Hi Rainer,

Before that, I would like to ask you to double double check my config. I know I make mistakes, maybe you could spot it, and it will be fixed with a simple config update 😊
If config looks OK, I will submit github issue tracker ticket.

[root@all-logs centos]# egrep -v '^#|^$' /etc/rsyslog.conf
$FileOwner root
$FileGroup LOGS
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0027
$DirOwner root
$DirGroup LOGS
$ActionFileEnableSync on
$omfileForceChown on
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileEnableSync on
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
if $fromhost-ip != '127.0.0.1' then { stop }
kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.*

AND:

[root@all-logs centos]# egrep -v '^#|^$' /etc/rsyslog.d/01-remote.conf
$template RemoteHost,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/all.log"
$template tplremote,"%timegenerated% %HOSTNAME%[%fromhost-ip%] %syslogtag% %PROGRAMNAME% %syslogfacility-text%.%syslogseverity-text% %msg:::drop-last-lf%\n"
$template tplaudit,"%msg:::drop-last-lf%\n"
if ($fromhost-ip != '127.0.0.1' and $programname != 'audispd') then ?RemoteHost;tplremote
$template NovaAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/nova-all.log"
if ($programname contains 'nova') then ?NovaAll;tplremote
$template CinderAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/cinder-all.log"
if ($programname contains 'cinder') then ?CinderAll;tplremote
$template GlanceAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/glance-all.log"
if ($programname contains 'glance') then ?GlanceAll;tplremote
$template NeutronAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/neutron-all.log"
if ($programname contains 'neutron') then ?NeutronAll;tplremote
$template RabbitAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/rabbit-all.log"
if ($programname contains 'rabbit') then ?RabbitAll;tplremote
$template KeystoneAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/keystone-all.log"
if ($programname contains 'keystone') then ?KeystoneAll;tplremote
$template ZabbixAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/zabbix-all.log"
if ($programname contains 'zabbix') then ?ZabbixAll;tplremote
$template SudoAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/sudo-all.log"
if ($programname contains 'sudo') then ?SudoAll;tplremote
$template DHCPAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/dhcp-all.log"
if ($programname contains 'dhcp') then ?DHCPAll;tplremote
$template HttpAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/httpd-all.log"
if ($programname contains 'http' or $programname contains 'apache') then ?HttpAll;tplremote
$template HaproxyAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/haproxy-all.log"
if ($programname contains 'haproxy') then ?HaproxyAll;tplremote
$template YumAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/yum.log"
if ($programname contains 'yum') then ?YumAll;tplremote
$template AuditAll,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/audit.log"
if ($programname contains 'audispd') then ?YumAll;tplaudit
$template Kern,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/kernel.log"
kern.* ?Kern;tplremote
$template Auth,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/secure.log"
authpriv.* ?Auth;tplremote
$template Mail,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/mail.log"
mail.* ?Mail;tplremote
$template Cron,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/cron.log"
cron.* ?Cron;tplremote
$template Error,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/all-error.log"
*.error ?Error;tplremote
$template Boot,"/var/log/remote/%FROMHOST-IP%/%$YEAR%/%$MONTH%/%$DAY%/boot.log"
local7.* ?Boot;tplremote
[root@all-logs centos]#

Ruslanas Gžibovskis
Planned OOO:
2018-04-26 – 2018-05-01 – no access to internet
2018-08-23 – 2018-08-26 – no access to internet
2018-10-22 – 2018-10-26 – no access to internet.

-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Tuesday, March 6, 2018 1:57 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] rsyslog-server stops receiving messages after 30 sec

2018-03-06 12:53 GMT+01:00 Ruslanas Gžibovskis <ruslanas.gzibovs...@telia.lt>:
> Rainer, still same situation:

mhhh, that's strange. It would be best if you could open a github issue tracker. We are currently reworking imfile, and having the issue will make sure this gets reviewed as part of that effort. The better detail you can give on how to reproduce, the better the chances are we can cover and address it in a testbench test (which usually is the first step towards a fix).

Just to set expectations straight, the work is scheduled for 8.34 (but may roll into 8.35).

Thanks,
Rainer

>
> Local time: Tue Mar 6 13:52:41 EET 2018
>
> [root@all-logs centos]# systemctl status rsyslog
> ● rsyslog.service - System Logging Service
>    Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; disabled; vendor preset: enabled)
>    Active: active (running) since Tue 2018-03-06 11:26:32 EET; 2h 20min ago
>      Docs: man:rsyslogd(8)
>            http://www.rsyslog.com/doc/
>  Main PID: 4708 (rsyslogd)
>    CGroup: /system.slice/rsyslog.service
>            └─4708 /usr/sbin/rsyslogd -n -iNONE
>
> Mar 06 13:42:39 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:43:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:43:39 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:44:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:44:39 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:45:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:45:39 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:46:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:46:39 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> Mar 06 13:47:09 all-logs.local rsyslogd[4708]: omelasticsearch: checkConn failed after 1 attempts. [v8.33.0 try http://www.rsyslog.com/e/2007 ]
> [root@all-logs centos]#
>
> Received:
> Mar 6 11:27:11 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1217
> Mar 6 11:27:14 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1218
> Mar 6 11:27:17 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1219
> Mar 6 11:27:20 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1220
> Mar 6 11:27:23 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1221
> Mar 6 11:27:26 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1222
> Mar 6 11:27:29 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1223
> Mar 6 11:27:32 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 1224
>
> And last message number currently sent to server is:
> TEST Message to be written 4058
> TEST Message to be written 4059
>
> Versions:
> [root@all-logs centos]# rsyslogd -v
> rsyslogd 8.33.0, compiled with:
>     PLATFORM: x86_64-redhat-linux-gnu
>     PLATFORM (lsb_release -d):
>     FEATURE_REGEXP: Yes
>     GSSAPI Kerberos 5 support: Yes
>     FEATURE_DEBUG (debug build, slow code): No
>     32bit Atomic operations supported: Yes
>     64bit Atomic operations supported: Yes
>     memory allocator: system default
>     Runtime Instrumentation (slow code): No
>     uuid support: Yes
>     systemd support: Yes
>     Number of Bits in RainerScript integers: 64
>
> See http://www.rsyslog.com for more information.
> [root@all-logs centos]# yum repolist
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
>  * base: mirror.vpsnet.com
>  * epel: mirrors.colocall.net
>  * extras: mirror.vpsnet.com
>  * updates: mirror.vpsnet.com
> repo id               repo name                                         status
> base/7/x86_64         CentOS-7 - Base                                   9,591
> epel/x86_64           Extra Packages for Enterprise Linux 7 - x86_64    12,358
> extras/7/x86_64       CentOS-7 - Extras                                 392
> rsyslog_v8/7/x86_64   Adiscon CentOS-7 - local packages for x86_64      1,519
> updates/7/x86_64      CentOS-7 - Updates                                1,962
> repolist: 25,822
> [root@all-logs centos]#
>
> -----Original Message-----
> From: Ruslanas Gžibovskis
> Sent: Tuesday, March 6, 2018 11:28 AM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: RE: [rsyslog] rsyslog-server stops receiving messages after 30 sec
>
> Found: http://www.rsyslog.com/rhelcentos-rpms/ updated, doing same check.
>
> -----Original Message-----
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Ruslanas Gžibovskis
> Sent: Tuesday, March 6, 2018 11:23 AM
> To: Rainer Gerhards <rgerha...@hq.adiscon.com>; rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] rsyslog-server stops receiving messages after 30 sec
>
> Hm, need to check with CentOS 😊 and RHEL 😊
>
> Ok, thanks for support.
>
> -----Original Message-----
> From: Rainer Gerhards [mailto:rgerha...@hq.adiscon.com]
> Sent: Tuesday, March 6, 2018 11:20 AM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Ruslanas Gžibovskis <ruslanas.gzibovs...@telia.lt>
> Subject: Re: [rsyslog] rsyslog-server stops receiving messages after 30 sec
>
> TBH, I won't look any further at this until you run 8.33.0 ;-) It doesn't
> help to debug ever and ever again old bugs...
>
> Rainer
>
> 2018-03-06 9:57 GMT+01:00 Ruslanas Gžibovskis <rusla...@lpic.lt>:
>> I will check if missed, at the moment I found rsyslog stopped (logs
>> are missing of course :) )
>>
>> At the moment I have executed:
>> ]# i=0; while true ; do logger -n IP -P 514 -t TESTAS -p mail.info "TEST Message to be written $i" ; echo $i ; i=$((i+1)) ; sleep 3; done
>>
>> and now it is 10:56 my time
>>
>> and last logs I see:
>>
>> Mar 6 10:27:26 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 23
>> Mar 6 10:27:29 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 24
>> Mar 6 10:27:32 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 25
>>
>> and cycle now says :
>> 612
>> 613
>> 614
>> 615
>> 616
>>
>> will check after lunch, what will be written to log...
>>
>> On Tue, 6 Mar 2018 at 09:37 Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
>>
>>> This strongly reminds me of an old bug where flush did not work properly...
>>>
>>> Rainer
>>>
>>> 2018-03-06 3:14 GMT+01:00 David Lang <da...@lang.hm>:
>>> > are any logs lost? or is it just that they are getting written in bursts?
>>> >
>>> > David Lang
>>> >
>>> > _______________________________________________
>>> > rsyslog mailing list
>>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> > http://www.rsyslog.com/professional-services/
>>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>>
>> --
>>
>> Ruslanas Gžibovskis
>> +370 6030 7030
>> RHCE: 130-192-255
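The delivery test used in this thread (numbered `logger` messages sent every 3 seconds, then compared by eye with what the server wrote) can be checked mechanically on the receiving side. This is an added example, not part of the original e-mails and not rsyslog code; the helper name `check_seq` and the sample log lines are constructed, and it assumes the test message text and the tplremote layout shown above.

```shell
#!/bin/sh
# Added example: compare the numbered test messages the rsyslog server wrote
# with the last counter value echoed by the sending loop.
# check_seq LOGFILE LAST_SENT   (hypothetical helper name)
# Output: first=<n> last=<n> received=<count> missing=<ranges> lost_tail=<count>
check_seq() {
    logfile=$1
    last_sent=$2
    # Keep only the trailing counter of each test message, sorted and de-duplicated.
    sed -n 's/.*TEST Message to be written \([0-9][0-9]*\)[[:space:]]*$/\1/p' "$logfile" |
    sort -n -u |
    awk -v sent="$last_sent" '
        NR == 1 { first = $1; prev = $1; n = 1; next }
        {
            if ($1 > prev + 1) {          # one or more counters were skipped
                lo = prev + 1; hi = $1 - 1
                r = (lo == hi) ? lo : (lo "-" hi)
                gaps = gaps (gaps == "" ? "" : ",") r
            }
            prev = $1; n++
        }
        END {
            if (n == 0) {
                print "first=none last=none received=0 missing=none lost_tail=all"
                exit
            }
            tail = (sent > prev) ? sent - prev : 0   # sent, but never written
            printf "first=%s last=%s received=%d missing=%s lost_tail=%d\n",
                   first, prev, n, (gaps == "" ? "none" : gaps), tail
        }'
}

# Constructed sample in the tplremote layout from the thread (not real data).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mar  6 10:27:26 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 23
Mar  6 10:27:29 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 24
Mar  6 10:27:30 10.94.0.131[10.94.0.131] sshd[911]: sshd authpriv.info session opened
Mar  6 10:27:32 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 25
Mar  6 10:27:38 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 27
Mar  6 10:27:41 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 28
Mar  6 10:27:50 10.94.0.131[10.94.0.131] TESTAS: TESTAS mail.info TEST Message to be written 31
EOF
check_seq "$sample" 40
rm -f "$sample"
```

Run it on the server against the day's all.log with the last number echoed by the sending loop. `missing=none` together with a large `lost_tail` is the pattern reported in this thread (last written 25 while the sender was at 616), whereas gaps in the middle would point to individual dropped messages.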