MonitorWare Knowledge Base

[timeflux]

Hi all,

I have a problem with imfile. I searched the forum and Google too but didn't find anything.

What I'm trying to do is to log .bash_history logs for a few users including root. The rsyslog client appears to send the new commands to the server as soon as the user logs out at least within 10 seconds.

However, one or more of below happen randomly at the same time.

1) rsyslog sometimes doesn't send the new commands
2) rsyslog sometimes sends them but they are sent truncated for some reason. For example: command in .bash_history is "pink floyd", rsyslog sends "ink floyd". Command is "one beautiful command", rsyslog sends "l command". There seems to be an issue in strm.ReadLine(). Didn't check much.
3) rsyslog sometimes sends the entire .bash_history file over and over again whenever a user logs out, instead of sending just the new commands.

I'm running 5.4.0 rpm version (i rpm built with a custom spec file to mass deploy) on RHEL5.3 32 bit arch with below rsyslog.conf file on the client side:

# ---- rsyslog client config ----
$ModLoad imuxsock
$ModLoad imklog
$ModLoad immark
$ModLoad imfile

# work settings for spool files
$WorkDirectory /rsyslog # where to place spool files
$ActionQueueFileName .rsysLog # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1g space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

# -- begin .bash_history files
# root:
$InputFileName /root/.bash_history
$InputFileTag root_bash:
$InputFileStateFile root_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor

# user1:
$InputFileName /home/user1/.bash_history
$InputFileTag user1_bash:
$InputFileStateFile user1_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor

# user2:
$InputFileName /home/user2/.bash_history
$InputFileTag user1_bash:
$InputFileStateFile user2_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputRunFileMonitor

$InputFilePollInterval 10
# -- end .bash_history

# log local here

[ cut ]

# log to rsyslog server
*.info;authpriv.*;mail.none;cron.none @@server:port
-------------------

The rsyslog server logs whatever it receives and it doesn't receive the full command or it sometimes doesn't receive anything at all, which implies that this problem is definitely on the client side and within imfile.c or stream.c.

If there is another way to accomplish above, please let me know. Everything seems to be working perfectly except from .bash_history logs. By the way, if it makes any difference HISTSIZE is set to 1000 and the .bash_history files that are being monitored by rsyslog have 1000 lines. This means the bash history files will have 1000 lines at all times and to make room for the new entries, some entries will be removed from the top of the file automatically by bash to fix it to 1000 lines.

I also tried 4.6.0 but I had different problems there so I've been trying to work on 5.4.0 for quite some time.

Any help is greatly appreciated.

Murat

[rgerhards]

I think this simply does not work. imfile was written for regular log files. Regular log files are files that are appended to (they grow), but no data is being removed from them. The whole logic is keeping track of newly written data.

[timeflux]

I think this simply does not work. imfile was written for regular log files. Regular log files are files that are appended to (they grow), but no data is being removed from them. The whole logic is keeping track of newly written data.

Is there a way to make imfile module to "delete" the file right after it gets the data off of it?

If it deletes .bash_history file in this case right after getting the data and sending to the server, then it would be perfect because the file would be no more and next time a user logs in and out it would be regenerated and processed by rsyslog.

[rgerhards]

no, I am sorry. I do not see a solution with current code...

[timeflux]

no, I am sorry. I do not see a solution with current code...

No problem. I've modified the code (5.4.0) and now it deletes the log file after sending the logs to rsyslog server and also before deleting, it takes a local backup of it (with a unique dest filename), just in case.

$InputFileName /root/.bash_history
$InputFileTag root_bash:
$InputFileStateFile root_bash_log
$InputFileSeverity notice
$InputFileFacility user
$InputFileDeleteOnClose 1
$InputFileCopyDirectory /var/log/sessions
$InputRunFileMonitor

[the_new_guy]

Might I asked what you did to the code in order for it to delete the file after uploading them to the syslog server?