Rsyslog State Files not being created

s_kipjack
Hi all,

I recently ran into a problem and was hoping someone could help me figure it out.  I am running Ubuntu 10.04 and rsyslog 5.8.1.  I set up rsyslog to monitor a few files and send any changes to those files to Loggly (great service by the way).  Well, it all works great, except for the fact that whenever I restart rsyslog it resends everything from those files that it had sent in the past.  Now, it is my understanding that rsyslog should use the $WorkDirectory and create whatever file you set for $InputFileStateFile to save the state of the monitored file so that it does not send duplicate entries.

Here is an example that I'm working with:

$WorkDirectory /var/log/rsyslog

# Monit log file
$InputFileName /var/log/monit.log
$InputFileTag monit
$InputFileStateFile monit-state
$InputFileSeverity info
$InputRunFileMonitor

So, from my description above, rsyslog should create a "monit-state" file in "/var/log/rsyslog" which would save the state of the "/var/log/monit.log" file so no duplicates are sent.  Is that correct?  If so, this is not happening!

What should the permissions of "/var/log/rsyslog" be?  Do I have to touch "monit-state" in "/var/log/rsyslog" (I tried that already and nothing happened)?

I've been working on this for a couple days and am at a loss, so any help would be appreciated.  Thanks.

Author

Commented:
Ok, I found this site (Trouble Shooting Rsyslog) and went through the interactive debugging mode using:

rsyslogd -c5 -dn > logfile

I was able to see that it was in fact a permissions problem.  I opened up permissions to 777 for my $WorkDirectory, just to test, and rsyslog did create the state files and everything worked as planned.  I will continue to play with the permissions so that it's not 777 (obviously), but I wanted to let anyone else that might be having this problem know how I solved it.    

Author

Commented:
This is interesting.  When I set the $WorkDirectory permissions to:

drwxrwxrwx 2 syslog    syslog     4096 2011-12-28 16:11 rsyslog

Everything works fine.  But with any other permissions I get a 'permissions denied' error in debug mode.  I tried changing user:group and every other type of permission.  I can't believe that you have to have the permission set to 777.

Does anyone have the actual permissions that $WorkDirectory should be set so that rsyslog could read and write to the state files?
Software Developer
Commented:
You do know that you must be the same user that rsyslogd normally runs as when you debug, otherwise you will need 777, don't you? Assuming you do, try
strace -f rsyslogd -c5 -dn > logfile 2>tracefile

This will show you the actual failing system call in tracefile.

Author

Commented:
ducan,

Thanks for your response.  After playing around I was able to get the permissions down by setting the user to syslog and the group to adm.  Thanks for your suggestion as it's a great way to troubleshoot for future problems as well.  I really appreciate it.
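
One way to check a $WorkDirectory without leaving it at 777, as an added example that is not part of the original posts: a shell function that reads the directory's mode bits and reports whether a given uid can create state files there. The function name, its output strings and the use of GNU `stat` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (coreutils), as on Ubuntu.
# Evaluates only the classic owner/group/other mode bits; ACLs and root's
# permission bypass are out of scope.
#
# workdir_access DIR UID "GID ..."
#   ok              uid can create files in DIR through its applicable class
#   world-writable  uid can create files, but "other" has write too (e.g. 777)
#   denied          uid cannot create files in DIR
#   missing         DIR is not a directory
workdir_access() {
    wa_dir=$1 wa_uid=$2 wa_gids=$3
    [ -d "$wa_dir" ] || { echo missing; return 0; }

    # %a = octal mode, %u = owner uid, %g = owner gid
    set -- $(stat -c '%a %u %g' "$wa_dir")
    wa_mode=$1 wa_downer=$2 wa_dgroup=$3

    wa_o=$((wa_mode % 10))          # "other" digit
    wa_g=$((wa_mode / 10 % 10))     # group digit
    wa_u=$((wa_mode / 100 % 10))    # owner digit

    # The kernel applies exactly one class: owner, else group, else other.
    wa_bits=$wa_o
    if [ "$wa_uid" = "$wa_downer" ]; then
        wa_bits=$wa_u
    else
        for wa_gid in $wa_gids; do
            if [ "$wa_gid" = "$wa_dgroup" ]; then wa_bits=$wa_g; break; fi
        done
    fi

    # Creating a state file needs write (2) and search (1) on the directory.
    if [ $((wa_bits & 3)) -ne 3 ]; then
        echo denied
    elif [ $((wa_o & 2)) -ne 0 ]; then
        echo world-writable
    else
        echo ok
    fi
}

# Typical use with the account named in the thread:
#   workdir_access /var/log/rsyslog "$(id -u syslog)" "$(id -G syslog)"
```

A result of `denied` for the account rsyslogd runs as matches the 'permissions denied' seen in debug mode; `world-writable` means it works only in the way the 777 test did.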
