[rsyslog-notify] Forum Thread: Re: Rsyslog not redirecting matched msg to file - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Tue Feb 17 01:12:11 CET 2015


User: Michiel 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25259#p25259

Message: 
----------
Thanks so much for replying. This is driving me crazy.

My system is Ubuntu 14.04.1 LTS x64 and I have systemd-udevd as packaged
with udev.

Listing of /etc/rsyslog.d:

[code:2worx74e]
-rw-r--r-- 1 root root   52 Feb 17 00:43 00-debug.conf
-rw-r--r-- 1 root root  136 Feb 17 01:02 01-iptables.conf
-rw-r--r-- 1 root root 1660 Dec  9 13:29 50-default.conf
-rw-r--r-- 1 root root  242 Feb 12  2014 postfix.conf
[/code:2worx74e]

00-debug.conf:

[code:2worx74e]
*.* /var/log/rsyslog_debug.log;RSYSLOG_DebugFormat

[/code:2worx74e]

/var/log/rsyslog_debug.log:

[code:2worx74e]
Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 43,
syslogtag 'rsyslogd-2207:', programname: 'rsyslogd-2207',
APP-NAME: 'rsyslogd-2207', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:05:46', STRUCTURED-DATA: '-',
msg: 'error during parsing file (null), on or before line 63: STOP
is followed by unreachable statements!
 [try http://www.rsyslog.com/e/2207 ]'
escaped msg: 'error during parsing file (null), on or before line
63: STOP is followed by unreachable statements! [try
http://www.rsyslog.com/e/2207 ]'
inputname: rsyslogd rawmsg: 'error during parsing file (null), on
or before line 63: STOP is followed by unreachable statements!
 [try http://www.rsyslog.com/e/2207 ]'

Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 43,
syslogtag 'rsyslogd-2207:', programname: 'rsyslogd-2207',
APP-NAME: 'rsyslogd-2207', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:05:46', STRUCTURED-DATA: '-',
msg: 'error during parsing file (null), on or before line 63: STOP
is followed by unreachable statements!
 [try http://www.rsyslog.com/e/2207 ]'
escaped msg: 'error during parsing file (null), on or before line
63: STOP is followed by unreachable statements! [try
http://www.rsyslog.com/e/2207 ]'
inputname: rsyslogd rawmsg: 'error during parsing file (null), on
or before line 63: STOP is followed by unreachable statements!
 [try http://www.rsyslog.com/e/2207 ]'

Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:05:46', STRUCTURED-DATA: '-',
msg: 'rsyslogd's groupid changed to 104'
escaped msg: 'rsyslogd's groupid changed to 104'
inputname: rsyslogd rawmsg: 'rsyslogd's groupid changed to 104'

Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:05:46', STRUCTURED-DATA: '-',
msg: 'rsyslogd's userid changed to 101'
escaped msg: 'rsyslogd's userid changed to 101'
inputname: rsyslogd rawmsg: 'rsyslogd's userid changed to 101'
[/code:2worx74e]

If I remove the 'stop' statements, nothing seems to change about the debug
log output except that the error isn't mentioned anymore. I have another
machine sending SYN packets to the host in question, where I can see them
coming in as netfilter logs them to dmesg.

For reference:

[code:2worx74e]
Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:10:22', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="7.4.4"
x-pid="10057" x-info="http://www.rsyslog.com"] start'
escaped msg: ' [origin software="rsyslogd"
swVersion="7.4.4" x-pid="10057"
x-info="http://www.rsyslog.com"] start'
inputname: rsyslogd rawmsg: ' [origin software="rsyslogd"
swVersion="7.4.4" x-pid="10057"
x-info="http://www.rsyslog.com"] start'

Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:10:22', STRUCTURED-DATA: '-',
msg: 'rsyslogd's groupid changed to 104'
escaped msg: 'rsyslogd's groupid changed to 104'
inputname: rsyslogd rawmsg: 'rsyslogd's groupid changed to 104'

Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:10:22', STRUCTURED-DATA: '-',
msg: 'rsyslogd's userid changed to 101'
escaped msg: 'rsyslogd's userid changed to 101'
inputname: rsyslogd rawmsg: 'rsyslogd's userid changed to 101'

Debug line with all properties:
FROMHOST: 'myhost', fromhost-ip: '127.0.0.1',
HOSTNAME: 'myhost', PRI: 43,
syslogtag 'rsyslogd-2039:', programname: 'rsyslogd-2039',
APP-NAME: 'rsyslogd-2039', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 17 01:10:22', STRUCTURED-DATA: '-',
msg: 'Could no open output pipe '/dev/xconsole': No such file or
directory [try http://www.rsyslog.com/e/2039 ]'
escaped msg: 'Could no open output pipe '/dev/xconsole': No such
file or directory [try http://www.rsyslog.com/e/2039 ]'
inputname: rsyslogd rawmsg: 'Could no open output pipe
'/dev/xconsole': No such file or directory [try
http://www.rsyslog.com/e/2039 ]'
[/code:2worx74e]

