please post your full config (you can have rsyslog combine all include files
into one file to see them as rsyslog does by starting rsyslog with -o
/path/to/file)
It sounds as if you have additional imfile inputs that already specify these
files, but without the full config, it's hard to guess what's actually
happening.
David Lang
On Wed, 11 Oct 2023, Ole Froslie via rsyslog wrote:
Date: Wed, 11 Oct 2023 14:04:07 +0200
From: Ole Froslie via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Ole Froslie <o...@com4.no>
Subject: [rsyslog] Rsyslog error: imfile: wd 1 already in wdmap
Hi all,
I struggle with an rsyslog issue.
I have set up the following config in /var/etc/rsyslog.d/
module(load="imfile")
input(type="imfile" File="var/log/ipa_access_agg.log" Tag="ipa-access-log"
Facility="local0")
input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/security"
Tag="ipa-security-log" Facility="local0")
input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/errors"
Tag="ipa-errors-log" Facility="local0")
input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/audit"
Tag="ipa-audit-log" Facility="local0")
input(type="imfile" File="/var/log/httpd/error_log" Tag="ipa-httpd-log"
Facility="local0")
input(type="imfile" File="/var/log/krb5kdc.log" Tag="ipa-krb-log" Facility
= "local0")
#remove - from audit file
if ($syslogfacility >=16 and $syslogtag=="ipa-audit-log" and $msg=="-")
then stop
# Forward local facilities
if $syslogfacility >= 16 then @my_log_server_ip:514
Everything works fine except the first line , i.e. input(type="imfile"
File="var/log/ipa_access_agg.log" Tag="ipa-access-log" Facility="local0")
This particular line give me the following error message when running
systemctl restart rsyslog, and logs are not sent from this file. The others
work fine.
rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; *enabled*;
preset: *enabled*)
Active: *active (running)* since Wed 2023-10-11 13:58:24 CEST; 1s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 97584 (rsyslogd)
Tasks: 4 (limit: 23159)
Memory: 1.3M
CPU: 136ms
CGroup: /system.slice/rsyslog.service
└─97584 /usr/sbin/rsyslogd -n
Oct 11 13:58:24 idm2.com4.net systemd[1]: Starting System Logging Service...
Oct 11 13:58:24 idm2.com4.net systemd[1]: Started System Logging Service.
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: [origin software="rsyslogd"
swVersion="8.2102.0-117.el9" x-pid="97584" x-info="https://www.rsyslog.com";]
start
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 1 already in
wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175
<https://www.rsyslog.com/e/2175> ]*
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 2 already in
wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175
<https://www.rsyslog.com/e/2175> ]*
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imjournal: journal files
changed, reloading... [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0
<https://www.rsyslog.com/e/0> ]*
When removing the particular line and restarting, the issue disappears.
The particular file /var/log/ipa_access_agg.log is the ip-access log
modified by a script, to make it more fit for purpose.
The file:
[my prompt]# ls -al /var/log/ipa_access_agg.log
-rw-r--r--. 1 root root 5546055 Oct 11 12:18 /var/log/ipa_access_agg.log
The file is subject to logrotate , using this config in /etc/logrotate.d/:
myprompt]# cat /etc/logrotate.d/ipa_access_agg
/var/log/ipa_access_agg.log {
daily
missingok
rotate 7
create
}
I have the exact same setup running without issues on another machine.
Both machines run same rsyslog version, see error message below.
Both machines run the same CentOS
Operating System: CentOS Stream 9
CPE OS Name: cpe:/o:centos:centos:9
I have tried to google any clues, without success.
Any ideas?
regards,
Ole
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
