I don't see anything obviously wrong. I think it would make sense to enable a debug log, see on this page:
http://www.rsyslog.com/doc/v8-stable/troubleshooting/debug.html#enabling-debug-via-rsyslog-conf Just as I see that you switched to reading imjournal: may it be related to the journal so that rsyslog actually does not see anything? The debug log will tell, but checking this might be a shortcut... HTH Rainer HTH 2017-07-20 16:59 GMT+02:00 Mike Schleif <mike+rsys...@mdsresource.net>: > Making changes to rsyslog.conf on Production server. Restart rsyslogd > _after_ successfully verifying conf lines with: > > /sbin/rsyslogd -f /etc/rsyslog.conf -N 1 > > No errors in conf. No errors on restart. > > HOWEVER, zero SSH (authpriv) logging to /var/log/secure, although all other > logging appears to work without incident. > > Change CONF back to pre-edit, verify conf (as above), stop rsyslogd, start > rsyslogd - everything works, EXCEPT no SSH logging. > > The only thing we found to resume SSH logging is a full reboot. This is a > Production server and reboots cannot be done willy-nilly. However, we MUST > have SSH logging functional. This whole scenario repeated as described two > times yesterday. > > Please, advise. Thank you. > > Details below: > > CentOS Linux release 7.3.1611 (Core) > rsyslog.x86_64 8.28.0-1.el7 > @rsyslog_v8 > rsyslog-mysql.x86_64 8.28.0-1.el7 > @rsyslog_v8 > > > /// OLD conf lines that work (if following NEW are not tried) /// > > # The imjournal module bellow is now used as a message source instead of > imuxsock. > $ModLoad imjournal # provides access to the systemd journal > $ModLoad imklog # reads kernel messages (the same are read from journald) > $ModLoad immark # provides --MARK-- message capability > # Generate Periodic Statistics of Internal Counters > module(load="impstats" interval="600" severity="7") > # Actually gather the data: > syslog.=debug /var/log/rsyslog-stats > $ModLoad imuxsock # provides support for local system logging (e.g. via > logger command) > $ModLoad ommysql.so # load MySQL output driver > # Provides UDP syslog reception > $ModLoad imudp # network reception > $UDPServerRun 514 > > > /// NEW conf lines that cause the problem /// > > # Provides access to the systemd journal > module(load="imjournal" StateFile="imjournal.state") > # Provides kernel logging support (previously done by rklogd) > module(load="imklog") > # Provides --MARK-- message capability > module(load="immark") > # Provides TCP syslog reception > # For parameters see http://www.rsyslog.com/doc/imtcp.html > # Needs to be done just once > module(load="imtcp") > input(type="imtcp" port="514") > # Provides UDP syslog reception > # For parameters see http://www.rsyslog.com/doc/imudp.html > # Needs to be done just once > module(load="imudp") > input(type="imudp" port="514") > # Provides support for local system logging (e.g. via logger command) > module(load="imuxsock" SysSock.FlowControl="off") > input(type="imuxsock" Socket="/vol1/chroot/dev/log") > # Program integration Output module > module(load="omprog") > action(type="omprog" template="RSYSLOG_TraditionalFileFormat") > # MySQL output driver > module(load="ommysql.so") > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.