Removing full path from statefile option ...
On Wed, Aug 14, 2013 at 9:28 AM, David Lang <[email protected]> wrote:
> which fix?
>
> David Lang
>
> On Wed, 14 Aug 2013, C. L. Martinez wrote:
>
>> Perfect!! ... It works. Many thanks David.
>>
>> On Tue, Aug 13, 2013 at 8:12 PM, David Lang <[email protected]> wrote:
>>>
>>> you should set a workdir and then the file names should not include a
>>> path.
>>> It looks like rsyslog is picking up the path from the file= portion of the
>>> line and then using that same path for the statefile
>>>
>>> try removing /tmp/ from the statefile (or from both, but set
>>> workdir="/tmp")
>>>
>>> David Lang
>>>
>>> On Tue, 13 Aug 2013, C. L. Martinez wrote:
>>>
>>>> On Tue, Aug 13, 2013 at 2:38 PM, C. L. Martinez <[email protected]>
>>>> wrote:
>>>>>
>>>>> Yes, here is my config:
>>>>>
>>>>> #rsyslog v7 config file
>>>>>
>>>>> # if you experience problems, check
>>>>> # http://www.rsyslog.com/troubleshoot for assistance
>>>>>
>>>>> # Increasing Message size
>>>>> $MaxMessageSize 64k
>>>>>
>>>>>
>>>>> #### MODULES ####
>>>>>
>>>>> # Input modules
>>>>> module(load="imfile" pollingInterval="1")
>>>>>
>>>>> input(type="imfile" file="/tmp/test.log" tag="testlog"
>>>>> statefile="/tmp/testlog-state" facility="local6" severity="info")
>>>>>
>>>>>
>>>>> #### RULES ####
>>>>>
>>>>> # Default spool directory
>>>>> $WorkDirectory /nsm/logs/rsyslog
>>>>> $MainMsgQueueFileName mainq
>>>>> $MainMsgQueueType LinkedList
>>>>> $MainMsgQueueSaveOnShutDown on
>>>>> $MainMsgQueueMaxDiskSpace 40g
>>>>> $MainMsgQueueSize 8000000
>>>>>
>>>>>
>>>>> #
>>>>> # Rules for Suricata IDP Sensors
>>>>> #
>>>>> if $syslogtag == 'testlog' and $syslogfacility-text == 'local6' then {
>>>>> action(type="omfwd" protocol="tcp" target="1.1.1.1"
>>>>> port="10514"
>>>>> queue.filename="testfwd"
>>>>> queue.maxdiskspace="10g"
>>>>> queue.saveonshutdown="on"
>>>>> queue.type="linkedlist"
>>>>> queue.maxfilesize="5m"
>>>>> action.resumeretrycount="-1")
>>>>> stop
>>>>> }
>>>>>
>>>>
>>>> Uhmm working in debug mode, appears this:
>>>>
>>>> 6626.816631405:7f3268492740: request term via SIGTTIN for input thread
>>>> 'imfile' 0x66672700
>>>> 6626.816691805:7f3266672700: imfile: terminating upon request of rsyslog
>>>> core
>>>> 6626.816708737:7f3266672700: thrdStarter: usrThrdMain imfile -
>>>> 0x7f3266672700 returned with iRet 0, exiting now.
>>>> 6626.816742257:7f3268492740: input thread term: thread imfile returned
>>>> normally and is terminated
>>>> 6626.816773618:7f3268492740: non-cancel input thread termination
>>>> succeeded for thread imfile 0x66672700
>>>> 6626.816920021:7f3268492740: file stream /tmp/testlog-state params:
>>>> flush interval 0, async write 0
>>>> 6626.816940541:7f3268492740: strm 0x7f32600008c0: file
>>>> 3(/tmp/test.log) flush, buflen 1230
>>>> 6626.816955401:7f3268492740: strm 0x7f3269cf0c70: file
>>>> -1(/tmp/testlog-state) flush, buflen 238
>>>> 6626.816961413:7f3268492740: strmPhysWrite, stream 0x7f3269cf0c70, len
>>>> 238
>>>> 6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as
>>>> #-1 with mode 384
>>>> 6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file
>>>> '/tmp//tmp/testlog-state': No such file or directory
>>>> 6626.817016393:7f3268492740: strm 0x7f3269cf0c70: file
>>>> -1(/tmp/testlog-state) closing
>>>> 6626.817021792:7f3268492740: strm 0x7f3269cf0c70: file
>>>> -1(/tmp/testlog-state) flush, buflen 0 (no need to flush)
>>>> 6626.817030462:7f3268492740: Called LogError, msg: imfile: could not
>>>> persist state file /tmp/testlog-state - data may be repeated on next
>>>> startup. Is WorkDirectory set?
>>>> 6626.817057315:7f3268492740: main Q: qqueueAdd: entry added, size now
>>>> log 1, phys 1 entries
>>>>
>>>> Why "/tmp" path is duplicated??
>>>>
>>>> 6626.816990376:7f3268492740: file '/tmp//tmp/testlog-state' opened as
>>>> #-1 with mode 384
>>>> 6626.817009794:7f3268492740: strm 0x7f3269cf0c70: open error 2, file
>>>> '/tmp//tmp/testlog-state': No such file or directory
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
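
An added example (not part of the original thread and not rsyslog code): a small Python check that scans an rsyslog configuration for imfile inputs whose statefile carries a directory component, the condition behind the '/tmp//tmp/testlog-state' open error in the debug output above, and reports whether a work directory is configured. The function name, regexes and the sample configuration are assumptions; only the `input(...)` form quoted in the thread is parsed.

```python
import re

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = '''
module(load="imfile" pollingInterval="1")
input(type="imfile" file="/tmp/test.log" tag="testlog"
      statefile="/tmp/testlog-state" facility="local6" severity="info")
input(type="imfile" file="/var/log/app.log" tag="app"
      statefile="app-state")
$WorkDirectory /nsm/logs/rsyslog
'''

INPUT_RE = re.compile(r'\binput\s*\((.*?)\)', re.S | re.I)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')
# Legacy "$WorkDirectory <dir>" or a workDirectory="<dir>" parameter.
WORKDIR_RE = re.compile(
    r'^\s*\$WorkDirectory\s+(\S+)|workDirectory\s*=\s*"([^"]*)"', re.I | re.M)


def lint_imfile_statefiles(conf_text):
    """Return (workdir, findings) for the imfile inputs in conf_text.

    findings lists (tag, statefile, suggested_name) for every imfile
    input whose statefile value contains a directory component.
    """
    m = WORKDIR_RE.search(conf_text)
    workdir = (m.group(1) or m.group(2)) if m else None
    findings = []
    for body in INPUT_RE.findall(conf_text):
        params = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        if params.get("type", "").lower() != "imfile":
            continue
        state = params.get("statefile", "")
        if "/" in state:
            # Suggest the bare file name, as advised in the thread.
            findings.append((params.get("tag"), state, state.rsplit("/", 1)[-1]))
    return workdir, findings


if __name__ == "__main__":
    workdir, findings = lint_imfile_statefiles(SAMPLE_CONF)
    print("work directory:", workdir or "NOT SET")
    for tag, state, fix in findings:
        print(f'tag={tag}: statefile="{state}" has a path; use statefile="{fix}"')
```

A state file that cannot be persisted means rsyslog may re-read and re-forward the monitored file after a restart, so a check like this is worth running before deploying a sensor configuration.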

