, see error message below. > > Both machines run the same CentOS > > Operating System: CentOS Stream 9 > > CPE OS Name: cpe:/o:centos:centos:9 > > > > > I have tried to google any clues, without success. > > > Any ideas? > > > regards, > > Ole > > > > > > > _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
