I am pretty sure that rsyslog spits out some error messages ... that your conf doesn't record at all. As a first troubleshooting step, add
syslog.* /var/log/syslogd.log to a top spot in rsyslog.conf. Restart rsyslogd and see what comes up in that file. I suspect that the (ancient) version you have does not support what you use. Error message will help find that (but I need to say that in ancient days, error messages were far less good than they are today ;)). Rainer 2014-09-25 17:07 GMT+02:00 John Jones <[email protected]>: > Hello to the list: > > I have a remote host sending apache_{error,access}.log files to the > rsyslog-server, and that's all fine and good. > What I'm having trouble with is that the apache traffic is sending the > same traffic to /var/log/messages. > > I suspect it's the /etc/rsyslog.d/watchfile.conf that I created, and here > are the contents: > $ModLoad imfile > # apache error.log > $InputFileName /var/log/apache2/error.log > $InputFileTag error: > $InputFileStateFile state_file_error_apache > $InputFileFacility local6 > $InputRunFileMonitor > $InputFilePollInterval 10 > > # apache access.log > $InputFileName /var/log/apache2/access.log > $InputFileTag access: > $InputFileStateFile state_file_access_apache > $InputFileFacility local6 > $InputRunFileMonitor > $InputFilePollInterval 10 > > if $programname == 'access' then @rsyslog-server:514 > & ~ > if $programname == 'errors' then @rsyslog-server:514 > & ~ > > The rsyslogd version on this host (from stock CentOS 5.10 repo) is: > rsyslogd 3.22.1, compiled with: > FEATURE_REGEXP: Yes > FEATURE_LARGEFILE: Yes > FEATURE_NETZIP (message compression): Yes > GSSAPI Kerberos 5 support: Yes > FEATURE_DEBUG (debug build, slow code): No > Atomic operations supported: Yes > Runtime Instrumentation (slow code): No > > > I changed InputFileFacility to local6 after reading this < > http://kb.monitorware.com/rsyslog-message-duplicates- > t12273.html?hilit=duplicates&sid=9666af8003d631d35d5603149b6d54fb#p24305> > - no change. > I added $InputFileFacility local6 to the watchfile after reviewing > http://kb.monitorware.com/rsyslog-message-duplicates- > t12273.html?hilit=duplicates#p24303 > but it's not known to me if I have to do that for each watched file? > > > The /etc/rsyslog.conf on this host seems sparse with: > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > $ModLoad imklog > $ModLoad imuxsock > *.info;mail.none;authpriv.none;cron.none /var/log/messages > authpriv.* /var/log/secure > mail.* -/var/log/maillog > cron.* /var/log/cron > *.emerg * > uucp,news.crit /var/log/spooler > local7.* /var/log/boot.log > *.* @rsyslog-server::514 > > It is not clear to me if this is the|an issue. > > I tried variations on > local6.=info /var/log/apache2/error.log > & ~ > local6.=error /var/log/apache2/access.log > & ~ > in the watchfile.conf but it didn't correct the problem. > > I do see "{host} access" and "{host} error" in the /var/log/messages > so I suspect it's a trivial matter. > > Examined references are > http://kb.monitorware.com/post24302....licates#p24302 < > http://kb.monitorware.com/post24302.html?hilit=duplicates#p24302> > https://access.redhat.com/discussions/650853 > and several dozen search-engine results. > > Anything I try just seems to make it messier. > Can some one help this new rsyslog user out? > > Thank you for your time. > > -- > John Jones > Cirrhus9.com > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
