What version of rsyslog are you using?
--
Pavel Levshin
06.11.2013 21:02, G Jones:
I left rsyslog running overnight to see if it stopped writing to the
file again; the last entry it shows happened at 16:49.56. I used kill
-HUP and after the process finally stopped I rechecked the file.
Nothing changed. However, I didn't realize that, for some reason,
rsyslog decided that 16:49 was the end of a day and created a new file
dated for 11/6 with its first entry starting at 16:50 on 11/5 (which
will need to be addressed as well since this also happened with my
last config). I checked the newly created (though incorrectly dated)
file and the last entry it shows is for 2013-11-05 at 18:23:52. On the
relay side, I've checked my SIEM and the last received entry came in
right before I sent rsyslog the kill command.
What I fail to see here is why rsyslog will relay messages but not
write those same messages to a file, or simply stops writing them
altogether. Then there's the issue of what constitutes the end of a day
before rsyslog creates a new file.
On Tue, Nov 5, 2013 at 5:19 PM, David Lang <[email protected]> wrote:
Some of it is probably buffering on the output; if you send rsyslog a kill
-HUP it will flush all data and close the files. Check and see if this gets
the data in them as you expect.
David Lang
On Tue, 5 Nov 2013, G Jones wrote:
Date: Tue, 5 Nov 2013 16:25:03 -0800
From: G Jones <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] rsyslog writing to file lagging behind relayed logs
Hello, new to the list and to Rsyslog.
I have an Rsyslog machine I'm standing up on CentOS x64 to replace
some Kiwi log servers. I need to be able to receive syslog on TCP and
UDP, relay them to my SIEM and also store those logs locally on each
Rsyslog machine. Relaying is working just fine. The problem is with
the local files. I noticed that the files being written for each host
I receive are lagging behind by minutes to upwards of a full day.
I'm running a tcpdump on both the rsyslog machine and the SIEM
and can see when the logs are received on both; however, running a tail
-f on the files shows that those entries are lagging behind. It gets
progressively worse as time goes on. They start out in near perfect
sync for the first couple of minutes, then the messages start to lag
horribly.
I just tried using this config, modified a bit for my environment:
# Modules
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock
$ModLoad imklog

# Templates
# log every host in its own directory
$template RemoteHost,"/var/opt/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

### Rulesets
# Local Logging
$RuleSet local
kern.* /var/log/messages
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local
# Remote Logging
$RuleSet remote
*.* ?RemoteHost
# Send messages we receive to SIEM
*.* @a.b.c.d:1514
### Listeners
# bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
# and activate it:
$InputTCPServerRun 1514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
This particular config does exactly the same thing: I can watch syslog
messages come in, but they're not being written to the log file until
much later, if at all. Any thoughts as to why this is happening?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
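A check for the symptom described in this thread, added here as an example (it is not code from the list or from the rsyslog project): a small POSIX shell script that measures how far the newest line in a locally written syslog file lags behind the system clock, so the lag the original poster noticed with tail -f can be alerted on instead of spotted by eye, plus a helper that writes an rsyslog drop-in stating the omfile flush behaviour explicitly (David's buffering hypothesis from the thread is the reason it exists; it is not presented as the confirmed cause). It assumes GNU date (for date -d), rsyslog's default file line format (an RFC 3164 timestamp with no year), and that the drop-in is included before the file actions it should govern; file names and the threshold are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from rsyslog.
# Assumes GNU date (date -d) and rsyslog's default file line format:
#   "Nov  5 16:49:56 host tag[pid]: message"   (RFC 3164 stamp, no year)

# Print the number of seconds the newest line in FILE lags behind the
# system clock. Prints -1 when the file is empty or the stamp does not parse.
log_lag_seconds() {
    file="$1"
    last=$(tail -n 1 "$file" 2>/dev/null)
    if [ -z "$last" ]; then echo -1; return 0; fi
    # Split on whitespace (globbing off): month, day, HH:MM:SS are fields 1-3.
    set -f; set -- $last; set +f
    mon="$1"; day="$2"; tm="$3"
    case "$tm" in
        [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) echo -1; return 0 ;;
    esac
    now=$(date +%s)
    year=$(date +%Y)
    ts=$(date -d "$day $mon $year $tm" +%s 2>/dev/null) || { echo -1; return 0; }
    # The stamp carries no year: a December line read in January would parse
    # as more than a day in the future, so fall back to the previous year.
    if [ "$ts" -gt $((now + 86400)) ]; then
        ts=$(date -d "$day $mon $((year - 1)) $tm" +%s 2>/dev/null) || { echo -1; return 0; }
    fi
    echo $((now - ts))
}

# Exit 0 when FILE's newest line is at most MAX_LAG seconds old (default 300),
# 1 otherwise; meant for cron or a monitoring check beside the SIEM feed.
check_log_lag() {
    lag=$(log_lag_seconds "$1")
    max="${2:-300}"
    [ "$lag" -ge 0 ] && [ "$lag" -le "$max" ]
}

# Write a legacy-syntax rsyslog drop-in (e.g. /etc/rsyslog.d/00-flush.conf,
# a placeholder path) that states the omfile flush behaviour explicitly.
# These directives apply to file actions defined after them, so the drop-in
# must be included before the rulesets that write the per-host files.
write_flush_dropin() {
    cat > "$1" <<'EOF'
# Flush file buffers when each transaction (batch of messages) ends, and keep
# the synchronous writer, so tail -f on the file tracks what was relayed.
$OMFileFlushOnTXEnd on
$OMFileAsyncWriting off
EOF
}

# Stand-alone use: lagcheck.sh /var/opt/syslog/hosts/HOST/2013/11/05/syslog.log 300
if [ $# -gt 0 ]; then
    if check_log_lag "$1" "${2:-300}"; then
        echo "ok: $1 lag $(log_lag_seconds "$1")s"
    else
        echo "WARNING: $1 lag $(log_lag_seconds "$1")s exceeds ${2:-300}s"
        exit 1
    fi
fi
```

The lag check compares the file against the clock of the rsyslog host, which is also the clock the %$YEAR%/%$MONTH%/%$DAY% template properties are taken from, so a file that rolls over at an unexpected hour and a file that lags are both visible from the same place. Running it against the per-host file while the SIEM shows fresh events gives a number to attach to the problem rather than a tail -f impression.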