Rsyslog start stop and restart ?

English Applications
1

Hello.

I am surprised that rsyslog start, stop and restart automatically.

Have you any idea.
It looks like if rsyslog use two different file configuration.

Thank you for your help.

Oct 2 16:21:48 LINUX-SRV kernel: imklog 5.4.0, log source = /proc/kmsg started.
Oct 2 16:21:48 LINUX-SRV rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1688” x-info=“http://www.rsyslog.com”] start
Oct 2 16:21:48 LINUX-SRV kernel: 17.616106] type=1505 audit(1286029306.498:2): operation=“profile_load” pid=1580 name=/bin/ping



following messages not respecting the asked format (rsylog.conf).



then rsyslog stop and restart with the correct format.

Oct 2 16:21:55 LINUX-SRV kernel: 26.507284] end_request: I/O error, dev fd0, sector 0
Oct 2 16:21:55 LINUX-SRV kernel: Kernel logging (proc) stopped.
Oct 2 16:21:55 LINUX-SRV rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1688” x-info=“http://www.rsyslog.com”] exiting on signal 15.
2010-10-02T16:21:55.629234+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-02T16:21:55.629592+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“2961” x-info=“http://www.rsyslog.com”] start
2010-10-02T16:21:55.913670+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: 27.029292] [drm] nouveau 0000:02:00.0: Load detected on output C

rsyslog.conf :

rsyslog v3: load input modules

If you do not load inputs, nothing happens!

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)

$ModLoad imklog.so # kernel logging (may be also provided by /sbin/klogd),

$klogConsoleLogLevel 1 # set log level 1 (same as in /etc/sysconfig/syslog).

Use traditional log format by default. To change it for a single

file, append “;RSYSLOG_TraditionalFileFormat” to the filename.

#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

NEW myFormat_02

$template myFormat_02,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% SVRTY:%syslogseverity% TAG:%syslogtag% MSG:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%
"
$ActionFileDefaultTemplate myFormat_02

$IncludeConfig /var/run/rsyslog/additional-log-sockets.conf

nothing changed from initial install

$IncludeConfig /etc/rsyslog.d/*.conf

nothing changed from initial install

print most important on tty10 and on the xconsole pipe

if (
/* kernel up to warning except of firewall /
($syslogfacility-text == ‘kern’) and
($syslogseverity <= 4 / warning / ) and not
($msg contains ‘IN=’ and $msg contains ‘OUT=’)
) or (
/ up to errors except of facility authpriv /
($syslogseverity <= 3 / errors */ ) and not
($syslogfacility-text == ‘authpriv’)
)
then /dev/tty10
& |/dev/xconsole

Emergency messages to everyone logged on (wall)

*.emerg *

#######################################################################

ANY MESSAGE RELATIVE TO NSS_LDAP

#######################################################################

:msg, contains, “nss_ldap” /var/log/openldap/nss_ldap_related.log
& ~

firewall messages into separate file and stop their further processing

if ($syslogfacility-text == ‘kern’) and
($msg contains ‘IN=’ and $msg contains ‘OUT=’)
then -/var/log/firewall
& ~

acpid messages into separate file and stop their further processing

=> all acpid messages for debuging (uncomment if needed):

#if ($programname == ‘acpid’ or $syslogtag == ‘[acpid]:’) then \

-/var/log/acpid

=> up to notice (skip info and debug)

if ($programname == ‘acpid’ or $syslogtag == ‘[acpid]:’) and
($syslogseverity <= 5 /* notice */)
then -/var/log/acpid
& ~

NetworkManager into separate file and stop their further processing

if ($programname == ‘NetworkManager’) or
($programname startswith ‘nm-’)
then -/var/log/NetworkManager
& ~

#################################################################

DHCP - NAMED

#################################################################

DHCP into separate file and stop their further processing

if ($programname == ‘dhcpd’) and
( ($syslogseverity <= 4 /* warning */) or
($msg contains ‘/etc/dhcpd.conf’) )
then -/var/log/dhcp_dns/dhcp.log
& ~

if ($programname == ‘dhcpd’) and
($syslogseverity >= 5 /* notice */)
then -/var/log/dhcp_dns/dhcp_notice.log
& ~

NAMED into separate file and stop their further processing

if ($programname == ‘named’) and
( ($syslogseverity <= 4 /* warning */) or
($msg contains ‘/etc/named.conf’) )
then -/var/log/dhcp_dns/named.log
& ~

if ($programname == ‘named’) and
($syslogseverity >= 5 /* notice */)
then -/var/log/dhcp_dns/named_notice.log
& ~

