Hi all,
I struggle with an rsyslog issue.

I have set up the following config in /var/etc/rsyslog.d/


module(load="imfile")

input(type="imfile" File="var/log/ipa_access_agg.log" Tag="ipa-access-log" Facility="local0")

input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/security" Tag="ipa-security-log" Facility="local0")

input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/errors" Tag="ipa-errors-log" Facility="local0")

input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/audit" Tag="ipa-audit-log" Facility="local0")

input(type="imfile" File="/var/log/httpd/error_log" Tag="ipa-httpd-log" Facility="local0")

input(type="imfile" File="/var/log/krb5kdc.log" Tag="ipa-krb-log" Facility = "local0")

#remove - from audit file

if ($syslogfacility >=16 and $syslogtag=="ipa-audit-log" and $msg=="-") then stop

# Forward local facilities

if $syslogfacility >= 16 then @my_log_server_ip:514

Everything works fine except the first line, i.e.
input(type="imfile" File="var/log/ipa_access_agg.log" Tag="ipa-access-log" Facility="local0")
This particular line gives me the following error message when running
systemctl restart rsyslog, and logs are not sent from this file. The others
work fine.

 rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Wed 2023-10-11 13:58:24 CEST; 1s ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 97584 (rsyslogd)
      Tasks: 4 (limit: 23159)
     Memory: 1.3M
        CPU: 136ms
     CGroup: /system.slice/rsyslog.service
             └─97584 /usr/sbin/rsyslogd -n

Oct 11 13:58:24 idm2.com4.net systemd[1]: Starting System Logging Service...
Oct 11 13:58:24 idm2.com4.net systemd[1]: Started System Logging Service.
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: [origin software="rsyslogd" swVersion="8.2102.0-117.el9" x-pid="97584" x-info="https://www.rsyslog.com"] start
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: imfile: wd 1 already in wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175 ]
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: imfile: wd 2 already in wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175 ]
Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]


When removing the particular line and restarting, the issue disappears.

The particular file /var/log/ipa_access_agg.log is the ip-access log
modified by a script, to make it more fit for purpose.
The file:

[my prompt]# ls -al /var/log/ipa_access_agg.log
-rw-r--r--. 1 root root 5546055 Oct 11 12:18 /var/log/ipa_access_agg.log

The file is subject to logrotate, using this config in /etc/logrotate.d/:

[myprompt]# cat /etc/logrotate.d/ipa_access_agg
/var/log/ipa_access_agg.log {
    daily
    missingok
    rotate 7
    create
}

I have the exact same setup running without issues on another machine.
Both machines run the same rsyslog version, see error message below.
Both machines run the same CentOS:

 Operating System: CentOS Stream 9
       CPE OS Name: cpe:/o:centos:centos:9

I have tried to google any clues, without success.


Any ideas?


regards,

Ole
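
In the config above, the input that misbehaves is the only one whose File value has no leading slash, and the rsyslog imfile documentation asks for an absolute file name. The following lint is an added example, not part of the original post: it pulls every imfile input() out of a config, tolerating parameters wrapped across lines, and reports File values that are relative or monitored twice. The function names are hypothetical and the sample config is constructed from three of the inputs in the post.

```python
import re

# Constructed sample: three of the inputs from the post, line wrapping included.
SAMPLE_CONF = '''
module(load="imfile")
input(type="imfile" File="var/log/ipa_access_agg.log" Tag="ipa-access-log"
Facility="local0")
input(type="imfile" File="/var/log/httpd/error_log" Tag="ipa-httpd-log"
Facility="local0")
input(type="imfile" File="/var/log/krb5kdc.log" Tag="ipa-krb-log" Facility
= "local0")
'''

# Simplification: assumes no ")" or escaped quote inside a parameter value.
INPUT_RE = re.compile(r'input\s*\((.*?)\)', re.S | re.I)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def imfile_inputs(conf_text):
    """Return one dict of lower-cased parameter names per imfile input()."""
    # Drop whole-line comments so commented-out inputs are ignored.
    text = re.sub(r'(?m)^\s*#.*$', '', conf_text)
    inputs = []
    for body in INPUT_RE.findall(text):
        params = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        if params.get('type', '').lower() == 'imfile':
            inputs.append(params)
    return inputs


def lint_imfile(conf_text):
    """Return (tag, file, problem) for every File value worth a second look."""
    findings, seen = [], set()
    for p in imfile_inputs(conf_text):
        path, tag = p.get('file', ''), p.get('tag', '')
        if not path.startswith('/'):
            findings.append((tag, path, 'File is not an absolute path'))
        if path in seen:
            findings.append((tag, path, 'File is monitored by more than one input'))
        seen.add(path)
    return findings


if __name__ == '__main__':
    for tag, path, problem in lint_imfile(SAMPLE_CONF):
        print(f'{tag}: {path!r}: {problem}')
```
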