All Questions
122 questions
0
votes
1
answer
191
views
rsyslog variable from mmnormalize as part of omfile filename
I have a log line that looks like this:
May 20 10:25:42 192.168.20.100 Timestamp="2024-05-20 10:25:42",LogId="535666280",NodeId="192.168.1.100",Facility="Packet ...
5
votes
1
answer
954
views
/var/log/auth.log stops recording authentication errors
As the title says, /var/log/auth.log stops recording authentication errors. It all began with me accidentally deleting it. Then I created it using touch command and changed the owner:group to syslog:...
0
votes
1
answer
70
views
function log2syslog in kali linux 2023.4
Can you please help me with this? I'm trying to log the bash commands. In CentOS or another Linux OS it works, but it does not work in Kali Linux. I have created shell file with name log2syslog.sh in /...
0
votes
1
answer
89
views
vpnc does not log anything to rsyslog
I am using vpnc-connect and vpnc-disconnect (from package vpnc) on Debian 12.
when I start vpnc-connect it just prints message:
VPNC started in background (pid: 2345)
But other than that, the whole ...
0
votes
1
answer
306
views
Split logging on rsyslogd
My goal is to send all logs to one source remote and still log local but then send all the AuditD logs to its own source on port 20002. But for some reason, my auditd logs are still ending up with my ...
0
votes
0
answers
583
views
Where is Rsyslog programname set?
I am using AWS Elasticbeanstalk to run my java web application. In EC2 node under /etc/rsyslog.d/web.conf
if $programname == 'web' then {
*.=warning;*.=err;*.=crit;*.=alert;*.=emerg /var/log/web....
0
votes
1
answer
2k
views
Debian 11 - audit logs appearing in /var/log/auth
I'm on a Debian 11 server and my audit logs are going into /var/log/audit/audit.log as well as in /var/log/auth.log. They are filling up my auth.log and they really should not be going there. Below ...
0
votes
1
answer
685
views
Do kernel messages go through syslogd or journald?
I'm using Debian. Debian ships with rsyslogd for its syslogd. It also ships journald. Does the kernel log to rsyslogd first, or journald?
I want to filter one of the messages out of the logs which is ...
1
vote
1
answer
1k
views
Avoid duplicating syslog messages into /var/log/messages and /var/log/syslog
I'm using the following rsyslog configuration file to redirect logs of a program to a specific file.
# Name of the program
set $.program_name = "myapp";
# Path to the log file
set $....
0
votes
1
answer
436
views
How Do Logs Get From "Kernel Ring Buffer" to "/proc/kmgs" and "/dev/kmsg"?
I cannot get any reliable information about how kernel logs get from Kernel Ring Buffer to /proc/kmgs and /dev/kmsg. Is there any source I could have possibly missed or does perhaps anyone know ...
0
votes
1
answer
120
views
Journald and Sources of Log Messages
I would like to know what process is meant to write Timestamps (and other parts of Log messages) in Syslog protocol.
In other words, is it Syslog that sets timestamp of log message (exact time of ...
1
vote
0
answers
218
views
klogd, dmesg and syslog(2)
I got quite confused reading manual pages of klogd, dmesg and syslog(2). I would like to understand how the message produced by the kernel gets to /var/log/file.
First thing I would like to get to ...
0
votes
0
answers
870
views
Rsyslog is not installed after successfully executing "sudo make install" using source file
I need mmaudit plugin for converting system audit logs into JSON formatted logs. But mmaudit is not available with standard versions. so I decided to work with source files from GitHub. I followed ...
1
vote
1
answer
5k
views
Access denied for rsyslog
Good Morning,
I am trying to sends Zeek logs to another host on my local network with rsyslog.
So far I have a configuration file in /etc/rsyslog.d which looks like this :
module(load="imfile&...
0
votes
0
answers
66
views
Update service log at each print
I have a couple of Python scripts running as services, which periodically (for instance, every minute) print something.
By checking the system logs, I noticed that these periodic prints are someway ...
2
votes
0
answers
803
views
/dev/log: Connection refused after boot, but only on one system
I have two systems running NVIDIA jetpack 5.0.2, based on Ubuntu 20.04. /etc and /boot are identical on both systems. On the first system, after boot, if I try to run logger I get an error /dev/log: ...
0
votes
1
answer
368
views
Forwarding historic (old) syslog to syslog server
We can forward syslogs to syslog server by making the below entry in syslog.conf/rsyslog.conf
*.*<space/tab>@<syslog_server_name>:<port_no>
However, this only sends new syslogs, ...
