Per the documentation page, rsyslog auto-generates the statefile name:
http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
but you have to have WorkDirectory set to someplace that rsyslog has permission
to write to. Are you sure your SELinux/AppArmor permissions let you write to
/var/spool/rsyslog? Especially as user/group syslog.syslog?

As far as rotating the file goes, you should not copy+delete the file; you should
move the file, then HUP rsyslog, and rsyslog will recreate the file as needed.

David Lang

On Mon, 25 Apr 2016, Muhammad Asif wrote:
Date: Mon, 25 Apr 2016 15:01:38 +0500
From: Muhammad Asif <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] rsyslog issue with new modsec_audit.log
Plz have a look.
http://pastebin.com/A38mwQc7
On Mon, Apr 25, 2016 at 12:38 PM, David Lang <[email protected]> wrote:
On Mon, 25 Apr 2016, Muhammad Asif wrote:
Hi Geeks,
In my case no state file is being created. Even when I set it, it throws the
following error. I am using rsyslog-8.18.
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
69: parameter 'statefile' deprecated but accepted, consider removing or
replacing it
Are you mixing the legacy and new-style syntax? Can you show us your
config?
David Lang
On Mon, Apr 25, 2016 at 12:00 PM, Muhammad Asif <[email protected]>
wrote:
Dear Ashish, thanks for the reply. How did you do this exactly? Any cron job or
something else?
Regards
M.Asif
On Fri, Apr 22, 2016 at 10:08 PM, Ashish Barmase <
[email protected]> wrote:
Hi Asif, not sure yours and my problem are the same, but it looks like I had a
similar issue. I used to monitor the catalina.out file of Tomcat, but after
log rotation runs each day, logs stopped forwarding.
What I did was use a postrotate action to delete the rsyslog state file and
restart rsyslog, which did the trick.
Thanks,
Ashish
-----Original Message-----
From: [email protected] [mailto:
[email protected]] On Behalf Of Muhammad Asif
Sent: Friday, April 22, 2016 3:28 AM
To: rsyslog-users <[email protected]>
Subject: [rsyslog] rsyslog issue with new modsec_audit.log
Hi geeks,
We are facing a problem with modsec_audit.log. Let me describe a scenario.
At the start of a day modsecurity creates a file named modsec_audit.log.
Throughout the day it contains 1000 logs, which are sent by rsyslog to a
remote server.
The next day modsecurity renames the previous file to modsec_audit.log.1
and creates a new file modsec_audit.log. Now the problem starts. Since the
filename is the same, the rsyslog pointer stands at line 1001, but the first
1000 logs of the next day are not processed.
How can we handle this issue?
Regards
M.Asif
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL:
This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
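
Added example, not part of any post in this thread: a shell sketch of the two checks discussed above, namely that the WorkDirectory is writable by the account rsyslog runs as, and that rotation is done by moving the file and then sending HUP. The function names and the optional pid-file argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the pid-file
# argument are assumptions; pass the paths that apply to your system.

# Return 0 if DIR exists and the calling user can create files in it.
# Run this as the account rsyslog runs as (syslog.syslog in the thread),
# for example through sudo -u. It exercises ordinary file permissions in the
# caller's context only; an SELinux/AppArmor denial that applies to the
# rsyslogd process itself has to be looked up in the audit log.
workdir_writable() {
    dir=$1
    [ -d "$dir" ] || return 1
    probe="$dir/.imfile-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Rotate LOG by renaming it (never copy+delete), then HUP rsyslog when a
# readable pid file is given. The rename keeps the inode, so the rotated
# file is still the same file the reader had open.
rotate_by_move() {
    log=$1
    pidfile=${2:-}
    [ -f "$log" ] || return 1
    mv -- "$log" "$log.1" || return 1
    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    fi
}

# Print the inode number of FILE, to confirm a rename kept the same file.
inode_of() {
    ls -i -- "$1" | awk '{print $1}'
}
```

If `workdir_writable /var/spool/rsyslog` fails for the syslog user, imfile has nowhere to keep its state file, which matches the symptom reported in the thread.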