[rsyslog-notify] Forum Thread: rsyslog not processing "some" logs? - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Mon Mar 27 18:18:08 CEST 2017 

User: ZillaG 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27227#p27227

Message: 
----------
I have multiple configuration files in /etc/rsyslog.d that have this
format.

[code:2lr5hldi]input(type="imfile"
    File="/var/log/artim/artim-decision.log*"
    Facility="local3"
    Tag="artim-decision:"
   
startmsg.regex="^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}"
    escapeLF="off"
)

if $programname == 'artim-decision:' then {
    action(
        type="omfwd"
        Target="elk-server.domain.com"
        Port="5514"
        Protocol="udp"
        template="jsonLogTemplate"
        RebindInterval="100"
    )
    stop
}
[/code:2lr5hldi]

I have one configuration file for each log file type in the directory that
has the following contents. So I have a configuration file for the
artim-decision.log*, one for artim-learing.log*, etc.

[code:2lr5hldi]# ls /var/log/artim
artim-contact.log        artim-learning.log.6     
artim-ui-admin.log.2
artim-decision-exec.log  artim-learning.log.7     
artim-ui-admin.log.3
artim-decision-lock.log  artim-learning.log.8     
artim-ui-admin.log.4
artim-decision.log       artim-learning.log.9     
artim-ui-admin.log.5
artim-decision.log.1     artim-notification.log   
artim-ui-admin.log.6
artim-learning.log       artim-notification.out   
artim-ui-admin.log.7
artim-learning.log.1     artim-profile.log        
artim-ui-admin.log.8
artim-learning.log.10    artim-sessionmonitor.log 
artim-ui-admin.log.9
artim-learning.log.2     artim-sessionmonitor.out 
migrator.log
artim-learning.log.3     artim-ui-admin.log       
OrgUserManager.log
artim-learning.log.4     artim-ui-admin.log.1     
syncutility.log
artim-learning.log.5    
artim-ui-admin.log.10[/code:2lr5hldi]

My /etc/rsyslog.conf file has the following lines...

[code:2lr5hldi]*.info;mail.none;auth,authpriv.none;cron.none;local3.none,local4.none,local5.non
e                /var/log/messages
(snip)
local3.* @elk-server.domain.com:5514;jsonLogTemplate
local4.* @elk-server.domain.com:5514;jsonLogTemplate
local5.*
@elk-server.domain.com:5514;jsonLogTemplate[/code:2lr5hldi]

Why am I able to send some logs out, but NOT others? Here's my
/var/spool/rsyslog contents for example. I expect to see a state file for
each of he files above correct?

[code:2lr5hldi]# ls /var/spool/rsyslog/
imfile-state:-var-log-artim-artim-decision.log
imfile-state:-var-log-artim-artim-decision.log.1
imfile-state:-var-log-artim-artim-learning.log
imfile-state:-var-log-artim-artim-learning.log.2
imfile-state:-var-log-artim-artim-learning.log.3
imfile-state:-var-log-artim-artim-learning.log.4
imfile-state:-var-log-artim-artim-learning.log.7

imfile-state:-var-log-artim-artim-learning.log.9[/code:2lr5hldi]

[code:2lr5hldi]$ rsyslogd -version
rsyslogd 8.25.0, compiled with:
	PLATFORM:				x86_64-redhat-linux-gnu
	PLATFORM (lsb_release -d):		
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		No
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	memory allocator:			system default
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	Number of Bits in RainerScript integers: 64[/code:2lr5hldi]

More information about the rsyslog-notify mailing list