Rsyslog State Files not being created

s_kipjack used Ask the Experts™
Hi all,

I recently ran into a problem and was hoping someone could help me figure it out.  I am running Ubuntu 10.04 and rsyslog 5.8.1.  I set up rsyslog to monitor a few files and send any changes to those files to Loggly (great service by the way).  Well, it all works great, except for the fact that whenever I restart rsyslog it resends everything from those files that it had sent in the past.  Now, it is my understanding that rsyslog should use the $WorkDirectory and create the file that you set for $InputFileStateFile to save the state of the monitored file so that it does not send duplicate entries.

Here is an example that I'm working with:

$WorkDirectory /var/log/rsyslog

# Monit log file
$InputFileName /var/log/monit.log
$InputFileTag monit
$InputFileStateFile monit-state
$InputFileSeverity info

So, from my description above, rsyslog should create a "monit-state" file in "/var/log/rsyslog" which would save the state of the "/var/log/monit.log" file so no duplicates are sent.  Is that correct?  If so, this is not happening!

What should the permissions of "/var/log/rsyslog" be?  Do I have to touch "monit-state" in "/var/log/rsyslog" (I tried that already and nothing happened)?

I've been working on this for a couple days and am at a loss, so any help would be appreciated.  Thanks.


Ok, I found this site (Trouble Shooting Rsyslog) and went through the interactive debugging mode using:

rsyslogd -c5 -dn > logfile


I was able to see that it was in fact a permissions problem.  I opened up permissions to 777 for my $WorkDirectory, just to test, and rsyslog did create the state files and everything worked as planned.  I will continue to play with the permissions so that it's not 777 (obviously), but I wanted to let anyone else that might be having this problem know how I solved it.    


This is interesting.  When I set the $WorkDirectory permissions to:

drwxrwxrwx 2 syslog    syslog     4096 2011-12-28 16:11 rsyslog

Everything works fine.  But with any other permissions I get a 'permissions denied' error in debug mode.  I tried changing user:group and every other type of permission.  I can't believe that you have to have the permission set to 777.

Does anyone have the actual permissions that $WorkDirectory should be set so that rsyslog could read and write to the state files?
Software Developer
You do know that you must be the same user that rsyslogd normally runs as when you debug, otherwise you will need 777, don't you? Assuming you do, try
strace -f rsyslogd -c5 -dn > logfile 2>tracefile


This will show you the actual failing system call in tracefile



Thanks for your response.  After playing around I was able to get the permissions down by setting the user to syslog and the group to adm.  Thanks for your suggestion as it's a great way to troubleshoot for future problems as well.  I really appreciate it.
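
The permission question in this thread, as an added example that is not part of the original posts: a POSIX shell check of whether a given account can create state files in $WorkDirectory, and whether the directory is world-writable while doing so. The function names `classify` and `check_workdir` and the user `alice` are hypothetical, and the check ignores ACLs, root's permission bypass, and search permission on parent directories.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Ignores ACLs, root's permission bypass, and parent-directory traversal.

# classify MODE OWNER GROUP USER "USER_GROUPS"
# MODE is octal as printed by `stat -c %a`. Prints one of:
#   denied | ok | ok-but-world-writable
classify() (
    mode=$((0$1)); owner=$2; group=$3; user=$4; user_groups=" $5 "
    # Exactly one permission class applies, checked in this order.
    if [ "$user" = "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        case "$user_groups" in
            *" $group "*) bits=$(( (mode >> 3) & 7 )) ;;
            *)            bits=$(( mode & 7 )) ;;
        esac
    fi
    # Creating a state file needs write (2) and search (1) on the directory.
    if [ $(( bits & 3 )) -ne 3 ]; then
        echo denied
    elif [ $(( mode & 2 )) -ne 0 ]; then
        echo ok-but-world-writable   # any local user can write in the directory
    else
        echo ok
    fi
)

# check_workdir DIR USER: read the live values with GNU stat and id.
check_workdir() {
    classify "$(stat -c %a "$1")" "$(stat -c %U "$1")" \
             "$(stat -c %G "$1")" "$2" "$(id -Gn "$2")"
}

# Constructed cases; only the 777 syslog:syslog listing appears in the thread.
echo "777 syslog:syslog as syslog -> $(classify 777 syslog syslog syslog 'syslog adm')"
echo "750 syslog:adm    as syslog -> $(classify 750 syslog adm syslog 'syslog adm')"
echo "755 syslog:syslog as alice  -> $(classify 755 syslog syslog alice 'alice')"
```

On a live host, `check_workdir /var/log/rsyslog syslog` applies the same logic to the directory and account discussed above.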
