> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rahul Bhat
> Sent: Thursday, January 24, 2013 12:11 PM
> To: [email protected]
> Subject: Re: [rsyslog] Hi - Rsyslog run in debug mode only
>
> Any ideas are welcome :)

Ah, that's too little info. Can you send me the complete strace? I am not so interested in single calls, but rather in the sequence (as I try to re-construct a kind of debug log from it). What I see below doesn't look like the problem cause.

Rainer

> > From: [email protected]
> > To: [email protected]
> > Date: Wed, 23 Jan 2013 15:36:26 +0100
> > Subject: Re: [rsyslog] Hi - Rsyslog run in debug mode only
> >
> > > Rainer :
> > > Actually, I am a bit puzzled. Can you try running an strace of an instance in non-debug mode? Maybe this provides some insight...
> >
> > Comment - Hi, I was able to run the strace and here is the output from the same. I believe rsyslogd is missing or not able to find some libraries.
> >
> > more service.txt.29923 |grep "(No"
> >
> > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/x86_64/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat("/usr/lib64/tls/x86_64", 0x7fff79ac2440) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/x86_64/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat("/usr/lib64/x86_64", 0x7fff79ac2440) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/librt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/librt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libestr.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libjson.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libee.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libgcc_s.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/libgcc_s.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/tls/libnet.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/usr/lib64/libnet.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/var/run/rsyslogd.pid", O_RDONLY) = -1 ENOENT (No such file or directory)
> > [root@mob2l720k strace]# gzip service.txt.29923
> > [root@mob2l720k strace]# ls -ltr
> >
> > > From: [email protected]
> > > To: [email protected]
> > > Date: Wed, 23 Jan 2013 07:44:52 +0000
> > > Subject: Re: [rsyslog] Hi - Rsyslog run in debug mode only
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rahul Bhat
> > > > Sent: Wednesday, January 23, 2013 12:41 AM
> > > > To: [email protected]
> > > > Subject: Re: [rsyslog] Hi - Rsyslog run in debug mode only
> > > >
> > > > Hi Rado/Rainer, I tried running the rsyslog -n but nothing happened, I didn't have any output. So we have the same issue, spoofing and forwarding runs only with debug mode -dn and rest nothing works. Any ideas are welcome
> > >
> > > Actually, I am a bit puzzled. Can you try running an strace of an instance in non-debug mode? Maybe this provides some insight...
> > >
> > > Rainer
> > >
> > > > > Date: Tue, 15 Jan 2013 13:55:27 +0200
> > > > > From: [email protected]
> > > > > To: [email protected]
> > > > > Subject: Re: [rsyslog] Hi - Rsyslog run in debug mode only
> > > > >
> > > > > Hi Rahul,
> > > > >
> > > > > 2013/1/15 Rahul Bhat <[email protected]>
> > > > >
> > > > > > hi radu, thanks for checking !! I am using -dn option for debug mode. I didn't use -n only mode, I can try. But how can I check the difference b/w the two modes ( treat me new to rsyslog )
> > > > >
> > > > > I wasn't thinking about anything fancy, just that if you start it with -dn, it's not only debug mode, it's also foreground. So to narrow things down, you can try just with -n and see what happens.
> > > > >
> > > > > > I modified rulesets/modules/templates and nothing happens :(
> > > > > >
> > > > > > > Date: Tue, 15 Jan 2013 13:09:10 +0200
> > > > > > > From: [email protected]
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: [rsyslog] Hi - Rsyslog run in debug mode only
> > > > > > >
> > > > > > > Hi Rahul,
> > > > > > >
> > > > > > > I've never used UDP spoofing, so my best bet is to check out the differences between debug and non-debug:
> > > > > > > - when you start it with debug, do you use -n? If yes, what happens if you only do rsyslog -n?
> > > > > > > - do you drop privileges in your config?
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Radu
> > > > > > >
> > > > > > > 2013/1/15 Rahul Bhat <[email protected]>
> > > > > > >
> > > > > > > > Dear Friends,
> > > > > > > > Hope you doing great !! I came across this mailing list while trying to configure the rsyslog v 7.2.4 with spoofing using - http://www.rsyslog.com/doc/omudpspoof.html. Thanks for making the information available. Unfortunately, I have a problem with the rsyslog config and have been trying to sort it out for some time now. I have Linux rsyslog server which needs to send the logs to the central syslog server keeping the originator Ip unchanged hence I am using spoofing.
> > > > > > > > Current conf parameter regarding spoofing:
> > > > > > > > $ModLoad omudpspoof
> > > > > > > > $template spoofaddr,"%fromhost-ip%"
> > > > > > > > $template spooftemplate,"%rawmsg%"
> > > > > > > > $ActionOMUDPSpoofSourceNameTemplate spoofaddr
> > > > > > > > $ActionOMUDPSpoofTargetHost 10.xxx.xxx.xx
> > > > > > > > $ActionOMUDPSpoofTargetPort 514
> > > > > > > > $ActionOMUDPSpoofSourcePortStart 514
> > > > > > > > $ActionOMUDPSpoofSourcePortEnd 514
> > > > > > > > *.* :omudpspoof:;spooftemplate
> > > > > > > > My rsyslog config works well when i am running the debug mode but as soon as i go back to non-debug mode, i don't see the logs being forwarded to the syslog server. All works well in debug but i don't understand how and which entries should i change for corrective action. If you have some time, would appreciate any ideas.
> > > > > > > > Thanks Rahul
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > rsyslog mailing list
> > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > > http://www.rsyslog.com/professional-services/
> > > > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
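
Added example, not part of the original thread or of rsyslog: ENOENT results on `open()` are normal while the dynamic loader probes its search path, so a grep for "(No" on its own cannot show a missing library; what matters is whether the same file is opened successfully anywhere in the full trace. The sketch below makes that check on a constructed sample (the successful `open()` lines and the `/lib64` path are assumptions for illustration, and `classify_opens` is a hypothetical helper name).

```python
import os
import re

# Matches open()/openat() lines as strace prints them, e.g.
#   open("/usr/lib64/tls/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
#   open("/usr/lib64/libz.so.1", O_RDONLY) = 3
OPEN_RE = re.compile(
    r'\bopen(?:at)?\((?:AT_FDCWD, )?"(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)'
)

# Constructed sample: failure lines in the style of the thread, plus assumed
# successful opens that a grep for "(No" would have hidden.
SAMPLE = '''\
open("/usr/lib64/tls/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libz.so.1", O_RDONLY) = 3
open("/usr/lib64/tls/libestr.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libestr.so.0", O_RDONLY) = 3
open("/usr/lib64/tls/libnet.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libnet.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/libnet.so.1", O_RDONLY) = 3
open("/var/run/rsyslogd.pid", O_RDONLY) = -1 ENOENT (No such file or directory)
'''


def classify_opens(strace_text):
    """Split failed open() calls into search-path probes and unresolved files.

    Returns (probes, unresolved): probes is a sorted list of basenames that
    failed at some path but were opened successfully at another; unresolved
    maps basenames that never opened to the list of paths that were tried.
    """
    failed, opened = {}, set()
    for line in strace_text.splitlines():
        m = OPEN_RE.search(line)
        if not m:
            continue  # not an open()/openat() call
        name = os.path.basename(m.group("path"))
        if int(m.group("ret")) >= 0:
            opened.add(name)
        else:
            failed.setdefault(name, []).append(m.group("path"))
    probes = sorted(n for n in failed if n in opened)
    unresolved = {n: p for n, p in failed.items() if n not in opened}
    return probes, unresolved


if __name__ == "__main__":
    probes, unresolved = classify_opens(SAMPLE)
    print("resolved after probing:", ", ".join(probes))
    for name, paths in unresolved.items():
        print("never opened:", name, "tried", paths)
```

Run it over the complete, unfiltered strace output; only the entries left in `unresolved` are candidates for a closer look in the call sequence.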

