I've encountered something similar on an older version (5.8.8), but it was
on output, not input.  In my case, /var/log/messages would stop being
written to after logrotate moved it and sent a HUP to rsyslogd.  I
reviewed the output of lsof and saw rsyslogd was holding onto open file
handles to the rotated messages file (logrotate moved messages to
messages.1 before running gzip against it).  What was interesting was if I
let this run for a couple of days, the file handles to messages.1 from the
first day stayed open, and other file handles had messages.1 from the day
after, and yet other handles were for /var/log/messages.  I haven't been
able to reproduce this in short tests though.

Do you see similar stale / open file handles referencing the rotated input
file opened by rsyslogd?

Abigail Edwards | Phone: 402.361.3064 | Cell: 402.813.7044  | Fax:
402.361.3164 | Solutionary | Relevant . Intelligent . Security





On 6/22/12 10:28 AM, "James, Jason" <[email protected]> wrote:

>Hello,
>It appears that imfile will stop parsing/getting data from log files that
>are rotated out. Is this a bug? Is there a directive I am missing? Even
>after restarting rsyslog it will no longer pull data from the new log
>file unless I remove the input state file.
>
>
>rsyslog 5.8.12-stable
>
>-----Original Message-----
>From: [email protected]
>[mailto:[email protected]] On Behalf Of Thomas Lau
>Sent: Thursday, June 21, 2012 10:54 PM
>To: rsyslog-users
>Subject: Re: [rsyslog] severity discard
>
>David, I just want to put 0 - 5 severity log into mysql DB, 6-7 discard.
>What's the right method to do that?
>
>Thomas Lau
>Senior Technology Analyst
>Principle One Limited
>27/F Kinwick Centre, 32 Hollywood Road, Central, Hong Kong
>T  +852 3555 2217     F  +852 3555 2222      M  +852 9880 1217
>Hong Kong   .   Singapore   .   Tokyo
>
>
>-----Original Message-----
>From: [email protected]
>[mailto:[email protected]] On Behalf Of [email protected]
>Sent: Friday, June 22, 2012 11:46 AM
>To: rsyslog-users
>Subject: Re: [rsyslog] severity discard
>
>no, your line gives two destinations.
>
>~ says to discard any message that matches the filter.
>
>you then put the lines to do something with the logs after that.
>
>there may be better ways to get what you are wanting, but you haven't
>explained your entire logic.
>
>David Lang
>
>On Fri, 22 Jun 2012, Thomas Lau wrote:
>
>> Date: Fri, 22 Jun 2012 09:30:17 +0800
>> From: Thomas Lau <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] severity discard
>> 
>> *.info;*.debug ~ :ommysql
>>
>> Like that?
>>
>> Thomas Lau
>> Senior Technology Analyst
>> Principle One Limited
>> 27/F Kinwick Centre, 32 Hollywood Road, Central, Hong Kong
>> T  +852 3555 2217     F  +852 3555 2222      M  +852 9880 1217
>> Hong Kong   .   Singapore   .   Tokyo
>>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of [email protected]
>> Sent: Friday, June 22, 2012 9:18 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] severity discard
>>
>> this should work
>>
>> *.debug,*.info ~
>>
>> David Lang
>>
>> On Fri, 22 Jun 2012, Thomas Lau wrote:
>>
>>> Date: Fri, 22 Jun 2012 08:56:05 +0800
>>> From: Thomas Lau <[email protected]>
>>> Reply-To: rsyslog-users <[email protected]>
>>> To: "[email protected]" <[email protected]>
>>> Subject: [rsyslog] severity discard
>>>
>>> Dear All,
>>>
>>> Does anyone know how I could discard severity from 6-7?
>>>
>>> 0 Emergency: system is unusable
>>> 1 Alert: action must be taken immediately
>>> 2 Critical: critical conditions
>>> 3 Error: error conditions
>>> 4 Warning: warning conditions
>>> 5 Notice: normal but significant condition
>>> 6 Informational: informational messages
>>> 7 Debug: debug-level messages
>>>
>>>
>>> Thomas Lau
>>> Senior Technology Analyst
>>> Principle One Limited
>>> 27/F Kinwick Centre, 32 Hollywood Road, Central, Hong Kong
>>> T  +852 3555 2217     F  +852 3555 2222      M  +852 9880 1217
>>> Hong Kong   .   Singapore   .   Tokyo
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>
>>

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
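
The lsof observation at the top of this thread (a daemon still holding descriptors on messages.1 after logrotate renamed the file) can be checked mechanically. The following is an added example, not code from the thread or from the rsyslog project; the function names are hypothetical, and it assumes Linux /proc and logrotate's default numeric suffixes.

```python
import os
import re
import sys

# Rotated names as logrotate produces them by default: messages.1, messages.2.gz
ROTATED = re.compile(r"^(?P<base>.+)\.\d+(?:\.gz)?$")


def classify(target, held_inode, inode_of):
    """Return 'deleted', 'rotated' or None; inode_of(path) gives the on-disk inode or None."""
    if target.endswith(" (deleted)"):
        return "deleted"
    m = ROTATED.match(target)
    if m:
        live = inode_of(m.group("base"))
        # The live log exists and is a different file: the holder never reopened it.
        if live is not None and live != held_inode:
            return "rotated"
    return None


def disk_inode(path):
    try:
        return os.stat(path).st_ino
    except OSError:
        return None


def scan_pid(pid):
    """Walk /proc/<pid>/fd and return (fd, target, verdict) for each stale handle."""
    fd_dir = f"/proc/{pid}/fd"
    stale = []
    for fd in sorted(os.listdir(fd_dir), key=int):
        link = os.path.join(fd_dir, fd)
        try:
            target = os.readlink(link)
            held = os.stat(link).st_ino  # stat follows the link to the open file
        except OSError:
            continue  # descriptor closed while scanning
        verdict = classify(target, held, disk_inode)
        if verdict:
            stale.append((int(fd), target, verdict))
    return stale


if __name__ == "__main__":
    for fd, target, verdict in scan_pid(int(sys.argv[1])):
        print(f"fd {fd}: {target} [{verdict}]")
```

Run it as root with the rsyslogd PID as the only argument; an empty result after a rotation means every log descriptor was reopened.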
