Multiline log records in syslog
Alternatively, if you want to keep your syslog intact on one line for parsing, you can just replace the characters when viewing the log:
tail -f /var/log/syslog | sed 's/#012/\n\t/g'
Most probably it’s a file ownership problem. rsyslog starts running as root but then drops privileges and runs as user syslog (configuration directive $PrivDropToUser). syslog files (auth.log, daemon.log, etc.) initially are owned by syslog:adm but if you change ownership to root (as it seems from your file list) then no matter if you HUP (i.e., …
From Forwarding to More than One Server; What is important to know, however, is that the full set of directives make up an action. So you can not simply add (just) a second forwarding rule, but need to duplicate the rule configuration as well. Be careful that you use different queue file names for the …
I’ve not used if like that (or syslogtag) but I have used :<blah>,<condition> … (in particular :msg, contains,…) but try
:syslogtag, isequal, "giomanager:" /var/log/giomanager.log
& stop
The & stop (Or, & ~ in rsyslog v6 and older (Such as on RHEL6)) causes the matched message to be discarded after logging, otherwise it will be further …
You don’t tell logrotate which file to rotate on the command line. You pass it a configuration file. So in your case, logrotate is reading /var/log/syslog and trying to parse it as a config file and failing (hence your errors). If you want to rotate /var/log/syslog it needs to be listed in a logrotate config …
If you use a recent version of rsyslog (7 for example), you need to do & stop after your message. Failing to do so will give you warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
You have to specify the log in the frontend if you really want every request to be logged. But usually this is overkill for the server and your disk will be full in no time.
frontend webfront
    log /dev/log local0 debug
Very tricky. 🙂 And here is the trick answer: Notice the file in /etc/rsyslog.d. It says to log haproxy into /var/log/haproxy.log. But this will not take effect without restarting rsyslog:
service rsyslog restart
Googled this a bit more, and found this. In essence, it means to not synchronize the log file to disk every time there is a write, if synchronization behavior is on by default. It is stated that since v3 the default behavior is not sync, and it’s possible to change this by specifying "$ActionFileEnableSync on/off".
To answer your question, you first need to understand the different trade-offs of reload and copytruncate: reload: the old log file is renamed and the process writing into that log is notified (via Unix signal) to re-create its log file. This is the fastest / lower overhead method: rename/move operations are very fast and have …