Mailing List Archive

activation of module imptcp failed
Hi,

I am getting an error saying 'activation of module imptcp failed'. So far I
have not been able to pinpoint the problem. Here are the details:

[root@HOSTNAME rsyslog.d]# cat ../rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see
http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of
imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via
logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

module(load="imptcp")

# Provides UDP syslog reception
$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually
not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

This is a sample file in /etc/rsyslog.d directory:

[root@HOSTNAME rsyslog.d]# cat veeam.conf
input(type="imptcp" port="8518" ruleset="veeam")
ruleset(name="veeam"
queue.type="fixedArray"
queue.size="250000"
queue.dequeueBatchSize="4096"
queue.workerThreads="4"
queue.workerThreadMinimumMessages="60000"

) {
$FileOwner splunk
$FileGroup splunk
$DirOwner splunk
$DirGroup splunk
$DirCreateMode 0755
$FileCreateMode 0640

$Template
veeam-logs,"/opt/data/syslog/veeam/%HOSTNAME%/veeam_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
*.*-?veeam-logs
}

This is the error:

[root@HOSTNAME rsyslog.d]# systemctl status -l --no-pager rsyslog
? rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor
preset: enabled)
Active: active (running) since Tue 2020-09-15 10:15:36 EDT; 1min 43s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 24237 (rsyslogd)
CGroup: /system.slice/rsyslog.service
+-24237 /usr/sbin/rsyslogd -n

Sep 15 10:15:36 HOSTNAME systemd[1]: Starting System Logging Service...
Sep 15 10:15:36 HOSTNAME rsyslogd[24237]: [origin software="rsyslogd"
swVersion="8.24.0-52.el7_8.2" x-pid="24237" x-info="http://www.rsyslog.com"]
start

*Sep 15 10:15:36 HOSTNAME rsyslogd[24237]: activation of module imptcp
failed [v8.24.0-52.el7_8.2 try http://www.rsyslog.com/e/2077
<http://www.rsyslog.com/e/2077> ]*Sep 15 10:15:36 HOSTNAME systemd[1]:
Started System Logging Service.

Although imptcp module is not activated, I see them in netstat:

[root@HOSTNAME rsyslog.d]# netstat -plan | grep -i rsyslog
tcp 0 0 0.0.0.0:8515 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:8517 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:8518 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:8519 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:8521 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:8522 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:9514 0.0.0.0:* LISTEN
23903/rsyslogd
tcp 0 0 0.0.0.0:9515 0.0.0.0:* LISTEN
23903/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:*
24237/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:*
23903/rsyslogd
unix 2 [ ] DGRAM 1003094 23903/rsyslogd
unix 2 [ ] DGRAM 1026522 24237/rsyslogd
[root@HOSTNAME rsyslog.d]#

Version is:

[root@HOSTNAME rsyslog.d]# rpm -qa | grep -i rsyslog
rsyslog-8.24.0-52.el7_8.2.x86_64
rsyslog-gnutls-8.24.0-52.el7_8.2.x86_64
[root@HOSTNAME rsyslog.d]#

Any help about why I am receiving the error about the imptcp module? What
is odd that exact same config in another server is working fine.

Thanks,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: activation of module imptcp failed [ In reply to ]
The module is called imtcp, not imptcp ;)



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [EXTERNAL] Re: activation of module imptcp failed [ In reply to ]
>ARP The module is called imtcp, not imptcp ;)
Actually, both exist.

>SC *Sep 15 10:15:36 HOSTNAME rsyslogd[24237]: activation of module imptcp failed [v8.24.0-52.el7_8.2 try https://urldefense.com/v3/__http:/www.rsyslog.com/e/2077__;!!PcPv50trKLWG!lNwBpglve15HXSxoxYSC8r-EG-AjxARNQZwgombitHNk_gGbh16clPsu3SgikOS0KASWpg$
Apologies for the url-mangling, corporate security defenses are at work here...
The link (https://www.rsyslog.com/?s=error+2077) however, might give you some clues: the socket is failing to bind. At a guess, you either are trying to bind to a socket that is already being listened on by some other program, you have the same port in your configuration twice, or you already have rsyslog running outside of the system service, which means you can't have a second one listening on the same ports.
Although that last option really is just a specific version of the first option.

Looking at your output, I see multiple process ids called 'rsyslogd' listening on ports, and in your systemd status only process 24237 is listed. I'd recommend completely stopping all rsyslogd instances and restarting it through systemd if you can afford to.

Regards,
Lennard Klein



This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [EXTERNAL] Re: activation of module imptcp failed [ In reply to ]
Turned out to be selinux. Logs were not helpful at all.

Thanks for helping!

On Wed, Sep 16, 2020, 13:23 Lennard Klein via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> >ARP The module is called imtcp, not imptcp ;)
> Actually, both exist.
>
> >SC *Sep 15 10:15:36 HOSTNAME rsyslogd[24237]: activation of module imptcp
> failed [v8.24.0-52.el7_8.2 try
> https://urldefense.com/v3/__http:/www.rsyslog.com/e/2077__;!!PcPv50trKLWG!lNwBpglve15HXSxoxYSC8r-EG-AjxARNQZwgombitHNk_gGbh16clPsu3SgikOS0KASWpg$
> Apologies for the url-mangling, corporate security defenses are at work
> here...
> The link (https://www.rsyslog.com/?s=error+2077) however, might give you
> some clues: the socket is failing to bind. At a guess, you either are
> trying to bind to a socket that is already being listened on by some other
> program, you have the same port in your configuration twice, or you already
> have rsyslog running outside of the system service, which means you can't
> have a second one listening on the same ports.
> Although that last option really is just a specific version of the first
> option.
>
> Looking at your output, I see multiple process ids called 'rsyslogd'
> listening on ports, and in your systemd status only process 24237 is
> listed. I'd recommend completely stopping all rsyslogd instances and
> restarting it through systemd if you can afford to.
>
> Regards,
> Lennard Klein
>
>
>
> This email is from Equinix (EMEA) B.V. or one of its associated companies
> in the territory from where this email has been sent. This email, and any
> files transmitted with it, contains information which is confidential, is
> solely for the use of the intended recipient and may be legally privileged.
> If you have received this email in error, please notify the sender and
> delete this email immediately. Equinix (EMEA) B.V.. Registered Office:
> Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The
> Netherlands No. 57577889.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.