thanks, As mentioned in my own reply, this was actually caused by a small syntax error. Now it works as expected. regards, Ole
On Wed, 11 Oct 2023 at 21:09, David Lang <[email protected]> wrote: > please post your full config (you can have rsyslog combine all include > files > into one file to see them as rsyslog does by starting rsyslog with -o > /path/to/file) > > It sounds as if you have additional imfile inputs that already specify > these > files, but without the full config, it's hard to guess what's actually > happening. > > David Lang > > On Wed, 11 Oct 2023, Ole Froslie via rsyslog wrote: > > > Date: Wed, 11 Oct 2023 14:04:07 +0200 > > From: Ole Froslie via rsyslog <[email protected]> > > To: [email protected] > > Cc: Ole Froslie <[email protected]> > > Subject: [rsyslog] Rsyslog error: imfile: wd 1 already in wdmap > > > > Hi all, > > I struggle with an rsyslog issue. > > > > I have set up the following config in /var/etc/rsyslog.d/ > > > > > > module(load="imfile") > > > > > > input(type="imfile" File="var/log/ipa_access_agg.log" > Tag="ipa-access-log" > > Facility="local0") > > > > input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/security" > > Tag="ipa-security-log" Facility="local0") > > > > input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/errors" > > Tag="ipa-errors-log" Facility="local0") > > > > input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/audit" > > Tag="ipa-audit-log" Facility="local0") > > > > input(type="imfile" File="/var/log/httpd/error_log" Tag="ipa-httpd-log" > > Facility="local0") > > > > input(type="imfile" File="/var/log/krb5kdc.log" Tag="ipa-krb-log" > Facility > > = "local0") > > > > > > #remove - from audit file > > > > if ($syslogfacility >=16 and $syslogtag=="ipa-audit-log" and $msg=="-") > > then stop > > > > # Forward local facilities > > > > if $syslogfacility >= 16 then @my_log_server_ip:514 > > > > Everything works fine except the first line , i.e. input(type="imfile" > > File="var/log/ipa_access_agg.log" Tag="ipa-access-log" Facility="local0") > > This particular line give me the following error message when running > > systemctl restart rsyslog, and logs are not sent from this file. The > others > > work fine. > > > > rsyslog.service - System Logging Service > > > > Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; *enabled*; > > preset: *enabled*) > > > > Active: *active (running)* since Wed 2023-10-11 13:58:24 CEST; 1s ago > > > > Docs: man:rsyslogd(8) > > > > https://www.rsyslog.com/doc/ > > > > Main PID: 97584 (rsyslogd) > > > > Tasks: 4 (limit: 23159) > > > > Memory: 1.3M > > > > CPU: 136ms > > > > CGroup: /system.slice/rsyslog.service > > > > └─97584 /usr/sbin/rsyslogd -n > > > > > > Oct 11 13:58:24 idm2.com4.net systemd[1]: Starting System Logging > Service... > > > > Oct 11 13:58:24 idm2.com4.net systemd[1]: Started System Logging > Service. > > > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: [origin > software="rsyslogd" > > swVersion="8.2102.0-117.el9" x-pid="97584" x-info=" > https://www.rsyslog.com";] > > start > > > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 1 already in > > wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175 > > <https://www.rsyslog.com/e/2175> ]* > > > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 2 already in > > wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175 > > <https://www.rsyslog.com/e/2175> ]* > > > > Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imjournal: journal files > > changed, reloading... [v8.2102.0-117.el9 try > https://www.rsyslog.com/e/0 > > <https://www.rsyslog.com/e/0> ]* > > > > > > When removing the particular line and restarting, the issue disappears. > > > > The particular file /var/log/ipa_access_agg.log is the ip-access log > > modified by a script, to make it more fit for purpose. > > The file: > > > > [my prompt]# ls -al /var/log/ipa_access_agg.log > > > > -rw-r--r--. 1 root root 5546055 Oct 11 12:18 /var/log/ipa_access_agg.log > > > > > > The file is subject to logrotate , using this config in > /etc/logrotate.d/: > > > > myprompt]# cat /etc/logrotate.d/ipa_access_agg > > > > /var/log/ipa_access_agg.log { > > > > daily > > > > missingok > > > > rotate 7 > > > > create > > > > } > > > > > > > > > > > > > > I have the exact same setup running without issues on another machine. > > > > Both machines run same rsyslog version, see error message below. > > > > Both machines run the same CentOS > > > > Operating System: CentOS Stream 9 > > > > CPE OS Name: cpe:/o:centos:centos:9 > > > > > > > > > > I have tried to google any clues, without success. > > > > > > Any ideas? > > > > > > regards, > > > > Ole > > _______________________________________________ > > rsyslog mailing list > > https://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
