Dr. Klahn

asked on

rsyslog 8.24.0 fails to log message

This problem occurs on a Debian system using rsyslog 8.24.0.  In all other respects rsyslog was and still is operating correctly, so the problem is in the ruleset.

The number of ntpdate entries in the cron log is distracting:

Nov 20 06:01:01  CRON[19514]:  (root) CMD (sh /root/iptables-backup.sh >/dev/null 2>&1)
Nov 20 07:43:01  CRON[7110]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)
Nov 20 10:43:01  CRON[9972]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)
Nov 20 13:43:01  CRON[12836]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)
Nov 20 16:43:01  CRON[15705]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)
Nov 20 19:43:01  CRON[18578]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)
Nov 20 22:43:01  CRON[21523]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)
Nov 21 01:43:01  CRON[24473]:  (root) CMD (ntpdate -s 0.us.pool.ntp.org)



The desired effect is to log only the first (01:43) daily occurrence of ntpdate to the cron log.  /etc/rsyslog.conf was modified:

# Log cron into its own file
# Block all but the first daily ntpdate message
if $programname == 'cron' then {
  if $msg contains 'ntpdate' then {
    if not($timereported contains '01:43') then stop
  }
# Anything else gets logged normally
  action(type="omfile" file="/var/log/cron")
  stop
}



Result - now there are no cron log entries.

Side note:  The host is an SBC with hardware clock "issues" that mandate this approach.  Replacing ntpdate with the ntp daemon was tried and didn't work.
arnold

Why are you using ntpdate to sync time on a regular basis where ntpd is a service built for that purpose?
Make sure to configure /etc/ntp.conf with SNTP servers; you can use ntp.org to locate an NTP server in your geographic proximity with which your system can synchronize.
Then make sure the ntpd service is set to start.
Commonly the ntpd startup script runs ntpdate to sync the clock, and then ntpd maintains the sync as close as possible while sending requests to the defined NTP servers.

This change will eliminate those entries once disabled in cron.
What were the old contents of /etc/rsyslog.conf?
Dr. Klahn

ASKER

The original contents in that segment were:

# Log cron into its own file
if $programname == 'cron' then {
  action(type="omfile" file="/var/log/cron")
  stop
}


Since you are running cron through syslog, and you effectively do not care to see the events of the cron running ntpdate -s 8 times a day, why would you like to see it even a couple of times?
When installing servers, etc., configuring ntpd is a trivial matter, maintaining the time in close proximity throughout the day.
In your setup, if there is a significant drift, the time will be jumping every three hours by a minute, minutes, 10s of minutes?

ntpd calculates drift and maintains ..... Your log does not include the closing/completion of the running of the cron, which could be used to see the time correction.
I.e. if the ntpdate -s takes five seconds to complete on average,
but the time of stop occurs before the start of the run of the JOB.
Or on the other side, the stop occurs minutes after the start ran.

run ntpstat
ntpq
peer
and it will tell you ....
When ntpd is running on a system, a system's clock can be within 72ms of accuracy with the defined peers in ntp.conf every second.

Arnold, it is not possible to run the ntp daemon on this system; I did state that in the original posting.  It is not a standard PC with a standard clock.

timereported or timegenerated....
Possible remedy is to use a counter to see whether this is the first event of the day.
http://www.rsyslog.com/rsyslog-statistic-counter/
In which case it will be recorded; if it is the 8th, reset the counter...
ASKER CERTIFIED SOLUTION
Dr. Klahn

Solved the issue by rewriting the rsyslog rule to account for upper and lower case.  cron logs messages with both.
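
The sample log lines in the question carry the tag CRON, while the posted rule compares $programname against lowercase 'cron'. The asker's actual rewrite is not shown on the page; the following is an added example of one way to make the same rule case-insensitive, using the RainerScript tolower() function and contains_i operator, and assuming $timereported renders with the hh:mm:ss time seen in the log lines above:

```rsyslog
# Added example, not the asker's configuration.
# Log cron into its own file.
# Block all but the first daily (01:43) ntpdate message.

# tolower() makes the tag comparison match 'cron', 'CRON', 'Cron', ...
if tolower($programname) == 'cron' then {

  # contains_i is the case-insensitive form of contains.
  # The time test is kept as in the question: only the 01:43 run passes.
  if ($msg contains_i 'ntpdate') and not ($timereported contains '01:43') then {
    stop
  }

  # Anything else gets logged normally
  action(type="omfile" file="/var/log/cron")
  stop
}
```

Check the syntax with rsyslogd -N1 before restarting the daemon, so that a filter typo does not silently drop the whole cron log again.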