Server not sending all logs as configure.

[GhostRider2110]

OK, so I change the port for apache_access log to send to, to the same port for syslog. From 5581 to 5544. No change, could not find any evidence that the logs were being sent. Unless it's not picked up by the NLS. How can I turn up the verbosity of the logstash log?

Thanks
Mitch

[GhostRider2110]

I found how/where to kick up the logging level. Nothing from that server. Again I switched the config on that system to send to 5544, which I knows works since that is where /var/log/messages is being sent. And I am getting those. But no, nothing.... just the normal from /var/log/messages. Any ideas on where to go from here would be greatly appreciated...

[Box293]

It sounds like date / time issue.

Can we verify all machines that are participating in this have synced clocks. Ideally they are all on the same timezone however even if they are not they at least are on the same clock cycle.

[GhostRider2110]

All good... for both working and non-working.. Thanks for the tip.. I was hoping it would be that.

Time on igapubwebcache01
Thu Jan 23 18:39:07 EST 2020

Time on igapubwebcache02
Thu Jan 23 18:39:07 EST 2020

Time on iganagiosls01
Thu Jan 23 18:39:07 EST 2020

Time on iganagioslog
Thu Jan 23 18:39:07 EST 2020

[Box293]

In that case my normal troubleshooting technique for these issues is to go back to basics. Remove any of the extra stuff and just configure rsyslog to send the standard logs.

Confirm that it is consistently working and then extend from that.

Sometimes you need to remove all the variables.

[GhostRider2110]

Thanks Box293,

I have done that. Pulled everything, removed and reinstalled rsyslog. It's really strange that on the reboot yesterday morning, the previous days logs were sent from the rotated logs. I'm going to see if I can get it pulled from production rotation. It's one of the front end cache servers for the external web site. This is really messing with my stats gathering LOL. If I can to that I can play with it much easier.

If I can get it where I can reboot a few times, then I am going to do what you suggested again. Starting with the complete removal of rsyslog, reboot and go from there, one step at a time.


Thanks for the help, any more ideas would be greatly appreciated.

Later
Mitch

[scottwilkerson]

If I can get it where I can reboot a few times, then I am going to do what you suggested again. Starting with the complete removal of rsyslog, reboot and go from there, one step at a time.

Sounds good

[GhostRider2110]

Didn't get a change to work on it over the weekend, but noticed something this morning. Seems last night, (this morning) it did get sent the the log that was rotated after rsyslog restarted. I have log entries from 0345 012620 to 0345 012720. So when rsyslog is restart for the logrotate maintenance, the rotated log is being sent.. Similar to what I saw when I did the reboot. I'll be starting the trouble shooting process this morning and update as I go.

Thanks
Mitch

[cdienger]

Sounds good. Please update us if you find anything or run into any problems.

[GhostRider2110]

Been caught up with some fires. Still working this. Thanks