I am trying to get Rsyslog's imfile plugin working without any real success.
Here is useful OS version information:
# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)
And here is Rsyslog version information:
# rsyslogd -v
rsyslogd 7.4.7, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
See http://www.rsyslog.com for more information.
I tried both the legacy and the RainerScript format of the configuration. Neither of them works for me, sadly. I must be doing something completely wrong, but I simply cannot decide what it could be.
Here is my actual testing configuration (in RainerScript; the former legacy version I tested was exactly the same in its meaning):
# cat /etc/rsyslog.conf
global(
    workDirectory = "/tmp"
)
module(
    load = "imuxsock"
)
module(
    load = "imjournal"
    stateFile = "journal.state"
)
module(
    load = "imfile"
    pollingInterval = "10"
)
ruleset(name = "test-ruleset") {
    if $syslogtag contains "test-syslogtag" then {
        action(
            type = "omfile"
            file = "/tmp/test-file.log"
        )
        stop
    }
}
input(
    type = "imfile"
    tag = "test-syslogtag"
    stateFile = "test-input.state"
    facility = "daemon"
    severity = "debug"
    file = "/tmp/test-input.in"
    ruleset = "test-ruleset"
)
if prifilt("*.*") then {
    action(
        type = "omfile"
        file = "/tmp/rsyslog-testing.log"
    )
}
No warning or error is produced by Rsyslog with the above configuration, but nothing from the /tmp/test-input.in file is copied to /tmp/test-file.log either.
(I also double-checked /var/log/audit/audit.log, of course, and ... nothing suspicious is there. Being desperate about what's going on, I also tried setenforce 0 to switch SELinux off completely and restarted Rsyslog afterwards. It did not help, so the root cause of the problem may not be an SELinux-related issue.)
Also, the test-input.state file is correctly created in the global workDirectory path (/tmp in this testing case). I also tried standard paths (logs in /var/log, state file in /var/lib/rsyslog) and it does not work either, although all related files were created properly.
What's weird: I cannot see any change in the state file if I populate the input log file with some testing data, even after an Rsyslog restart using
# systemctl restart rsyslog
(it should update the state file by default).
Just to point out: the imjournal and imuxsock plugins work and populate the fallback log file /tmp/rsyslog-testing.log correctly. Also, manually running Rsyslog in the foreground with the -D and/or -d options did not help me much to clarify why the imfile plugin does not work for me in this particular configuration.
So, could you please imfile plugin configuration on EL7?
Thank you very much.
--
mjf
With a few minor changes it finally started to work properly. I think the main root cause of the problem in my case must have been my testing it in the /tmp directory, where Rsyslog does not seem to work properly for some reason on CentOS 7.
(Might it be that /tmp is populated by the File System Namespace, even despite the fact that the Systemd option PrivateTmp is not set to true in the Rsyslog unit file and this option should be set to false by default according to the Systemd manual page? This is highly improbable, but I haven't managed to dig further into it yet. If I find it out, I will update this answer.)
The other minor cause might have been an incorrect filter written in RainerScript (my real testing instance contained a horrible typo I simply overlooked). So here is the resulting testing configuration that works like a charm for me.
# cat /etc/rsyslog.conf
global(
    workDirectory = "/var/lib/rsyslog"
)
module(
    load = "imuxsock"
)
module(
    load = "imjournal"
    stateFile = "journal.state"
)
module(
    load = "imfile"
    pollingInterval = "10"
)
ruleset(name = "test-ruleset") {
    if $programname == "test-syslogtag" then {
        action(
            type = "omfile"
            file = "/var/log/test-file.log"
        )
        stop
    }
}
input(
    type = "imfile"
    tag = "test-syslogtag:"
    stateFile = "test-input.state"
    facility = "daemon"
    severity = "debug"
    file = "/var/log/test-input.in"
    ruleset = "test-ruleset"
)
if prifilt("*.*") then {
    action(
        type = "omfile"
        file = "/var/log/rsyslog-testing.log"
    )
}
A little hint for those not knowing it - the $syslogtag and the $programname seem to be close relatives: $syslogtag := $programname ":".
You can easily find out all the $ prefixed variables you can match against by using the RSYSLOG_DebugFormat output template, which is already compiled in.
I hope it helps.
--
mjf
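The $syslogtag / $programname relation from the hint above, and how the question's `contains` filter differs from the answer's `==` filter, as an added Python sketch (not part of the original posts and not rsyslog code). The rule for where programname ends and every sample tag except the two taken from the configurations are assumptions.

```python
"""Simplified model of $syslogtag vs. $programname (added illustration, not rsyslog code)."""

# Assumption: programname is the leading "static" part of the tag, ending at the
# first ':', '[', '/' or non-printable character (the BSD syslogd convention,
# e.g. tag "named[12345]:" gives programname "named").
TERMINATORS = frozenset(":[/")


def programname(syslogtag: str) -> str:
    """Return the static prefix of a syslog tag under the assumption above."""
    for i, ch in enumerate(syslogtag):
        if ch in TERMINATORS or not (32 <= ord(ch) < 127):
            return syslogtag[:i]
    return syslogtag


def contains_filter(syslogtag: str, needle: str) -> bool:
    """Model of: if $syslogtag contains "<needle>" then ..."""
    return needle in syslogtag


def programname_filter(syslogtag: str, name: str) -> bool:
    """Model of: if $programname == "<name>" then ..."""
    return programname(syslogtag) == name


def compare(tags, name="test-syslogtag"):
    """Map each tag to (contains-filter result, programname-filter result)."""
    return {t: (contains_filter(t, name), programname_filter(t, name)) for t in tags}


# Constructed sample tags; only the first two appear in the configurations above.
SAMPLE_TAGS = [
    "test-syslogtag",         # imfile tag from the question
    "test-syslogtag:",        # imfile tag from the answer
    "test-syslogtag[4242]:",  # same program with a PID suffix
    "my-test-syslogtag-2:",   # different program whose tag embeds the string
    "other:",                 # unrelated program
]

if __name__ == "__main__":
    for tag, (by_contains, by_name) in compare(SAMPLE_TAGS).items():
        print(f"{tag!r:26} programname={programname(tag)!r:22} "
              f"contains={by_contains!s:5} programname=={by_name}")
```

Under this model the substring filter also selects the tag that merely embeds the string, while the equality filter on programname selects only the exact program name, with or without a trailing colon or PID.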