2
votes
1
answer
441
views
Generating fake old log messages e.g. six months old ( fake timestamp ) for syslog RFC5424
Good day;
I need to test my log management stack's database query performance and in order to do so, I need to generate bulks of log messages that seem to be six months old and send them to rsyslogd.
...
1
vote
1
answer
401
views
Can't find cron config file
I have CentOS 7 and am trying to access a configuration file that looks a little something like this:
# Cron configuration options
# For quick reference, the currently available log levels are:
# 0 ...
0
votes
1
answer
1k
views
How to stop cron logs from getting sent to syslog?
I posted this question in the Superuser community but maybe this forum is better suited to my question:
I'm sending logs to a syslog server, but cron logs there are taking up more space than they ...
2
votes
0
answers
104
views
Write logs to specific file in linux
I have logs coming from my stormshield firewall to my debian server looking like this :
92.168.2.253 → 12.12.4.58 Syslog 758 USER.WARNING: 1 2021-12-22T10:45:38+01:00 FW-STORMSHIELD asqd - - - \357\...
2
votes
2
answers
10k
views
Almalinux 8.5 - Log Files (secure, messages, cron, etc) are not populating / blank?
Running Almalinux 8.5, rsyslog version 8.2102.0-5.el8. A few weeks ago all my system logs (secure, messages, cron...) began to show 0 byte values. Turns out they are not receiving messages from the ...
7
votes
4
answers
10k
views
cron: send error messages to file, when no MTA is installed
I get this message when there is an error in my crontab:
cron: No MTA installed, discarding output
I don't want to install a MTA on my system, but I also don't want to miss these error messages.
...
1
vote
1
answer
3k
views
Rsyslog - Change Default Log Directory(/var/log) for multiple clients
I have 2 Clients connected to my rsyslog server.
I want to change the default log directory for each client.
So client A writes to /var/log/ClientA and client B writes to /var/log/clientB.
I am ...
0
votes
0
answers
552
views
Getting rsyslog to fwd to Splunk from Ubuntu 20.04
So I've got an Ubuntu 20.04 LTS server setup with Haproxy and I'm trying to fwd log info to Splunk Cloud.
I have the Haproxy.cfg with a Global entry:
log 127.0.0.1 local4
And I've got an entry in /...
0
votes
1
answer
1k
views
In syslog or rsyslog, are ring buffer, queue of message, and write buffer the same?
Are the ring buffer, the queue of messages, and the write buffer the same?
If not, how do ring buffer, queue and write buffer work together in syslogd or rsyslogd?
Most implementations of syslogd ...
1
vote
0
answers
740
views
Rsyslog - send logs to remote server
I'm trying to send service log files to a centralized Rsyslog server.
On the Syslog server, I have a simple configuration
$template DailyPerHostLogs,"/var/log/syslog/%$DAY%/%Fromhost-ip%/%...
2
votes
2
answers
3k
views
How to configure rsyslogd to emit rfc5424 messages?
I want to configure my Linux machine using rsyslogd with the simplest yet standard way. I'll save all the logs to /var/log/syslog with rotation.
From my research it looks like the standard syslog ...
0
votes
1
answer
594
views
Missing syslog entries for OpenSSH
I would like to save the log for OpenSSH client. The manual says that I can use
ssh -y example.com
to turn on logging. Configuration manual says that the default Syslog facility is user; I didn't ...
1
vote
0
answers
1k
views
Error message starting rsyslog after configuring system logging without journald on RHEL 7
I followed this procedure from Red Hat website https://access.redhat.com/articles/4058681 to configuring system logging without journald but after reboot rsyslog failed to start.
edit the /etc/...
1
vote
0
answers
260
views
rsyslog is creating empty directories
I have the following rsyslog configurations.
SYSLOG MASTER(centos 7.x):
[root@SYSLOGMASTER ~]# egrep -i "UDP|TCP|template" /etc/rsyslog.conf -A3
# Provides UDP syslog reception
$ModLoad ...
3
votes
3
answers
2k
views
how are early logs logged in rsyslog, when rsyslog is not yet running?
I am using rsyslog on Debian Buster.
I am using old-style sysvinit, not systemd. rsyslog is started late in the init startup sequence, after most init scripts have run.
The dmesg messages during boot ...
2
votes
2
answers
1k
views
Is rsyslog a mandatory requirement in Linux with journald?
Note that this question is mainly about the openSUSE distro, but a general answer will also be appreciated.
