Well, I have it working "sort of". Instead of the *.* /var/log/debugformat;RSYSLOG_DebugFormat being at the end of the config, I put it before my templates and that created the file. So somewhere in the conglomerate of my config the template structure is not working correctly for debugging. That being said, I can now try and find the cause of my original issue.
I am getting entries from a known host that is already doing logging, but appears to be fragments. Weird.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Tuesday, June 04, 2013 8:38 AM
To: rsyslog-users
Subject: Re: [rsyslog] Debug not working

On Tue, 4 Jun 2013, Josh Bitto wrote:

> Thank you all for the input, but I still am not getting a file output
> of my debug file. Nothing writes to it. I tried deleting it and seeing
> if it would be recreated and it doesn't even do that.

ahh, I didn't catch that you weren't getting output from your debug line.

if you start rsyslog with the debug flag ( -dn , d to run in debug mode, n to not go into the background) you will get a ton of output, check it to see what it complains about when it tries to write to the file.

David Lang

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Boylan, James
> Sent: Tuesday, June 04, 2013 3:54 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Debug not working
>
> If you decide to start using fromhost or fromhost-ip as a standard part of
> your template I highly recommend installing nscd (For *nix, or your OS
> equivalent) so that the DNS queries are cached. Otherwise you can put a
> considerable amount of extra load onto your DNS servers.
>
> -James
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of David Lang
> Sent: Tuesday, June 04, 2013 1:35 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Debug not working
>
> On Mon, 3 Jun 2013, Eric wrote:
>
>> Maybe a health check from a load balancer? I know I had to set specific
>> discard rules for the host (F5) that was executing the health check,
>> otherwise I'd get random spam like this.
>>
>> Eric
>>
>> On Jun 3, 2013, at 2:23 PM, Josh Bitto <[email protected]> wrote:
>>
>> I am trying to run a debug to track down an issue that I'm having, and it
>> isn't creating the file.
>>
>> This is the line that I have in my config.
>>
>> *.* /var/log/debugformat;RSYSLOG_DebugFormat
>>
>> The reason why I'm trying to do a debug is I'm getting a directory that has
>> no real host name. I have my config set up on templates and based on Hosts
>> that come in they get assigned to a specific directory.
>>
>> So that being said I get a directory (which is supposed to be legit host
>> names that I have on my network).
>>
>> Example:
>> /hosts/host1
>> /hosts/host2
>> /hosts/host3...etc.
>>
>> But I am picking up one that I have no idea what it is /hosts/last
>>
>> And the contents of the folder is a file named success and the contents of
>> the file is "last message repeated 3 times"
>> They have time stamps and it just repeats over and over. I don't believe I
>> have an error in my config, but I could be wrong. Any suggestions?
>
> you have some system on your network that is set to collapse duplicate
> messages into 'last message repeated X times' logs, and when it's sending
> that out, it doesn't bother to put its hostname in the message, so when the
> central box gets it, it follows the parsing rule and can't tell that 'last'
> is not a hostname.
>
> Since you are logging in debug format, you should be able to see the fromhost
> or fromhost-ip, which will tell you which box is doing this.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
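
The misparse David Lang describes in the thread above, as an added example that is not part of the original messages: a simplified RFC 3164-style header split (not rsyslog's actual parser) shows how a "last message repeated" line with no hostname is filed under /hosts/last, and how checking the parsed name against known hosts and falling back to the sender's IP keeps the source identifiable. The sample messages, addresses, host allowlist and the `_unknown` directory are constructed for illustration.

```python
import re

# Simplified RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text
# Illustration only; rsyslog's real parser is more involved.
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<rest>.*)$"
)

# Constructed sample traffic: (sender IP as seen on the socket, raw message).
SAMPLES = [
    ("192.0.2.11", "<30>Jun  3 14:23:01 host1 sshd[811]: session opened"),
    ("192.0.2.23", "<30>Jun  3 14:23:05 last message repeated 3 times"),
]
KNOWN_HOSTS = {"host1", "host2", "host3"}  # constructed allowlist


def parse_hostname(raw):
    """Return the word in the HOSTNAME position, or None if no header."""
    m = HEADER.match(raw)
    if not m:
        return None
    words = m.group("rest").split(" ", 1)
    return words[0] or None


def naive_dir(raw):
    """Trust whatever sits in the HOSTNAME position of the message."""
    return f"/hosts/{parse_hostname(raw)}"


def checked_dir(raw, sender_ip, known_hosts=KNOWN_HOSTS):
    """Use the parsed name only if it is a known host; otherwise file the
    message under the sender's IP so the source can still be identified."""
    host = parse_hostname(raw)
    if host in known_hosts:
        return f"/hosts/{host}"
    return f"/hosts/_unknown/{sender_ip}"


def route_all(samples=SAMPLES):
    """Return (sender_ip, naive_dir, checked_dir) for every sample."""
    return [(ip, naive_dir(raw), checked_dir(raw, ip)) for ip, raw in samples]


if __name__ == "__main__":
    for ip, naive, checked in route_all():
        print(f"{ip:12} naive={naive:14} checked={checked}")
```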

