Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since upgrade to ubuntu20

[David Lang via rsyslog]

specifically look for 127.0.0.1 or localhost

If you can log anything that's local4 on the server to a single file (ideally 
using the template RSYSLOG_DebugFormat so we can see all the variables that are 
parsed from it) it may be easier to find the log than your current dynafile 
approach that puts them in different directories based on the hostname.

David Lang


On Fri, 19 Apr 2024, David Lang via rsyslog wrote:

Date: Fri, 19 Apr 2024 03:59:53 -0700 (PDT)
From: David Lang via rsyslog <rsyslog@lists.adiscon.com>
To: Ian Diddams via rsyslog <rsyslog@lists.adiscon.com>
Cc: David Lang <da...@lang.hm>
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
    upgrade to ubuntu20

Is there any chance that they are getting logged under a different hostname?

David Lang

On Fri, 19 Apr 2024, Ian Diddams via rsyslog wrote:

Date: Fri, 19 Apr 2024 09:24:03 +0000
From: Ian Diddams via rsyslog <rsyslog@lists.adiscon.com>
To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
Cc: Ian Diddams <ian.didd...@celebrus.com>
Subject: Re: [rsyslog] [EXTERNAL] Re: imfile rsyslog config sporadic since
    upgrade to ubuntu20

Rsyslog tries very hard to not break backwards compatibility, so you 
should not have needed to change the config. There have been bugs over the 
years, but in >>general, a config should just keep working.

That of course makes perfect sense.  Though as it turned it - come the 
upgrade 18-> 20 ...  it didn’t work at all.


That seemed to fix matters - logs to Tlog.log on the client were
appearing in the central syslog log as well.
good, that should mean that the new style config is working

It should.

But ...  it ain't now....


other logs from the same systems?
other system logs handled by rsyslog.conf all work as expected.
Adding local4.* to that /var/log/node/Tlog.log works for
  logger -p local4.info TEST
AND
  that log gets held centrally.

But the app that wroites to /var/log/node/Tlog.log doesn’t use native 
local4.<whatever> ...  no idea what it does but it wortes direct to Tlog.log 
(that’s down to devs years ago etc Id imagine)


This is a good start. But at this point I am not understanding the 
problem. You say that with this config it is logging both locally and 
centrally as expected, what >>isn't working as expected?


No.

anything set up "as standard" in rsyslog.con f works, and logs centrally. 
As expected.

This Tlog.log is written to via some other means

There is a historical config (up to Ubuntu 18) where a rsyslog.d config 
file using imfile DID work and logged centrally

Then that stopped working on the upgrade to Ubuntu 20.
But we found that an different working configuration was required - so 
implemebnted that and the devs tell me it all then worked.

But a week or so ago that updated config stopped working.

ie the imfile stuff to capture a nmon standard rsyslog log no longer works.


based on your test, it sounds as if imfile is reading things, but not 
matching something else on your central system. can you provide more info 
about the config >>there?

You asked!  😉


#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by 
rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$ModLoad imrelp
$InputRELPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup adm

#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

$template 
syslog,"/var/log/external/%fromhost%/syslog-%$YEAR%%$MONTH%%$DAY%.log"
$template 
apacheError,"/var/log/external/%fromhost%/apache/%programname%-error-%$YEAR%%$MONTH%%$DAY%.log"
$template 
apacheAccess,"/var/log/external/%fromhost%/apache/%programname%-access-%$YEAR%%$MONTH%%$DAY%.log"
$template mailError, 
"/var/log/external/%fromhost%/mail/error-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeStd, 
"/var/log/external/%fromhost%/node/TStd-%$YEAR%%$MONTH%%$DAY%.log"
$template nodeTService, 
"/var/log/external/%fromhost%/node/TLog-%$YEAR%%$MONTH%%$DAY%.log"

local4.* ?nodeService
#& ~
& stop

local5.* ?nodeStd
#& ~
& stop

local7.* ?apacheError
#& ~
& stop

local6.* ?apacheAccess
#& ~
& stop

*.* ?syslog

That hasn’t changed for about 11 years.
That rsyslog central server is also recently upgraded to Ubuntu20 from 
Ubuntu18

FWIW Ive only talked about TLog - but TStd does the same thing (and has a 
similar imfile/local5 config on the client as top the imfile/local4)





Confidentiality notice: This email (and any attachment) is intended for the 
addressee(s) named above. It may contain information of a confidential or 
legally privileged nature. Unauthorised disclosure or use of this email (or 
any attachment) is prohibited and may be unlawful. If you are not the 
intended recipient, please delete the email from your systems, destroy any 
copies and inform the sender immediately. Privacy notice: To find information 
on how we collect, process and store data, please see our privacy statement 
on our website https://www.celebrus.com/privacy-statement Disclaimer: All 
attachments have been scanned for viruses. However, Celebrus Technologies Plc 
cannot accept liability for any loss or damage you may incur as a result of 
virus infection.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.