Hi Rainer,
Before that, I would like to ask you to double blouble check my config, I know
i make mistakes, maybe you could spot it, and it will be fixed with simple
config update 😊
If config looks OK, I will submit github issue tracker ticket.
[root@all-logs centos]# egrep -v '^#|^$' /etc/rsyslog.conf
$FileOwner root
$FileGroup LOGS
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0027
$DirOwner root
$DirGroup LOGS
$ActionFileEnableSync on
$omfileForceChown on
$ModLoad imuxsock # provides support for local system logging (e.g. via logger
command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileEnableSync on
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
if $fromhost-ip != '127.0.0.1'
then {
stop
}
kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.*
AND:
[root@all-logs centos]# egrep -v '^#|^$' /etc/rsyslog.d/01-remote.conf
$template
RemoteHost,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/all.log"
$template tplremote,"%timegenerated% %HOSTNAME%[%fromhost-ip%] %syslogtag%
%PROGRAMNAME% %syslogfacility-text%.%syslogseverity-text%
%msg:::drop-last-lf%\n"
$template tplaudit,"%msg:::drop-last-lf%\n"
if ($fromhost-ip != '127.0.0.1' and $programname != 'audispd') then
?RemoteHost;tplremote
$template
NovaAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/nova-all.log"
if ($programname contains 'nova') then ?NovaAll;tplremote
$template
CinderAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/cinder-all.log"
if ($programname contains 'cinder') then ?CinderAll;tplremote
$template
GlanceAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/glance-all.log"
if ($programname contains 'glance') then ?GlanceAll;tplremote
$template
NeutronAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/neutron-all.log"
if ($programname contains 'neutron') then ?NeutronAll;tplremote
$template
RabbitAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/rabbit-all.log"
if ($programname contains 'rabbit') then ?RabbitAll;tplremote
$template
KeystoneAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/keystone-all.log"
if ($programname contains 'keystone') then ?KeystoneAll;tplremote
$template
ZabbixAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/zabbix-all.log"
if ($programname contains 'zabbix') then ?ZabbixAll;tplremote
$template
SudoAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/sudo-all.log"
if ($programname contains 'sudo') then ?SudoAll;tplremote
$template
DHCPAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/dhcp-all.log"
if ($programname contains 'dhcp') then ?DHCPAll;tplremote
$template
HttpAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/httpd-all.log"
if ($programname contains 'http' or $programname contains 'apache') then
?HttpAll;tplremote
$template
HaproxyAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/haproxy-all.log"
if ($programname contains 'haproxy') then ?HaproxyAll;tplremote
$template YumAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/yum.log"
if ($programname contains 'yum') then ?YumAll;tplremote
$template
AuditAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/audit.log"
if ($programname contains 'audispd') then ?YumAll;tplaudit
$template
Kern,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/kernel.log"
kern.* ?Kern;tplremote
$template
Auth,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/secure.log"
authpriv.* ?Auth;tplremote
$template Mail,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/mail.log"
mail.* ?Mail;tplremote
$template Cron,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/cron.log"
cron.* ?Cron;tplremote
$template
Error,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/all-error.log"
*.error ?Error;tplremote
$template Boot,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/boot.log"
local7.* ?Boot;tplremote
[root@all-logs centos]#
Ruslanas Gžibovskis
Planned OOO:
2018-04-26 – 2018-05-01 – no access to internet
2018-08-23 – 2018-08-26 – no access to internet
2018-10-22 – 2018-10-26 – no access to internet.
-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
Gerhards
Sent: Tuesday, March 6, 2018 1:57 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] rsyslog-server stops receiving messages after 30 sec
2018-03-06 12:53 GMT+01:00 Ruslanas Gžibovskis <ruslanas.gzibovs...@telia.lt>:
> Rainer, still same situation:
mhhh, that's strange. It would be best if you could open a github issue
tracker. We are currently reworking imfile, and having the issue will make sure
this gets reviewed as part of that effort.
The better detail you can give on how to reproduce, the better the chances are
we can cover and address it in a testbench test (which usually is the first
step towards a fix).
Just to set expectations straight, the work is scheduled for 8.34 but may roll
into 8.35).
Thanks,
Rainer
>
> Local time: Tue Mar 6 13:52:41 EET 2018
>
> [root@all-logs centos]# systemctl status rsyslog ● rsyslog.service -
> System Logging Service
> Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; disabled; vendor
> preset: enabled)
> Active: active (running) since Tue 2018-03-06 11:26:32 EET; 2h 20min ago
> Docs: man:rsyslogd(8)
> http://www.rsyslog.com/doc/ Main PID: 4708 (rsyslogd)
> CGroup: /system.slice/rsyslog.service
> └─4708 /usr/sbin/rsyslogd -n -iNONE
>
> Mar 06 13:42:39 all-logs.local rsyslogd[4708]: omelasticsearch:
> checkConn failed after 1 attempts. [v8.33.0 try
> http://www.rsyslog.com/e/2007 ] Mar 06 13:43:09 all-logs.local
> rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts.
> [v8.33.0 try http://www.rsyslog.com/e/2007 ] Mar 06 13:43:39
> all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after
> 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ] Mar 06
> 13:44:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn
> failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:44:39 all-logs.local rsyslogd[4708]: omelasticsearch:
> checkConn failed after 1 attempts. [v8.33.0 try
> http://www.rsyslog.com/e/2007 ] Mar 06 13:45:09 all-logs.local
> rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts.
> [v8.33.0 try http://www.rsyslog.com/e/2007 ] Mar 06 13:45:39
> all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after
> 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ] Mar 06
> 13:46:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn
> failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:46:39 all-logs.local rsyslogd[4708]: omelasticsearch:
> checkConn failed after 1 attempts. [v8.33.0 try
> http://www.rsyslog.com/e/2007 ] Mar 06 13:47:09 all-logs.local
> rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts.
