This is a similar post to one I've made on the rsyslog list that has received no responses after four days, so I figured I'd try here since the problem seems to be CentOS specific. This is also my second attempt to send it to this list as the first seems to have never shown up.
I am trying to test remote logging between two CentOS 6.3 systems and am unable to get the client logs to show up on the server, using the RELP module.
First of all, the client is a stock install of CentOS 6.3 running rsyslog v5.8.10. I inherited the server, but the change logging that we keep indicates it is pretty much stock too, and it is v5.8.10 as well.

On the server, I added to /etc/rsyslog.conf:

    $ModLoad imrelp
    $InputRELPServerRun 20514

And restarted the daemon:

    sudo service rsyslog restart
    Shutting down system logger: [ OK ]
    Starting system logger: [ OK ]

On the client, I added to /etc/rsyslog.conf:

    $ModLoad omrelp
    $WorkDirectory /var/spool/rsyslog
    $ActionQueueType LinkedList
    $ActionQueueFileName syslogfwd
    $ActionQueueMaxDiskSpace 10g
    $ActionResumeRetryCount -1
    $ActionQueueSaveOnShutdown on
    *.* :omrelp:xxx.xxx.xxx.xxx:20514

And restarted the daemon:

    sudo service rsyslog restart
    Shutting down system logger: [ OK ]
    Starting system logger: [ OK ]

Nothing ever showed up on the server, so I started going through the troubleshooting steps, which includes running the client in foreground mode and logging debug output:

    sudo service rsyslog stop
    sudo /sbin/rsyslogd -dn > /tmp/rsyslog.debug

However, as soon as the service started in the foreground, log entries began showing up on the server. But when I stop the foreground service and restart it as a background service, the log entries quit showing up at the server.
I can change things around so that tcp is used instead of RELP, and everything works that way. The problem is specific to using RELP in the normal background mode. I also tested the above RELP configuration on two Debian Wheezy boxes, each running rsyslog v5.8.11, and everything worked as expected. So the problem seems to be specific to CentOS with RELP.
Has anyone gotten this to work on CentOS?

Thanks,
Nelson
On Feb 19, 2013, at 8:16 AM, Nelson Green nelsongreen84@hotmail.com wrote:
> I can change things around so that tcp is used instead of RELP, and everything works that way. The problem is specific to using RELP in the normal background mode. I also tested the above RELP configuration on two Debian Wheezy boxes, each running rsyslog v5.8.11, and everything worked as expected. So the problem seems to be specific to CentOS with RELP.
Haven't tried it, but smells like selinux messing with you. Could also be a permissions problem on opening the port.
What specifically is TCP not capable of that RELP is? Just curious... looked at their webpage and it claims it's "reliable" but most of the internet hasn't found TCP to be very unreliable for decades...? (Reinventing the wheel?)
Oh! selinux (slap to forehead). Hadn't considered that. I've run into issues with it before, so good call. I'll see what I can figure out there. I'll be back in touch in a bit. Thanks!
One of the clients I want to monitor is a web server with a pretty heavy amount of logging. From what I've read, I will run the risk of losing messages from it or other clients that are trying to communicate at the same time. I'm hoping that RELP will mitigate that risk. I'm not too worried about losing web service messages, but my luck guarantees that an important log entry would be lost while an unimportant entry will always get through.
----------------------------------------
From: denverpilot@me.com Date: Tue, 19 Feb 2013 08:25:27 -0700 To: centos@centos.org Subject: Re: [CentOS] remote logging with rsyslog
On Feb 19, 2013, at 8:25 AM, Nathan Duehr denverpilot@me.com wrote:
> Haven't tried it, but smells like selinux messing with you. Could also be a permissions problem on opening the port.
Yep, that was it. Thanks for setting me straight.
And apologies for the top-posting reply previously. I pasted the reply and just wasn't paying attention. My mother raised me better than that.
On Feb 19, 2013, at 11:39 AM, Nelson Green nelsongreen84@hotmail.com wrote:
> Yep, that was it. Thanks for setting me straight.
> And apologies for the top-posting reply previously. I pasted the reply and just wasn't paying attention. My mother raised me better than that.
No problem, was just a hunch... happens all the time with selinux.
As far as top/bottom-posting goes, I'm sure the list has some policy but I've never gotten overly-concerned about it personally for years... life's too short to worry about it. :-)
Nate
From: denverpilot@me.com Date: Tue, 19 Feb 2013 15:57:27 -0700 To: centos@centos.org Subject: Re: [CentOS] remote logging with rsyslog [SOLVED]
> No problem, was just a hunch... happens all the time with selinux.
> As far as top/bottom-posting goes, I'm sure the list has some policy but I've never gotten overly-concerned about it personally for years... life's too short to worry about it. :-)
> Nate
Thanks! My thoughts too, but some people don't see it that way.
All the best,
Nelson
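
Added example (not part of the original thread): a shell sketch for confirming the SELinux diagnosis reached above, by pulling rsyslogd port denials out of audit log lines and printing the port-labelling command to review. The AVC lines in SAMPLE_AUDIT are constructed, and the thread does not say which change fixed the problem; labelling port 20514 as syslogd_port_t is an assumption about a common remedy.

```shell
#!/bin/sh
# Added example: locate SELinux AVC denials that match the RELP symptom in
# this thread (works in the foreground, fails as a confined daemon).
# SAMPLE_AUDIT is constructed for illustration, not taken from the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1361287527.101:412): avc:  denied  { name_connect } for  pid=2291 comm="rsyslogd" dest=20514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1361287530.007:413): avc:  denied  { read } for  pid=2310 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1361287611.554:420): avc:  denied  { name_bind } for  pid=1877 comm="rsyslogd" src=20514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Read audit log lines on stdin; print "permission port" for every rsyslogd
# TCP port denial. name_connect means the client (omrelp) was blocked,
# name_bind means the server (imrelp) was blocked.
rsyslog_port_denials() {
    awk '
        /avc:[ ]+denied/ && /comm="rsyslogd"/ && /tclass=tcp_socket/ {
            perm = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "name_connect" || $i == "name_bind") perm = $i
                if ($i ~ /^(dest|src)=[0-9]+$/) {
                    port = $i
                    sub(/^[a-z]+=/, "", port)   # keep only the number
                }
            }
            if (perm != "" && port != "") print perm, port
        }'
}

# Turn the denials into one labelling command per distinct port. The command
# is only printed for review, never executed. Assumption: the port should
# carry the syslogd_port_t type.
suggest_fix() {
    rsyslog_port_denials | awk '!seen[$2]++ {
        print "semanage port -a -t syslogd_port_t -p tcp " $2
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | rsyslog_port_denials
printf '%s\n' "$SAMPLE_AUDIT" | suggest_fix
```

On a live system, pipe the real log into the function instead of the sample, for example `sudo cat /var/log/audit/audit.log | rsyslog_port_denials`, on both the client and the server.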