 
            centos 6.4, setup to be syslog server. Doing remote syslog using tcp works fine, so now want to add relp. I installed the rsyslog-relp package and told rsyslog.conf to use it:

# RELP Syslog Server:
$ModLoad imrelp # provides RELP syslog reception
$InputRELPServerRun 20514

when I restart rsyslog I am told it does not like my InputRELPServerRun line:

Oct 28 13:43:54 scan rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="7102" x-info="http://www.rsyslog.com"] start
Oct 28 13:43:54 scan rsyslogd: the last error occured in /etc/rsyslog.conf, line 23:"$InputRELPServerRun 20514"

Any clues?
 
Dumb question...do you have librelp installed?
 
            On Tue, Oct 29, 2013 at 2:08 PM, Mike Burger mburger@bubbanfriends.org wrote:
> Dumb question...do you have librelp installed?

Never a dumb question! I've done that way too many times. The rsyslog-relp should have installed it. Just to be sure, I went and looked for /lib64/rsyslog/imrelp.so:

[root@scan ~]# ls -lh /lib64/rsyslog/imrelp.so
-rwxr-xr-x. 1 root root 11K Sep 9 09:58 /lib64/rsyslog/imrelp.so
[root@scan ~]#

> --
> Mike Burger
> http://www.bubbanfriends.org
>
> "It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
            Mauricio Tavares wrote:
> Never a dumb question! I've done that way too many times. The rsyslog-relp should have installed it. Just to be sure, I went and looked for /lib64/rsyslog/imrelp.so:
>
> [root@scan ~]# ls -lh /lib64/rsyslog/imrelp.so
> -rwxr-xr-x. 1 root root 11K Sep 9 09:58 /lib64/rsyslog/imrelp.so
> [root@scan ~]#

Oh, boy - here's a nasty thought (that I thought of, because I'd just run into it fighting fedora last week): you *might* try running depmod....

mark

> "It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1

Damn it, Jack, I'm an explorer, not a SEAL team member!
 
            On Tue, Oct 29, 2013 at 4:28 PM, m.roth@5-cent.us wrote:
> Oh, boy - here's a nasty thought (that I thought of, because I'd just run into it fighting fedora last week): you *might* try running depmod....

Running the risk of sounding more stupid than I already am, what would I be looking for using depmod? Is there a relp-related module that needs to be loaded? modprobe -l|grep relp shows nothing.
 
            Mauricio Tavares wrote:
> Running the risk of sounding more stupid than I already am, what would I be looking for using depmod? Is there a relp-related module that needs to be loaded? modprobe -l|grep relp shows nothing.

Just that it's possible that installing relp did *not* run depmod, and so when the system's loading modules, it might not know it's there.
mark
 
Looking at http://www.rsyslog.com/doc/imrelp.html, I see two possible configuration options. The option you're using:

$ModLoad imrelp # needs to be done just once
$InputRELPServerRun 20514

has some sort of note about being available in rsyslog 6.3.6+.

Since CentOS 6.4 comes with version 5.8.10-7, perhaps try using the other listed option, instead:

module(load="imrelp") # needs to be done just once
input(type="imrelp" port="20514")
 
            On Tue, Oct 29, 2013 at 4:33 PM, Mike Burger mburger@bubbanfriends.org wrote:
> Looking at http://www.rsyslog.com/doc/imrelp.html, I see two possible configuration options. The option you're using:
>
> $ModLoad imrelp # needs to be done just once
> $InputRELPServerRun 20514
>
> has some sort of note about being available in rsyslog 6.3.6+.
>
> Since CentOS 6.4 comes with version 5.8.10-7, perhaps try using the other listed option, instead:
>
> module(load="imrelp") # needs to be done just once
> input(type="imrelp" port="20514")

Really? I thought it was the other way around, since the config I am using is under "Legacy Configuration Directives:". After all, this

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

works without any issues. But, let's try it anyway:

# RELP Syslog Server:
# $ModLoad imrelp # provides RELP syslog reception
# start a RELP syslog server at port 20514
# $InputRELPServerRun 20514
module(load="imrelp") # needs to be done just once
input(type="imrelp" port="20514")

It seems not to like it

Oct 31 17:23:43 scan kernel: imklog 5.8.10, log source = /proc/kmsg started.
Oct 31 17:23:43 scan rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="8252" x-info="http://www.rsyslog.com"] start
Oct 31 17:23:43 scan rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Oct 31 17:23:43 scan rsyslogd: the last error occured in /etc/rsyslog.conf, line 24:"module(load="imrelp") # needs to be done just once"
Oct 31 17:23:43 scan rsyslogd: warning: selector line without actions will be discarded
Oct 31 17:23:43 scan rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Oct 31 17:23:43 scan rsyslogd: the last error occured in /etc/rsyslog.conf, line 25:"input(type="imrelp" port="20514")"
Oct 31 17:23:43 scan rsyslogd: warning: selector line without actions will be discarded
Oct 31 17:23:43 scan rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
 
            On Thu, Oct 31, 2013 at 05:25:50PM -0400, Mauricio Tavares wrote:
> Oct 31 17:23:43 scan rsyslogd: the last error occured in /etc/rsyslog.conf, line 24:"module(load="imrelp") # needs to be done just once"

Do 'rsyslogd -n -N1 -d' and you might get a better diagnostic (eg missing libraries or incompatible libraries)
 
            Stephen Harris wrote:
> Do 'rsyslogd -n -N1 -d' and you might get a better diagnostic (eg missing libraries or incompatible libraries)

Or ldd /sbin/rsyslogd.
mark
 
            On Thu, Oct 31, 2013 at 05:43:28PM -0400, m.roth@5-cent.us wrote:
> Or ldd /sbin/rsyslogd.

No, that's not good enough. rsyslogd loads modules dynamically and they don't show in the ldd output. Further, if the dependent module is the wrong version then the code might abort with missing function linkages.

You can only see this by actually running the program. The options I provided basically tell rsyslogd to do a config check with debug mode turned on.
 
On Thu, Oct 31, 2013 at 6:23 PM, Stephen Harris lists@spuddy.org wrote:
> No, that's not good enough. rsyslogd loads modules dynamically and they don't show in the ldd output. Further, if the dependent module is the wrong version then the code might abort with missing function linkages.
>
> You can only see this by actually running the program. The options I provided basically tell rsyslogd to do a config check with debug mode turned on.

Ok, I feel like I might be over my depth, so I will paste the output for rsyslogd -n -N1 -d verbatim:
[root@scan ~]# rsyslogd -n -N1 -d
1968.098225700:7f2b4eda1700: rsyslogd 5.8.10 startup, compatibility mode 0, module path '', cwd:/root 1968.098315213:7f2b4eda1700: caller requested object 'net', not found (iRet -3003) 1968.098322100:7f2b4eda1700: Requested to load module 'lmnet' 1968.098325697:7f2b4eda1700: loading module '/lib64/rsyslog/lmnet.so' 1968.098408322:7f2b4eda1700: module of type 2 being loaded. 1968.098412080:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.098417576:7f2b4eda1700: source file conf.c requested reference for module 'lmnet', reference count now 1 1968.098428589:7f2b4eda1700: rsyslog runtime initialized, version 5.8.10, current users 1 1968.098451066:7f2b4eda1700: source file syslogd.c requested reference for module 'lmnet', reference count now 2 1968.098458441:7f2b4eda1700: GenerateLocalHostName uses 'scan' 1968.098463085:7f2b4eda1700: omfile: using transactional output interface. 1968.098475209:7f2b4eda1700: module of type 1 being loaded. 1968.098481810:7f2b4eda1700: module of type 1 being loaded. 1968.098485492:7f2b4eda1700: entry point 'beginTransaction' not present in module 1968.098488083:7f2b4eda1700: entry point 'endTransaction' not present in module 1968.098492241:7f2b4eda1700: source file omfwd.c requested reference for module 'lmnet', reference count now 3 1968.098499962:7f2b4eda1700: module of type 1 being loaded. 1968.098504212:7f2b4eda1700: entry point 'doHUP' not present in module 1968.098506651:7f2b4eda1700: entry point 'beginTransaction' not present in module 1968.098508958:7f2b4eda1700: entry point 'endTransaction' not present in module 1968.098512225:7f2b4eda1700: module of type 1 being loaded. 1968.098515467:7f2b4eda1700: entry point 'doHUP' not present in module 1968.098517743:7f2b4eda1700: entry point 'beginTransaction' not present in module 1968.098520080:7f2b4eda1700: entry point 'endTransaction' not present in module 1968.098522730:7f2b4eda1700: module of type 1 being loaded. 
1968.098525960:7f2b4eda1700: entry point 'doHUP' not present in module 1968.098528312:7f2b4eda1700: entry point 'beginTransaction' not present in module 1968.098530564:7f2b4eda1700: entry point 'endTransaction' not present in module 1968.098533412:7f2b4eda1700: module of type 1 being loaded. 1968.098537275:7f2b4eda1700: entry point 'doHUP' not present in module 1968.098539610:7f2b4eda1700: entry point 'beginTransaction' not present in module 1968.098541881:7f2b4eda1700: entry point 'endTransaction' not present in module 1968.098545292:7f2b4eda1700: rfc5424 parser init called 1968.098547668:7f2b4eda1700: GetParserName addr 0x7f2b4edc28e0 1968.098549950:7f2b4eda1700: module of type 3 being loaded. 1968.098553508:7f2b4eda1700: Parser 'rsyslog.rfc5424' added to list of available parsers. 1968.098559148:7f2b4eda1700: rfc3164 parser init called 1968.098561793:7f2b4eda1700: module of type 3 being loaded. 1968.098564672:7f2b4eda1700: Parser 'rsyslog.rfc3164' added to list of available parsers. 1968.098567351:7f2b4eda1700: Parser 'rsyslog.rfc5424' added to default parser set. 1968.098569650:7f2b4eda1700: Parser 'rsyslog.rfc3164' added to default parser set. 1968.098572232:7f2b4eda1700: rsyslog standard file format strgen init called, compiled with version 5.8.10 1968.098575525:7f2b4eda1700: module of type 4 being loaded. 1968.098577851:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.098581123:7f2b4eda1700: Strgen 'RSYSLOG_FileFormat' added to list of available strgens. 1968.098583924:7f2b4eda1700: traditional file format strgen init called, compiled with version 5.8.10 1968.098586428:7f2b4eda1700: module of type 4 being loaded. 1968.098588842:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.098591534:7f2b4eda1700: Strgen 'RSYSLOG_TraditionalFileFormat' added to list of available strgens. 
1968.098594155:7f2b4eda1700: rsyslog standard (network) forward format strgen init called, compiled with version 5.8.10 1968.098596840:7f2b4eda1700: module of type 4 being loaded. 1968.098599159:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.098601895:7f2b4eda1700: Strgen 'RSYSLOG_ForwardFormat' added to list of available strgens. 1968.098605205:7f2b4eda1700: rsyslog traditional (network) forward format strgen init called, compiled with version 5.8.10 1968.098607808:7f2b4eda1700: module of type 4 being loaded. 1968.098610240:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.098613037:7f2b4eda1700: Strgen 'RSYSLOG_TraditionalForwardFormat' added to list of available strgens. 1968.098652738:7f2b4eda1700: deque option n, optarg '' 1968.098655392:7f2b4eda1700: deque option N, optarg '1' rsyslogd: version 5.8.10, config validation run (level 1), master config /etc/rsyslog.conf 1968.098668287:7f2b4eda1700: Called LogError, msg: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option. 1968.098707457:7f2b4eda1700: MsgSetTAG in: len 9, pszBuf: rsyslogd: 1968.098711555:7f2b4eda1700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd: rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option. 
1968.098737008:7f2b4eda1700: template bound to strgen 'RSYSLOG_FileFormat' 1968.098740515:7f2b4eda1700: template bound to strgen 'RSYSLOG_TraditionalFileFormat' 1968.098746481:7f2b4eda1700: template bound to strgen 'RSYSLOG_ForwardFormat' 1968.098749410:7f2b4eda1700: template bound to strgen 'RSYSLOG_TraditionalForwardFormat' 1968.098768184:7f2b4eda1700: rsyslog 5.8.10 - called init() 1968.098792175:7f2b4eda1700: cfline: '$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)' 1968.098800935:7f2b4eda1700: Requested to load module 'imuxsock' 1968.098806146:7f2b4eda1700: loading module '/lib64/rsyslog/imuxsock.so' 1968.098949335:7f2b4eda1700: imuxsock version 5.8.10 initializing 1968.098974673:7f2b4eda1700: module of type 0 being loaded. 1968.098979275:7f2b4eda1700: cfline: '$ModLoad imklog # provides kernel logging support (previously done by rklogd)' 1968.098982991:7f2b4eda1700: Requested to load module 'imklog' 1968.098985597:7f2b4eda1700: loading module '/lib64/rsyslog/imklog.so' 1968.099044440:7f2b4eda1700: module of type 0 being loaded. 1968.099047835:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.099051908:7f2b4eda1700: cfline: '$ModLoad imudp' 1968.099055127:7f2b4eda1700: Requested to load module 'imudp' 1968.099057956:7f2b4eda1700: loading module '/lib64/rsyslog/imudp.so' 1968.099093145:7f2b4eda1700: source file imudp.c requested reference for module 'lmnet', reference count now 4 1968.099105522:7f2b4eda1700: module of type 0 being loaded. 1968.099110380:7f2b4eda1700: cfline: '$UDPServerRun 514' 1968.099114443:7f2b4eda1700: doGetWord: get newval '514' (len 3), hdlr 0x7f2b4d53c5e0 1968.099116925:7f2b4eda1700: Trying to open syslog UDP ports at *:514. 
1968.099600828:7f2b4eda1700: cfline: '$ModLoad imtcp' 1968.099606268:7f2b4eda1700: Requested to load module 'imtcp' 1968.099609355:7f2b4eda1700: loading module '/lib64/rsyslog/imtcp.so' 1968.099642463:7f2b4eda1700: source file imtcp.c requested reference for module 'lmnet', reference count now 5 1968.099646652:7f2b4eda1700: caller requested object 'netstrm', not found (iRet -3003) 1968.099652259:7f2b4eda1700: Requested to load module 'lmnetstrms' 1968.099655404:7f2b4eda1700: loading module '/lib64/rsyslog/lmnetstrms.so' 1968.099696061:7f2b4eda1700: doing nsselClassInit 1968.099700541:7f2b4eda1700: doing nspollClassInit 1968.099704550:7f2b4eda1700: module of type 2 being loaded. 1968.099707063:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.099709935:7f2b4eda1700: source file imtcp.c requested reference for module 'lmnetstrms', reference count now 1 1968.099713067:7f2b4eda1700: caller requested object 'tcps_sess', not found (iRet -3003) 1968.099715484:7f2b4eda1700: Requested to load module 'lmtcpsrv' 1968.099718238:7f2b4eda1700: loading module '/lib64/rsyslog/lmtcpsrv.so' 1968.099756680:7f2b4eda1700: source file tcps_sess.c requested reference for module 'lmnetstrms', reference count now 2 1968.099762335:7f2b4eda1700: source file tcpsrv.c requested reference for module 'lmnet', reference count now 6 1968.099765259:7f2b4eda1700: source file tcpsrv.c requested reference for module 'lmnetstrms', reference count now 3 1968.099770709:7f2b4eda1700: module of type 2 being loaded. 1968.099773218:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.099775968:7f2b4eda1700: source file imtcp.c requested reference for module 'lmtcpsrv', reference count now 1 1968.099778858:7f2b4eda1700: source file imtcp.c requested reference for module 'lmtcpsrv', reference count now 2 1968.099796166:7f2b4eda1700: module of type 0 being loaded. 
1968.099800411:7f2b4eda1700: cfline: '$InputTCPServerRun 514' 1968.099804611:7f2b4eda1700: doGetWord: get newval '514' (len 3), hdlr 0x7f2b4d338740 1968.099809022:7f2b4eda1700: cfline: '$ModLoad imrelp # provides RELP syslog reception' 1968.099812244:7f2b4eda1700: Requested to load module 'imrelp' 1968.099814913:7f2b4eda1700: loading module '/lib64/rsyslog/imrelp.so' 1968.099895315:7f2b4eda1700: source file imrelp.c requested reference for module 'lmnet', reference count now 7 1968.099901408:7f2b4eda1700: module of type 0 being loaded. 1968.099903992:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module 1968.099907655:7f2b4eda1700: cfline: '$InputRELPServerRun 20514' 1968.099911807:7f2b4eda1700: doGetWord: get newval '20514' (len 5), hdlr 0x7f2b4cd2ad30 1968.099915983:7f2b4eda1700: ENGINE SetEnableCmd in syslog cmd state: 0 1968.099918620:7f2b4eda1700: ENGINE SetEnableCmd out syslog cmd state: 3, iRet 0 1968.099922360:7f2b4eda1700: relp server 0x7f2b4f91f580 constructed 1968.099926327:7f2b4eda1700: creating relp tcp listen socket on port 20514 1968.099972979:7f2b4eda1700: cfline: '$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat' 1968.099978180:7f2b4eda1700: doGetWord: get newval 'RSYSLOG_TraditionalFileFormat' (len 29), hdlr (nil) 1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf' 1968.100012146:7f2b4eda1700: requested to include config file '/etc/rsyslog.d/remote-hosts.conf' 1968.100026459:7f2b4eda1700: cfline: '$template DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"' 1968.100036475:7f2b4eda1700: cfline: '*.info;mail.none;authpriv.none;cron.none -?DailyPerHostLogs' 1968.100041040:7f2b4eda1700: - traditional PRI filter 1968.100043926:7f2b4eda1700: symbolic name: info ==> 6 1968.100048715:7f2b4eda1700: symbolic name: none ==> 16 1968.100051913:7f2b4eda1700: symbolic name: mail ==> 16 1968.100054998:7f2b4eda1700: symbolic name: none ==> 16 1968.100057973:7f2b4eda1700: symbolic 
name: authpriv ==> 80 1968.100060946:7f2b4eda1700: symbolic name: none ==> 16 1968.100063867:7f2b4eda1700: symbolic name: cron ==> 72 1968.100068676:7f2b4eda1700: tried selector action for builtin-file: 0 1968.100073239:7f2b4eda1700: Module builtin-file processed this config line. 1968.100077973:7f2b4eda1700: template: 'RSYSLOG_TraditionalFileFormat' assigned 1968.100080827:7f2b4eda1700: template: 'DailyPerHostLogs' assigned 1968.100087269:7f2b4eda1700: action 1 queue: save on shutdown 1, max disk space allowed 0 1968.100092589:7f2b4eda1700: action 1 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 1968.100095980:7f2b4eda1700: Action 0x7f2b4f9213d0: queue 0x7f2b4f921510 created 1968.100099786:7f2b4eda1700: selector line successfully processed 1968.100109845:7f2b4eda1700: cfline: '*.info;mail.none;authpriv.none;cron.none /var/log/messages' 1968.100112890:7f2b4eda1700: - traditional PRI filter 1968.100115267:7f2b4eda1700: symbolic name: info ==> 6 1968.100118618:7f2b4eda1700: symbolic name: none ==> 16 1968.100121468:7f2b4eda1700: symbolic name: mail ==> 16 1968.100316527:7f2b4eda1700: symbolic name: none ==> 16 1968.100320157:7f2b4eda1700: symbolic name: authpriv ==> 80 1968.100323162:7f2b4eda1700: symbolic name: none ==> 16 1968.100326009:7f2b4eda1700: symbolic name: cron ==> 72 1968.100338830:7f2b4eda1700: file stream messages params: flush interval 0, async write 0 1968.100342285:7f2b4eda1700: tried selector action for builtin-file: 0 1968.100344873:7f2b4eda1700: Module builtin-file processed this config line. 
1968.100350149:7f2b4eda1700: template: 'RSYSLOG_TraditionalFileFormat' assigned 1968.100354033:7f2b4eda1700: action 2 queue: save on shutdown 1, max disk space allowed 0 1968.100357904:7f2b4eda1700: action 2 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 1968.100361117:7f2b4eda1700: Action 0x7f2b4f921f40: queue 0x7f2b4f922030 created 1968.100364965:7f2b4eda1700: cfline: 'authpriv.* /var/log/secure' 1968.100367557:7f2b4eda1700: selector line successfully processed 1968.100369985:7f2b4eda1700: - traditional PRI filter 1968.100372304:7f2b4eda1700: symbolic name: * ==> 255 1968.100375541:7f2b4eda1700: symbolic name: authpriv ==> 80 1968.100382141:7f2b4eda1700: file stream secure params: flush interval 0, async write 0 1968.100385187:7f2b4eda1700: tried selector action for builtin-file: 0 1968.100387576:7f2b4eda1700: Module builtin-file processed this config line. 1968.100390545:7f2b4eda1700: template: 'RSYSLOG_TraditionalFileFormat' assigned 1968.100393637:7f2b4eda1700: action 3 queue: save on shutdown 1, max disk space allowed 0 1968.100397187:7f2b4eda1700: action 3 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 1968.100405944:7f2b4eda1700: Action 0x7f2b4f922a30: queue 0x7f2b4f922b20 created 1968.100409473:7f2b4eda1700: cfline: 'mail.* -/var/log/maillog' 1968.100411956:7f2b4eda1700: selector line successfully processed 1968.100414263:7f2b4eda1700: - traditional PRI filter 1968.100416523:7f2b4eda1700: symbolic name: * ==> 255 1968.100419627:7f2b4eda1700: symbolic name: mail ==> 16 1968.100427617:7f2b4eda1700: file stream maillog params: flush interval 0, async write 0 1968.100430701:7f2b4eda1700: tried selector action for builtin-file: 0 1968.100433018:7f2b4eda1700: Module builtin-file processed this config line. 
Some questions (yes! I am digressing):
1)
    1014.836258644:7f6aec9cb700: Called LogError, msg: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
But I thought
    [root@scan ~]# cat /etc/sysconfig/rsyslog
    # Options for rsyslogd
    # Syslogd options are deprecated since rsyslog v3.
    # If you want to use them, switch to compatibility mode 2 by "-c 2"
    # See rsyslogd(8) for more details
    # SYSLOGD_OPTIONS="-c 5"
    SYSLOGD_OPTIONS="-c5"
    [root@scan ~]#
(I did try both) would do the trick.
2) Why do I see a lot of
    1968.098537275:7f2b4eda1700: entry point 'doHUP' not present in module
    1968.098539610:7f2b4eda1700: entry point 'beginTransaction' not present in module
    1968.098541881:7f2b4eda1700: entry point 'endTransaction' not present in module
    [...]
    1968.099047835:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module
messages?
3) I take it this is the part where I am loading relp:
    1968.099809022:7f2b4eda1700: cfline: '$ModLoad imrelp # provides RELP syslog reception'
    1968.099812244:7f2b4eda1700: Requested to load module 'imrelp'
    1968.099814913:7f2b4eda1700: loading module '/lib64/rsyslog/imrelp.so'
    1968.099895315:7f2b4eda1700: source file imrelp.c requested reference for module 'lmnet', reference count now 7
    1968.099901408:7f2b4eda1700: module of type 0 being loaded.
    1968.099903992:7f2b4eda1700: entry point 'isCompatibleWithFeature' not present in module
    1968.099907655:7f2b4eda1700: cfline: '$InputRELPServerRun 20514'
    1968.099911807:7f2b4eda1700: doGetWord: get newval '20514' (len 5), hdlr 0x7f2b4cd2ad30
    1968.099915983:7f2b4eda1700: ENGINE SetEnableCmd in syslog cmd state: 0
    1968.099918620:7f2b4eda1700: ENGINE SetEnableCmd out syslog cmd state: 3, iRet 0
    1968.099922360:7f2b4eda1700: relp server 0x7f2b4f91f580 constructed
    1968.099926327:7f2b4eda1700: creating relp tcp listen socket on port 20514
    1968.099972979:7f2b4eda1700: cfline: '$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat'
    1968.099978180:7f2b4eda1700: doGetWord: get newval 'RSYSLOG_TraditionalFileFormat' (len 29), hdlr (nil)
I do not see any error messages here. Am I looking at the wrong place?
4) Why does it not like immark? And why is this backward compatibility layer being added?
    1968.101221548:7f2b4eda1700: Requested to load module 'immark'
    1968.101224827:7f2b4eda1700: loading module '/lib64/rsyslog/immark.so'
    1968.101265964:7f2b4eda1700: module of type 0 being loaded.
    1968.101270679:7f2b4eda1700: Called LogError, msg: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
5) Is imuxsock loaded by default?
    1968.101293058:7f2b4eda1700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd:
    rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
    1968.101297470:7f2b4eda1700: Requested to load module 'imuxsock'
    1968.101300039:7f2b4eda1700: Module 'imuxsock' already loaded
--
rgds Stephen _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
 
            On Fri, Nov 01, 2013 at 05:32:53PM -0400, Mauricio Tavares wrote:
    1968.101297470:7f2b4eda1700: Requested to load module 'imuxsock'
    1968.101300039:7f2b4eda1700: Module 'imuxsock' already loaded
Well the good news is that the libraries are all good. There's no failure there. I think it's a compatibility issue causing a module to be loaded twice. Try running rsyslogd -n -N1 (without the "-d"). That might give you some more readable format data.
Hmm, do you have $ActionFileDefaultTemplate in your config twice?
Check also the /etc/rsyslogd.d/*.conf files (possibly /etc/rsyslog.d/remote-hosts.conf ) for issues.
 
            On Fri, Nov 1, 2013 at 5:42 PM, Stephen Harris lists@spuddy.org wrote:
On Fri, Nov 01, 2013 at 05:32:53PM -0400, Mauricio Tavares wrote:
    1968.101297470:7f2b4eda1700: Requested to load module 'imuxsock'
    1968.101300039:7f2b4eda1700: Module 'imuxsock' already loaded
Well the good news is that the libraries are all good. There's no failure there. I think it's a compatibility issue causing a module to be loaded twice. Try running rsyslogd -n -N1 (without the "-d"). That might give you some more readable format data.
And a much smaller output:
    [root@scan log]# rsyslogd -n -N1
    rsyslogd: version 5.8.10, config validation run (level 1), master config /etc/rsyslog.conf
    rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
    rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
    rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
    rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
    rsyslogd: End of config validation run. Bye.
    [root@scan log]#
Hmm, do you have $ActionFileDefaultTemplate in your config twice?
Don't think so:
    [root@scan log]# fgrep ActionFileDefaultTemplate /etc/rsyslog.conf
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    [root@scan log]#
Is it me or does it feel like there is another config file being read, which would explain duplicates? But if it is not /etc/rsyslog.* nor /etc/sysconfig/rsyslog, I do not know where it is.
Check also the /etc/rsyslogd.d/*.conf files (possibly /etc/rsyslog.d/remote-hosts.conf ) for issues.
I really have nobody else but rsyslog.conf here:
    [root@scan log]# ls -ld /etc/rsyslog.*
    -rw-r--r--. 1 root root 3276 Nov 3 23:54 /etc/rsyslog.conf
    drwxr-xr-x. 2 root root 4096 Oct 6 12:46 /etc/rsyslog.d
    You have mail in /var/spool/mail/root
    [root@scan log]#
Probably should split and create a few files in rsyslog.d but not today. ;)
 
            On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
I really have nobody else but rsyslog.conf here:
    [root@scan log]# ls -ld /etc/rsyslog.*
Don't use the "d" flag to "ls"; that'll stop it looking inside directories.
The debug output showed it reading a file from /etc/rsyslog.d/remote-hosts.conf
    1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
    1968.100012146:7f2b4eda1700: requested to include config file '/etc/rsyslog.d/remote-hosts.conf'
 
            On Mon, Nov 4, 2013 at 9:59 AM, Stephen Harris lists@spuddy.org wrote:
On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
I really have nobody else but rsyslog.conf here:
    [root@scan log]# ls -ld /etc/rsyslog.*
Don't use the "d" flag to "ls"; that'll stop it looking inside directories.
Sorry; I meant ls -lh
The debug output showed it reading a file from /etc/rsyslog.d/remote-hosts.conf
    1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
    1968.100012146:7f2b4eda1700: requested to include config file '/etc/rsyslog.d/remote-hosts.conf'
You are right. To add insult to injury I created that file (to grab the log files from a few other machines. Still need to make it nicer, but good enough to test):
    [root@scan log]# cat /etc/rsyslog.d/remote-hosts.conf
    # Log remote messages by date & hostname
    $template DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
    *.info;mail.none;authpriv.none;cron.none -?DailyPerHostLogs
    [root@scan log]#
 
            On Mon, Nov 4, 2013 at 5:08 PM, Mauricio Tavares raubvogel@gmail.com wrote:
Resurrecting this old thread of mine, I had time again to play with this. Still clueless but saw this in /var/log/audit/audit.log:
    9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
    type=SYSCALL msg=audit(1396031288.687:157483): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35df0 a2=10 a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
    type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind } for pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
    type=SYSCALL msg=audit(1396031288.687:157484): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
What is this
    denied { name_bind } for pid=9069 comm="rsyslogd" src=20514
trying to tell me? I know that syslog is only currently allowed by selinux to use 514 and 6514,
    [root@scan ~]# semanage port -l| grep syslog
    syslogd_port_t tcp 6514
    syslogd_port_t udp 514, 6514
    [root@scan ~]#
But I also thought that there would be a given port after which selinux did not care. Or something. Or it would be really hard to start sessions as a lame user connecting to other machines. ;)
Out of desperation, I tried
    [root@scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
    Killed
    [root@scan ~]#
 
            On 03/28/2014 03:19 PM, Mauricio Tavares wrote:
Out of desperation, I tried
    [root@scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
    Killed
    [root@scan ~]#
That was the correct thing to do. Not sure why it got killed?
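The `denied { name_bind }` record asked about above, decoded as an added example (not code from the thread or from any project it mentions): it joins the AVC record to its SYSCALL record by audit event id, reports the domain, port and port label involved, and produces the `semanage port -a` command only when the port is not already labelled. The function names are hypothetical, `syslogd_port_t` is taken from the thread's own command, and the IPv4/IPv6 guess from the `bind()` address length (`a2`) is an assumption of this example.

```python
import re

# Event 157484 from the thread's audit.log excerpt; SYSCALL record trimmed to the fields used.
AUDIT_LOG = '''type=AVC msg=audit(1396031288.687:157484): avc: denied { name_bind } for pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157484): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c pid=9069 comm="rsyslogd" exe="/sbin/rsyslogd"
'''
# `semanage port -l | grep syslog` output as shown in the thread.
PORT_LABELS = '''syslogd_port_t tcp 6514
syslogd_port_t udp 514, 6514
'''
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ADDR_FAMILY = {16: "IPv4", 28: "IPv6"}  # sizeof(sockaddr_in), sizeof(sockaddr_in6)

def labelled_ports(text, port_type, proto):
    """Ports that `semanage port -l` output assigns to port_type for proto."""
    ports = set()
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == port_type and fields[1] == proto:
            for item in fields[2].split(","):
                lo, _, hi = item.strip().partition("-")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def explain_name_bind(log, labels, port_type):
    """Explain each name_bind denial; give the labelling command if one is needed."""
    avcs, syscalls = {}, {}
    for line in log.splitlines():
        event = EVENT_RE.search(line)
        if not event:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rec.get("type") == "AVC" and re.search(r"denied\s+\{[^}]*\bname_bind\b", line):
            avcs[event.group(1)] = rec
        elif rec.get("type") == "SYSCALL":
            syscalls[event.group(1)] = rec
    findings = []
    for event, avc in avcs.items():
        sc = syscalls.get(event, {})
        proto, port = avc["tclass"].replace("_socket", ""), int(avc["src"])
        allowed = labelled_ports(labels, port_type, proto)
        findings.append({
            "event": event, "domain": avc["scontext"].split(":")[2],
            "port": port, "proto": proto, "port_label": avc["tcontext"].split(":")[2],
            # On x86_64 (arch c000003e) syscall 49 is bind(); exit -13 is EACCES.
            "bind_eacces": (sc.get("arch"), sc.get("syscall"), sc.get("exit")) == ("c000003e", "49", "-13"),
            "family": ADDR_FAMILY.get(int(sc.get("a2", "0"), 16), "unknown"),
            "already_labelled": sorted(allowed),
            "fix": None if port in allowed else
                   f"semanage port -a -t {port_type} -p {proto} {port}",
        })
    return findings

if __name__ == "__main__":
    for finding in explain_name_bind(AUDIT_LOG, PORT_LABELS, "syslogd_port_t"):
        print(finding)
```

On the thread's data this reports domain `syslogd_t` denied `bind()` on TCP port 20514, which carries the generic `port_t` label, and yields the same `semanage` command the poster ran.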