> [v8.33.0 try http://www.rsyslog.com/e/2007 ] [root@all-logs centos]#
>
> Received:
> Mar 6 11:27:11 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info
> TEST Message to be written 1217 Mar 6 11:27:14
> 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be
> written 1218 Mar 6 11:27:17 10.94.0.131[10.94.0.131] TESTAS: TESTAS
> mail.info TEST Message to be written 1219 Mar 6 11:27:20
> 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be
> written 1220 Mar 6 11:27:23 10.94.0.131[10.94.0.131] TESTAS: TESTAS
> mail.info TEST Message to be written 1221 Mar 6 11:27:26
> 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be
> written 1222 Mar 6 11:27:29 10.94.0.131[10.94.0.131] TESTAS: TESTAS
> mail.info TEST Message to be written 1223 Mar 6 11:27:32
> 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be
> written 1224
>
> And last message number currently sent to server is:
> TEST Message to be written 4058
> TEST Message to be written 4059
>
> Versions:
> [root@all-logs centos]# rsyslogd -v
> rsyslogd 8.33.0, compiled with:
> PLATFORM: x86_64-redhat-linux-gnu
> PLATFORM (lsb_release -d):
> FEATURE_REGEXP: Yes
> GSSAPI Kerberos 5 support: Yes
> FEATURE_DEBUG (debug build, slow code): No
> 32bit Atomic operations supported: Yes
> 64bit Atomic operations supported: Yes
> memory allocator: system default
> Runtime Instrumentation (slow code): No
> uuid support: Yes
> systemd support: Yes
> Number of Bits in RainerScript integers: 64
>
> See http://www.rsyslog.com for more information.
> [root@all-logs centos]# yum repolist
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> * base: mirror.vpsnet.com
> * epel: mirrors.colocall.net
> * extras: mirror.vpsnet.com
> * updates: mirror.vpsnet.com
> repo id repo name
>
> status
> base/7/x86_64 CentOS-7 - Base
>
> 9,591
> epel/x86_64 Extra Packages
> for Enterprise Linux 7 - x86_64
> 12,358
> extras/7/x86_64 CentOS-7 -
> Extras
> 392
> rsyslog_v8/7/x86_64 Adiscon
> CentOS-7 - local packages for x86_64
> 1,519
> updates/7/x86_64 CentOS-7 -
> Updates
> 1,962
> repolist: 25,822
> [root@all-logs centos]#
>
>
>
>
> -----Original Message-----
> From: Ruslanas Gžibovskis
> Sent: Tuesday, March 6, 2018 11:28 AM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: RE: [rsyslog] rsyslog-server stops receiving messages after
> 30 sec
>
> Found: http://www.rsyslog.com/rhelcentos-rpms/ updated, doing same check.
>
>
>
> -----Original Message-----
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Ruslanas Gžibovskis
> Sent: Tuesday, March 6, 2018 11:23 AM
> To: Rainer Gerhards <rgerha...@hq.adiscon.com>; rsyslog-users
> <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] rsyslog-server stops receiving messages after
> 30 sec
>
>
>
> Hm, need to check with CentOS 😊 and RHEL 😊
>
> Ok, thanks for support.
>
> -----Original Message-----
> From: Rainer Gerhards [mailto:rgerha...@hq.adiscon.com]
> Sent: Tuesday, March 6, 2018 11:20 AM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Ruslanas Gžibovskis <ruslanas.gzibovs...@telia.lt>
> Subject: Re: [rsyslog] rsyslog-server stops receiving messages after
> 30 sec
>
> TBH, I won't look any further at this until you run 8.33.0 ;-) It doesn't
> help to debug ever and ever again old bugs...
>
> Raienr
>
> 2018-03-06 9:57 GMT+01:00 Ruslanas Gžibovskis <rusla...@lpic.lt>:
>> I will check if missed, at the moment I found rsyslog sprpped (logs
>> are mising of course :) )
>>
>> At the moment I have executed: ]# i=0; while true ; do logger -n IP
>> -P
>> 514 -t TESTAS -p mail.info "TEST Message to be written $i" ; echo $i
>> ;
>> i=$((i+1)) ; sleep 3; done
>>
>> and now it is 10:56 my time
>>
>> and last logs I see:
>>
>> Mar 6 10:27:26 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info
>> TEST Message to be written 23 Mar 6 10:27:29
>> 10.94.0.131[10.94.0.131]
>> TESTAS: TESTAS mail.info TEST Message to be written 24 Mar 6
>> 10:27:32 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST
>> Message to be written 25
>>
>> and cycle now says :
>> 612
>> 613
>> 614
>> 615
>> 616
>>
>> will check after lunch, what will be written to log...
>>
>> On Tue, 6 Mar 2018 at 09:37 Rainer Gerhards
>> <rgerha...@hq.adiscon.com>
>> wrote:
>>
>>> This strongly reminds me on an old bug where flush did not work properly...
>>>
>>> Rainer
>>>
>>> 2018-03-06 3:14 GMT+01:00 David Lang <da...@lang.hm>:
>>> > are any logs lost? or is it just that they are getting written in bursts?
>>> >
>>> > Davdi Lang
>>> >
>>> > _______________________________________________
>>> > rsyslog mailing list
>>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> > http://www.rsyslog.com/professional-services/
>>> > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
>>> > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>> > myriad
>>> of
>>> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
>>> > you DON'T LIKE THAT.
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
>>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
>>> you DON'T LIKE THAT.
>>>
>> --
>>
>> Ruslanas Gžibovskis
>> +370 6030 7030
>> RHCE: 130-192-255
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
>> THAT.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This
> is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
> control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