Since journald can be used to do all the logging work (when forwardtosyslog option is ...
3
votes
0
answers
2k
views
Replacing rsyslog with journald for a more modern approach of logging
I'm looking for a more modern way of keeping logs on my Linux servers. Rsyslog still strongly relies on logrotate to keep logs maintainable and space occupation by logs to a minimum, which is not a ...
0
votes
1
answer
1k
views
Is UDP data lost when executing kill -HUP on rsyslog?
I am very new to rsyslog and I am going through the documentation as well as seeing examples of what other people have done with their configuration and a question came to mind when the topic of log ...
4
votes
0
answers
7k
views
Journald to rsyslog forwarding confusion
I do not really understand the forwarding from Journald to Rsyslog.
Basically I understood it in the way that the 'pipeline' is built up as follows:
Kernel logs through printk() → /proc/kmesg ← ...
0
votes
1
answer
298
views
Rsyslog not saving logs from another servers into custom directories
I am receiving logs on UDP 514 from another server and I have configured rsyslog.conf to save the logs to another custom directory but I am unable to do so. I confirmed through tcpdump logs are getting ...
2
votes
1
answer
399
views
Prevent rsyslog messages from repeating in different priority levels
[Running Linux Mint 19.3]
I'm trying to work with individual rsyslog priority levels, separating out the messages like this (from /etc/rsyslog.d/50-default.conf):
*.info /var/...
2
votes
0
answers
3k
views
What happens to rsyslog queue files after they have been processed?
I am working on a machine (ubuntu 18.04) that generates logs at times when it's not connected to a network. I have configured rsyslog to forward some of these logs to an aggregator service (fluentd) ...
0
votes
1
answer
3k
views
Haproxy seems to not send logs to 127.0.0.1:514 despite configuration
Edit: the actual problem ended up being either the local0 vs local2 distinction and the rsyslog end of deal.
I'm building a kubernetes / openshift cluster, and in front of that, I need to set up a L4 ...
0
votes
2
answers
2k
views
Using rsyslog, is it possible to have ruleset within an action, within a ruleset?
The question might be confusing...
What I have:
*.local1 call rule1
I have a ruleset rule1, that has two actions, a1 and a2. a2 is only executed if a1 fails, something like
ruleset(name="rule1"){...
1
vote
1
answer
5k
views
Redirecting information from syslog to separate file
I want to log all incoming TCP connections to my Ubuntu 18.04.3 system. That works fine and is not the problem, just as an intro. I am using this command in crontab for this:
@reboot /sbin/iptables -...
1
vote
0
answers
612
views
How to know why a service was restarted by systemd?
I have a host running rsyslog which uses imuxsock to accept messages from journald. However, during boot, after rsyslog is started, it is restarted (stopped and started) again by systemd. I need to ...
2
votes
2
answers
2k
views
rsyslog filter severity not working
I have following Rsyslog config to send logs to remote servers. Problem is it's sending lots of INFO mesg to remote server and I don't want that noise. I am trying to configure filter so it send all ...
1
vote
2
answers
976
views
How to get rid of number suffix in rsyslog's own 'programname' and 'syslogtag' property
I'm forwarding logs from local rsyslogs to central rsyslog and then to Elasticsearch. Everything works fine, but entries with severity error generated by rsyslog itself have property programname like ...
3
votes
1
answer
12k
views
rsyslog configuration without restart
I have a problem with logging.
With my configuration below, I have to perform rsyslog restart if I want to have my application log file in /var/log. Also, I have to restart rsyslog in case of log ...
1
vote
1
answer
3k
views
How do I forward particular logs under a directory using rsyslog?
Trying to forward following logs from /home/ddlog/ms/logs/execution_logs/_abc-xyz-ms_* to VMware vRealize Log Insight using rsyslog. For some reason that does not seem to be working.
I have tried ...
0
votes
0
answers
93
views
how to update the log message about failure of service
I configured the service - calc_mem.service
as the following
Restart=on-failure
RestartSec=5
StartLimitInterval=400
StartLimitBurst=3
the configuration above should do the following
the service ...
0
votes
1
answer
3k
views
How to keep kern.log out of syslog
I'm working on Ubuntu 16.04.3 and I found that I could get the log of kernel from two places: /var/log/kern.log and /var/log/syslog. /var/log/syslog contains other logs but I could find /var/log/kern....
1
vote
0
answers
510
views
why messages logs are zero
we have linux machine:
more /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
all message files under /var/log are ZERO
how it could be ?
what is wrong here ?
-rw-------. 1 ...