Hi
I am running rsyslog 7.6.2 on a 64-bit Linux server (OEL 6.4). This is a centralized syslog server that is currently accepting events from 15 Windows servers and 2 Linux servers. Events are logged to a separate file per host (via DynaFile) and I am using TLS encryption and the digital signing feature. My configuration is detailed below.
My problem is that the gtstate files associated with my servers appear to be getting constantly updated. My understanding was that, by default, this particular file is only ever created/updated when the rsyslog process is either stopped or sent a SIGHUP. But neither of those conditions is true. It just seems to be getting updated in tandem with the gtsig file! Is that normal?
But my biggest problem is that the file descriptors associated with the gtstate file (under /proc/<rsyslogd pid>/fd) don't seem to be getting cleared down! It creates a new one each time the file is accessed (which I guess is normal) but these are then just left lying around. The net result is that after a while, the system limit on the number of open files is exceeded and rsyslog just crashes!
Obviously not usable in that state. Seems the only solution would be to switch off digital signing, which is not really ideal as this is quite important to us.
Just wondering if anybody can shed any light as to why this may be happening?
Thanks in advance,
Dan
****CONFIGURATION****
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /root/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /root/rsyslog/syslogserver-cert.pem
$DefaultNetstreamDriverKeyFile /root/rsyslog/syslogserver-key.pem
### TEMPLATES ###
# Use a per host logfile when writing to disk
template(name="logfile" type="string" string="/logs/%fromhost:F,46:1%-messages")
# Template for writing Linux rsyslog system messages to disk
template(name="syslogmsg2disk" type="string"
         string="%syslogfacility%.%syslogpriority% %timereported:::date-rfc3339% %fromhost:F,46:1% %syslogtag% %msg:::drop-last-lf%\n")
# Template for writing Windows snare messages to disk
template(name="snaremsg2disk" type="string"
         string="%syslogfacility%.%syslogpriority% %timereported:::date-rfc3339% %fromhost:F,46:1% %syslogtag%%msg:::drop-last-lf%\n")
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon") # provides encrypted TCP syslog reception
# Provides TCP syslog reception for Linux servers (regular rsyslog messages)
input(type="imtcp" port="10514" ruleset="linuxremote1")
# Provides TCP syslog reception for Windows servers (messages sent via Snare)
input(type="imtcp" port="20514" ruleset="windowsremote1")
### RULESETS ###
ruleset(name="linuxremote1") {
    # per-host file, GuardTime signature provider writes <file>.gtsig / <file>.gtstate alongside
    action(type="omfile" DynaFile="logfile"
           template="syslogmsg2disk"
           sig.provider="gt"
           sig.timestampService="http://stamper.ee.guardtime.net/gt-signingservice"
           sig.keepTreeHashes="on"
           sig.keepRecordHashes="on"
    )
}
ruleset(name="windowsremote1") {
    action(type="omfile" DynaFile="logfile"
           template="snaremsg2disk"
           sig.provider="gt"
           sig.timestampService="http://stamper.ee.guardtime.net/gt-signingservice"
           sig.keepTreeHashes="on"
           sig.keepRecordHashes="on"
    )
}
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
--
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
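A small check for the descriptor build-up described in the post, added here as an example and not part of the original message or of rsyslog itself. It reads the /proc/<pid>/fd symlinks of a running rsyslogd (standard Linux layout) and reports any .gtstate path referenced by more than one descriptor, which is the signature of the leak; the sample descriptor table is constructed, and the helper names are mine.

```python
import os
from collections import Counter

# Constructed sample of what /proc/<pid>/fd symlinks might resolve to on a
# leaking server: one gtstate file held open by three descriptors.
SAMPLE_FD_TARGETS = [
    (3, "/dev/null"),
    (4, "socket:[12345]"),
    (5, "/logs/winhost01-messages"),
    (6, "/logs/winhost01-messages.gtsig"),
    (7, "/logs/winhost01-messages.gtstate"),
    (8, "/logs/winhost01-messages.gtstate"),
    (9, "/logs/winhost01-messages.gtstate (deleted)"),
]


def read_fd_targets(pid):
    """Return [(fd, target)] from the real /proc/<pid>/fd of a live process."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append((int(name), os.readlink(os.path.join(fd_dir, name))))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
    return targets


def duplicate_file_handles(fd_targets, suffix=".gtstate"):
    """Map each path ending in *suffix* to its descriptor count, keeping only
    paths opened more than once. One handle per state file is all the
    signature provider needs, so every entry returned is a leaked descriptor."""
    counts = Counter()
    for _fd, target in fd_targets:
        path = target.replace(" (deleted)", "")  # unlinked files still hold an fd
        if path.endswith(suffix):
            counts[path] += 1
    return {path: n for path, n in counts.items() if n > 1}


def soft_nofile_limit(pid):
    """Soft 'Max open files' value from /proc/<pid>/limits, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/limits") as fh:
            for line in fh:
                if line.startswith("Max open files"):
                    return int(line.split()[3])
    except OSError:
        pass
    return None
```

Run it against a live daemon with `read_fd_targets(pid)` in place of the sample and compare `len(targets)` with `soft_nofile_limit(pid)`; a growing duplicate count for the same .gtstate path between two runs confirms the leak before the limit is hit.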