I left rsyslog running overnight to see if it stopped writing to the file again, the last entry it shows happened at 16:49.56, I used kill -HUP and after the process finally stopped I rechecked the file. Nothing changed. However, I didn't realize that, for some reason, rsyslog decided that 16:49 was the end of a day and created a new file dated for 11/6 with it's first entry starting at 16:50 on 11/5 (which will need to be addressed as well since this also happened with my last config). I checked the newly created (though incorrectly dated) file and the last entry it shows is for 2013-11-05 at 18:23:52. On the relay side, I've checked my SIEM and the last received entry came in right before I sent rsyslog the kill command.
What I fail to see here is why rsyslog will relay messages but not write those same messages to a file or simply stop writing them all together. Then there's the issue of what constitutes the end of a day before rsyslog creates a new file. On Tue, Nov 5, 2013 at 5:19 PM, David Lang <[email protected]> wrote: > some of it is probably buffering on the output, if you send rsyslog a kill > -HUP it will flush all data and close the files. Check and see if this gets > the data in them as you expect. > > David Lang > > On Tue, 5 Nov 2013, G Jones wrote: > >> Date: Tue, 5 Nov 2013 16:25:03 -0800 >> From: G Jones <[email protected]> >> Reply-To: rsyslog-users <[email protected]> >> To: [email protected] >> Subject: [rsyslog] rsyslog writing to file lagging behind relayed logs >> >> >> Hello, new to the list and to Rsyslog. >> >> I have an Rsyslog machine I'm standing up on CentOS x64 to replace >> some Kiwi log servers. I need to be able to receive syslog on TCP and >> UDP, relay them to my SIEM and also store those logs locally on each >> Rsyslog machine. Relaying is working just fine. The problem is with >> the local files. I noticed that the files being written for each host >> I recieve is lagging behind by minutes to upwards of a full day >> behind. I'm running a tcpdump on both the rsyslog machine and the SIEM >> and can see when the logs are received on both, however running a tail >> -f on the files show that those entries are lagging behind. It gets >> progressively worse as time goes on. They start out in near perfect >> sync for the first couple of minutes, then the messages start to lag >> horribly. >> >> I just tried using this config, modified a bit for my environment: >> >> >> # Modules$ModLoad imtcp >> $ModLoad imudp >> $ModLoad imuxsock >> $ModLoad imklog# Templates# log every host in its own directory >> $template >> RemoteHost,"/var/opt/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"### >> Rulesets# Local Logging >> $RuleSet local >> kern.* /var/log/messages >> *.info;mail.none;authpriv.none;cron.none /var/log/messages >> authpriv.* /var/log/secure >> mail.* -/var/log/maillog >> cron.* /var/log/cron >> *.emerg * >> uucp,news.crit /var/log/spooler >> local7.* /var/log/boot.log >> # use the local RuleSet as default if not specified otherwise >> $DefaultRuleset local >> # Remote Logging >> $RuleSet remote >> *.* ?RemoteHost >> # Send messages we receive to SIEM >> *.* @a.b.c.d:1514 >> ### Listeners >> # bind ruleset to tcp listener >> $InputTCPServerBindRuleset remote >> # and activate it: >> $InputTCPServerRun 1514 >> $InputUDPServerBindRuleset remote >> $UDPServerRun 514 >> >> This particular config does exactly the same thing: I can watch syslog >> messages come in, but they're not being written to the log file until >> much later, if at all. Any thoughts as to why this is happening? >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
