On Tue, 17 Jul 2012, Gerrard Geldenhuis wrote:
Hi I were doing some very simplistic testing ( lazy testing is probably more accurate ). I need to send logs to a remote black box device to which I have no access. In order to see if remote logging would work I ran nc -l 514 on a temporary box and sure enough I could see the log messages being send it even works grantly with the -u flag in nc to test over udp.Next I wanted to test local caching in case of a downed black box. A down server in my testing case would be the lack of nc listening on tcp 514. I then created a few log messages which I could see being logged locally. I then expected these same log messages to appear when I started nc but that did not happen. Instead if I continue creating log events I see the new log events but not the ones that I expected to be cached locally. Versions: Red Hat 5.8 box which comes with rsyslog-3.22.1-7.el5
first off, 3.22 is ancient, even 4.x is old enough to have dropped off of support. you really should upgrade to at least 5.x if not 6.x or see if Red Hat will support you on such an old version.
My relevant /etc/rsyslog.conf: # Default values $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $ModLoad imklog $ModLoad imuxsock # From the web howto: $WorkDirectory /var/lib/rsyslog # Default locaction for spool files $ActionQueueType LinkedList # Use asynchronous processing $ActionQueueFileName remoteservercache # Sets cache file name and enables disk mode $ActionResumeRetryCount -1 # infinite retries on insert failure $ActionQueueSaveOnShutdown on # Save in-memory data if rsyslog shuts down kern.* @@logserver:514 & /var/log/kernel.log Possibly the rsyslog deamon can't write to /var/lib/rsyslog. Where would that failure be logged?
start rsyslog with the debug flag and look at the output, any permission errors should show up at startup (or at the very least, when the first messages are logged)
I created the directory and gave it 755 permissions and it is owned root:root
this may or may not be right depending on your config (since you didn't give us your entire config we can't be sure)
So two questions: Would my assumptions about how nc would receive logs be correct and if so what else would be causing the failure of local caching?
This is an area of rsyslog that has been modified and improved significantly since the 3.x days. That may be part of your problem.
David Lang
WorldPay (UK) Limited, Company No. 07316500. Registered Office: 55 Mansell Street, London E1 8AN Authorised and regulated by the Financial Services Authority. ‘WorldPay Group’ means WorldPay (UK) Limited and its affiliates from time to time. A reference to an “affiliate” means any Subsidiary Undertaking, any Parent Undertaking and any Subsidiary Undertaking of any such Parent Undertaking and reference to a “Parent Undertaking” or a “Subsidiary Undertaking” is to be construed in accordance with section 1162 of the Companies Act 2006, as amended. DISCLAIMER: This email and any files transmitted with it, including replies and forwarded copies (which may contain alterations) subsequently transmitted from the WorldPay Group, are confidential and solely for the use of the intended recipient. If you are not the intended recipient (or authorised to receive for the intended recipient), you have received this email in error and any review, use, distribution or disclosure of its content is strictly prohibited. If you have received this email in error please notify the sender immediately by replying to this message. Please then delete this email and destroy any copies of it. Messages sent to and from the WorldPay Group may be monitored to ensure compliance with internal policies and to protect our business. Emails are not necessarily secure. The WorldPay Group does not accept responsibility for changes made to this message after it was sent. Please note that neither the WorldPay Group nor the sender accepts any responsibility for viruses and it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. Anyone who communicates with us by email is taken to accept these risks. Opinions, conclusions and other information contained in this message that do not relate to the official business of the WorldPay Group shall not be understood as endorsed or given by it.
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
