which fix?

David Lang

On Wed, 14 Aug 2013, C. L. Martinez wrote:

Perfect!! ... It works. Many thanks David.

On Tue, Aug 13, 2013 at 8:12 PM, David Lang <[email protected]> wrote:
you should set a workdir and then the file names should not include a path.
It looks like rsyslog is picking up the path from the file= portion of the
line and then using that same path for the statefile

try removing /tmp/ from the statefile (or from both, but set workdir="/tmp")

David Lang




On Tue, 13 Aug 2013, C. L. Martinez wrote:

On Tue, Aug 13, 2013 at 2:38 PM, C. L. Martinez <[email protected]>
wrote:

Yes, here is my config:

#rsyslog v7 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# Increasing Message size
$MaxMessageSize 64k


#### MODULES ####

# Input modules
module(load="imfile" pollingInterval="1")

input(type="imfile" file="/tmp/test.log" tag="testlog"
statefile="/tmp/testlog-state" facility="local6" severity="info")


#### RULES ####

# Default spool directory
$WorkDirectory /nsm/logs/rsyslog
$MainMsgQueueFileName mainq
$MainMsgQueueType LinkedList
$MainMsgQueueSaveOnShutDown on
$MainMsgQueueMaxDiskSpace 40g
$MainMsgQueueSize 8000000


#
# Rules for Suricata IDP Sensors
#
if $syslogtag == 'testlog' and $syslogfacility-text == 'local6' then {
        action(type="omfwd" protocol="tcp" target="1.1.1.1" port="10514"
                queue.filename="testfwd"
                queue.maxdiskspace="10g"
                queue.saveonshutdown="on"
                queue.type="linkedlist"
                queue.maxfilesize="5m"
                action.resumeretrycount="-1")
        stop
}


Uhmm, working in debug mode, this appears:

6626.816631405:7f3268492740: request term via SIGTTIN for input thread
'imfile' 0x66672700
6626.816691805:7f3266672700: imfile: terminating upon request of rsyslog
core
6626.816708737:7f3266672700: thrdStarter: usrThrdMain imfile -
0x7f3266672700 returned with iRet 0, exiting now.
6626.816742257:7f3268492740: input thread term: thread imfile returned
normally and is terminated
6626.816773618:7f3268492740: non-cancel input thread termination
succeeded for thread imfile 0x66672700
6626.816920021:7f3268492740: file stream /tmp/testlog-state params:
flush interval 0, async write 0
6626.816940541:7f3268492740: strm 0x7f32600008c0: file
3(/tmp/test.log) flush, buflen 1230
6626.816955401:7f3268492740: strm 0x7f3269cf0c70: file
-1(/tmp/testlog-state) flush, buflen 238
6626.816961413:7f3268492740: strmPhysWrite, stream 0x7f3269cf0c70, len 238
6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as
#-1 with mode 384
6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file
'/tmp//tmp/testlog-state': No such file or directory
6626.817016393:7f3268492740: strm 0x7f3269cf0c70: file
-1(/tmp/testlog-state) closing
6626.817021792:7f3268492740: strm 0x7f3269cf0c70: file
-1(/tmp/testlog-state) flush, buflen 0 (no need to flush)
6626.817030462:7f3268492740: Called LogError, msg: imfile: could not
persist state file /tmp/testlog-state - data may be repeated on next
startup. Is WorkDirectory set?
6626.817057315:7f3268492740: main Q: qqueueAdd: entry added, size now
log 1, phys 1 entries

Why is the "/tmp" path duplicated??

6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as
#-1 with mode 384
6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file
'/tmp//tmp/testlog-state': No such file or directory
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
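
Added example, not part of the original thread and not rsyslog code: a Python check for the failure discussed above. It flags imfile statefile= values that carry a directory and, in debug output, pairs each "could not persist state file" error with the path that was actually opened. The inputs are the thread's own config and debug lines with the mail line wraps joined; the function names are hypothetical.

```python
import re

# Input statement exactly as posted in the thread.
CONFIG = '''input(type="imfile" file="/tmp/test.log" tag="testlog"
statefile="/tmp/testlog-state" facility="local6" severity="info")
'''

# Debug lines from the thread, with the mail client's line wraps joined.
DEBUG_LOG = (
    "6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as #-1 with mode 384\n"
    "6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file "
    "'/tmp//tmp/testlog-state': No such file or directory\n"
    "6626.817030462:7f3268492740: Called LogError, msg: imfile: could not persist state file "
    "/tmp/testlog-state - data may be repeated on next startup. Is WorkDirectory set?\n"
)

OPEN_ERR = re.compile(r"open error (\d+), file '([^']+)'")
PERSIST = re.compile(r"could not persist state file (\S+)")
STATEFILE = re.compile(r'\bstatefile="([^"]*)"', re.IGNORECASE)


def statefiles_with_path(config_text):
    """Return statefile= values that contain a directory component."""
    return [v for v in STATEFILE.findall(config_text) if "/" in v]


def failed_state_writes(debug_text):
    """Pair each persist error with the path rsyslog tried to open before it."""
    findings, attempts = [], []
    for line in debug_text.splitlines():
        m = OPEN_ERR.search(line)
        if m:
            attempts.append((int(m.group(1)), m.group(2)))
            continue
        m = PERSIST.search(line)
        if not m:
            continue
        configured = m.group(1)
        for errno_, tried in attempts:
            # A directory was prepended when the opened path ends with the configured one.
            if tried != configured and tried.endswith(configured):
                findings.append({"configured": configured, "tried": tried,
                                 "prefix": tried[:-len(configured)], "errno": errno_})
        attempts.clear()
    return findings


if __name__ == "__main__":
    print(statefiles_with_path(CONFIG))
    print(failed_state_writes(DEBUG_LOG))
```
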
