I removed rsyslog using yum, rebooted the VM and made sure postfix was running. I then sent five emails from a remote VM using SMTP. I can see the postfix logs using journalctl. This set of postfix logs do not make it to /var/log/maillog. The five emails were delivered. I'm not sure if this is the expected behavior.
Apache is also running on this VM. I performed "tail /var/log/httpd/access_log" and can see Apache logging. Greg Sims www.RayStedman.org On Sun, Jul 12, 2020 at 5:08 PM Greg Sims <[email protected]> wrote: > I updated my maillog processing tool to make use of journalctl. This is > working well and I can now see the "missing" maillog entries with my tool. > This is a great step in the right direction. > > I have rsyslog running which looks like it might be redundant -- based on > the serverfault post you supplied. I will try running without rsyslog and > see what happens. > > I am aware of the systemd journal rate limits from CentOS 7. I will do > additional research to know when I hit these limits and make needed > adjustments if I do. > > Thanks for your help Christian! I am now able to accomplish my goals > using journalctl. > > I am more than willing to collect data to help determine why the three > minutes of log data is not making it to /var/log/maillog. To be honest, I > do not know how to "... find out how your syslog daemon gets the messages > from the systemd journal.". > > Greg Sims > > On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo <[email protected]> > wrote: > >> >> >> On 2020-07-13 00:10, Greg Sims wrote: >> > Thank you Christian. I am running on CentOS 8.2 and the name of the >> > service is "postfix.service". When I enter: >> > >> >> journalctl -u postfix.service --since="2020-07-12 03:06:00" >> >> --until="2020-07-12 03:11:00" >> > I see all of the missing data that should be in /var/log/maillog -- >> > almost 50,000 records. You discovered a way to gain access to the >> > missing data! >> > >> > The big question for me continues to be, why did this data not make it >> > to /var/log/maillog? >> You'd have to find out how your syslog daemon get the messages from the >> systemd journal. What syslog daemon do you have installed? >> Be aware that systemd journal has some rate limits which can lead to >> loss of log messages, see the man 5 journald.conf >> >> I found this >> >> https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald >> which covers rsyslog on centos 7. There is an import module for systemd >> journal. >> >> On my server rsyslog is configured to create a log socket at >> /var/spool/postfix/dev/log and ignore systemd journal and that works >> well for my use case. >> >> > Greg Sims >> > >> > On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo >> > <[email protected]> wrote: >> > >> >> On 2020-07-12 23:01, Greg Sims wrote: >> >>> Nothing Christian: >> >>> >> >>>> [root@mail0 postfix]# journalctl -u [email protected] >> >>>> --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00" >> >>>> -- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun >> >> 2020-07-12 >> >>>> 15:50:00 CDT. -- >> >>>> -- No entries -- >> >> Maybe your systemd unit is named slightly different as in debian, >> >> [email protected] is what tab completion makes for me... >> >> >> >> Is there anything in journalctl? What does systemctl status postfix >> >> show? >> >> >> >> You can have postfix log to a file as described in >> >> http://www.postfix.org/MAILLOG_README.html first and then fix your >> >> logging. >> >> >> >> -- >> >> Christian Kivalo >> >> -- >> Christian Kivalo >> >
