I followed this guide but its not working at all


http://www.rsyslog.com/doc/imfile.html

full config file

$ModLoad imfile #
# needs to be done just once
#
# # File 1
$InputFileName /var/run/mysqld/mysqld.log
$InputFileTag mysql-dev:
$InputFileStateFile stat-file1
$InputFileSeverity notice
$InputFileFacility local7
$InputFilePollInterval 10
$InputRunFileMonitor

$InputFileName /root/testr
$InputFileTag test:
$InputFileStateFile stat-file2
$InputFileSeverity notice
$InputFileFacility local7
$InputFilePollInterval 10
$InputRunFileMonitor

#rsyslog v3 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.* /var/log/logoflogs
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spppl/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/iport, e.g. 192.168.0.1:514, port optional
*.* @@192.168.1.31:514
# ### end of the forwarding rule ###

centos 6.2

I populate /etc/rsyslog.conf like this, see if it works for you:

hmm I tired that didn't work.

I also tried to read a file that wasn't being used by mysql.

What user does rsyslog run as ?

is it chrooted?

"didn't work" doesn't tell me anything.


No file attributes and specs, no configuration. Doesn't tell me anything either.


Check with
Since when does Rsyslogd support or require chrooting?

1 members found this post helpful.

sorry I am new to rsyslog.

What I mean is I see no record of the file in rsyslog.

ps -C rsyslogd -o uid,gid,args
UID GID COMMAND
0 0 /sbin/rsyslogd -i /var/run/syslogd.pid -c 4

I tried this first

# Load directives first:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Then load modules:
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imfile

# Now load the external log
$InputFileName /var/run/mysqld/mysqld.log
$InputFileTag mysql-dev:
$InputFileStateFile mysqld.state
$InputFileSeverity notice
$InputFileFacility local8 # as 7 is in use already
$InputRunFileMonitor

#end file

# then I tired this
#start file
# Then load the rest of the rules:
*.* /var/log/logoflogs
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

*.* @@192.168.1.31:514


# Load directives first:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Then load modules:
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imfile

# Now load the external log
$InputFileName /root/test
$InputFileTag test:
$InputFileStateFile test.state
$InputFileSeverity notice
$InputFileFacility local8 # as 7 is in use already
$InputRunFileMonitor



# Then load the rest of the rules:
*.* /var/log/logoflogs
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

*.* @@192.168.1.31:514
~
~

in the rsys log server I wasn't able to see anything.

if I run

Logger -p local0.info -t `tail /var/run/mysqld.log`
I do get input in the rsyslog server.

Odd. I tried to get this to work, I can have Rsyslog (locally compiled version 5.8.5 running as '/sbin/rsyslogd -c5 -f /etc/rsyslog.conf') read a file and output to another local file and I can have Rsyslog do remote logging, but I can't get it to read /var/log/mysqld.log AND get it to log to remote even though 'lsof -Pwlnp `pgrep rsyslogd`;' shows the file is open, an UDP connection is made, the receiving Rsyslog has the /var/log/%HOSTNAME%/syslog opened and receiving all the other log lines. I also noticed that 'logger -t somemessage;' seems to stall at times.

I think you'd best get on the mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog.