On Tue, Aug 13, 2013 at 2:38 PM, C. L. Martinez <[email protected]> wrote:
> Yes, here is my config:
>
> #rsyslog v7 config file
>
> # if you experience problems, check
> # http://www.rsyslog.com/troubleshoot for assistance
>
> # Increasing Message size
> $MaxMessageSize 64k
>
>
> #### MODULES ####
>
> # Input modules
> module(load="imfile" pollingInterval="1")
>
> input(type="imfile" file="/tmp/test.log" tag="testlog"
> statefile="/tmp/testlog-state" facility="local6" severity="info")
>
>
> #### RULES ####
>
> # Default spool directory
> $WorkDirectory /nsm/logs/rsyslog
> $MainMsgQueueFileName mainq
> $MainMsgQueueType LinkedList
> $MainMsgQueueSaveOnShutDown on
> $MainMsgQueueMaxDiskSpace 40g
> $MainMsgQueueSize 8000000
>
>
> #
> # Rules for Suricata IDP Sensors
> #
> if $syslogtag == 'testlog' and $syslogfacility-text == 'local6' then {
> action(type="omfwd" protocol="tcp" target="1.1.1.1" port="10514"
> queue.filename="testfwd"
> queue.maxdiskspace="10g"
> queue.saveonshutdown="on"
> queue.type="linkedlist"
> queue.maxfilesize="5m"
> action.resumeretrycount="-1")
> stop
> }
>

Uhmm, working in debug mode, this appears:

6626.816631405:7f3268492740: request term via SIGTTIN for input thread 'imfile' 0x66672700
6626.816691805:7f3266672700: imfile: terminating upon request of rsyslog core
6626.816708737:7f3266672700: thrdStarter: usrThrdMain imfile - 0x7f3266672700 returned with iRet 0, exiting now.
6626.816742257:7f3268492740: input thread term: thread imfile returned normally and is terminated
6626.816773618:7f3268492740: non-cancel input thread termination succeeded for thread imfile 0x66672700
6626.816920021:7f3268492740: file stream /tmp/testlog-state params: flush interval 0, async write 0
6626.816940541:7f3268492740: strm 0x7f32600008c0: file 3(/tmp/test.log) flush, buflen 1230
6626.816955401:7f3268492740: strm 0x7f3269cf0c70: file -1(/tmp/testlog-state) flush, buflen 238
6626.816961413:7f3268492740: strmPhysWrite, stream 0x7f3269cf0c70, len 238
6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as #-1 with mode 384
6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file '/tmp//tmp/testlog-state': No such file or directory
6626.817016393:7f3268492740: strm 0x7f3269cf0c70: file -1(/tmp/testlog-state) closing
6626.817021792:7f3268492740: strm 0x7f3269cf0c70: file -1(/tmp/testlog-state) flush, buflen 0 (no need to flush)
6626.817030462:7f3268492740: Called LogError, msg: imfile: could not persist state file /tmp/testlog-state - data may be repeated on next startup. Is WorkDirectory set?
6626.817057315:7f3268492740: main Q: qqueueAdd: entry added, size now log 1, phys 1 entries

Why is the "/tmp" path duplicated??

6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as #-1 with mode 384
6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file '/tmp//tmp/testlog-state': No such file or directory

