Is there any chance that they are getting logged under a different hostname?
David Lang
On Fri, 19 Apr 2024, Ian Diddams via rsyslog wrote:
Date: Fri, 19 Apr 2024 09:24:03 +0000
From: Ian Diddams via rsyslog <rsyslog@lists.adiscon.com>
To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
Cc: Ian Diddams <ian.didd...@celebrus.com>
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
upgrade to ubuntu20
Rsyslog tries very hard to not break backwards compatibility, so you should not have
needed to change the config. There have been bugs over the years, but in
>>general, a config should just keep working.
That of course makes perfect sense. Though as it turned it - come the upgrade
18-> 20 ... it didn’t work at all.
That seemed to fix matters - logs to Tlog.log on the client were
appearing in the central syslog log as well.
good, that should mean that the new style config is working
It should.
But ... it ain't now....
other logs from the same systems?
other system logs handled by rsyslog.conf all work as expected.
Adding local4.* to that /var/log/node/Tlog.log works for
logger -p local4.info TEST
AND
that log gets held centrally.
But the app that wroites to /var/log/node/Tlog.log doesn’t use native
local4.<whatever> ... no idea what it does but it wortes direct to Tlog.log
(that’s down to devs years ago etc Id imagine)
This is a good start. But at this point I am not understanding the problem. You say
that with this config it is logging both locally and centrally as expected, what
>>isn't working as expected?
No.
anything set up "as standard" in rsyslog.con f works, and logs centrally. As
expected.
This Tlog.log is written to via some other means
There is a historical config (up to Ubuntu 18) where a rsyslog.d config file
using imfile DID work and logged centrally
Then that stopped working on the upgrade to Ubuntu 20.
But we found that an different working configuration was required - so
implemebnted that and the devs tell me it all then worked.
But a week or so ago that updated config stopped working.
ie the imfile stuff to capture a nmon standard rsyslog log no longer works.
based on your test, it sounds as if imfile is reading things, but not matching
something else on your central system. can you provide more info about the config
>>there?
You asked! 😉
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
$ModLoad imrelp
$InputRELPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup adm
#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
$template syslog,"/var/log/external/%fromhost%/syslog-%$YEAR%%$MONTH%%$DAY%.log"
$template
apacheError,"/var/log/external/%fromhost%/apache/%programname%-error-%$YEAR%%$MONTH%%$DAY%.log"
$template
apacheAccess,"/var/log/external/%fromhost%/apache/%programname%-access-%$YEAR%%$MONTH%%$DAY%.log"
$template mailError,
"/var/log/external/%fromhost%/mail/error-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeStd,
"/var/log/external/%fromhost%/node/TStd-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeTService,
"/var/log/external/%fromhost%/node/TLog-%$YEAR%%$MONTH%%$DAY%.log"
local4.* ?nodeService
#& ~
& stop
local5.* ?nodeStd
#& ~
& stop
local7.* ?apacheError
#& ~
& stop
local6.* ?apacheAccess
#& ~
& stop
*.* ?syslog
That hasn’t changed for about 11 years.
That rsyslog central server is also recently upgraded to Ubuntu20 from Ubuntu18
FWIW Ive only talked about TLog - but TStd does the same thing (and has a
similar imfile/local5 config on the client as top the imfile/local4)
Confidentiality notice: This email (and any attachment) is intended for the
addressee(s) named above. It may contain information of a confidential or
legally privileged nature. Unauthorised disclosure or use of this email (or any
attachment) is prohibited and may be unlawful. If you are not the intended
recipient, please delete the email from your systems, destroy any copies and
inform the sender immediately. Privacy notice: To find information on how we
collect, process and store data, please see our privacy statement on our
website https://www.celebrus.com/privacy-statement Disclaimer: All attachments
have been scanned for viruses. However, Celebrus Technologies Plc cannot accept
liability for any loss or damage you may incur as a result of virus infection.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
