I am indebted to everyone for helping with this issue. I think the issue was due to invalid JSON strings, so we made some architectural changes to fix it. Thanks again.

On Mon, Apr 25, 2016 at 10:51 PM, David Lang <[email protected]> wrote:

> per the documentation page, rsyslog auto-generates the statefile name
>
> http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
>
> but you have to have WorkDirectory set to someplace the rsyslog has
> permissions to write to. Are you sure your SELinux/AppArmor permissions let
> you write to /var/spool/rsyslog? especially as user user/group
> syslog.syslog?
>
> as far as rotating the file goes, you should not copy+delete the file, you
> should move the file, then HUP rsyslog and rsyslog will recreate the file
> as needed.
>
> David Lang
>
> On Mon, 25 Apr 2016, Muhammad Asif wrote:
>
>> Date: Mon, 25 Apr 2016 15:01:38 +0500
>> From: Muhammad Asif <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] rsyslog issue with new modsec_audit.log
>>
>> Plz have a look.
>> http://pastebin.com/A38mwQc7
>>
>> On Mon, Apr 25, 2016 at 12:38 PM, David Lang <[email protected]> wrote:
>>
>>> On Mon, 25 Apr 2016, Muhammad Asif wrote:
>>>
>>>> Hi Geeks,
>>>>
>>>> In my case no state file is being created. Even when I set it, it
>>>> throws the following error. I am using rsyslog-8.18.
>>>>
>>>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
>>>> 69: parameter 'statefile' deprecated but accepted, consider removing or
>>>> replacing it
>>>
>>> are you mixing the legacy and new style syntax? can you show us your
>>> config?
>>>
>>> David Lang
>>>
>>>> On Mon, Apr 25, 2016 at 12:00 PM, Muhammad Asif <[email protected]>
>>>> wrote:
>>>>
>>>>> Dear Ashish, Thanks for the reply. How did you do this exactly? Any cron
>>>>> job or something else?
>>>>>
>>>>> Regards
>>>>> M.Asif
>>>>>
>>>>> On Fri, Apr 22, 2016 at 10:08 PM, Ashish Barmase <[email protected]> wrote:
>>>>>
>>>>>> Hi Asif, not sure your problem and mine are the same, but it looks like
>>>>>> I had a similar issue. I used to monitor the catalina.out file of
>>>>>> tomcat, but after log rotation runs each day, the more logs stopped
>>>>>> forwarding.
>>>>>>
>>>>>> What I did was use a postrotate action to delete the rsyslog stat file
>>>>>> and restart the rsyslog, which did the trick.
>>>>>>
>>>>>> Thanks,
>>>>>> Ashish
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Muhammad Asif
>>>>>> Sent: Friday, April 22, 2016 3:28 AM
>>>>>> To: rsyslog-users <[email protected]>
>>>>>> Subject: [rsyslog] rsyslog issue with new modsec_audit.log
>>>>>>
>>>>>> Hi geeks,
>>>>>>
>>>>>> We are facing a problem with modsec_audit.log. Let me discuss a
>>>>>> scenario. At the start of a day modsecurity creates a file with the
>>>>>> name modsec_audit.log. Throughout the day it contains 1000 logs which
>>>>>> are sent by rsyslog to a remote server.
>>>>>> The next day modsecurity renames the previous file as
>>>>>> modsec_audit.log.1 and creates a new file modsec_audit.log. Now the
>>>>>> problem starts. Since the filename is the same, the rsyslog pointer
>>>>>> stands at line 1001. But the first 1000 logs of the next day are not
>>>>>> processed.
>>>>>>
>>>>>> How can we handle this issue?
>>>>>>
>>>>>> Regards
>>>>>> M.Asif
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com/professional-services/
>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>> DON'T LIKE THAT.
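
The failure described in the original post, where the reader's saved position survives a rename-and-recreate rotation, can be reproduced with a small file tailer. This is an added example, not part of the thread and not rsyslog's imfile code; the function names, the state dictionaries and the log lines are constructed for illustration.

```python
import os
import tempfile

def read_naive(path, state):
    """Tail keyed by file name only: always resume at the saved offset."""
    with open(path, "rb") as fh:
        fh.seek(state.get("offset", 0))
        data = fh.read()
    state["offset"] = state.get("offset", 0) + len(data)
    return data.decode().splitlines()

def read_checked(path, state):
    """Tail that restarts at 0 when the file was replaced or truncated."""
    st = os.stat(path)
    if state.get("inode") != st.st_ino or st.st_size < state.get("offset", 0):
        state["offset"] = 0  # new inode or shorter file: saved offset is stale
    state["inode"] = st.st_ino
    with open(path, "rb") as fh:
        fh.seek(state["offset"])
        data = fh.read()
    state["offset"] += len(data)
    return data.decode().splitlines()

def demo():
    """Constructed scenario: 1000 lines on day 1, rotate by rename, 1200 on day 2."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "modsec_audit.log")
        naive, checked = {}, {}
        with open(log, "w") as fh:
            fh.writelines(f"day1 event {i}\n" for i in range(1000))
        read_naive(log, naive)
        read_checked(log, checked)
        os.rename(log, log + ".1")  # rotation: the old file keeps its inode
        with open(log, "w") as fh:
            fh.writelines(f"day2 event {i}\n" for i in range(1200))
        return read_naive(log, naive), read_checked(log, checked)

if __name__ == "__main__":
    naive_day2, checked_day2 = demo()
    print(len(naive_day2), "lines seen by name-only tail, first:", naive_day2[0])
    print(len(checked_day2), "lines seen with rotation check")
```

The constructed day 1 and day 2 lines have equal lengths, so the stale offset lands exactly on a line boundary; with real audit records it would usually land mid-record and the first line read would be a fragment.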

