Mailing List Archive

Hi all,
I struggle with an rsyslog issue.

I have set up the following config in /var/etc/rsyslog.d/


module(load="imfile")


input(type="imfile" File="var/log/ipa_access_agg.log" Tag="ipa-access-log"
Facility="local0")

input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/security"
Tag="ipa-security-log" Facility="local0")

input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/errors"
Tag="ipa-errors-log" Facility="local0")

input(type="imfile" File="/var/log/dirsrv/slapd-COM4-NET/audit"
Tag="ipa-audit-log" Facility="local0")

input(type="imfile" File="/var/log/httpd/error_log" Tag="ipa-httpd-log"
Facility="local0")

input(type="imfile" File="/var/log/krb5kdc.log" Tag="ipa-krb-log" Facility
= "local0")


#remove - from audit file

if ($syslogfacility >=16 and $syslogtag=="ipa-audit-log" and $msg=="-")
then stop

# Forward local facilities

if $syslogfacility >= 16 then @my_log_server_ip:514

Everything works fine except the first line , i.e. input(type="imfile"
File="var/log/ipa_access_agg.log" Tag="ipa-access-log" Facility="local0")
This particular line give me the following error message when running
systemctl restart rsyslog, and logs are not sent from this file. The others
work fine.

rsyslog.service - System Logging Service

Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; *enabled*;
preset: *enabled*)

Active: *active (running)* since Wed 2023-10-11 13:58:24 CEST; 1s ago

Docs: man:rsyslogd(8)

https://www.rsyslog.com/doc/

Main PID: 97584 (rsyslogd)

Tasks: 4 (limit: 23159)

Memory: 1.3M

CPU: 136ms

CGroup: /system.slice/rsyslog.service

??97584 /usr/sbin/rsyslogd -n


Oct 11 13:58:24 idm2.com4.net systemd[1]: Starting System Logging Service...

Oct 11 13:58:24 idm2.com4.net systemd[1]: Started System Logging Service.

Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: [origin software="rsyslogd"
swVersion="8.2102.0-117.el9" x-pid="97584" x-info="https://www.rsyslog.com"]
start

Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 1 already in
wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175
<https://www.rsyslog.com/e/2175> ]*

Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imfile: wd 2 already in
wdmap! [v8.2102.0-117.el9 try https://www.rsyslog.com/e/2175
<https://www.rsyslog.com/e/2175> ]*

Oct 11 13:58:24 idm2.com4.net rsyslogd[97584]: *imjournal: journal files
changed, reloading... [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0
<https://www.rsyslog.com/e/0> ]*


When removing the particular line and restarting, the issue disappears.

The particular file /var/log/ipa_access_agg.log is the ip-access log
modified by a script, to make it more fit for purpose.
The file:

[my prompt]# ls -al /var/log/ipa_access_agg.log

-rw-r--r--. 1 root root 5546055 Oct 11 12:18 /var/log/ipa_access_agg.log


The file is subject to logrotate , using this config in /etc/logrotate.d/:

myprompt]# cat /etc/logrotate.d/ipa_access_agg

/var/log/ipa_access_agg.log {

daily

missingok

rotate 7

create

}






I have the exact same setup running without issues on another machine.

Both machines run same rsyslog version, see error message below.

Both machines run the same CentOS

Operating System: CentOS Stream 9

CPE OS Name: cpe:/o:centos:centos:9




I have tried to google any clues, without success.


Any ideas?


regards,

Ole
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.