syslog message not being forwarded to central log server


Postby Cyr » Thu Jun 29, 2017 12:30 pm

Hi,

I've a strange issue here:

I've configured rsyslog to forward messages of facility local7 to both a central server and a local file:

Code:
local7.* /var/log/apache2/error.log
local7.* @10.8.0.35:10514


And, when I use the command "logger -p local7.info test3", I can see the message being written to the local file and being sent to the central server:

tcpdump (content removed. Only timestamp can be used):

Code:
12:02:56.943711 IP webserver.39822 > central-log.10514: UDP, length 45   (local7 facility)
12:03:18.093553 IP webserver.41143 > central-log.10514: UDP, length 167 (user facility)

local file for local7 facility:

Code:
Jun 29 12:02:56 xxxxxxxxxxx: test3 (this message is seen with tcpdump)
[Thu Jun 29 12:03:17 2017] xxxxxxx: Smartmatch is experimental at xxxxxxxxxxxxxxx. (this message is not seen with tcpdump)


local file for user facility:

Code:
Jun 29 12:03:18 xxxxxx xxxxxxxxx[8746]: [Notice]xxxxxxxxxxxxxx (this is the second message shown in tcpdump hereabove)


However, when I configure apache2 to use local7 syslog facility for its error log (ErrorLog syslog:local7), I can only see these logs being written to the local file.

I've run rsyslogd with the -N3 and -N1 options to make sure my configuration files are ok.

I'm wondering if something in apache's error log format doesn't make rsyslog ignore them for forwarding. So, I've enabled rsyslog's debug and have obtained log lines for the user facility message (which is correctly written to a local file and forwarded to the central server) and the log lines for the local7 facility message (which is, incorrectly, only written to the local file). Can someone make any sense of these log lines?

log lines for the user facility message:

Code:
4654.894921531:7f6b1cc2b700: scriptExec: batch of 1 elements, active (nil), active[0]:1
4654.894937174:7f6b1cc2b700:     PRIFILT 'user.*'
4654.894985262:7f6b1cc2b700:     pmask:  X FF  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X
4654.895431656:7f6b1cc2b700: batch: item 0 PRIFILT 1
4654.895445006:7f6b1cc2b700: scriptExec: batch of 1 elements, active 0x7f6b180008e0, active[0]:1
4654.895456896:7f6b1cc2b700:     ACTION 0x1933130 [builtin:omfwd:@10.8.0.35:10514]
4654.895482293:7f6b1cc2b700: RRRR: execAct [builtin:omfwd]: batch of 1 elements, active 0x7f6b180008e0
4654.895495390:7f6b1cc2b700: Called action(NotAllMark), processing batch[0] via 'builtin:omfwd'
4654.895507407:7f6b1cc2b700: Called action(Batch), logging to builtin:omfwd
4654.895523067:7f6b1cc2b700: submitBatch: enter, nElem 1
4654.895535377:7f6b1cc2b700: tryDoAction 0x1933130, pnElem 1, nElem 1
4654.895546894:7f6b1cc2b700: omfwd: beginTransaction
4654.895558531:7f6b1cc2b700: Action 0x1933130 transitioned to state: itx
4654.895570094:7f6b1cc2b700: entering actionCalldoAction(), state: itx
4654.895582104:7f6b1cc2b700:  10.8.0.35:10514/udp
4654.895823798:7f6b1cc2b700: Action 0x1933130 transitioned to state: rdy
4654.895846598:7f6b1cc2b700: action 0x1933130 call returned 0


log lines for the local7 facility message:

Code:
4654.896508625:7f6b1cc2b700: scriptExec: batch of 1 elements, active (nil), active[0]:1
4654.896520209:7f6b1cc2b700:     PRIFILT 'local7.*'
4654.896556953:7f6b1cc2b700:     pmask:  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X FF  X  X
4654.896889748:7f6b1cc2b700: batch: item 0 PRIFILT 0
4654.896902191:7f6b1cc2b700: scriptExec: batch of 1 elements, active 0x7f6b180008e0, active[0]:0
4654.896913939:7f6b1cc2b700:     ACTION 0x1946790 [builtin:omfwd:@10.8.0.35:10514]
4654.896939115:7f6b1cc2b700: RRRR: execAct [builtin:omfwd]: batch of 1 elements, active 0x7f6b180008e0
4654.896951345:7f6b1cc2b700: Called action(Batch), logging to builtin:omfwd
4654.896963879:7f6b1cc2b700: submitBatch: enter, nElem 1
4654.896975380:7f6b1cc2b700: tryDoAction 0x1946790, pnElem 1, nElem 1
4654.897116358:7f6b1cc2b700: ruleset.ProcessMsg() returns 0
4654.897132235:7f6b1cc2b700: regular consumer finished, iret=0, szlog 0 sz phys 1
4654.897146115:7f6b1cc2b700: DeleteProcessedBatch: we deleted 1 objects and enqueued 0 objects
4654.897158612:7f6b1cc2b700: doDeleteBatch: delete batch from store, new sizes: log 0, phys 0


Best regards,

Cyrille
Cyr
New
 
Posts: 2
Joined: Thu Jun 29, 2017 11:35 am
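
An added example, not part of the original posts: a small Python parser that reduces rsyslog debug output like the two traces above to one line per PRIFILT rule, showing whether the filter matched and whether the forwarding action actually returned. The function names `summarize` and `silent_drops` are hypothetical, and the line patterns are assumed from the debug lines quoted in the post; other rsyslog versions may print them differently.

```python
import re

# Abridged from the rsyslog debug output quoted in the post above.
SAMPLE = """\
4654.894937174:7f6b1cc2b700:     PRIFILT 'user.*'
4654.895431656:7f6b1cc2b700: batch: item 0 PRIFILT 1
4654.895456896:7f6b1cc2b700:     ACTION 0x1933130 [builtin:omfwd:@10.8.0.35:10514]
4654.895546894:7f6b1cc2b700: omfwd: beginTransaction
4654.895846598:7f6b1cc2b700: action 0x1933130 call returned 0
4654.896520209:7f6b1cc2b700:     PRIFILT 'local7.*'
4654.896889748:7f6b1cc2b700: batch: item 0 PRIFILT 0
4654.896913939:7f6b1cc2b700:     ACTION 0x1946790 [builtin:omfwd:@10.8.0.35:10514]
4654.896975380:7f6b1cc2b700: tryDoAction 0x1946790, pnElem 1, nElem 1
4654.897116358:7f6b1cc2b700: ruleset.ProcessMsg() returns 0
"""

PREFIX = re.compile(r"^\d+\.\d+:[0-9a-f]+:\s*")  # "timestamp:thread-id:" prefix
FILTER = re.compile(r"^PRIFILT '([^']+)'")
RESULT = re.compile(r"^batch: item \d+ PRIFILT ([01])")
ACTION = re.compile(r"^ACTION (0x[0-9a-f]+) \[([^\]]+)\]")
RETURNED = re.compile(r"^action (0x[0-9a-f]+) call returned -?\d+")

def summarize(debug_text):
    """Return one dict per PRIFILT rule: filter, matched, action, executed."""
    rules, current = [], None
    for raw in debug_text.splitlines():
        line = PREFIX.sub("", raw)
        if m := FILTER.match(line):
            current = {"filter": m.group(1), "matched": None,
                       "action": None, "action_id": None, "executed": False}
            rules.append(current)
        elif current is None:
            continue  # lines before the first filter belong to no rule
        elif m := RESULT.match(line):
            current["matched"] = m.group(1) == "1"
        elif m := ACTION.match(line):
            current["action_id"], current["action"] = m.group(1), m.group(2)
        elif (m := RETURNED.match(line)) and m.group(1) == current["action_id"]:
            current["executed"] = True  # the action was called and returned
    return rules

def silent_drops(rules):
    """Filters that did not match the message, so their action never ran."""
    return [r["filter"] for r in rules if r["matched"] is False and not r["executed"]]

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["filter"], "matched" if r["matched"] else "no match",
              "->", r["action"], "ran" if r["executed"] else "not run")
```
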

Re: syslog message not being forwarded to central log server

Postby dlang » Thu Jun 29, 2017 12:39 pm

use the template RSYSLOG_DebugFormat and look in there for the apache error logs.

That will show you what is actually being written and how it's parsed. Once you have an example of one of the logs that isn't being handled the way you expect it to be, we can then look at your config and figure out why not.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: syslog message not being forwarded to central log server

Postby Cyr » Thu Jun 29, 2017 2:17 pm

dlang wrote: use the template RSYSLOG_DebugFormat and look in there for the apache error logs.

That will show you what is actually being written and how it's parsed. Once you have an example of one of the logs that isn't being handled the way you expect it to be, we can then look at your config and figure out why not.


Ho, thanks for this info about the DebugFormat template. I didn't know about it.

And, it helped me discover that the problem was in apache eventually. It seems my apache 2.4 doesn't support the "ErrorLog syslog" directive: replacing it by "ErrorLog "|/usr/bin/logger -t apache2 -i -p local7.err"" solved the issue.

Thanks for the help dlang,

Cyrille
Cyr
New
 
Posts: 2
Joined: Thu Jun 29, 2017 11:35 am
