[rsyslog-notify] Forum Thread: Rsyslog silently discarding messages - (Mode 'post')
noreply at adiscon.com
Thu Jul 28 10:59:15 CEST 2016
User: liupjo
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26831#p26831
Message:
----------
hello,
I have an rsyslogd server configured as follows:
[code]
# TCP Syslog Server:
$ModLoad imtcp.so # load module
input(type="imtcp" port="6514" ruleset="r_dynamicFileNameFromHost")
input(type="imtcp" port="1514" ruleset="r_dynamicFileNameFromHost")

# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
input(type="imudp" port="514" ruleset="r_dynamicFileNameFromHost")

### Templates
template(name="t_dynamicFileNameFromHost" type="string"
         string="/var/log/remote/%FROMHOST%/%FROMHOST%.log")
template(name="t_dynamicFileNameTag" type="string"
         string="/var/log/remote/%FROMHOST%/%FROMHOST%-%SYSLOGTAG%.log")

### Rulesets
ruleset(name="r_dynamicFileNameFromHost") {
    if ($syslogtag contains '-apache') then {
        action(type="omfile" dynaFile="t_dynamicFileNameTag"
               fileGroup="logs-read_only" dirGroup="logs-read_only"
               dirCreateMode="0550" fileCreateMode="0640")
        stop
    }
    action(type="omfile" dynaFile="t_dynamicFileNameFromHost"
           fileGroup="logs-read_only" dirGroup="logs-read_only"
           dirCreateMode="0550" fileCreateMode="0640")
}
[/code]
and a Cisco switch configured as follows:
[code]
logging origin-id hostname
logging facility local2
logging host 172.16.19.135 transport tcp port 6514
[/code]
If I tcpdump from the rsyslog server I can see the switch message being
received correctly:
[code]
tcpdump host 10.10.10.10 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:51:25.839146 IP 10.10.10.10.35510 > 172.16.19.135.syslog-tls: Flags [.], seq 3836212343:3836212436, ack 2902033284, win 4128, length 93
E....q......:.D........r...w....P..
O...<149>2635: Jul 28 07:51:24: %SYS-5-CONFIG_I: Configured from console by user on console
17:51:25.839156 IP 172.16.19.135.syslog-tls > 10.10.10.10.35510: Flags [.], ack 93, win 29200, length 0
E..(m.@.@.......:.D..r..........P.r.>l..
^C
2 packets captured
156 packets received by filter
0 packets dropped by kernel
[/code]
However, the daemon is not writing anything to file. I tried to restart it
gracefully to force a flush to disk, but to no avail.
So I ran telnet from the switch to the rsyslogd server and it seems to work
as expected.
I turned on debug mode on rsyslogd by using [code]export RSYSLOG_DEBUGLOG[/code]
and [code]export RSYSLOG_DEBUG="DebugOnDemand NoStdOut"[/code], but I could not
see anything relevant for that particular switch source in the debug output,
not even the message being parsed or evaluated.
Then I ran strace on the rsyslogd process and its threads, and it showed
rsyslogd ingesting the message from the TCP socket but not calling open()
or write() on any file afterwards.
Is there anything else I can look at to find out what's going on?
Details of rsyslogd here:
[code]
rsyslogd 8.4.0, compiled with:
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	memory allocator:			system default
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.
[/code]
Currently running on SUSE Enterprise Linux 12.
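The post above describes a log pipeline that drops a message without any error, which from a defender's point of view is a loss of audit trail that nothing detects. The script below is an added example, not code from the post or from the rsyslog project: a small probe that decodes the PRI of the captured Cisco line (so it can be checked against the switch's "logging facility local2"), computes the file a dynaFile template such as the one in the post should produce for a given sender, refuses any expansion that escapes the base directory (a sanity check worth having wherever a file name is built from remote-supplied properties), and can send a well-formed RFC 3164 test message over TCP and wait for it to appear in that file. The host, port, hostname and template values passed to it are assumptions, as is the sample message, which is the line seen in the tcpdump capture above.

```python
import os
import re
import socket
import time

# Facility and severity names from RFC 3164 section 4.1.1 (index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: the switch message as it appeared in the tcpdump capture above.
SAMPLE_CISCO_LINE = ("<149>2635: Jul 28 07:51:24: %SYS-5-CONFIG_I: "
                     "Configured from console by user on console")

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_PROP_RE = re.compile(r"%([A-Za-z0-9_-]+)%")


def parse_pri(msg):
    """Decode the <PRI> prefix into facility/severity; None if absent or out of range."""
    m = _PRI_RE.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    fac, sev = divmod(pri, 8)
    return {"pri": pri, "facility": fac, "facility_name": FACILITIES[fac],
            "severity": sev, "severity_name": SEVERITIES[sev]}


def expand_template(template, props):
    """Expand %NAME% placeholders the way the string templates in the post use them.
    Only plain property substitution is emulated, not rsyslog's property options."""
    def sub(m):
        name = m.group(1)
        if name not in props:
            raise KeyError("no value supplied for property %s" % name)
        return props[name]
    return _PROP_RE.sub(sub, template)


def path_is_under(base, path):
    """True if the normalised path stays inside base (no '..' escape)."""
    base = os.path.normpath(base)
    return os.path.commonpath([base, os.path.normpath(path)]) == base


def expected_file(template, base, fromhost, syslogtag=None):
    """File the dynaFile template should create for this sender; rejects escapes."""
    props = {"FROMHOST": fromhost}
    if syslogtag is not None:
        props["SYSLOGTAG"] = syslogtag
    path = expand_template(template, props)
    if not path_is_under(base, path):
        raise ValueError("template expansion escapes %s: %s" % (base, path))
    return path


def build_rfc3164(facility, severity, hostname, tag, text, timestamp):
    """Build a classic BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: TEXT."""
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, timestamp, hostname, tag, text)


def probe(server, port, message, path, timeout=5.0):
    """Send one LF-framed message over TCP and poll until it shows up in path.
    Returns True if the text was written within timeout, False if the pipeline
    swallowed it. Needs a running syslog server; not exercised by the tests."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((message + "\n").encode("utf-8"))
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(path):
            with open(path, "r", errors="replace") as f:
                if message.split(": ", 1)[-1] in f.read():
                    return True
        time.sleep(0.2)
    return False


if __name__ == "__main__":
    # Assumed values: rsyslog host/port from the post, a made-up sender name.
    print(parse_pri(SAMPLE_CISCO_LINE))
    target = expected_file("/var/log/remote/%FROMHOST%/%FROMHOST%.log",
                           "/var/log/remote", "10.10.10.10")
    msg = build_rfc3164(18, 5, "sw1", "probe", "pipeline check", "Jul 28 07:51:24")
    print("expecting", msg, "in", target)
    print("written:", probe("172.16.19.135", 6514, msg, target))
```

Run it on the rsyslog host itself (the file check is local): a False result with a clean tcpdump, as in the post, narrows the problem to parsing or output, while a True result for a well-formed RFC 3164 line but not for the Cisco format points at the header parser rather than the file action.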