#################################################################

SAMBA - LDAP

#################################################################

SAMBA into separate file and stop their further processing

if ($programname == ‘winbindd’)
then -/var/log/samba/winbindd.log
& ~

if ($programname == ‘nmbd’)
then -/var/log/samba/nmbd.log
& ~

if ($programname == ‘smbd’)
then -/var/log/samba/smbd.log
& ~

LDAP into separate file and stop their further processing

if ($programname == ‘slapd’)
then -/var/log/openldap/slapd.log
& ~

if ($programname == ‘ldap’)
then -/var/log/openldap/ldap.log
& ~

#################################################################

LE RESTE

#################################################################

SMARTD

if ($programname == ‘smartd’)
then -/var/log/smartd.log
& ~

email-messages

mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err

news-messages

news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice

Warnings in one file

.=warning;.=err -/var/log/warn
*.crit /var/log/warn

the rest in one file

.;mail.none;news.none -/var/log/messages

Some foreign boot scripts require local7

local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

2

On 2010-10-14 20:06, jcdole wrote:
>
> Hello.
>
> I am surprised that rsyslog start, stop and restart automatically.

Well, rotate has to do that.

>
> Have you any idea.
> It looks like if rsyslog use two different file configuration.

Please explain.

>
> Thank you for your help.

I’m not reading all the text below, unless you explain what should I look at.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

3

If I do consecutively service syslog stop, service syslog start, wait 2 minutes, service syslog stop, service syslog start and then I look to system log I can see
2010-10-24T12:35:35.882185+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-24T12:35:35.882547+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“5563” x-info=“http://www.rsyslog.com”] start

and 15 seconds later

010-10-24T12:50:34.616591+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: Kernel logging (proc) stopped.
2010-10-24T12:50:34.617978+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“5563” x-info=“http://www.rsyslog.com”] exiting on signal 15.
2010-10-24T12:50:41.057863+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-24T12:50:41.058633+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“6026” x-info=“http://www.rsyslog.com”] start

2 minute later ( as I wait 2 minutes before a new stop start )

2010-10-24T12:52:51.544739+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-24T12:52:51.545574+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“6100” x-info=“http://www.rsyslog.com”] start

and 15 seconds later

2010-10-24T12:53:05.844081+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: Kernel logging (proc) stopped.
2010-10-24T12:53:05.844160+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“6026” x-info=“http://www.rsyslog.com”] exiting on signal 15.
2010-10-24T12:53:06.544739+02:00 LINUX-SRV SVRTY:6 TAG:kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-24T12:53:06.545574+02:00 LINUX-SRV SVRTY:6 TAG:rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“6100” x-info=“http://www.rsyslog.com”] start

What rotate has to do with that ?

>
> It looks like if rsyslog use two different file configuration.
>
Please explain.
I’m not reading all the text below, unless you explain what should I look at.
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

In example above, the format I want is preserved ( you can see my mark : SVRTY: TAG: MSG: )

But at startup all message are in standard syslog format during less than a minute until **syslog stop and restart automaticaly
**
Oct 2 16:21:48 LINUX-SRV kernel: imklog 5.4.0, log source = /proc/kmsg started.
Oct 2 16:21:48 LINUX-SRV rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1688” x-info=“http://www.rsyslog.com”] start



Message during first minute startup




Then rsyslog stop and restart with the correct format.

Oct 2 16:21:55 LINUX-SRV kernel: 26.507284] end_request: I/O error, dev fd0, sector 0
Oct 2 16:21:55 LINUX-SRV kernel: Kernel logging (proc) stopped.
Oct 2 16:21:55 LINUX-SRV rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1688” x-info=“http://www.rsyslog.com”] exiting on signal 15.
2010-10-02T16:21:55.629234+02:00 LINUX-SRV SVRTY:6 **TAG:**kernel: MSG: imklog 5.4.0, log source = /proc/kmsg started.
2010-10-02T16:21:55.629592+02:00 LINUX-SRV SVRTY:6 **TAG:**rsyslogd: MSG: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“2961” x-info=“http://www.rsyslog.com”] start
2010-10-02T16:21:55.913670+02:00 LINUX-SRV SVRTY:6 **TAG:**kernel: MSG: 27.029292] [drm] nouveau 0000:02:00.0: Load detected on output C

Thank you for helping me

JC DOLE

4

On 2010-10-24 14:06, jcdole wrote:
>
> Carlos E. R.;2238144 Wrote:
>> On 2010-10-14 20:06, jcdole wrote:
>>>
>>> Hello.
>>>
>>> I am surprised that rsyslog start, stop and restart automatically.
>>
>> Well, rotate has to do that.

I thought that I had replied to this, but I do not see my reply. Even if it
is late, I’ll try.

> What rotate has to do with that ?

Rotate can restart the syslog daemon when it does its job. But seeing what
you wrote, it doesn’t match.


