On 2020-07-13 02:08, Greg Sims wrote:
I updated my maillog processing tool to make use of journalctl. This
is working well and I can now see the "missing" maillog entries with
my tool. This is a great step in the right direction.
That sounds great.
I have rsyslog running which looks like it might be redundant -- based
on the serverfault post you supplied. I will try running without
rsyslog and see what happens.
I am aware of the systemd journal rate limits from CentOS 7. I will
do additional research to know when I hit these limits and make needed
adjustments if I do.
I added this to /etc/system/journal.conf.d/journald.conf and it works
for me.
[Journal]
RateLimitIntervalSec=1s
RateLimitBurst=0
Thanks for your help Christian! I am now able to accomplish my goals
using journalctl.
I am more than willing to collect data to help determine why the three
minutes of log data is not making it to /var/log/maillog. To be
honest, I do not know how to "... find out how your syslog daemon gets
the messages from the systemd journal.".
Greg Sims
On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo
<ml+postfix-us...@valo.at> wrote:
On 2020-07-13 00:10, Greg Sims wrote:
Thank you Christian. I am running on CentOS 8.2 and the name of
the
service is "postfix.service". When I enter:
journalctl -u postfix.service --since="2020-07-12 03:06:00"
--until="2020-07-12 03:11:00"
I see all of the missing data that should be in /var/log/maillog
--
almost 50,000 records. You discovered a way to gain access to the
missing data!
The big question for me continues to be, why did this data not
make it
to /var/log/maillog?
You'd have to find out how your syslog daemon get the messages from
the
systemd journal. What syslog daemon do you have installed?
Be aware that systemd journal has some rate limits which can lead to
loss of log messages, see the man 5 journald.conf
I found this
https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald
which covers rsyslog on centos 7. There is an import module for
systemd
journal.
On my server rsyslog is configured to create a log socket at
/var/spool/postfix/dev/log and ignore systemd journal and that works
well for my use case.
Greg Sims
On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo
<ml+postfix-us...@valo.at> wrote:
On 2020-07-12 23:01, Greg Sims wrote:
Nothing Christian:
[root@mail0 postfix]# journalctl -u postfix@-.service
--since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
-- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun
2020-07-12
15:50:00 CDT. --
-- No entries --
Maybe your systemd unit is named slightly different as in debian,
postfix@-.service is what tab completion makes for me...
Is there anything in journalctl? What does systemctl status
postfix
show?
You can have postfix log to a file as described in
http://www.postfix.org/MAILLOG_README.html first and then fix
your
logging.
--
Christian Kivalo
--
Christian Kivalo
--
Christian Kivalo
