
Thread: Rsyslog start stop and restart ?

  1. #1
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,113


    Hello.

    I am surprised that rsyslog starts, stops and restarts automatically.

    Have you any idea?
    It looks as if rsyslog uses two different configuration files.

    Thank you for your help.



    Oct 2 16:21:48 LINUX-SRV kernel: imklog 5.4.0, log source = /proc/kmsg started.
    Oct 2 16:21:48 LINUX-SRV rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1688" x-info="http://www.rsyslog.com"] start
    Oct 2 16:21:48 LINUX-SRV kernel: [ 17.616106] type=1505 audit(1286029306.498:2): operation="profile_load" pid=1580 name=/bin/ping
    ............
    ............
    ............
    The following messages do not respect the requested format (rsyslog.conf).
    ............
    ............
    ............
    Then rsyslog stops and restarts with the correct format.

    Oct 2 16:21:55 LINUX-SRV kernel: [ 26.507284] end_request: I/O error, dev fd0, sector 0
    Oct 2 16:21:55 LINUX-SRV kernel: Kernel logging (proc) stopped.
    Oct 2 16:21:55 LINUX-SRV rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1688" x-info="http://www.rsyslog.com"] exiting on signal 15.
    2010-10-02T16:21:55.629234+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
    2010-10-02T16:21:55.629592+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="2961" x-info="http://www.rsyslog.com"] start
    2010-10-02T16:21:55.913670+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: [ 27.029292] [drm] nouveau 0000:02:00.0: Load detected on output C


    rsyslog.conf :


    # rsyslog v3: load input modules
    # If you do not load inputs, nothing happens!

    $ModLoad immark.so # provides --MARK-- message capability
    $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)

    $ModLoad imklog.so # kernel logging (may be also provided by /sbin/klogd),

    $klogConsoleLogLevel 1 # set log level 1 (same as in /etc/sysconfig/syslog).
    #
    # Use traditional log format by default. To change it for a single
    # file, append ";RSYSLOG_TraditionalFileFormat" to the filename.
    #
    #$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    #
    #
    # NEW myFormat_02
    $template myFormat_02,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% SVRTY:%syslogseverity% TAG:%syslogtag% MSG:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
    $ActionFileDefaultTemplate myFormat_02
    #
    $IncludeConfig /var/run/rsyslog/additional-log-sockets.conf
    # nothing changed from initial install
    #
    $IncludeConfig /etc/rsyslog.d/*.conf
    # nothing changed from initial install
    #
    ###
    # print most important on tty10 and on the xconsole pipe
    #
    if ( \
    /* kernel up to warning except of firewall */ \
    ($syslogfacility-text == 'kern') and \
    ($syslogseverity <= 4 /* warning */ ) and not \
    ($msg contains 'IN=' and $msg contains 'OUT=') \
    ) or ( \
    /* up to errors except of facility authpriv */ \
    ($syslogseverity <= 3 /* errors */ ) and not \
    ($syslogfacility-text == 'authpriv') \
    ) \
    then /dev/tty10
    & |/dev/xconsole

    # Emergency messages to everyone logged on (wall)
    *.emerg *

    #######################################################################
    #
    # ANY MESSAGE RELATIVE TO NSS_LDAP
    #
    #######################################################################
    #
    :msg, contains, "nss_ldap" /var/log/openldap/nss_ldap_related.log
    & ~
    #
    #
    # firewall messages into separate file and stop their further processing
    #
    if ($syslogfacility-text == 'kern') and \
    ($msg contains 'IN=' and $msg contains 'OUT=') \
    then -/var/log/firewall
    & ~


    #
    # acpid messages into separate file and stop their further processing
    #
    # => all acpid messages for debugging (uncomment if needed):
    #if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
    # -/var/log/acpid
    #
    # => up to notice (skip info and debug)
    if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
    ($syslogseverity <= 5 /* notice */) \
    then -/var/log/acpid
    & ~


    #
    # NetworkManager into separate file and stop their further processing
    #
    if ($programname == 'NetworkManager') or \
    ($programname startswith 'nm-') \
    then -/var/log/NetworkManager
    & ~


    #################################################################
    # #
    # DHCP - NAMED #
    #################################################################
    #
    # DHCP into separate file and stop their further processing
    #
    if ($programname == 'dhcpd') and \
    ( ($syslogseverity <= 4 /* warning */) or \
    ($msg contains '/etc/dhcpd.conf') ) \
    then -/var/log/dhcp_dns/dhcp.log
    & ~
    #
    #
    if ($programname == 'dhcpd') and \
    ($syslogseverity >= 5 /* notice */) \
    then -/var/log/dhcp_dns/dhcp_notice.log
    & ~
    #
    #
    # NAMED into separate file and stop their further processing
    #
    if ($programname == 'named') and \
    ( ($syslogseverity <= 4 /* warning */) or \
    ($msg contains '/etc/named.conf') ) \
    then -/var/log/dhcp_dns/named.log
    & ~
    #
    #
    if ($programname == 'named') and \
    ($syslogseverity >= 5 /* notice */) \
    then -/var/log/dhcp_dns/named_notice.log
    & ~
    #
    #
    #################################################################
    # #
    # SAMBA - LDAP #
    # #
    #################################################################
    #
    # SAMBA into separate file and stop their further processing
    #
    if ($programname == 'winbindd') \
    then -/var/log/samba/winbindd.log
    & ~
    #
    if ($programname == 'nmbd') \
    then -/var/log/samba/nmbd.log
    & ~
    #
    if ($programname == 'smbd') \
    then -/var/log/samba/smbd.log
    & ~
    #
    #
    # LDAP into separate file and stop their further processing
    #
    if ($programname == 'slapd') \
    then -/var/log/openldap/slapd.log
    & ~
    #
    if ($programname == 'ldap') \
    then -/var/log/openldap/ldap.log
    & ~
    #
    #
    #
    #################################################################
    # #
    # THE REST #
    # #
    #################################################################
    #
    #
    #
    # SMARTD
    #
    if ($programname == 'smartd') \
    then -/var/log/smartd.log
    & ~
    #
    # email-messages
    #
    mail.* -/var/log/mail
    mail.info -/var/log/mail.info
    mail.warning -/var/log/mail.warn
    mail.err /var/log/mail.err


    #
    # news-messages
    #
    news.crit -/var/log/news/news.crit
    news.err -/var/log/news/news.err
    news.notice -/var/log/news/news.notice


    #
    # Warnings in one file
    #
    *.=warning;*.=err -/var/log/warn
    *.crit /var/log/warn


    #
    # the rest in one file
    #
    *.*;mail.none;news.none -/var/log/messages


    #
    # Some foreign boot scripts require local7
    #
    local0,local1.* -/var/log/localmessages
    local2,local3.* -/var/log/localmessages
    local4,local5.* -/var/log/localmessages
    local6,local7.* -/var/log/localmessages

  2. #2
    Carlos E. R. NNTP User


    On 2010-10-14 20:06, jcdole wrote:
    >
    > Hello.
    >
    > I am surprised that rsyslog start, stop and restart automatically.


    Well, rotate has to do that.

    >
    > Have you any idea.
    > It looks like if rsyslog use two different file configuration.


    Please explain.

    >
    > Thank you for your help.


    I'm not reading all the text below, unless you explain what I should look at.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  3. #3
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,113


    Originally Posted by Carlos E. R.:
    > On 2010-10-14 20:06, jcdole wrote:
    >>
    >> Hello.
    >>
    >> I am surprised that rsyslog start, stop and restart automatically.
    >
    > Well, rotate has to do that.

    If I consecutively run service syslog stop, service syslog start, wait 2 minutes, service syslog stop, service syslog start and then look at the system log, I can see
    2010-10-24T12:35:35.882185+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
    2010-10-24T12:35:35.882547+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="5563" x-info="http://www.rsyslog.com"] start


    and 15 seconds later


    2010-10-24T12:50:34.616591+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: Kernel logging (proc) stopped.
    2010-10-24T12:50:34.617978+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="5563" x-info="http://www.rsyslog.com"] exiting on signal 15.
    2010-10-24T12:50:41.057863+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
    2010-10-24T12:50:41.058633+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="6026" x-info="http://www.rsyslog.com"] start

    2 minutes later (as I wait 2 minutes before a new stop/start)

    2010-10-24T12:52:51.544739+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
    2010-10-24T12:52:51.545574+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="6100" x-info="http://www.rsyslog.com"] start

    and 15 seconds later

    2010-10-24T12:53:05.844081+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: Kernel logging (proc) stopped.
    2010-10-24T12:53:05.844160+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="6026" x-info="http://www.rsyslog.com"] exiting on signal 15.
    2010-10-24T12:53:06.544739+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
    2010-10-24T12:53:06.545574+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="6100" x-info="http://www.rsyslog.com"] start

    What does rotate have to do with that?


    >> It looks like if rsyslog use two different file configuration.
    >
    > Please explain.
    > I'm not reading all the text below, unless you explain what I should look at.
    > Carlos E. R.
    > (from 11.2 x86_64 "Emerald" at Telcontar)

    In the example above, the format I want is preserved (you can see my marks: SVRTY: TAG: MSG:).

    But at startup all messages are in standard syslog format for less than a minute, until syslog stops and restarts automatically.

    Oct 2 16:21:48 LINUX-SRV kernel: imklog 5.4.0, log source = /proc/kmsg started.
    Oct 2 16:21:48 LINUX-SRV rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1688" x-info="http://www.rsyslog.com"] start

    .................
    .................
    .................

    Message during first minute startup

    .................
    .................
    .................
    Then rsyslog stops and restarts with the correct format.

    Oct 2 16:21:55 LINUX-SRV kernel: [ 26.507284] end_request: I/O error, dev fd0, sector 0
    Oct 2 16:21:55 LINUX-SRV kernel: Kernel logging (proc) stopped.
    Oct 2 16:21:55 LINUX-SRV rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1688" x-info="http://www.rsyslog.com"] exiting on signal 15.
    2010-10-02T16:21:55.629234+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
    2010-10-02T16:21:55.629592+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="2961" x-info="http://www.rsyslog.com"] start
    2010-10-02T16:21:55.913670+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: [ 27.029292] [drm] nouveau 0000:02:00.0: Load detected on output C


    Thank you for helping me

    JC DOLE

  4. #4
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547


    On 2010-10-24 14:06, jcdole wrote:
    >
    > Carlos E. R.;2238144 Wrote:
    >> On 2010-10-14 20:06, jcdole wrote:
    >>>
    >>> Hello.
    >>>
    >>> I am surprised that rsyslog start, stop and restart automatically.

    >>
    >> Well, rotate has to do that.



    I thought that I had replied to this, but I do not see my reply. Even if it
    is late, I'll try.

    ....


    > What rotate has to do with that ?


    Rotate can restart the syslog daemon when it does its job. But seeing what
    you wrote, it doesn't match.

    ....
    ....

    > Thank you for helping me


    I'm sorry, but I have no idea what might be happening there.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  5. #5
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4


    What is the question? It seems you are not interested in why rsyslog is restarting (due to logrotate usually) but you are asking why the format is different while it's not running.

    I would guess it's due to the kernel buffering the log entries until a syslog daemon collects them again. You'd have to look at the rsyslog code to be sure.

  6. #6
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,113


    Hello

    Originally Posted by ken_yap:
    > What is the question? It seems you are not interested in why rsyslog is restarting (due to logrotate usually) but you are asking why the format is different while it's not running.
    >
    > I would guess it's due to the kernel buffering the log entries until a syslog daemon collects them again. You'd have to look at the rsyslog code to be sure.

    I can understand that logrotate does some job.

    There are 2 problems :

    First : Automatic START-STOP
    If I start my computer for five minutes, stop and restart my computer 3 or 4 times, rsyslog stops during the first 15 seconds and restarts automatically.

    Nov 24 16:36:49 jc-toshiba kernel: imklog 5.4.0, log source = /proc/kmsg started.
    Nov 24 16:36:49 jc-toshiba rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1882" x-info="http://www.rsyslog.com"] start
    Nov 24 16:36:49 jc-toshiba kernel: [ 19.248075] type=1505 audit(1290613007.285:2): operation="profile_load" pid=1759 name=/bin/ping
    Nov 24 16:36:49 jc-toshiba kernel: [ 19.342221] type=1505 audit(1290613007.379:3): operation="profile_load" pid=1760 name=/sbin/klogd
    ...................................
    ...................................
    Some messages
    ...................................
    ...................................
    Nov 24 16:37:02 jc-toshiba ifup-dhcp: eth0 IP address: 192.168.130.65/24
    Nov 24 16:37:02 jc-toshiba kernel: Kernel logging (proc) stopped.
    Nov 24 16:37:02 jc-toshiba rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1882" x-info="http://www.rsyslog.com"] exiting on signal 15.

    NOTE :
    Same behavior if I start and restart rsyslog service.
    (service syslog restart)

    Secondly : Text formatting
    During the first 15 seconds, the text does not respect the configuration file
    /etc/rsyslog.conf :
    $template myFormat_02,"==>>> %TIMESTAMP:::date-rfc3339% {%HOSTNAME%} {SVRTY: %syslogseverity%} {TAG: %syslogtag%} \n{MSG:}%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
    $ActionFileDefaultTemplate myFormat_02
    Before the stop/restart :
    Nov 24 16:36:49 jc-toshiba kernel: imklog 5.4.0, log source = /proc/kmsg started.
    Nov 24 16:36:49 jc-toshiba rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1882" x-info="http://www.rsyslog.com"] start
    Nov 24 16:36:49 jc-toshiba kernel: [ 19.248075] type=1505 audit(1290613007.285:2): operation="profile_load" pid=1759 name=/bin/ping
    Nov 24 16:36:49 jc-toshiba kernel: [ 19.342221] type=1505 audit(1290613007.379:3): operation="profile_load" pid=1760 name=/sbin/klogd
    ...................................
    ...................................
    Some messages

    After the restart :

    ==>>> 2010-11-24T16:37:02.906596+01:00 {jc-toshiba} {SVRTY: 6} {TAG: kernel:}
    {MSG} imklog 5.4.0, log source = /proc/kmsg started.
    ==>>> 2010-11-24T16:37:02.906650+01:00 {jc-toshiba} {SVRTY: 6} {TAG: rsyslogd:}
    {MSG} [origin software="rsyslogd" swVersion="5.4.0" x-pid="3392" x-info="http://www.rsyslog.com"] start
    ==>>> 2010-11-24T16:37:03.250874+01:00 {jc-toshiba} {SVRTY: 6} {TAG: auditd[3459]:}
    {MSG} Started dispatcher: /sbin/audispd pid: 3461
    ==>>> 2010-11-24T16:37:03.285504+01:00 {jc-toshiba} {SVRTY: 7} {TAG: audispd:}
    {MSG} priority_boost_parser called with: 4
    ==>>> 2010-11-24T16:37:03.285516+01:00 {jc-toshiba} {SVRTY: 7} {TAG: audispd:}
    {MSG} max_restarts_parser called with: 10
    ==>>> 2010-11-24T16:37:03.286132+01:00 {jc-toshiba} {SVRTY: 3} {TAG: audispd:}
    {MSG} No plugins found, exiting

    You can see the various enhancements: ==>>> , { }, {TAG: }, {MSG}

    Your comments are welcome

    JC DOLE
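
Added example, not part of any post in the thread: a small Python parser that reads a log mixing the traditional format and the `myFormat_02` template from the first post, pairs each rsyslogd `exiting on signal` record with the next `start`, and reports the old instance's uptime, the logging gap and whether the output format changed across the restart. The function names and the year supplied for traditional timestamps are assumptions of this example, and both formats are treated as local wall-clock time.

```python
import re
from datetime import datetime

# Constructed sample file: lines copied from the first post of the thread.
SAMPLE = '''\
Oct 2 16:21:48 LINUX-SRV kernel: imklog 5.4.0, log source = /proc/kmsg started.
Oct 2 16:21:48 LINUX-SRV rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1688" x-info="http://www.rsyslog.com"] start
Oct 2 16:21:55 LINUX-SRV kernel: Kernel logging (proc) stopped.
Oct 2 16:21:55 LINUX-SRV rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1688" x-info="http://www.rsyslog.com"] exiting on signal 15.
2010-10-02T16:21:55.629234+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-02T16:21:55.629592+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software="rsyslogd" swVersion="5.4.0" x-pid="2961" x-info="http://www.rsyslog.com"] start
'''

TRAD = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} [\d:]{8}) \S+ (?P<tag>\S+:) ?(?P<msg>.*)$')
CUSTOM = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\dT\S+) \S+ SVRTY:\d '
                    r'TAG:(?P<tag>\S+:) MSG: ?(?P<msg>.*)$')
LIFECYCLE = re.compile(r'x-pid="(\d+)"[^\]]*\] (start|exiting on signal (\d+))')

def parse_line(line, year):
    """Return (timestamp, format_name, tag, msg), or None if no format matches."""
    m = CUSTOM.match(line)
    if m:
        # Drop the UTC offset so both formats compare as local wall-clock time.
        ts = datetime.fromisoformat(m['ts']).replace(tzinfo=None)
        return ts, 'myFormat_02', m['tag'], m['msg']
    m = TRAD.match(line)
    if m:
        # Traditional timestamps carry no year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
        return ts, 'traditional', m['tag'], m['msg']
    return None

def find_restarts(text, year):
    """Pair each rsyslogd exit with the next start and describe the handover."""
    started, last_exit, found = {}, None, []
    for line in text.splitlines():
        rec = parse_line(line, year)
        ev = LIFECYCLE.search(rec[3]) if rec and rec[2] == 'rsyslogd:' else None
        if not ev:
            continue
        ts, fmt, pid = rec[0], rec[1], int(ev[1])
        if ev[2] == 'start':
            if last_exit:
                exit_ts, exit_fmt, info = last_exit
                info.update(new_pid=pid, gap_s=(ts - exit_ts).total_seconds(),
                            format_changed=(fmt != exit_fmt))
                found.append(info)
                last_exit = None
            started[pid] = ts
        else:
            # Uptime is unknown (None) when the instance's start was not in the file.
            up = (ts - started[pid]).total_seconds() if pid in started else None
            last_exit = (ts, fmt, {'old_pid': pid, 'signal': int(ev[3]), 'uptime_s': up})
    return found

if __name__ == '__main__':
    for r in find_restarts(SAMPLE, 2010):
        print(r)
```

Lines written with the second template from post #6 span two physical lines each and are not matched by these patterns.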

  7. #7
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4


    Well, obviously rsyslog isn't running when the computer starts from cold so until it is running, messages are buffered up by the kernel, and written to the log when it gets going.

    As for the format difference, I've already given you my best theory. I don't see it here so I have no personal experience with it.

  8. #8
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,814


    So is there some sort of problem with this????

  9. #9
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,113


    Originally Posted by ken_yap:
    > Well, obviously rsyslog isn't running when the computer starts from cold so until it is running, messages are buffered up by the kernel, and written to the log when it gets going.
    >
    > As for the format difference, I've already given you my best theory. I don't see it here so I have no personal experience with it.

    If it was really running as you say, you will see only the first two lines with:

    Nov 24 16:36:49 jc-toshiba kernel: imklog 5.4.0, log source = /proc/kmsg started.
    Nov 24 16:36:49 jc-toshiba rsyslogd: [origin software="rsyslogd" swVersion="5.4.0" x-pid="1882" x-info="http://www.rsyslog.com"] start

    And then the flow of messages emptying the queue first, without any interruption until you stop the system.

    With this version (11.3), on my system, syslog stops after 15 seconds and restarts, and from the point of view of the RSYSLOG people it is an unwanted behaviour.
