I updated my maillog processing tool to make use of journalctl. This is working well and I can now see the "missing" maillog entries with my tool. This is a great step in the right direction.
I have rsyslog running which looks like it might be redundant -- based on the serverfault post you supplied. I will try running without rsyslog and see what happens. I am aware of the systemd journal rate limits from CentOS 7. I will do additional research to know when I hit these limits and make needed adjustments if I do. Thanks for your help Christian! I am now able to accomplish my goals using journalctl. I am more than willing to collect data to help determine why the three minutes of log data is not making it to /var/log/maillog. To be honest, I do not know how to "... find out how your syslog daemon gets the messages from the systemd journal.". Greg Sims On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo <ml+postfix-us...@valo.at> wrote: > > > On 2020-07-13 00:10, Greg Sims wrote: > > Thank you Christian. I am running on CentOS 8.2 and the name of the > > service is "postfix.service". When I enter: > > > >> journalctl -u postfix.service --since="2020-07-12 03:06:00" > >> --until="2020-07-12 03:11:00" > > I see all of the missing data that should be in /var/log/maillog -- > > almost 50,000 records. You discovered a way to gain access to the > > missing data! > > > > The big question for me continues to be, why did this data not make it > > to /var/log/maillog? > You'd have to find out how your syslog daemon get the messages from the > systemd journal. What syslog daemon do you have installed? > Be aware that systemd journal has some rate limits which can lead to > loss of log messages, see the man 5 journald.conf > > I found this > > https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald > which covers rsyslog on centos 7. There is an import module for systemd > journal. > > On my server rsyslog is configured to create a log socket at > /var/spool/postfix/dev/log and ignore systemd journal and that works > well for my use case. > > > Greg Sims > > > > On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo > > <ml+postfix-us...@valo.at> wrote: > > > >> On 2020-07-12 23:01, Greg Sims wrote: > >>> Nothing Christian: > >>> > >>>> [root@mail0 postfix]# journalctl -u postfix@-.service > >>>> --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00" > >>>> -- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun > >> 2020-07-12 > >>>> 15:50:00 CDT. -- > >>>> -- No entries -- > >> Maybe your systemd unit is named slightly different as in debian, > >> postfix@-.service is what tab completion makes for me... > >> > >> Is there anything in journalctl? What does systemctl status postfix > >> show? > >> > >> You can have postfix log to a file as described in > >> http://www.postfix.org/MAILLOG_README.html first and then fix your > >> logging. > >> > >> -- > >> Christian Kivalo > > -- > Christian Kivalo >
