Hello,

I'm observing this odd problem on my v7 server where a template like this:

$template DailyPerHostLogs-syslog,"/var/log/central-log-server/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

will sometimes produce a result like this:

/var/log/central-log-server/172.16.16.3
`-- 2014
    `-- 08
        `-- 14
            `-- syslog.log
/var/log/central-log-server/172.16.16.4
`-- 2014
    `-- 08
        `-- 14
            `-- syslog.log
/var/log/central-log-server/172.16.16.5
`-- 2014
    `-- 08
        `-- 14
            `-- syslog.log


I've seen it happen twice so far in two days, but I am not sure what causes 
this hiccup (in both cases it was rather short lived).

I can provide useful information for the most recent incident only. 

Before I do that, let me explain what the setup looks like. I have one v7 server 
accepting messages from 4 clients, all being v5 rsyslog daemons, via TCP. The 
communication link between the v7 server and v5 clients is a secure VPN 
connection. The v7 server acts as a VPN server, and the v5 clients are VPN clients.

It appears that this odd hiccup happened right after the v7 server was rebooted 
and VPN links with the v5 clients were restored. In my system logs I can see 
that those directories with IP addresses instead of host names and syslog.log 
files in them were created exactly at the same hour and minute (18:50) when VPN 
links were restored. This corresponds in both v7 server system log files, and 
the v5 clients.

However, host name directories were created as IP addresses for only 3 of 4 
servers, and of a dozen templates that represent basically the default set 
of rules found in a stock configuration, only the one that produces syslog.log 
was affected. Also, for 172.16.16.3, syslog.log wasn't even written to. It's 
empty, while *.4 and *.5 contain a small number of lines that look like this:

Aug 14 18:29:43 172.16.16.4  ovpn-client-vpnserver[28397]: last message repeated 2 times

Then apparently things were back to normal and the v7 server continued logging as 
configured by the template(s).

On the v5 clients queues are configured explicitly like this:

$WorkDirectory /var/spool/rsyslog

$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

For example, on *.5 the queue file was created again at exactly 18:50:

-rw------- 1 syslog syslog 277K Aug 14 18:50 fwdRule1.00000017

but its contents show various messages, not just VPN related. Their number is 
also bigger than what was written to 
/var/log/central-log-server/172.16.16.5/2014/08/14/syslog.log.

On the v7 server, however, I did not configure a queue in any custom way.

I think this is all I got. Let me know if you need more information.

Is this common? Can this somehow be prevented? What happened there?

Ivan
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog