On Sat, 12 Dec 2015, Alec Swan wrote:
Thanks, Ciprian. I ran rsyslogd -dn and I can see that imfile is reading changes from cassandra.log, but it's not sending them to elasticsearch until I restart. Thoughts?

Rsyslog trace before restart doesn't have any omelasticsearch logs:

...
5623.332950664:imfile.c : DDDD: imfile: in_processEvent (wd=2) event Mask='0x00000002'
5623.332954364:imfile.c : DDDD: imfile: wd 2 got file 0x7ffe24002190, dir -1
5623.332965540:imfile.c : strm 0x7ffe240057c0: file 7 read 0 bytes
5623.332978458:imfile.c : stream checking for file change on '/var/log/cassandra/cassandra.log', inode 264465/264465
5623.332982339:imfile.c : DDDDD: readLine returns[-2026]: '(null)' [*ppCStr 0x7ffe24026850]

Rsyslog after restart which causes logs to be sent to elasticsearch:

...
6033.733447868:action 2 queue:Reg/w0: omelasticsearch: result doAction: -2121 (bulkmode 1)
6033.733450384:action 2 queue:Reg/w0: omelasticsearch: endTransaction init
6033.733482066:action 2 queue:Reg/w0: omelasticsearch: endTransaction, batch: '{"index":{"_index": "logstash-2015.12.12","_type":"cassandra"}}
{ "@timestamp": "2015-12-12T21:33:53.484399+00:00", "host": "m0051948", "severity": "notice", "facility": "local2", "syslogtag": "cassandra", "filename": "cassandra.log", "message": "Enqueuing flush of Memtable-local@518770933(84\/840 serialized\/live bytes, 4 ops)", "log_time": "21:26:55,179", "log_level": "INFO" }
{"index":{"_index": "logstash-2015.12.12","_type":"cassandra"}}

there should be something in the logs about the elasticsearch action, do you have it named? (name= in the action statement)
are you saying that when rsyslog starts, it doesn't send, but if you restart it, it then sends normally? or are you saying that nothing goes through until you do a restart, then one batch of messages gets through and nothing beyond that until you do a restart again?
David Lang
_______________________________________________
rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog

