Open dolphinscorp opened 1 year ago
why do you think that the logs should not go multiple places? nothing in the partial config that you posted says not to (what is the facility you use for the apache logs? that's not in this config)
also, the action queue you define does nothing if this is the full config.
please confirm that these are your full configs.
David Lang
On Sun, 20 Nov 2022, dolphinscorp wrote:
Date: Sun, 20 Nov 2022 04:18:59 -0800
From: dolphinscorp
Subject: [rsyslog/rsyslog] Rsyslog Client Duplicating apache logs (Issue 5030)
Expected behavior
Rsyslog Client should simply send apache2 access.log messages to rsyslog server. Rsyslog client should not duplicate the message in syslog too.
Actual behavior
Apache logs at client side should not be printed in syslog. When rsyslog client passes logs to rsyslog server, rsyslog client also writes same log messages to /var/log/syslog.
Rsyslog client configuration
/etc/rsyslog.d/logs.conf
```
# Shipping Apache Logs
$InputFileName /var/log/apache2/access.log
$InputFileTag apache2_access
$InputFileStateFile apache2_access1
$InputFileSeverity info
$InputRunFileMonitor
```
/etc/apache2/rsyslog.conf
```
###############
#### RULES ####
###############

#
# First some standard log files. Log by facility.
#
auth,authpriv.*           /var/log/auth.log
*.*;auth,authpriv.none    -/var/log/syslog
auth,authpriv.none        -/var/log/syslog
cron.*                    /var/log/cron.log
daemon.*                  -/var/log/daemon.log
kern.*                    -/var/log/kern.log
lpr.*                     -/var/log/lpr.log
mail.*                    -/var/log/mail.log
user.*                    -/var/log/user.log

# Syslog Server
*.* @195.15.222.112:514

# If the Syslog Server Will be Down
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
```
Hi
Thank you so much for the reply
Please check my configuration from following link
https://www.swisstransfer.com/d/b9b8185c-274d-4ae7-a268-4ad34144493d
This is remote client side configuration. logs.conf is in /etc/rsyslog.d/
I just want the client that sends https logs and other application logs to write only to /var/log/apache2/access.log locally and send them to the rsyslog server. I don't want the client machine to write them to syslog as well. That is consuming extra disk space.
Kindly let me know what rule I should add to prevent the client machine from writing application logs (apache etc.) to syslog.
Thank you
I don't see writing to `/var/log/apache2/access.log` at all in that config. But I see you reading it. Looks like `*.* @rsyslogserverIP:51`, together with other messages. If so, we can change rsyslog.conf to a different order: move forwarding above file writes, do a drop-style filter before writing to other files.
Is that the intent?
Side-note: the part after "if the syslog server will be down" does not do anything. I guess the intent was actually to place it in front of the send action, so that it applies to forwarding. That doesn't work either, because you use UDP, where we can't detect delivery errors.
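The reordering suggested in the reply above, written out as an added example (not part of the original thread and not the project's own config). It assumes the imfile tag `apache2_access` from the posted logs.conf, a placeholder server address 192.0.2.10, a server that accepts TCP on port 514, and a global work directory for the queue files:

```conf
# Constructed example for the client's rsyslog.conf rules section.
# Assumptions (not from the thread): target 192.0.2.10 is a placeholder,
# the server listens on TCP/514, and a global workDirectory is set so
# the queue spool file has somewhere to live.
module(load="imfile")

input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="apache2_access"
      Severity="info")

# 1. Forward first, so every message (Apache included) reaches the server.
#    Queue parameters sit on the action they belong to. With TCP a failed
#    delivery is detected, so the disk-assisted queue buffers messages
#    while the server is down. With UDP ("@host") it would never fill.
action(type="omfwd"
       target="192.0.2.10" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_queue"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# 2. Drop-style filter: discard the Apache lines read by imfile before
#    any of the local file rules below can write them.
if $syslogtag == 'apache2_access' then stop

# 3. Local file rules, unchanged from the posted config.
auth,authpriv.*           /var/log/auth.log
*.*;auth,authpriv.none    -/var/log/syslog
cron.*                    /var/log/cron.log
daemon.*                  -/var/log/daemon.log
kern.*                    -/var/log/kern.log
lpr.*                     -/var/log/lpr.log
mail.*                    -/var/log/mail.log
user.*                    -/var/log/user.log
```

The syntax can be checked before restarting the service with `rsyslogd -N1`.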
Hi thanks
I have changed rsyslog.d/logs.conf as below to export apache logs to the rsyslog server. Now the logs are not going into syslog; they are just exported to rsyslog and are received as expected.
```
module(load="imfile" PollingInterval="10")

ruleset(name="ApacheLogs") {
    action(
        type="omfwd"
        target="Rsyslog Server IP"
        port="514"
        protocol="udp"
        queue.SpoolDirectory="/var/spool/rsyslog"
        queue.FileName="remote"
        queue.MaxDiskSpace="1g"
        queue.SaveOnShutdown="on"
        queue.Type="LinkedList"
        ResendLastMSGOnReconnect="on"
    )
    stop
}

input(type="imfile" ruleset="ApacheLogs" Tag="apache2" File="/var/log/apache2/*.log")
```
Now at the rsyslog client I am receiving this error. Is it ignorable?
Nov 24 00:00:12 rsyslogd: imfile: internal error? inotify provided watch descriptor 23 which we could not find in our tables - ignored [v8.2102.0 try https://www.rsyslog.com/e/2175 ]
You can ignore it. I think newer versions no longer emit that message (or something actually got fixed, my memory is not very strong on that case). In any case, it is not harmful if you do not get spammed by the message and miss logs.
Expected behavior
Rsyslog Client should simply send apache2 access.log messages to rsyslog server. Rsyslog client should not duplicate the message in syslog too.
Actual behavior
Apache logs at client side should not be printed in syslog. When rsyslog client passes logs to rsyslog server, rsyslog client also writes same log messages to /var/log/syslog.
Rsyslog client configuration
/etc/rsyslog.d/logs.conf
```
# Shipping Apache Logs
$InputFileName /var/log/apache2/access.log
$InputFileTag apache2_access
$InputFileStateFile apache2_access1
$InputFileSeverity info
$InputRunFileMonitor
```
/etc/apache2/rsyslog.conf
```
###############
#### RULES ####
###############
auth,authpriv.*           /var/log/auth.log
*.*;auth,authpriv.none    -/var/log/syslog
auth,authpriv.none        -/var/log/syslog
cron.*                    /var/log/cron.log
daemon.*                  -/var/log/daemon.log
kern.*                    -/var/log/kern.log
lpr.*                     -/var/log/lpr.log
mail.*                    -/var/log/mail.log
user.*                    -/var/log/user.log

*.* @rsyslog_server_IP

# If the Syslog Server Will be Down
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
```