Rsyslog's imfile plugin not working on CentOS 7?

Time: 2021-08-20 22:03:27

I am trying to get Rsyslog's imfile plugin working without any real success.

Here is useful OS version information:

# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

And here is Rsyslog version information:

# rsyslogd -v
rsyslogd 7.4.7, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      No
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes

See http://www.rsyslog.com for more information.

I tried both the legacy and the RainerScript format of the configuration. Neither of them works for me, sadly. I must be doing something completely wrong, but I simply cannot decide what it could be.

Here is my actual testing configuration (in RainerScript; the legacy version I tested before was exactly the same in its meaning):

# cat /etc/rsyslog.conf
global(
    workDirectory = "/tmp"
) 

module(
    load = "imuxsock"
)

module(
    load = "imjournal"
    stateFile = "journal.state"
)

module(
    load = "imfile"
    pollingInterval = "10"
)

ruleset(name = "test-ruleset") {
    if $syslogtag contains "test-syslogtag" then {
        action(
            type = "omfile"
            file = "/tmp/test-file.log"
        )
        stop
    }
}

input(
    type = "imfile"
    tag = "test-syslogtag"
    stateFile = "test-input.state"
    facility = "daemon"
    severity = "debug"
    file = "/tmp/test-input.in"
    ruleset = "test-ruleset"
)

if prifilt("*.*") then {
    action(
        type = "omfile"
        file = "/tmp/rsyslog-testing.log"
    )
}

No warning or error is produced by Rsyslog with the above configuration, but nothing from the /tmp/test-input.in file is copied to /tmp/test-file.log either.

(I also double-checked /var/log/audit/audit.log, of course, and ... nothing suspicious is there. Being desperate about what's going on, I also tried setenforce 0 to switch SELinux off completely and restarted Rsyslog afterwards. It did not help, so the root cause of the problem may not be an SELinux-related issue.)

Also, the test-input.state file is correctly created in the global workDirectory path (/tmp in this testing case). I also tried standard paths (logs in /var/log, state file in /var/lib/rsyslog) and it does not work either, although all related files were created properly.

What's weird: I cannot see any change in the state file if I populate the input log file with some testing data, even after restarting Rsyslog with # systemctl restart rsyslog (it should update the state file by default).

Just to point out: the imjournal and imuxsock plugins work and populate the fallback log file /tmp/rsyslog-testing.log correctly. Also, manually running Rsyslog in the foreground with the -D and/or -d options did not help me much to clarify why the imfile plugin does not work for me in this particular configuration.

So, could you please

  1. check my RainerScript syntax for any obvious fault (I guess there is none),
  2. show me some working imfile plugin configuration on EL7?

Thank you very much.

--
mjf

1 solution

#1


2  

With a few minor changes it finally started to work properly. I think the main root cause of the problem in my case must have been my testing it in the /tmp directory, where Rsyslog does not seem to work properly for some reason on CentOS 7.

(Might it be that /tmp is populated by a file system namespace, despite the fact that the Systemd option PrivateTmp is not set to true in the Rsyslog unit file and this option should be false by default according to the Systemd manual page? This is highly improbable, but I haven't managed to dig further into it yet. If I find out, I will update this answer.)

The other minor cause might have been an incorrect filter written in RainerScript (my real testing instance contained a horrible typo I simply overlooked). So here is the resulting testing configuration that works like a charm for me.

# cat /etc/rsyslog.conf
global(
    workDirectory = "/var/lib/rsyslog"
)

module(
    load = "imuxsock"
)

module(
    load = "imjournal"
    stateFile = "journal.state"
)

module(
    load = "imfile"
    pollingInterval = "10"
)

ruleset(name = "test-ruleset") {
    if $programname == "test-syslogtag" then {
        action(
            type = "omfile"
            file = "/var/log/test-file.log"
        )
        stop
    }
}

input(
    type = "imfile"
    tag = "test-syslogtag:"
    stateFile = "test-input.state"
    facility = "daemon"
    severity = "debug"
    file = "/var/log/test-input.in"
    ruleset = "test-ruleset"
)

if prifilt("*.*") then {
    action(
        type = "omfile"
        file = "/var/log/rsyslog-testing.log"
    )
}

A little hint for those who don't know it: $syslogtag and $programname seem to be close relatives: $syslogtag := $programname ":". You can easily find out all the $-prefixed variables you can match against by using the RSYSLOG_DebugFormat output template, which is already compiled in.

I hope it helps.

--
mjf
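
The hint above about $syslogtag and $programname is the crux of why the question's filter ($syslogtag contains "test-syslogtag") and the answer's filter ($programname == "test-syslogtag") behave differently. The following POSIX sh script is an added example, not code from the poster or from the rsyslog project: it derives the programname from a set of constructed sample tags and shows which of the two filters would select each one. It assumes rsyslog's documented rule that $programname is the "static" part of the tag, i.e. everything before the first '[' (the PID) or ':' (the tag terminator); the sample tags are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): model the $syslogtag / $programname
# relation so the two RainerScript filters can be compared without touching rsyslog.
#
# Assumption (labelled): rsyslog derives $programname as the part of the tag
# before the first '[' or ':'. The sample tags below are constructed.

# programname_from_tag TAG -> prints the programname rsyslog would derive.
programname_from_tag() {
    # Drop a "[pid]" suffix, then drop everything from the first ':' on.
    printf '%s\n' "$1" | sed -e 's/\[.*$//' -e 's/:.*$//'
}

# filter_question TAG -> exit 0 if the question's filter would match:
#   if $syslogtag contains "test-syslogtag" then ...
filter_question() {
    case "$1" in
        *test-syslogtag*) return 0 ;;
        *)                return 1 ;;
    esac
}

# filter_answer TAG -> exit 0 if the answer's filter would match:
#   if $programname == "test-syslogtag" then ...
filter_answer() {
    [ "$(programname_from_tag "$1")" = "test-syslogtag" ]
}

# Constructed sample tags, as rsyslog would see them from different inputs:
# the answer's imfile tag (with colon), the question's tag (without), a tag
# with a PID, a different program whose name merely contains the string, and sshd.
SAMPLE_TAGS='test-syslogtag:
test-syslogtag
test-syslogtag[4242]:
not-test-syslogtag-at-all:
sshd[1234]:'

# report -> one line per sample tag: tag, derived programname, and which filter matches.
# Substring matching with "contains" also selects the unrelated
# "not-test-syslogtag-at-all" tag; the exact "==" on programname does not.
report() {
    printf '%s\n' "$SAMPLE_TAGS" | while IFS= read -r tag; do
        pn=$(programname_from_tag "$tag")
        q=no; filter_question "$tag" && q=yes
        a=no; filter_answer "$tag" && a=yes
        printf '%-28s programname=%-22s contains:%-4s ==:%s\n' "$tag" "$pn" "$q" "$a"
    done
}

report
```

Run it as-is to see the table. The practical takeaway for a log pipeline is that an exact $programname comparison is the safer selector: it is unaffected by a PID suffix or the trailing colon and cannot be satisfied by another program whose name happens to contain the same substring. When changing the configuration, rsyslogd -N1 -f /etc/rsyslog.conf checks the syntax before the daemon is restarted.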
