NLS setup-linux.sh and rsyslogd 5.10.1
-
travishnag1
- Posts: 10
- Joined: Mon Dec 12, 2016 9:51 pm
NLS setup-linux.sh and rsyslogd 5.10.1
Hello Nagios Log Server General Support,
I am evaluating Nagios Log Server 1.4.3 (nagioslogserver-1.4.3-64.ova). I have a test SUSE version 11.4.16 host (linux-fh9x) with rsyslogd 5.10.1 that I want to send application log entries to Nagios Log Server (NLS). I run the following commands with the results below.
1) linux-fh9x:~ # curl -s -O http://192.168.1.105/nagioslogserver/sc ... p-linux.sh
2) linux-fh9x:~ # sudo bash setup-linux.sh -s 192.168.1.105 -p 5544 -f "/test2/testlog2.txt" -t TEST_LOG2
Your system $PATH does not include /sbin and /usr/sbin. This could be the result of installing GNOME rather than creating a clean system.
Adding /sbin and /usr/sbin to $PATH.
Found syslog-ng 2.0.9
Detected rsyslog 5.10.1
Detected rsyslog work directory /var/spool/rsyslog
Destination Log Server: 192.168.1.105:5544
Processing /test2/testlog2.txt file...
Creating /etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf...
getenforce command not found, assuming SELinux is disabled.
It hangs here. 1 hour later it is still stuck. I ctrl+c and see the file /etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf has been created. But log entries in "/test2/testlog2.txt" do not show up in NLS.
linux-fh9x:~ # netstat -ano | grep 5544
tcp 0 0 192.168.150.162:45329 192.168.1.105:5544 ESTABLISHED off (0.00/0/0)
linux-fh9x:~ # ps -A | grep rsyslogd
34538 ? 00:00:00 rsyslogd
linux-fh9x:~ # rsyslogd -N1
rsyslogd: version 5.10.1, config validation run (level 1), master config /etc/rsyslog.conf
Hangs here too.
I have tested the same NLS setup commands on SUSE 12 SP2, Ubuntu 16 and CentOS 7 and the commands complete successfully. Log entries in "/test2/testlog2.txt" on SUSE 12 SP2, Ubuntu 16 and CentOS 7 show up in NLS. These systems have rsyslogd 8.x.
I have compared the /etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf files on SUSE 11 with those on SUSE 12 SP2, Ubuntu 16 and CentOS 7 but see no differences.
I have built another SUSE 11 SP4 VM and have the same results.
Are there NLS setup-linux.sh issues with the "Linux Files Setup" options, SUSE 11 SP4 and rsyslogd 5.10.1?
Please let me know what additional information I can provide.
Thank you.
Re: NLS setup-linux.sh and rsyslogd 5.10.1
The default rsyslog configuration used on SUSE 12 is....odd. I can only assume SUSE 11 has the same quirks.
On my SUSE 12 system, the default configuration file loaded is not including the extra configurations that NLS tries to add (via setup-linux.sh). Can you share the contents of the following files:
Code: Select all
/etc/init.d/syslog
/etc/rsyslog.conf
/etc/rsyslog.early.conf
And the output of:
Code: Select all
/etc/init.d/syslog restart
/etc/init.d/syslog status
Former Nagios employee
https://www.mcapra.com/
-
travishnag1
- Posts: 10
- Joined: Mon Dec 12, 2016 9:51 pm
Re: NLS setup-linux.sh and rsyslogd 5.10.1
output below and attached.
Code: Select all
linux-fh9x:~ # cat /etc/init.d/syslog
#! /bin/sh
#
# Copyright (c) 1996-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002-2003 SuSE Linux AG, Nuernberg, Germany.
# Copyright (c) 2004-2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# Author: Florian La Roche <[email protected]>, 1996
# Werner Fink <[email protected]>, 1998-2008
# Stephan Kulow <[email protected]>, 2005-2008
# Marius Tomaschewski <[email protected]>, 2001-2008
#
# /etc/init.d/syslog
#
### BEGIN INIT INFO
# Provides: syslog
# Required-Start:
# Should-Start: earlysyslog network
# Required-Stop:
# Should-Stop: earlysyslog network
# Default-Start: 2 3 5
# Default-Stop:
# Description: Start the system logging daemons
### END INIT INFO
. /etc/sysconfig/syslog
BINDIR=/sbin
# update $SYSLOG_DAEMON if not up-to-date
test -n "$SYSLOG_DAEMON" && \
test -x "${BINDIR}/$SYSLOG_DAEMON" || {
for SYSLOG_DAEMON in rsyslogd syslog-ng syslogd ; do
test -x "${BINDIR}/$SYSLOG_DAEMON" && break
done
}
# set daemon dependent variables
rsocks=""
start_klogd=yes
case "$SYSLOG_DAEMON" in
rsyslogd)
syslog=rsyslogd
mkdir -p -m 0750 /var/run/rsyslog
if test "$2" = "early" ; then
config=/etc/rsyslog.early.conf
else
config=/etc/rsyslog.conf
fi
compat=${RSYSLOGD_COMPAT_VERSION:-${RSYSLOGD_NATIVE_VERSION}}
params="-c ${compat:-3} -f $config $RSYSLOGD_PARAMS"
rsocks="/var/run/rsyslog/additional-log-sockets.conf"
test -r "$config" && \
while read one two rest ; do
test "x$one" = 'x$ModLoad' && \
test "x$two" = 'ximklog.so' && {
start_klogd=no
break
}
done < $config
;;
syslog-ng)
syslog=syslog-ng
config=/etc/syslog-ng/syslog-ng.conf
params="$SYSLOG_NG_PARAMS"
;;
*)
syslog=syslogd
config=/etc/syslog.conf
params="$SYSLOGD_PARAMS"
;;
esac
syslog_pid="/var/run/${syslog}.pid"
syslog_bin=${BINDIR}/$syslog
klog_bin=${BINDIR}/klogd
syslog_use=""
# check config and programs
test -s ${config} || {
echo "${config} does not exist" 1>&2
test "$1" == "stop" && exit 0
exit 6
}
test -x ${syslog_bin} || {
echo "${syslog_bin} is not installed" 1>&2
test "$1" == "stop" && exit 0
exit 5
}
test -x ${klog_bin} || {
echo "${klog_bin} is not installed" 1>&2
test "$1" == "stop" && exit 0
exit 5
}
test -s /var/lock/subsys/syslogd && {
read -t 5 syslog_use < /var/lock/subsys/syslogd
}
test -z "$syslog_use" && syslog_use=${syslog_bin}
syslog_use_pid="/var/run/${syslog_use##*\/}.pid"
#
# Do not translate symbol addresses for 2.6 kernel
#
case "$(uname -r)" in
[01].*|2.[0-4].*) ;;
*) case "$KLOGD_PARAMS" in
*-x*) ;;
*) KLOGD_PARAMS="${KLOGD_PARAMS:+$KLOGD_PARAMS }-x" ;;
esac ;;
esac
. /etc/rc.status
if test "$2" = early && rc_readonlyroot ; then
echo "Disabling early syslog on read-only root filesystem."
exit 0
fi
rc_reset
case "$1" in
start)
if test -e /var/lock/subsys/earlysyslog ; then
# Syslog service already done
rm -f /var/lock/subsys/earlysyslog
case "$SYSLOG_DAEMON" in
rsyslogd) ;; # switch to normal config
*) exit 0 ;;
esac
elif test "$2" = "early" ; then
# Start syslog service early
> /var/lock/subsys/earlysyslog
fi
if ! test -e /dev/xconsole ; then
mknod -m 0600 /dev/xconsole p
chown root:tty /dev/xconsole
fi
killproc -p /var/run/klogd.pid ${klog_bin}
if test -s ${syslog_use_pid} ; then
killproc -p ${syslog_use_pid} ${syslog_use}
echo -n "Re-"
rm -f /var/lock/subsys/syslogd
fi
echo -n "Starting syslog services"
test -z "$KERNEL_LOGLEVEL" && KERNEL_LOGLEVEL=1
case $syslog in
(rsyslogd)
if [ "x$rsocks" != x ] ; then
rm -f "$rsocks"
touch "$rsocks"
fi
;;
esac
# add additional sockets to params or similar
for variable in ${!SYSLOGD_ADDITIONAL_SOCKET*}; do
eval value=\$$variable
test -n "${value}" && test -d ${value%/*} && {
case $syslog in
rsyslogd)
if [ "x$rsocks" != x ] ; then
echo "\$AddUnixListenSocket $value" >> "$rsocks"
fi
;;
*)
params="$params -a $value"
;;
esac
}
done
startproc -p ${syslog_pid} ${syslog_bin} ${params}
rc_status
# Remember the currently used syslog daemon
echo ${syslog_bin} > /var/lock/subsys/syslogd
if test $? -eq 0 ; then
if test "$start_klogd" = yes ; then
startproc ${klog_bin} -c $KERNEL_LOGLEVEL $KLOGD_PARAMS
rc_status
fi
fi
rc_status -v
;;
stop)
rm -f /var/lock/subsys/earlysyslog
test "$2" = "early" && exit 0
echo -n "Shutting down syslog services"
if test "$start_klogd" = yes ; then
killproc -TERM ${klog_bin} ; rc_status
else
killproc -TERM ${klog_bin}
fi
killproc -p ${syslog_use_pid} -TERM ${syslog_use} ; rc_status -v
rm -f /var/lock/subsys/syslogd
;;
try-restart|condrestart)
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} instead${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
$0 start
rc_status
;;
reload|force-reload)
echo -n "Reload syslog service"
if test "$start_klogd" = yes ; then
killproc -TSTP ${klog_bin} ; rc_status
killproc -p ${syslog_use_pid} -HUP ${syslog_use} ; rc_status
killproc -CONT ${klog_bin} ; rc_status
killproc -USR2 ${klog_bin} ; rc_status -v
else
killproc -p ${syslog_use_pid} -HUP ${syslog_use} ; rc_status -v
fi
;;
status)
echo -n "Checking for service syslog:"
if test "$start_klogd" = yes ; then
checkproc ${klog_bin} ; rc_status
fi
checkproc -p ${syslog_use_pid} ${syslog_use} ; rc_status -v
;;
probe)
# Note: rsyslog does not re-read its config while reload
if test "${syslog_use_pid}" != "${syslog_pid}" -o \
"$syslog" = "rsyslogd" ; then
echo restart
else
test ${config} -nt ${syslog_pid} && echo reload
fi
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
linux-fh9x:~ # cat /etc/rsyslog.conf
##
## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
## (provided in separate rsyslog-module-* packages) are enabled, the
## configuration can't be used on a system with /usr on a remote
## filesystem.
## [The modules are linked against libraries installed bellow of /usr
## thus also installed in /usr/lib*/rsyslog because of this.]
##
## You can change it by adding network-remotefs to the Required-Start
## and Required-Stop LSB init tags in the /etc/init.d/syslog script.
##
#
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# and report them at http://bugzilla.novell.com/
#
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
$ModLoad immark.so # provides --MARK-- message capability (every 1 hour)
$MarkMessagePeriod 3600
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
# reduce dupplicate log messages (last message repeated n times)
$RepeatedMsgReduction on
$ModLoad imklog.so # kernel logging (may be also provided by /sbin/klogd),
# see also http://www.rsyslog.com/doc-imklog.html.
$klogConsoleLogLevel 1 # set log level 1 (same as in /etc/sysconfig/syslog).
#
# Use traditional log format by default. To change it for a single
# file, append ";RSYSLOG_TraditionalFileFormat" to the filename.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Include config generated by /etc/init.d/syslog script
# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the
# /etc/sysconfig/syslog file.
#
$IncludeConfig /var/run/rsyslog/additional-log-sockets.conf
#
# Include config files, that the admin provided? :
#
$IncludeConfig /etc/rsyslog.d/*.conf
###
# print most important on tty10 and on the xconsole pipe
#
if ( \
/* kernel up to warning except of firewall */ \
($syslogfacility-text == 'kern') and \
($syslogseverity <= 4 /* warning */ ) and not \
($msg contains 'IN=' and $msg contains 'OUT=') \
) or ( \
/* up to errors except of facility authpriv */ \
($syslogseverity <= 3 /* errors */ ) and not \
($syslogfacility-text == 'authpriv') \
) \
then /dev/tty10
& |/dev/xconsole
# Emergency messages to everyone logged on (wall)
*.emerg :omusrmsg:*
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert root
#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') \
then -/var/log/firewall
& ~
#
# acpid messages into separate file and stop their further processing
#
# => all acpid messages for debuging (uncomment if needed):
#if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
# -/var/log/acpid
#
# => up to notice (skip info and debug)
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
($syslogseverity <= 5 /* notice */) \
then -/var/log/acpid
& ~
#
# NetworkManager into separate file and stop their further processing
#
if ($programname == 'NetworkManager') or \
($programname startswith 'nm-') \
then -/var/log/NetworkManager
& ~
#
# email-messages
#
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
#
# news-messages
#
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all
#
# Warnings in one file
#
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
#
# the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
###
linux-fh9x:~ # cat /etc/rsyslog.early.conf
##
## WARNING: This config contains only statements that are
## safe for early syslog start, that is before the
## network and remote filesystems are available.
##
## Don't include /etc/rsyslog.d/remote.conf
## in this configuration file or enable any of the
## additional (MYSQL, PGSQL, GSSAPI, GnuTLS, SNMP)
## modules provided in separate module packages.
##
##
## if you experience problems, check
## http://www.rsyslog.com/troubleshoot for assistance
## and report them at http://bugzilla.novell.com/
##
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging
# (e.g. via logger command)
$ModLoad imklog.so # kernel logging (may be also provided by /sbin/klogd)
# see also http://www.rsyslog.com/doc-imklog.html.
$klogConsoleLogLevel 1 # set log level 1 (same as in /etc/sysconfig/syslog).
#
# Include config generated by /etc/init.d/syslog script
# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the
# /etc/sysconfig/syslog file.
#
$IncludeConfig /var/run/rsyslog/additional-log-sockets.conf
###
#
# print most on tty10 and on the xconsole pipe
#
kern.warning;*.err;authpriv.none /dev/tty10;RSYSLOG_TraditionalFileFormat
kern.warning;*.err;authpriv.none |/dev/xconsole;RSYSLOG_TraditionalFileFormat
*.emerg :omusrmsg:*
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert root
#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') then \
-/var/log/firewall;RSYSLOG_TraditionalFileFormat
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') then \
~
#
# acpid messages into separate file and stop their further processing
#
# => all acpid messages for debuging (uncomment if needed):
#if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
# -/var/log/acpid;RSYSLOG_TraditionalFileFormat
#
# => up to notice (skip info and debug)
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
($syslogseverity <= 5) then \
-/var/log/acpid;RSYSLOG_TraditionalFileFormat
if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
~
#
# NetworkManager into separate file and stop their further processing
#
if ($programname == 'NetworkManager') or \
($programname startswith 'nm-') then \
-/var/log/NetworkManager;RSYSLOG_TraditionalFileFormat
if ($programname == 'NetworkManager') or \
($programname startswith 'nm-') then \
~
#
# email-messages
#
mail.* -/var/log/mail;RSYSLOG_TraditionalFileFormat
mail.info -/var/log/mail.info;RSYSLOG_TraditionalFileFormat
mail.warning -/var/log/mail.warn;RSYSLOG_TraditionalFileFormat
mail.err /var/log/mail.err;RSYSLOG_TraditionalFileFormat
#
# news-messages
#
news.crit -/var/log/news/news.crit;RSYSLOG_TraditionalFileFormat
news.err -/var/log/news/news.err;RSYSLOG_TraditionalFileFormat
news.notice -/var/log/news/news.notice;RSYSLOG_TraditionalFileFormat
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all;RSYSLOG_TraditionalFileFormat
#
# Warnings in one file
#
*.=warning;*.=err -/var/log/warn;RSYSLOG_TraditionalFileFormat
*.crit /var/log/warn;RSYSLOG_TraditionalFileFormat
#
# the rest in one file
#
*.*;mail.none;news.none -/var/log/messages;RSYSLOG_TraditionalFileFormat
#
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages;RSYSLOG_TraditionalFileFormat
#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages;RSYSLOG_TraditionalFileFormat
local2,local3.* -/var/log/localmessages;RSYSLOG_TraditionalFileFormat
local4,local5.* -/var/log/localmessages;RSYSLOG_TraditionalFileFormat
local6,local7.* -/var/log/localmessages;RSYSLOG_TraditionalFileFormat
###
linux-fh9x:~ # /etc/init.d/syslog restart
Shutting down syslog services failed
Re-Starting syslog services done
linux-fh9x:~ # /etc/init.d/syslog status
Checking for service syslog: running
Last edited by mcapra on Thu Dec 15, 2016 5:26 pm, edited 1 time in total.
Reason: please wrap long/technical outputs in [code] tags
Re: NLS setup-linux.sh and rsyslogd 5.10.1
Can I also see the output of:
Code: Select all
ps -aef
My best guess is either the correct rsyslog config isn't being loaded, or some other daemon is being leveraged.
Former Nagios employee
https://www.mcapra.com/
-
travishnag1
- Posts: 10
- Joined: Mon Dec 12, 2016 9:51 pm
Re: NLS setup-linux.sh and rsyslogd 5.10.1
output below and attached.
Code: Select all
linux-fh9x:~ # ps -aef
UID PID PPID C STIME TTY TIME CMD
root 1 0 1 07:26 ? 00:00:01 init [5]
root 2 0 0 07:26 ? 00:00:00 [kthreadd]
root 3 2 0 07:26 ? 00:00:00 [ksoftirqd/0]
root 4 2 0 07:26 ? 00:00:00 [kworker/0:0]
root 5 2 0 07:26 ? 00:00:00 [kworker/u:0]
root 6 2 0 07:26 ? 00:00:00 [migration/0]
root 7 2 0 07:26 ? 00:00:00 [watchdog/0]
root 8 2 0 07:26 ? 00:00:00 [cpuset]
root 9 2 0 07:26 ? 00:00:00 [khelper]
root 10 2 0 07:26 ? 00:00:00 [netns]
root 11 2 0 07:26 ? 00:00:00 [sync_supers]
root 12 2 0 07:26 ? 00:00:00 [bdi-default]
root 13 2 0 07:26 ? 00:00:00 [kintegrityd]
root 14 2 0 07:26 ? 00:00:00 [kblockd]
root 15 2 0 07:26 ? 00:00:00 [md]
root 16 2 0 07:26 ? 00:00:00 [khungtaskd]
root 17 2 0 07:26 ? 00:00:00 [kswapd0]
root 18 2 0 07:26 ? 00:00:00 [ksmd]
root 19 2 0 07:26 ? 00:00:00 [khugepaged]
root 20 2 0 07:26 ? 00:00:00 [fsnotify_mark]
root 21 2 0 07:26 ? 00:00:00 [crypto]
root 25 2 0 07:26 ? 00:00:00 [kthrotld]
root 26 2 0 07:26 ? 00:00:00 [kpsmoused]
root 27 2 0 07:26 ? 00:00:00 [kworker/0:1]
root 28 2 0 07:26 ? 00:00:00 [kworker/0:2]
root 69 2 0 07:26 ? 00:00:00 [mpt_poll_0]
root 70 2 0 07:26 ? 00:00:00 [mpt/0]
root 71 2 0 07:26 ? 00:00:00 [scsi_eh_0]
root 79 2 0 07:26 ? 00:00:00 [ata_sff]
root 80 2 0 07:26 ? 00:00:00 [scsi_eh_1]
root 81 2 0 07:26 ? 00:00:00 [scsi_eh_2]
root 82 2 0 07:26 ? 00:00:00 [scsi_eh_3]
root 83 2 0 07:26 ? 00:00:00 [scsi_eh_4]
root 84 2 0 07:26 ? 00:00:00 [scsi_eh_5]
root 85 2 0 07:26 ? 00:00:00 [scsi_eh_6]
root 86 2 0 07:26 ? 00:00:00 [scsi_eh_7]
root 87 2 0 07:26 ? 00:00:00 [scsi_eh_8]
root 88 2 0 07:26 ? 00:00:00 [scsi_eh_9]
root 89 2 0 07:26 ? 00:00:00 [scsi_eh_10]
root 90 2 0 07:26 ? 00:00:00 [scsi_eh_11]
root 91 2 0 07:26 ? 00:00:00 [scsi_eh_12]
root 92 2 0 07:26 ? 00:00:00 [scsi_eh_13]
root 93 2 0 07:26 ? 00:00:00 [scsi_eh_14]
root 94 2 0 07:26 ? 00:00:00 [scsi_eh_15]
root 95 2 0 07:26 ? 00:00:00 [scsi_eh_16]
root 96 2 0 07:26 ? 00:00:00 [scsi_eh_17]
root 97 2 0 07:26 ? 00:00:00 [scsi_eh_18]
root 98 2 0 07:26 ? 00:00:00 [scsi_eh_19]
root 99 2 0 07:26 ? 00:00:00 [scsi_eh_20]
root 100 2 0 07:26 ? 00:00:00 [scsi_eh_21]
root 101 2 0 07:26 ? 00:00:00 [scsi_eh_22]
root 102 2 0 07:26 ? 00:00:00 [scsi_eh_23]
root 103 2 0 07:26 ? 00:00:00 [scsi_eh_24]
root 104 2 0 07:26 ? 00:00:00 [scsi_eh_25]
root 105 2 0 07:26 ? 00:00:00 [scsi_eh_26]
root 106 2 0 07:26 ? 00:00:00 [scsi_eh_27]
root 107 2 0 07:26 ? 00:00:00 [scsi_eh_28]
root 108 2 0 07:26 ? 00:00:00 [scsi_eh_29]
root 109 2 0 07:26 ? 00:00:00 [scsi_eh_30]
root 110 2 0 07:26 ? 00:00:00 [kworker/u:1]
root 111 2 0 07:26 ? 00:00:00 [kworker/u:2]
root 112 2 0 07:26 ? 00:00:00 [kworker/u:3]
root 113 2 0 07:26 ? 00:00:00 [kworker/u:4]
root 114 2 0 07:26 ? 00:00:00 [kworker/u:5]
root 115 2 0 07:26 ? 00:00:00 [kworker/u:6]
root 116 2 0 07:26 ? 00:00:00 [kworker/u:7]
root 117 2 0 07:26 ? 00:00:00 [kworker/u:8]
root 118 2 0 07:26 ? 00:00:00 [kworker/u:9]
root 119 2 0 07:26 ? 00:00:00 [kworker/u:10]
root 120 2 0 07:26 ? 00:00:00 [kworker/u:11]
root 121 2 0 07:26 ? 00:00:00 [kworker/u:12]
root 122 2 0 07:26 ? 00:00:00 [kworker/u:13]
root 123 2 0 07:26 ? 00:00:00 [kworker/u:14]
root 124 2 0 07:26 ? 00:00:00 [kworker/u:15]
root 125 2 0 07:26 ? 00:00:00 [kworker/u:16]
root 126 2 0 07:26 ? 00:00:00 [kworker/u:17]
root 127 2 0 07:26 ? 00:00:00 [kworker/u:18]
root 128 2 0 07:26 ? 00:00:00 [kworker/u:19]
root 129 2 0 07:26 ? 00:00:00 [kworker/u:20]
root 130 2 0 07:26 ? 00:00:00 [kworker/u:21]
root 131 2 0 07:26 ? 00:00:00 [kworker/u:22]
root 132 2 0 07:26 ? 00:00:00 [kworker/u:23]
root 133 2 0 07:26 ? 00:00:00 [kworker/u:24]
root 134 2 0 07:26 ? 00:00:00 [kworker/u:25]
root 135 2 0 07:26 ? 00:00:00 [kworker/u:26]
root 136 2 0 07:26 ? 00:00:00 [kworker/u:27]
root 137 2 0 07:26 ? 00:00:00 [kworker/u:28]
root 138 2 0 07:26 ? 00:00:00 [kworker/u:29]
root 139 2 0 07:26 ? 00:00:00 [kworker/u:30]
root 151 2 0 07:26 ? 00:00:00 [scsi_eh_31]
root 152 2 0 07:26 ? 00:00:00 [scsi_eh_32]
root 196 2 0 07:26 ? 00:00:00 [kmpath_rdacd]
root 211 2 0 07:26 ? 00:00:00 [kmpath_aluad]
root 264 2 0 07:26 ? 00:00:00 [khubd]
root 506 2 0 07:26 ? 00:00:00 [kjournald]
root 512 2 0 07:26 ? 00:00:00 [flush-8:0]
root 604 1 0 07:26 ? 00:00:00 /sbin/udevd --daemon
root 840 2 0 07:26 ? 00:00:00 [vmmemctl]
root 853 2 0 07:26 ? 00:00:00 [l2cap]
root 857 2 0 07:26 ? 00:00:00 [hci0]
root 926 2 0 07:26 ? 00:00:00 [kauditd]
root 1451 1 0 07:26 ? 00:00:00 /sbin/acpid
100 1464 1 0 07:26 ? 00:00:00 /bin/dbus-daemon --system
root 1806 1 0 07:26 ? 00:00:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root 1845 1 0 07:26 ? 00:00:00 /usr/sbin/vmtoolsd
101 1933 1 0 07:26 ? 00:00:00 /usr/sbin/hald --daemon=yes
root 1936 1 0 07:26 ? 00:00:00 /usr/sbin/console-kit-daemon
root 1937 1933 0 07:26 ? 00:00:00 hald-runner
root 2044 1937 0 07:26 ? 00:00:00 hald-addon-input: Listening on /dev/input/event0 /dev/input/event3
root 2047 1937 0 07:26 ? 00:00:00 /usr/lib64/hal/hald-addon-rfkill-killswitch
root 2075 1937 0 07:26 ? 00:00:00 hald-addon-storage: polling /dev/sr0 (every 2 sec)
101 2078 1937 0 07:26 ? 00:00:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
root 2081 1937 0 07:26 ? 00:00:00 hald-addon-storage: no polling on /dev/fd0 because it is explicitly disabled
root 3155 1 0 07:26 ? 00:00:00 /sbin/dhcpcd --netconfig -L -E -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h linux-fh9x eth0
root 3228 1 0 07:26 ? 00:00:00 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
root 3240 1 0 07:26 ? 00:00:00 /sbin/auditd -s disable
root 3242 3240 0 07:26 ? 00:00:00 /sbin/audispd
root 3261 1 0 07:26 ? 00:00:00 /sbin/haveged -w 1024 -v 1
root 3273 1 0 07:26 ? 00:00:00 /sbin/rpcbind
root 3406 1 0 07:26 ? 00:00:00 /usr/sbin/mcelog --daemon --config-file /etc/mcelog/mcelog.conf
root 3703 1 0 07:26 ? 00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
root 3715 1 0 07:26 ? 00:00:00 /usr/sbin/cupsd
root 3728 1 0 07:26 ? 00:00:00 /usr/sbin/nscd
root 3816 1 0 07:26 ? 00:00:00 /usr/lib/postfix/master
postfix 3835 3816 0 07:26 ? 00:00:00 pickup -l -t fifo -u
postfix 3836 3816 0 07:26 ? 00:00:00 qmgr -l -t fifo -u
root 3906 1 0 07:26 ? 00:00:00 tpvmlpd2
root 3979 1 0 07:26 ? 00:00:00 /usr/sbin/gdm
root 3980 3979 0 07:26 ? 00:00:00 /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
root 3982 3980 0 07:26 tty7 00:00:00 /usr/bin/X :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-1sheZX/database -nolisten tcp vt7
root 4007 1 0 07:26 ? 00:00:00 /usr/sbin/cron
root 4022 1 0 07:26 tty1 00:00:00 /sbin/mingetty --noclear tty1
root 4023 1 0 07:26 tty2 00:00:00 /sbin/mingetty tty2
root 4024 1 0 07:26 tty3 00:00:00 /sbin/mingetty tty3
root 4025 1 0 07:26 tty4 00:00:00 /sbin/mingetty tty4
root 4026 1 0 07:26 tty5 00:00:00 /sbin/mingetty tty5
root 4027 1 0 07:26 tty6 00:00:00 /sbin/mingetty tty6
gdm 4159 1 0 07:26 ? 00:00:00 /usr/bin/dbus-launch --exit-with-session
gdm 4160 1 0 07:26 ? 00:00:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
gdm 4161 3980 0 07:26 ? 00:00:00 /usr/bin/gnome-session --autostart=/usr/share/gdm/autostart/LoginWindow/
gdm 4189 1 0 07:26 ? 00:00:00 /usr/lib/GConf/2/gconfd-2
gdm 4205 4161 0 07:26 ? 00:00:00 /usr/lib/at-spi/at-spi-registryd
gdm 4207 1 0 07:26 ? 00:00:00 /usr/lib/gnome-settings-daemon/gnome-settings-daemon --gconf-prefix=/apps/gdm/simple-greeter/settings-manager-plugins
gdm 4209 1 0 07:26 ? 00:00:00 /usr/lib/bonobo/bonobo-activation-server --ac-activate --ior-output-fd=12
gdm 4213 1 0 07:27 ? 00:00:00 gnome-power-manager
gdm 4217 1 0 07:27 ? 00:00:00 /usr/lib64/gvfs/gvfsd
gdm 4218 4161 0 07:27 ? 00:00:00 metacity
gdm 4219 4161 0 07:27 ? 00:00:00 /usr/lib/gdm/gdm-simple-greeter
root 4221 3980 0 07:27 ? 00:00:00 /usr/lib/gdm/gdm-session-worker
gdm 4225 1 0 07:27 ? 00:00:00 /usr/bin/pulseaudio --start --log-target=syslog
root 4232 3228 99 07:27 ? 00:01:36 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
root 4246 604 0 07:27 ? 00:00:00 /sbin/udevd --daemon
root 4247 604 0 07:27 ? 00:00:00 /sbin/udevd --daemon
root 4329 3703 0 07:28 ? 00:00:00 sshd: root@pts/0
root 4332 4329 0 07:28 pts/0 00:00:00 -bash
root 4366 4332 99 07:28 pts/0 00:00:00 ps -aef
Last edited by mcapra on Fri Dec 16, 2016 10:19 am, edited 1 time in total.
Reason: please wrap long/technical outputs in [code] tags
Re: NLS setup-linux.sh and rsyslogd 5.10.1
It does look like rsyslog is the daemon and is loading the proper configuration file. This makes me think the configuration provided by the NLS script is incorrect for rsyslog v5. Can you share the output of:
Code: Select all
grep '' /etc/rsyslog.d/*
A tcpdump to verify that traffic is being sent from the SUSE machine to NLS, and that the NLS machine is receiving traffic from the SUSE machine would also be beneficial.
Former Nagios employee
https://www.mcapra.com/
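The check discussed in the post above (which config file the running rsyslogd was started with, and whether that file pulls in the NLS drop-in), as an added shell example that is not part of the thread or of setup-linux.sh. The function names and the `root` prefix argument are assumptions of this example; the sample tree is constructed, and only one level of legacy `$IncludeConfig` is followed.

```shell
#!/bin/sh
# Added example, not from the thread or from setup-linux.sh.
# Handles legacy "$IncludeConfig" lines, one level deep.

# Print the config file named by "-f" in an rsyslogd command line,
# or rsyslogd's default /etc/rsyslog.conf when no -f is present.
config_from_cmdline() {
    prev=""
    for word in $1; do
        if [ "$prev" = "-f" ]; then
            printf '%s\n' "$word"
            return 0
        fi
        prev=$word
    done
    printf '%s\n' /etc/rsyslog.conf
}

# Return 0 if file $2 is matched by an active $IncludeConfig line in config $1.
# The unquoted $(...) lets the shell expand each glob against the filesystem.
# Commented-out directives are skipped: their first field is not "$IncludeConfig".
is_included() {
    conf=$1; target=$2
    for f in $(awk '$1 == "$IncludeConfig" { print $2 }' "$conf"); do
        [ "$f" = "$target" ] && return 0
    done
    return 1
}

# Given an rsyslogd command line (as shown by ps) and a drop-in path, print
# "loaded" or "not-loaded". $3 is a hypothetical path prefix so the check can
# run against a constructed tree; leave it empty on a real host.
check_dropin() {
    cmdline=$1; dropin=$2; root=${3:-}
    conf=$root$(config_from_cmdline "$cmdline")
    if [ ! -r "$conf" ]; then
        echo "unreadable:$conf"
        return 2
    fi
    if is_included "$conf" "$root$dropin"; then
        echo "loaded"
    else
        echo "not-loaded"
    fi
}

# Build a constructed tree that mirrors the two posted files in one respect:
# rsyslog.conf includes rsyslog.d/*.conf, rsyslog.early.conf does not.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/rsyslog.d"
    cat > "$root/etc/rsyslog.conf" <<EOF
\$ModLoad imuxsock.so
\$IncludeConfig $root/var/run/rsyslog/additional-log-sockets.conf
\$IncludeConfig $root/etc/rsyslog.d/*.conf
EOF
    cat > "$root/etc/rsyslog.early.conf" <<EOF
\$ModLoad imuxsock.so
\$IncludeConfig $root/var/run/rsyslog/additional-log-sockets.conf
EOF
    : > "$root/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf"
    printf '%s\n' "$root"
}

# Demo on the constructed tree (not the poster's real files).
tree=$(make_sample_tree)
sample_dropin=/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf
check_dropin "/sbin/rsyslogd -c 5 -f /etc/rsyslog.conf" "$sample_dropin" "$tree"
check_dropin "/sbin/rsyslogd -c 5 -f /etc/rsyslog.early.conf" "$sample_dropin" "$tree"
rm -rf "$tree"
```

On a real host, pass the rsyslogd line from `ps -aef` and the drop-in path, leaving the third argument empty.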
-
travishnag1
- Posts: 10
- Joined: Mon Dec 12, 2016 9:51 pm
Re: NLS setup-linux.sh and rsyslogd 5.10.1
Output below and attached.
Code: Select all
grep '' /etc/rsyslog.d/*
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$ModLoad imfile
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$InputFilePollInterval 10
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$PrivDropToGroup adm
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$WorkDirectory /var/spool/rsyslog
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:# Input for TEST_LOG2
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$InputFileName /test2/testlog2.txt
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$InputFileTag TEST_LOG2:
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$InputFileStateFile nls-state-test2_testlog2.txt # Must be unique for each file being polled
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:# Uncomment the folowing line to override the default severity for messages
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:# from this file.
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:#$InputFileSeverity info
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$InputFilePersistStateInterval 20000
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:$InputRunFileMonitor
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:# Forward to Nagios Log Server and then discard, otherwise these messages
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:# will end up in the syslog file (/var/log/messages) unless there are other
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:# overriding rules.
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:if $programname == 'TEST_LOG2' then @@192.168.1.105:5544
/etc/rsyslog.d/90-nagioslogserver_test2_testlog2.txt.conf:if $programname == 'TEST_LOG2' then ~
/etc/rsyslog.d/remote.conf:##
/etc/rsyslog.d/remote.conf:## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
/etc/rsyslog.d/remote.conf:## (provided in separate rsyslog-module-* packages) are enabled, the
/etc/rsyslog.d/remote.conf:## configuration can't be used on a system with /usr on a remote
/etc/rsyslog.d/remote.conf:## filesystem.
/etc/rsyslog.d/remote.conf:## [The modules are linked against libraries installed bellow of /usr
/etc/rsyslog.d/remote.conf:## thus also installed in /usr/lib*/rsyslog because of this.]
/etc/rsyslog.d/remote.conf:##
/etc/rsyslog.d/remote.conf:## You can change it by adding network-remotefs to the Required-Start
/etc/rsyslog.d/remote.conf:## and Required-Stop LSB init tags in the /etc/init.d/syslog script.
/etc/rsyslog.d/remote.conf:##
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:# Remote Logging (we use TCP for reliable delivery)
/etc/rsyslog.d/remote.conf:# An on-disk queue is created for this action. If the remote host is
/etc/rsyslog.d/remote.conf:# down, messages are spooled to disk and sent when it is up again.
/etc/rsyslog.d/remote.conf:#$WorkDirectory /var/spool/rsyslog # where to place spool files
/etc/rsyslog.d/remote.conf:#$ActionQueueFileName uniqName # unique name prefix for spool files
/etc/rsyslog.d/remote.conf:#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
/etc/rsyslog.d/remote.conf:#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
/etc/rsyslog.d/remote.conf:#$ActionQueueType LinkedList # run asynchronously
/etc/rsyslog.d/remote.conf:#$ActionResumeRetryCount -1 # infinite retries if host is down
/etc/rsyslog.d/remote.conf:# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
/etc/rsyslog.d/remote.conf:#*.* @@remote-host
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:# ######### Receiving Messages from Remote Hosts ##########
/etc/rsyslog.d/remote.conf:# TCP Syslog Server:
/etc/rsyslog.d/remote.conf:# provides TCP syslog reception and GSS-API (if compiled to support it)
/etc/rsyslog.d/remote.conf:#$ModLoad imtcp.so # load module
/etc/rsyslog.d/remote.conf:# Note: as of now, you need to use the -t command line option to
/etc/rsyslog.d/remote.conf:# enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
/etc/rsyslog.d/remote.conf:# This will change in later v3 releases.
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:# UDP Syslog Server:
/etc/rsyslog.d/remote.conf:#$ModLoad imudp.so # provides UDP syslog reception
/etc/rsyslog.d/remote.conf:#$UDPServerRun 514 # start a UDP syslog server at standard port 514
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:
/etc/rsyslog.d/remote.conf:########### Encrypting Syslog Traffic with TLS ##########
/etc/rsyslog.d/remote.conf:# -- TLS Syslog Server:
/etc/rsyslog.d/remote.conf:## make gtls driver the default
/etc/rsyslog.d/remote.conf:#$DefaultNetstreamDriver gtls
/etc/rsyslog.d/remote.conf:#
/etc/rsyslog.d/remote.conf:## certificate files
/etc/rsyslog.d/remote.conf:#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
/etc/rsyslog.d/remote.conf:#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/server_cert.pem
/etc/rsyslog.d/remote.conf:#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/server_key.pem
/etc/rsyslog.d/remote.conf:#
/etc/rsyslog.d/remote.conf:#$ModLoad imtcp # load TCP listener
/etc/rsyslog.d/remote.conf:#
/etc/rsyslog.d/remote.conf:#$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
/etc/rsyslog.d/remote.conf:#$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
/etc/rsyslog.d/remote.conf:#$InputTCPServerRun 10514 # start up listener at port 10514
/etc/rsyslog.d/remote.conf:#
/etc/rsyslog.d/remote.conf:# -- TLS Syslog Client:
/etc/rsyslog.d/remote.conf:## certificate files - just CA for a client
/etc/rsyslog.d/remote.conf:#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
/etc/rsyslog.d/remote.conf:#
/etc/rsyslog.d/remote.conf:## set up the action
/etc/rsyslog.d/remote.conf:#$DefaultNetstreamDriver gtls # use gtls netstream driver
/etc/rsyslog.d/remote.conf:#$ActionSendStreamDriverMode 1 # require TLS for the connection
/etc/rsyslog.d/remote.conf:#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
/etc/rsyslog.d/remote.conf:#*.* @@(o)server.example.net:10514 # send (all) messages
/etc/rsyslog.d/remote.conf:
Last edited by tmcdonald on Mon Dec 19, 2016 10:34 am, edited 1 time in total.
Reason: Please use [code][/code] tags around long output
-
travishnag1
- Posts: 10
- Joined: Mon Dec 12, 2016 9:51 pm
Re: NLS setup-linux.sh and rsyslogd 5.10.1
tcpdumps attached.
-
travishnag1
- Posts: 10
- Joined: Mon Dec 12, 2016 9:51 pm
Re: NLS setup-linux.sh and rsyslogd 5.10.1
As a test I ran the "Linux syslogs" setup (not "Linux Files") on another SUSE 11 SP4 rsyslog 5.10.1 VM (linux-av3h). It succeeded and the log entries for linux-av3h show up in NLS.
linux-av3h:~ # sudo bash setup-linux.sh -s 192.168.1.105 -p 5544
Your system $PATH does not include /sbin and /usr/sbin. This could be the result of installing GNOME rather than creating a clean system.
Adding /sbin and /usr/sbin to $PATH.
Found syslog-ng 2.0.9
Detected rsyslog 5.10.1
Detected rsyslog work directory /var/spool/rsyslog
Destination Log Server: 192.168.1.105:5544
Creating /etc/rsyslog.d/99-nagioslogserver.conf...
getenforce command not found, assuming SELinux is disabled.
rsyslog configuration check passed.
Restarting rsyslog service with 'service'...
service: no such service rsyslog
ERROR: Unable to restart rsyslog service. Please restart the rsyslog service to use the new configuration.
linux-av3h:~ # rcsyslog stop
Shutting down syslog services done
linux-av3h:~ # rcsyslog status
Checking for service syslog: unused
linux-av3h:~ # rcsyslog start
Starting syslog services done
linux-av3h:~ # ps -A | grep rsyslog
32433 ? 00:00:00 rsyslogd
linux-av3h:~ # netstat -ano | grep 5544
tcp 0 0 192.168.150.165:56069 192.168.1.105:5544 ESTABLISHED off (0.00/0/0)
linux-av3h:~ #
Re: NLS setup-linux.sh and rsyslogd 5.10.1
Yeah, there are probably issues with how our setup script is generating the file input configurations for rsyslog on older versions. Can you share the rsyslog configurations that are currently working and I'll see if I can identify where the "Linux Files" setup is going wrong?
Former Nagios employee
https://www.mcapra.com/