我试图站起来一个系统日志服务器接收来自一个networking设备的事件,但我似乎无法得到它实际login事件到磁盘。 我可以确认连接正在成功,rsyslogd正在获取事件,我只是不知道为什么它没有做任何事情。 唯一被logging的是rsyslogd本身的启动。
configuration和debugging输出如下,这最初是从rsyslog厨师食谱生成的,但我添加了一些调整,以解决它所抱怨的超级弃用的语法。
rsyslog.conf :
$MaxMessageSize 2k $PreserveFQDN off $ModLoad imuxsock $ModLoad imklog $ModLoad imtcp $InputTCPServerRun 514 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $RepeatedMsgReduction on $WorkDirectory /var/spool/rsyslog $FileOwner root $FileGroup root $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $IncludeConfig /etc/rsyslog.d/*.conf
rsyslog.d/* :
$DirGroup root $DirCreateMode 0755 $FileGroup root $template PerHostAuth,"/var/log/rsyslog/%HOSTNAME%/auth.log" $template PerHostCron,"/var/log/rsyslog/%HOSTNAME%/cron.log" $template PerHostSyslog,"/var/log/rsyslog/%HOSTNAME%/syslog" $template PerHostDaemon,"/var/log/rsyslog/%HOSTNAME%/daemon.log" $template PerHostKern,"/var/log/rsyslog/%HOSTNAME%/kern.log" $template PerHostLpr,"/var/log/rsyslog/%HOSTNAME%/lpr.log" $template PerHostUser,"/var/log/rsyslog/%HOSTNAME%/user.log" $template PerHostMail,"/var/log/rsyslog/%HOSTNAME%/mail.log" $template PerHostMailInfo,"/var/log/rsyslog/%HOSTNAME%/mail.info" $template PerHostMailWarn,"/var/log/rsyslog/%HOSTNAME%/mail.warn" $template PerHostMailErr,"/var/log/rsyslog/%HOSTNAME%/mail.err" $template PerHostNewsCrit,"/var/log/rsyslog/%HOSTNAME%/news.crit" $template PerHostNewsErr,"/var/log/rsyslog/%HOSTNAME%/news.err" $template PerHostNewsNotice,"/var/log/rsyslog/%HOSTNAME%/news.notice" $template PerHostDebug,"/var/log/rsyslog/%HOSTNAME%/debug" $template PerHostMessages,"/var/log/rsyslog/%HOSTNAME%/messages" auth,authpriv.* ?PerHostAuth *.*;auth,authpriv.none -?PerHostSyslog cron.* ?PerHostCron daemon.* -?PerHostDaemon kern.* -?PerHostKern lpr.* -?PerHostLpr mail.* -?PerHostMail user.* -?PerHostUser mail.info -?PerHostMailInfo mail.warn ?PerHostMailWarn mail.err ?PerHostMailErr news.crit ?PerHostNewsCrit news.err ?PerHostNewsErr news.notice -?PerHostNewsNotice *.=debug;\ auth,authpriv.none;\ news.none;mail.none -?PerHostDebug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -?PerHostMessages :fromhost-ip,!isequal,"127.0.0.1" stop *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log $SystemLogSocketName /run/systemd/journal/syslog
testing事件:
logger --server 127.0.0.1 --tcp --port 514 -p user.info test
rsyslogd的strace -f接收事件,但什么都不做:
[pid 32310] accept(5, {sa_family=AF_INET, sin_port=htons(59755), sin_addr=inet_addr("127.0.0.1")}, [16]) = 11 [pid 32310] rt_sigprocmask(SIG_BLOCK, [HUP], ~[KILL STOP TTIN RTMIN RT_1], 8) = 0 [pid 32310] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 12 [pid 32310] fstat(12, {st_mode=S_IFREG|0644, st_size=451, ...}) = 0 [pid 32310] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb290d18000 [pid 32310] read(12, "#\n# This file is managed by Chef"..., 4096) = 451 [pid 32310] close(12) = 0 [pid 32310] munmap(0x7fb290d18000, 4096) = 0 [pid 32310] rt_sigprocmask(SIG_SETMASK, ~[KILL STOP TTIN RTMIN RT_1], NULL, 8) = 0 [pid 32310] fcntl(11, F_GETFL) = 0x2 (flags O_RDWR) [pid 32310] fcntl(11, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 32310] epoll_ctl(10, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=2147497424, u64=140404628403664}}) = 0 [pid 32310] epoll_wait(10, {{EPOLLIN, {u32=2147497424, u64=140404628403664}}}, 128, -1) = 1 [pid 32310] recvfrom(11, "<14>Jul 7 22:41:54 stack: test\0", 131072, MSG_DONTWAIT, NULL, NULL) = 32 [pid 32310] gettimeofday({1467931314, 137777}, NULL) = 0 [pid 32310] epoll_wait(10, {{EPOLLIN, {u32=2147497424, u64=140404628403664}}}, 128, -1) = 1 [pid 32310] recvfrom(11, "", 131072, MSG_DONTWAIT, NULL, NULL) = 0 [pid 32310] epoll_ctl(10, EPOLL_CTL_DEL, 11, {EPOLLIN, {u32=2147497424, u64=140404628403664}}) = 0 [pid 32310] close(11) = 0 [pid 32310] epoll_wait(10,
你知道问题是什么? logger 。
然而, logger试图格式化通过networking发送的消息。
我无法理解这样一个简单的效用如何被打破。
我浪费了整整一天的时间,试图debugging一个完美有效的configuration 。
这是一个没有损坏的testing,不会浪费你的生命:
echo "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts." | nc 127.0.0.1 514
编辑:现在这一天过去了,我不再显然不高兴了,我已经回去了,比较了logger发送的消息和上面从RFC中拉出的消息。 logging器生成的消息是:
<14>Jul 8 16:39:08 user: test
这是只是搞笑的错误。 适当的,等同的信息将是:
<14>1 2016-07-08T16:39:08.000000-07:00 syslog-01 myproc - - - user: test