Linux
Rsyslog 不記錄事件
我試圖建立一個系統日誌伺服器來接收來自網路設備的事件,但我似乎無法讓它真正將事件記錄到磁碟。我可以確認連接已成功建立,並且 rsyslogd 正在獲取事件,我只是無法弄清楚為什麼它沒有對它做任何事情。唯一被記錄的是 rsyslogd 本身的啟動。
下面的配置和調試輸出,這最初是從 rsyslog chef cookbook 生成的,但我添加了一些調整來修復它抱怨的超級棄用語法。
rsyslog.conf
:$MaxMessageSize 2k $PreserveFQDN off $ModLoad imuxsock $ModLoad imklog $ModLoad imtcp $InputTCPServerRun 514 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $RepeatedMsgReduction on $WorkDirectory /var/spool/rsyslog $FileOwner root $FileGroup root $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $IncludeConfig /etc/rsyslog.d/*.conf
rsyslog.d/*
:$DirGroup root $DirCreateMode 0755 $FileGroup root $template PerHostAuth,"/var/log/rsyslog/%HOSTNAME%/auth.log" $template PerHostCron,"/var/log/rsyslog/%HOSTNAME%/cron.log" $template PerHostSyslog,"/var/log/rsyslog/%HOSTNAME%/syslog" $template PerHostDaemon,"/var/log/rsyslog/%HOSTNAME%/daemon.log" $template PerHostKern,"/var/log/rsyslog/%HOSTNAME%/kern.log" $template PerHostLpr,"/var/log/rsyslog/%HOSTNAME%/lpr.log" $template PerHostUser,"/var/log/rsyslog/%HOSTNAME%/user.log" $template PerHostMail,"/var/log/rsyslog/%HOSTNAME%/mail.log" $template PerHostMailInfo,"/var/log/rsyslog/%HOSTNAME%/mail.info" $template PerHostMailWarn,"/var/log/rsyslog/%HOSTNAME%/mail.warn" $template PerHostMailErr,"/var/log/rsyslog/%HOSTNAME%/mail.err" $template PerHostNewsCrit,"/var/log/rsyslog/%HOSTNAME%/news.crit" $template PerHostNewsErr,"/var/log/rsyslog/%HOSTNAME%/news.err" $template PerHostNewsNotice,"/var/log/rsyslog/%HOSTNAME%/news.notice" $template PerHostDebug,"/var/log/rsyslog/%HOSTNAME%/debug" $template PerHostMessages,"/var/log/rsyslog/%HOSTNAME%/messages" auth,authpriv.* ?PerHostAuth *.*;auth,authpriv.none -?PerHostSyslog cron.* ?PerHostCron daemon.* -?PerHostDaemon kern.* -?PerHostKern lpr.* -?PerHostLpr mail.* -?PerHostMail user.* -?PerHostUser mail.info -?PerHostMailInfo mail.warn ?PerHostMailWarn mail.err ?PerHostMailErr news.crit ?PerHostNewsCrit news.err ?PerHostNewsErr news.notice -?PerHostNewsNotice *.=debug;\ auth,authpriv.none;\ news.none;mail.none -?PerHostDebug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -?PerHostMessages :fromhost-ip,!isequal,"127.0.0.1" stop *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log $SystemLogSocketName /run/systemd/journal/syslog
測試事件:
logger --server 127.0.0.1 --tcp --port 514 -p user.info test
strace -f
rsyslogd 接收事件,但什麼也不做:[pid 32310] accept(5, {sa_family=AF_INET, sin_port=htons(59755), sin_addr=inet_addr("127.0.0.1")}, [16]) = 11 [pid 32310] rt_sigprocmask(SIG_BLOCK, [HUP], ~[KILL STOP TTIN RTMIN RT_1], 8) = 0 [pid 32310] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 12 [pid 32310] fstat(12, {st_mode=S_IFREG|0644, st_size=451, ...}) = 0 [pid 32310] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb290d18000 [pid 32310] read(12, "#\n# This file is managed by Chef"..., 4096) = 451 [pid 32310] close(12) = 0 [pid 32310] munmap(0x7fb290d18000, 4096) = 0 [pid 32310] rt_sigprocmask(SIG_SETMASK, ~[KILL STOP TTIN RTMIN RT_1], NULL, 8) = 0 [pid 32310] fcntl(11, F_GETFL) = 0x2 (flags O_RDWR) [pid 32310] fcntl(11, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 32310] epoll_ctl(10, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=2147497424, u64=140404628403664}}) = 0 [pid 32310] epoll_wait(10, {{EPOLLIN, {u32=2147497424, u64=140404628403664}}}, 128, -1) = 1 [pid 32310] recvfrom(11, "<14>Jul 7 22:41:54 stack: test\0", 131072, MSG_DONTWAIT, NULL, NULL) = 32 [pid 32310] gettimeofday({1467931314, 137777}, NULL) = 0 [pid 32310] epoll_wait(10, {{EPOLLIN, {u32=2147497424, u64=140404628403664}}}, 128, -1) = 1 [pid 32310] recvfrom(11, "", 131072, MSG_DONTWAIT, NULL, NULL) = 0 [pid 32310] epoll_ctl(10, EPOLL_CTL_DEL, 11, {EPOLLIN, {u32=2147497424, u64=140404628403664}}) = 0 [pid 32310] close(11) = 0 [pid 32310] epoll_wait(10,
你知道問題是什麼嗎?
logger
.但是
logger
,嘗試格式化它通過網路發送的消息被破壞了。我無法理解這樣一個簡單的實用程序是如何被破壞的。
我浪費了一整天的時間來調試一個完全有效的配置。
這是一個沒有破壞並且不會浪費你生命的測試:
echo "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts." | nc 127.0.0.1 514
**編輯:**現在已經過了一天,我不再明顯不高興了,我回過頭來比較了發送的消息
logger
和上面我從RFC中提取的消息。logger生成的消息是:<14>Jul 8 16:39:08 user: test
這是非常可笑的錯誤。正確的等效消息是:
<14>1 2016-07-08T16:39:08.000000-07:00 syslog-01 myproc - - - user: test