Mailing List Archive

Reply: Local logging gets disabled when the connection to syslog server breaks.
Hi Pratik Rana

Have you tried linking the same ones together and then stopping execution
like so:

authpriv.* /var/log/secure
& @@172.17.XXX.XXX:11514
& @@10.237.XXX.XXX:11514
& stop
mail.* -/var/log/maillog
& @@172.17.XXX.XXX:11514
& @@10.237.XXX.XXX:11514
& stop
.......
......
....

and so on for all the facilities you are interested in.

Best,
Cyril
--
Universität Zürich
Cyril Stoll
Zentrale Informatik
Stampfenbachstrasse 73
CH-8006 Zürich
Tel. +41 44 63 5 22 93
www.zi.uzh.ch



From: "PRATIK RANA via rsyslog" <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: "PRATIK RANA" <pratik.capricon23@gmail.com>
Date: 18/08/2020 08:47
Subject: [rsyslog] Local logging gets disabled when the connection to syslog server breaks.
Sent by: "rsyslog" <rsyslog-bounces@lists.adiscon.com>



Hi all,

I have two syslog servers at different sites which are receiving logs from
client nodes configured on various sites. All of my client nodes are
configured to send logs to both of these syslog servers. But whenever my
client node gets disconnected from any one of the server nodes, the
rsyslog service stops the local logging of the system (i.e. logging into
/var/log/messages etc.) as well.

Here is the rsyslog.conf configuration for my client nodes:

$ModLoad imfile
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.info;mail.none;authpriv.none;cron.none;auth.none;kern.none;local7.none @@172.17.XXX.XXX:11514
authpriv.* @@172.17.XXX.XXX:11514
auth.* /var/log/audit/audit.log
auth.* @@172.17.XXX.XXX:11514
kern.* @@172.17.XXX.XXX:11514
mail.* @@172.17.XXX.XXX:11514
cron.* @@172.17.XXX.XXX:11514
local7.* @@172.17.XXX.XXX:11514
*.info;mail.none;authpriv.none;cron.none;auth.none;kern.none;local7.none @@10.237.XXX.XXX:11514
authpriv.* @@10.237.XXX.XXX:11514
auth.* @@10.237.XXX.XXX:11514
kern.* @@10.237.XXX.XXX:11514
mail.* @@10.237.XXX.XXX:11514
cron.* @@10.237.XXX.XXX:11514
local7.* @@10.237.XXX.XXX:11514
$FileCreateMode 0640

--
Regards,
*PRATIK RANA*
*Software Engineer*
*NEC Technologies India*
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
Re: Reply: Local logging gets disabled when the connection to syslog server breaks.
Dear Cyril,

Thanks for your help.

The workaround suggested by you worked!! I changed the rsyslog setting at
client node to:

$ModLoad imfile
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
& @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
authpriv.* /var/log/secure
& @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
mail.* -/var/log/maillog
& @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
cron.* /var/log/cron
& @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
& @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
auth.* /var/log/audit/audit.log
& @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
kern.* @@172.17.xxx.xxx:11514
& @@10.237.xxx.xxx:11514
& stop
$FileCreateMode 0640

After that I stopped the rsyslog service at one of the servers and checked
local logging using the logger command. However, it would be really helpful
if you could explain the reason behind this as well. Also, after shutting
down the syslog service at the server, I can see the following messages at the
client side; I think they are general retry messages to try rebuilding the
connection with the server:

Aug 18 12:25:37 rsyslogd[80041]: action 'action 4' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:25:37 rsyslogd[80041]: action 'action 4' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:25:37 rsyslogd[80041]: action 'action 1' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:25:37 rsyslogd[80041]: action 'action 1' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
Aug 18 12:28:08 rsyslogd[80041]: action 'action 1' suspended, next retry is Tue Aug 18 12:28:38 2020 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2007 ]
Aug 18 12:30:15 rsyslogd[80041]: action 'action 4' suspended, next retry is Tue Aug 18 12:30:45 2020 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2007 ]
Aug 18 12:32:22 rsyslogd[80041]: action 'action 10' suspended, next retry is Tue Aug 18 12:32:52 2020 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2007 ]
Aug 18 12:47:22 rsyslogd[80041]: action 'action 18' suspended, next retry is Tue Aug 18 12:47:52 2020 [v8.24.0-34.el7 try http://www.rsyslog.com/e/2007 ]

--
Regards,
*PRATIK RANA*
*Software Engineer*
*NEC Technologies India*
Re: Reply: Local logging gets disabled when the connection to syslog server breaks.
The problem is that you have not de-coupled the flow of actions from
each other. So when the forwarding blocks, rsyslog cannot process the
others until it times out. You decouple via queues. I guess this
resource might be useful for you:

https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/

Feedback would be appreciated as we currently think about doing some
new, up-to-the-point short demos to answer questions like yours.

Rainer
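
The decoupling via queues described in the reply above, as an added example that is not part of the thread or of the linked article: each forwarding action gets its own disk-assisted queue, so an unreachable server only fills that action's queue while the local file actions keep running. The masked addresses and the port are the placeholders from the posted config; the action names, queue file names and the 1g limit are assumptions.

```conf
# Added example, not from the thread. Server addresses and port are the masked
# values from the posted config; action/queue names and limits are assumptions.
global(
    workDirectory="/var/lib/rsyslog"            # queue spool files are written here
    defaultNetstreamDriver="gtls"
    defaultNetstreamDriverCAFile="/etc/ssl/rsyslog/ca.pem"
)

# Local files: plain file actions that never wait on the network.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
local7.*                                    /var/log/boot.log

# Same message set the posted config forwards: *.info in general, and every
# priority for the six facilities it lists separately.
if prifilt("*.info;auth,authpriv,kern,mail,cron,local7.*") then {
    action(type="omfwd" name="fwd_site_a"
        target="172.17.XXX.XXX" port="11514" protocol="tcp"
        StreamDriver="gtls" StreamDriverMode="1"
        StreamDriverAuthMode="anon"     # as posted: encrypted, server not authenticated
        queue.type="LinkedList"         # dedicated queue, action runs asynchronously
        queue.filename="fwd_site_a"     # spill to disk when the memory queue fills
        queue.maxDiskSpace="1g"         # cap on spool size
        queue.saveOnShutdown="on"       # keep unsent messages across restarts
        queue.timeoutEnqueue="0"        # queue full: discard rather than block the sender
        action.resumeRetryCount="-1"    # keep retrying while the server is down
    )
    action(type="omfwd" name="fwd_site_b"
        target="10.237.XXX.XXX" port="11514" protocol="tcp"
        StreamDriver="gtls" StreamDriverMode="1"
        StreamDriverAuthMode="anon"
        queue.type="LinkedList"
        queue.filename="fwd_site_b"     # must differ from the first action's spool name
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on"
        queue.timeoutEnqueue="0"
        action.resumeRetryCount="-1"
    )
}
```

Check the syntax with `rsyslogd -N1` before restarting the service. With the queues in place, the `suspended` / `resumed` messages for `builtin:omfwd` still appear while a server is down, but they then concern only that action's queue worker.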
