
Mailing List Archive: RSyslog: users

Simplistic testing

 

 



Gerrard.Geldenhuis at worldpay

Jul 17, 2012, 6:34 AM

Post #1 of 3 (243 views)
Simplistic testing

Hi
I was doing some very simplistic testing (lazy testing is probably
more accurate). I need to send logs to a remote black box device to
which I have no access. In order to see if remote logging would work I
ran nc -l 514 on a temporary box and sure enough I could see the log
messages being sent. It even works grandly with the -u flag in nc to test
over UDP.

Next I wanted to test local caching in case of a downed black box. A
down server in my testing case would be the lack of nc listening on tcp
514. I then created a few log messages which I could see being logged
locally. I then expected these same log messages to appear when I
started nc but that did not happen. Instead if I continue creating log
events I see the new log events but not the ones that I expected to be
cached locally.

Versions: Red Hat 5.8 box which comes with rsyslog-3.22.1-7.el5

My relevant /etc/rsyslog.conf:
# Default values
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ModLoad imklog
$ModLoad imuxsock

# From the web howto:
$WorkDirectory /var/lib/rsyslog         # Default location for spool files
$ActionQueueType LinkedList             # Use asynchronous processing
$ActionQueueFileName remoteservercache  # Sets cache file name and enables disk mode
$ActionResumeRetryCount -1              # infinite retries on insert failure
$ActionQueueSaveOnShutdown on           # Save in-memory data if rsyslog shuts down

kern.* @@logserver:514
& /var/log/kernel.log

Possibly the rsyslog daemon can't write to /var/lib/rsyslog. Where would
that failure be logged? I created the directory and gave it 755
permissions and it is owned by root:root.

So two questions: Would my assumptions about how nc would receive logs
be correct and if so what else would be causing the failure of local
caching?


Regards

Gerrard Geldenhuis | IT Operations |WorldPay
M +44 772 448 7979
gerrard.geldenhuis [at] worldpay
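
An added example, not part of the original thread and not rsyslog project code: in legacy-format configs the $Action* directives apply only to the next action and then reset to defaults, so this hypothetical check_fwd_queue helper flags forwarding actions that would not get the disk-assisted queue settings from the howto quoted above. The sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a legacy-format rsyslog.conf:
# $Action* directives apply only to the NEXT action and then reset, so a
# forwarding action (@host / @@host) is spooled to disk only if the queue
# directives sit directly before it and $WorkDirectory is set.
check_fwd_queue() {
    awk '
    function reset() { qtype = "direct"; qfile = ""; retry = "0" }
    BEGIN { reset(); workdir = ""; bad = 0 }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); d = tolower($1) }
    $0 == ""                       { next }
    d == "$workdirectory"          { workdir = $2; next }
    d == "$actionqueuetype"        { qtype = tolower($2); next }
    d == "$actionqueuefilename"    { qfile = $2; next }
    d == "$actionresumeretrycount" { retry = $2; next }
    /^\$/                          { next }   # other directives are ignored
    {   # any other line is "selector action" or "& action"
        if ($NF ~ /^@/) {
            why = ""
            if (qtype == "direct") why = why " no-queue"
            if (qfile == "")       why = why " no-spool-file"
            if (workdir == "")     why = why " no-workdir"
            if (retry != "-1")     why = why " finite-retry"
            if (why == "") print "OK " $NF
            else { print "WARN " $NF ":" why; bad = 1 }
        }
        reset()
    }
    END { exit bad }' "$1"
}

# Constructed sample: same directives as the thread, but a file action sits
# between the queue settings and the forwarder, so the queue binds to the file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName remoteservercache
$ActionResumeRetryCount -1
kern.* /var/log/kernel.log
& @@logserver:514
EOF
# Prints: WARN @@logserver:514: no-queue no-spool-file finite-retry
check_fwd_queue "$demo_conf" || true
rm -f "$demo_conf"
```

The function exits non-zero when any forwarding action is flagged, so it can gate a config deployment.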


david at lang

Jul 17, 2012, 11:14 AM

Post #2 of 3 (235 views)
Re: Simplistic testing [In reply to]

On Tue, 17 Jul 2012, Gerrard Geldenhuis wrote:

> Hi
> I was doing some very simplistic testing (lazy testing is probably
> more accurate). I need to send logs to a remote black box device to
> which I have no access. In order to see if remote logging would work I
> ran nc -l 514 on a temporary box and sure enough I could see the log
> messages being sent. It even works grandly with the -u flag in nc to test
> over UDP.
>
> Next I wanted to test local caching in case of a downed black box. A
> down server in my testing case would be the lack of nc listening on tcp
> 514. I then created a few log messages which I could see being logged
> locally. I then expected these same log messages to appear when I
> started nc but that did not happen. Instead if I continue creating log
> events I see the new log events but not the ones that I expected to be
> cached locally.
>
> Versions: Red Hat 5.8 box which comes with rsyslog-3.22.1-7.el5

first off, 3.22 is ancient, even 4.x is old enough to have dropped off of
support. you really should upgrade to at least 5.x if not 6.x or see if
Red Hat will support you on such an old version.

> My relevant /etc/rsyslog.conf:
> # Default values
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $ModLoad imklog
> $ModLoad imuxsock
>
> # From the web howto:
> $WorkDirectory /var/lib/rsyslog         # Default location for spool files
> $ActionQueueType LinkedList             # Use asynchronous processing
> $ActionQueueFileName remoteservercache  # Sets cache file name and enables disk mode
> $ActionResumeRetryCount -1              # infinite retries on insert failure
> $ActionQueueSaveOnShutdown on           # Save in-memory data if rsyslog shuts down
>
> kern.* @@logserver:514
> & /var/log/kernel.log
>
> Possibly the rsyslog daemon can't write to /var/lib/rsyslog. Where would
> that failure be logged?

start rsyslog with the debug flag and look at the output, any permission
errors should show up at startup (or at the very least, when the first
messages are logged)

> I created the directory and gave it 755
> permissions and it is owned root:root

this may or may not be right depending on your config (since you didn't
give us your entire config we can't be sure)

> So two questions: Would my assumptions about how nc would receive logs
> be correct and if so what else would be causing the failure of local
> caching?

This is an area of rsyslog that has been modified and improved
significantly since the 3.x days. That may be part of your problem.

David Lang


Gerrard.Geldenhuis at worldpay

Jul 18, 2012, 2:13 AM

Post #3 of 3 (239 views)
Re: Simplistic testing [In reply to]

> > Versions: Red Hat 5.8 box which comes with rsyslog-3.22.1-7.el5
>
> first off, 3.22 is ancient, even 4.x is old enough to have
> dropped off of support. you really should upgrade to at least
> 5.x if not 6.x or see if Red Hat will support you on such an
> old version.

Agreed, I would really like it if Red Hat could be a bit more current
with regards to packages it uses. Any convenient link to the latest RPM?

>
> > My relevant /etc/rsyslog.conf:
> > # Default values
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > $ModLoad imklog
> > $ModLoad imuxsock
> >
> > # From the web howto:
> > $WorkDirectory /var/lib/rsyslog         # Default location for spool files
> > $ActionQueueType LinkedList             # Use asynchronous processing
> > $ActionQueueFileName remoteservercache  # Sets cache file name and enables disk mode
> > $ActionResumeRetryCount -1              # infinite retries on insert failure
> > $ActionQueueSaveOnShutdown on           # Save in-memory data if rsyslog shuts down
> >
> > kern.* @@logserver:514
> > & /var/log/kernel.log
> >
> > Possibly the rsyslog daemon can't write to /var/lib/rsyslog. Where
> > would that failure be logged?
>
> start rsyslog with the debug flag and look at the output, any
> permission errors should show up at startup (or at the very
> least, when the first messages are logged)
>
> > I created the directory and gave it 755 permissions and it is owned
> > root:root
>
> this may or may not be right depending on your config (since
> you didn't give us your entire config we can't be sure)

I did not think a listing of the rest of the logs that I log would be
relevant but here you are:

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler

>
> > So two questions: Would my assumptions about how nc would receive logs
> > be correct and if so what else would be causing the failure of local
> > caching?
>
> This is an area of rsyslog that has been modified and
> improved significantly since the 3.x days. That may be part
> of your problem.
>

Probably... a link to latest and greatest packaged versions deb/rpm on
the website would be very useful to help poor souls like me use later
versions and ask questions about bugs that have been fixed.

Regards
