[rsyslog-notify] Forum Thread: Re: odd behavour of rsyslogd -N1 - (Mode 'reply')

Wed Jul 13 06:47:21 CEST 2016

User: atticus 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26771#p26771

Message: 
----------
Rainer, thank you very much for your reply.  I now understand how the
include statement from the generic rsyslog.conf in /etc was interacting
with my "customized" rsyslog.conf in /etc/rsyslog.d.  I also now understand
how the ryslogd works.  If I may on to another thorny issue.  Now I've
begun testing, and my scenario is server 1 is generating messages to server
2 (the true rsyslog server) who will write a file locally and onfwd to
another server.  I am testing the first part from server 1 to server 2.

Nothing looks like it’s getting forwarded from server 1 192.168.1.100 to
test server 2 192.168.1.101.  A tcpdump on server 1 does not show any
packets being sent from it to server 2.  Oddly enough, I saw both udp and
tcp packets being forwarded from server 1 to server 2 earlier today but not
now.  I would very much appreciate if you have any thoughts on this.

FYI, I have also restarts rsyslog on both servers several times.

Here is a brief except from Server 1 rsyslog.conf

Server 1 (source of messages)

I’ve added this to the server 1 rsyslog.conf to fwd to my rsyslog server 2

*.*
action(type="omfile" file="/var/log/messages"
template="RSYSLOG_FileFormat")
action(type="omfile" file="/var/log/file1" template="RSYSLOG_FileFormat")
action(type="omfwd"
target="192.168.1.101"
protocol="udp"
port="514"
template="RSYSLOG_ForwardFormat")
#
#
action(type="omfwd"
target="192.168.1.101"
protocol="tcp"
port="10154"
template="RSYSLOG_ForwardFormat")

#################################################

in the rsyslog server 2, I have
module(load="imudp")
module(load="imtcp")
input(type="imtcp" port="10514" ruleset="one")
input(type="imudp" port="514" ruleset="one")

a few omfwd actions  

action(type="omfile" file="/var/log/file3" template="RSYSLOG_FileFormat")

On server 1 I do see updates to var/log/messages, so if the forward actions
from server 1 to server 2 are working, I should see messages being sent to
192.168.101 and showing up in file 3, which I don’t.  A tcpdump in server 2
does not show any messages being sent from server 1 to server 2.

Here are the last set of impstats on 192.168.1.100 if it helps.  I couldn’t
tell if these give me any hints.  I have more research to do on this.

Day/Date: imuxsock: submitted=84 ratelimit.discarded=0
ratelimit.numratelimiters=0
Day/Date: action 1: processed=76 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 2: processed=10 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 3: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=0      
Day/Date: action 4: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=0      
Day/Date: action 5: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=0      
Day/Date: action 6: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=0      
Day/Date: action 7: processed=86 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 8: processed=86 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 9: processed=86 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 10: processed=86 failed=0 suspended=1
suspended.duration=60 resume      d=0
Day/Date: action 11: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 12: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 13: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 14: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: action 15: processed=0 failed=0 suspended=0 suspended.duration=0
resumed=      0
Day/Date: imudp(*:514): submitted=0
Day/Date: imudp(*:514): submitted=0
Day/Date: imtcp(10514): submitted=0
Day/Date: resource-usage: utime=4000 stime=4000 maxrss=6620 minflt=932
majflt=0 inb      lock=0 oublock=688 nvcsw=124 nivcsw=3
Day/Date: action 11 queue[DA]: size=0 enqueued=0 full=0 discarded.full=0
discarded.      nf=0 maxqsize=0
Day/Date: action 11 queue: size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0       maxqsize=0
Day/Date: action 12 queue[DA]: size=0 enqueued=0 full=0 discarded.full=0
discarded.      nf=0 maxqsize=0
Day/Date: action 12 queue: size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0       maxqsize=0
Day/Date: action 13 queue[DA]: size=0 enqueued=0 full=0 discarded.full=0
discarded.      nf=0 maxqsize=0
Day/Date: action 13 queue: size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0       maxqsize=0
Day/Date: action 14 queue[DA]: size=0 enqueued=0 full=0 discarded.full=0
discarded.      nf=0 maxqsize=0
Day/Date: action 14 queue: size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0       maxqsize=0
Day/Date: fwd1[DA]: size=0 enqueued=0 full=0 discarded.full=0
discarded.nf=0 maxqsi      ze=0
Day/Date: fwd1: size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0
maxqsize=0      
Day/Date: main Q: size=0 enqueued=86 full=0 discarded.full=0 discarded.nf=0
maxqsiz      e=46
Day/Date: imudp(w0): called.recvmmsg=0 called.recvmsg=0 msgs.received=0