> Thank you for helping me

I’m sorry, but I have no idea what might be happening there.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

5

What is the question? It seems you are not interested in why rsyslog is restarting (due to logrotate usually) but you are asking why the format is different while it’s not running.

I would guess it due to the kernel buffering the log entries until a syslog daemon collects them again. You’d have to look at the rsyslog code to be sure.

6

Hello

I can understand that logrotate does some job.

There are 2 problems :

First : Automatic START-STOP
If I start my computer for five minutes, stop and rerstart my computer 3 or 4 times, rsyslog stop during the first 15 seconds and restart automatically.

Nov 24 16:36:49 jc-toshiba kernel: imklog 5.4.0, log source = /proc/kmsg started.
Nov 24 16:36:49 jc-toshiba rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1882” x-info=“http://www.rsyslog.com”] start
Nov 24 16:36:49 jc-toshiba kernel: 19.248075] type=1505 audit(1290613007.285:2): operation=“profile_load” pid=1759 name=/bin/ping
Nov 24 16:36:49 jc-toshiba kernel: 19.342221] type=1505 audit(1290613007.379:3): operation=“profile_load” pid=1760 name=/sbin/klogd


Some messages


Nov 24 16:37:02 jc-toshiba ifup-dhcp: eth0 IP address: 192.168.130.65/24
Nov 24 16:37:02 jc-toshiba kernel: Kernel logging (proc) stopped.
Nov 24 16:37:02 jc-toshiba rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1882” x-info=“http://www.rsyslog.com”] exiting on signal 15.

NOTE :
Same behavior if I start and restart rsyslog service.
(service syslog restart)

Secondly : Text formatting
During the first 15 seconds, the text does not respect the configuration file

/etc/rsyslog.conf :$template myFormat_02,"==>>> %TIMESTAMP:::date-rfc3339% {%HOSTNAME%} {SVRTY: %syslogseverity%} {TAG: %syslogtag%}
{MSG:}%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%
"
$ActionFileDefaultTemplate myFormat_02

Before the stop/restart :
Nov 24 16:36:49 jc-toshiba kernel: imklog 5.4.0, log source = /proc/kmsg started.
Nov 24 16:36:49 jc-toshiba rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1882” x-info=“http://www.rsyslog.com”] start
Nov 24 16:36:49 jc-toshiba kernel: 19.248075] type=1505 audit(1290613007.285:2): operation=“profile_load” pid=1759 name=/bin/ping
Nov 24 16:36:49 jc-toshiba kernel: 19.342221] type=1505 audit(1290613007.379:3): operation=“profile_load” pid=1760 name=/sbin/klogd


Some messages

After the restart :

==>>> 2010-11-24T16:37:02.906596+01:00 {jc-toshiba} {SVRTY: 6} {TAG: kernel:}
{MSG} imklog 5.4.0, log source = /proc/kmsg started.
==>>> 2010-11-24T16:37:02.906650+01:00 {jc-toshiba} {SVRTY: 6} {TAG: rsyslogd:}
{MSG} [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“3392” x-info=“http://www.rsyslog.com”] start
==>>> 2010-11-24T16:37:03.250874+01:00 {jc-toshiba} {SVRTY: 6} {TAG: auditd[3459]:}
{MSG} Started dispatcher: /sbin/audispd pid: 3461
==>>> 2010-11-24T16:37:03.285504+01:00 {jc-toshiba} {SVRTY: 7} {TAG: audispd:}
{MSG} priority_boost_parser called with: 4
==>>> 2010-11-24T16:37:03.285516+01:00 {jc-toshiba} {SVRTY: 7} {TAG: audispd:}
{MSG} max_restarts_parser called with: 10
==>>> 2010-11-24T16:37:03.286132+01:00 {jc-toshiba} {SVRTY: 3} {TAG: audispd:}
{MSG} No plugins found, exiting

You can see the various enhancement : ==>>> , { }, {TAG: },
{MSG}

Your comments are welcome

JC DOLE

7

Well, obviously rsyslog isn’t running when the computer starts from cold so until it is running, messages are buffered up by the kernel, and written to the log when it gets going.

As for the format difference, I’ve already given you my best theory. I don’t see it here so I have no personal experience with it.

8

So is there some sort of problem with this???

9

If it was really running as you tell, You will see only the two first line line with :

Nov 24 16:36:49 jc-toshiba kernel: imklog 5.4.0, log source = /proc/kmsg started.
Nov 24 16:36:49 jc-toshiba rsyslogd: [origin software=“rsyslogd” swVersion=“5.4.0” x-pid=“1882” x-info=“http://www.rsyslog.com”] start

An then the flow of messages emptying the queue first, without any interruption until you stop the system.

With this version ( 11.3 ), on my system, syslog stop after 15 seconds and restart, and from the point of view of RSYSLOG peoples it is an unwanted behaviour.