MonitorWare Knowledge Base

I have v1.12.3 installed and mostly configured but I'm not seeing the files being created or anything logged since I added the templates. When I was logging everything to the defaults I could see both local and remotely generated messages. I now see the messages hit the daemon in -d mode, but there are no files created and I don't understand "logging to USERS". I'm also a little confused about %HOSTNAME% vs. %FROMHOST%.



rsyslog.conf



#####
#
#rsyslogd config file for
#myserver
#
#####


#
#Global Directives
#


$AllowedSender UDP, 127.0.0.1, 10.0.0.0/8
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/8


#
#Templates
#


$template Dynauth,"/var/log/%FROMHOST%/auth.log"
auth,authpriv.* ?Dynauth

$template Dynsys,"/var/log/%FROMHOST%/syslog"
*.*;auth,authpriv,cron,mail,local0.none -?Dynsys

$template Dyncron,"/var/log/%FROMHOST%/cron.log"
cron.* ?Dyncron

$template Dynacisco,"/var/log/%FROMHOST%/cisco.log"
local7.* ?Dynacisco

$template Dyndaemon,"/var/log/%FROMHOST%/daemon.log"
daemon.* -?Dyndaemon

$template Dynkern,"/var/log/%FROMHOST%/kern.log"
kern.* -?Dynkern

$template Dynlpr,"/var/log/%FROMHOST%/lpr.log"
lpr.* -?Dynlpr

$template Dynmail,"/var/log/%FROMHOST%/mail/mail.log"
mail.* -?Dynmail

$template Dynuser,"/var/log/%FROMHOST%/user.log"
user.* -?Dynuser

$template Dynuucp,"/var/log/%FROMHOST%/uucp.log"
uucp.* ?Dynuucp

$template Dynmailinfo,"/var/log/%FROMHOST%/mail/mail.info"
mail.info -?Dynmailinfo

$template Dynmailwarn,"/var/log/%FROMHOST%/mail/mail.warn"
mail.warn -?Dynmailwarn

$template Dynmailerr,"/var/log/%FROMHOST%/mail/mail.err"
mail.err ?Dynmailerr



debug output



Allowed UDP Senders:
127.0.0.1/32
10.0.0.0/8

Allowed TCP Senders:
127.0.0.1/32
10.0.0.0/8
-1208039744: logmsg: syslog.info<46>, flags 4, from '', msg [origin software="rsyslogd" swVersion="1.12.3" x-pid="4052"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="Yes" tcpPort="514"] restart
-1208039744: Message has legacy syslog format.
-1208039744: No TAG in message, assuming that HOSTNAME is missing.
-1208039744: enqueueMsg: not yet running on multiple threads
-1208039744: Called fprintlog, logging to USERS
-1208039744: restarted.
-1208039744: Debugging enabled, SIGUSR1 to turn off debugging.
-1208039744: Worker thread started with state 0.
-1208039744: Listening on syslog UDP port.
-1208039744: Listening on syslog TCP port.
-1208039744: ----------------------------------------
Calling select, active file descriptors (max 5): 3 4 5
-1208042576: singleWorker: queue EMPTY, waiting for next message.
-1208039744: Select interrupted.
-1208039744: Listening on syslog UDP port.
-1208039744: Listening on syslog TCP port.
-1208039744: ----------------------------------------
Calling select, active file descriptors (max 5): 3 4 5
-1208039744: Select interrupted.
-1208039744: Listening on syslog UDP port.
-1208039744: Listening on syslog TCP port.
-1208039744: ----------------------------------------
Calling select, active file descriptors (max 5): 3 4 5
-1208039744:
Successful select, descriptor count = 1, Activity on: 5
-1208039744: Message from UDP inetd socket: #5, host: 10.128.48.8
-1208039744: Host name for your address (10.128.48. unknown.
-1208039744: Message length: 118, File descriptor: 5.
-1208039744: logmsg: local7.notice<189>, flags 2, from '10.128.48.8', msg 174: .Dec 28 13:33:27: %LINK-5-CHANGED: Interface GigabitEthernet1/0/10, changed state to administratively down
-1208039744: Message has legacy syslog format.
-1208039744: HOSTNAME contains invalid characters, assuming it to be a TAG.
-1208039744: EnqueueMsg signaled condition (0)
-1208039744: Listening on syslog UDP port.
-1208039744: Listening on syslog TCP port.
-1208039744: ----------------------------------------
Calling select, active file descriptors (max 5): 3 4 5
-1208039744:
Successful select, descriptor count = 1, Activity on: 5
-1208039744: Message from UDP inetd socket: #5, host: 10.128.48.8
-1208042576: Lone worker is running...
-1208042576: Called fprintlog, logging to USERS
-1208042576: Called fprintlog, logging to USERS
-1208042576: singleWorker: queue EMPTY, waiting for next message.
-1208039744: Host name for your address (10.128.48. unknown.
-1208039744: Message length: 94, File descriptor: 5.
-1208039744: logmsg: local7.notice<189>, flags 2, from '10.128.48.8', msg 175: .Dec 28 13:33:27: %SYS-5-CONFIG_I: Configured from console by vty0 (10.128.20.250)
-1208039744: Message has legacy syslog format.
-1208039744: HOSTNAME contains invalid characters, assuming it to be a TAG.
-1208039744: EnqueueMsg signaled condition (0)
-1208039744: Listening on syslog UDP port.
-1208039744: Listening on syslog TCP port.
-1208039744: ----------------------------------------
Calling select, active file descriptors (max 5): 3 4 5
-1208042576: Lone worker is running...
-1208042576: Called fprintlog, logging to USERS
-1208042576: Called fprintlog, logging to USERS
-1208042576: singleWorker: queue EMPTY, waiting for next message.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Hi,

before we go any further, please upgrade to the latest release - 1.12.3 is pretty old. Retry with 1.21.1 and let us know the results.

Rainer

I had a second look at what you posted. As it seems, that version does not support dynafiles. That's the problem.

Ok, that would explain it. I've just upgraded to 1.21.1 and I'm testing now. For some reason my install gets borked when I use the -n option on startup. It hangs the whole boot process.

Great, it's working as expected. Now I just have to start tweaking. I still don't understand why all of your docs say to use -n, but for me it hangs on start.

-n avoids auto-backgrounding. If that is good for you depends on your system and the way rsyslogd is integrated in the startup process. For most distros, I guess, it is NOT a good thing to have it. Where does the doc specifically recommend it? I'd appreciate a pointer to that.

-n should be used when you run rsyslogd interactively (most often in debug mode -d), because then you can control it from the terminal you started it on.

Rainer

All I did was read the man page while I was having problems and saw this. I had seen -n enough times in the forum so I interpreted it as being (almost) necessary for proper operation. What you just said though, seems exactly the opposite.

-n Avoid auto-backgrounding. This is needed especially if the
rsyslogd is started and controlled by init(8).