[SOLVED] CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Issues related to applications and software problems
anderson_thomas
Posts: 81
Joined: 2011/11/21 10:19:41

[SOLVED] CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby anderson_thomas » 2017/09/21 11:15:43

Hi,

.... imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]

after upgrade from CentOS 7.3 to 7.4 these message are coming
periodically every day from rsyslog.

What does this mean and how can I fix this?

p.s. I think, the rsyslog forum are not much visited, so there was no answer till now...

Thank you!
Klaus.
Last edited by anderson_thomas on 2017/09/26 08:30:13, edited 1 time in total.

aks
Posts: 2495
Joined: 2014/09/20 11:22:14

Re: CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby aks » 2017/09/23 18:35:50

Could it be logrotate, rotating the logs and restarting rsyslog so it gets rid of (what are now stable handles - if the logs where rotated)?

anderson_thomas
Posts: 81
Joined: 2011/11/21 10:19:41

Re: CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby anderson_thomas » 2017/09/25 04:58:14

Hi aks,

no, I don't think so, beacuse the messages are written more than once a day be one server. See the following line from my /var/log/messages:

Code: Select all

Sep 24 05:56:46 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Sep 24 11:49:07 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Sep 24 13:07:46 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Sep 24 18:48:35 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Sep 24 20:16:37 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Sep 24 21:29:37 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Sep 24 23:22:09 server10 rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]


The only differnt to a lokal workstation with CentOS-7.4 is, that I submit all log entrys from the server10 to a "Graylog" server via Remote-Logging, see my extra configuration from /etc/rsyslog.conf (whole configuration file):

Code: Select all

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
# Tachtler
# default: #$ModLoad immark  # provides --MARK-- message capability
$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Tachtler - new -
# Write all Log-Information to graylog
#$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
#*.*                                                     @10.7.0.110:514;GRAYLOGRFC5424
*.*                                                     @10.7.0.110:514;RSYSLOG_SyslogProtocol23Format

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

The changed lines from the original /etc/rsyslog.conf are marked as

Code: Select all

# Tachtler


Andy ideas?


Thank you!
Klaus.

aks
Posts: 2495
Joined: 2014/09/20 11:22:14

Re: CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby aks » 2017/09/25 18:37:15

Well I don't use imjournal because of the well known performance hot - see http://www.rsyslog.com/doc/v8-stable/co ... urnal.html

Following the link suggested (int he output) points to: http://kb.monitorware.com/kbeventdb-detail-id-7218.html (they suggest disabling xconsole stuff).

Also have a look at https://www.freedesktop.org/software/sy ... .conf.html for journal options (I just wonder if the journal is "full" - I seem to recall that is configurable option and perhaps journald is resetting in some manner - thus "forcing" rsyslog to reload/restart), but that's a guess.

anderson_thomas
Posts: 81
Joined: 2011/11/21 10:19:41

Re: CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby anderson_thomas » 2017/09/26 07:36:05

Hi aks,

o.k. NOT to use imjournal is maybe the best possibility.

I try to disable imjournal, BUT after that, NO logging was done in any log file?

Can you give me an example of an /etc/rsyslog.conf AND other dependencies, how I can I use rsyslog without using imjournal?

Thank you!
Klaus.

anderson_thomas
Posts: 81
Joined: 2011/11/21 10:19:41

Re: CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby anderson_thomas » 2017/09/26 07:47:16

Hi aks,

SORRY - I found my mistake - LOGGING is now working without imjournal.

/etc/rsyslog.conf

Code: Select all

# default: $OmitLocalLogging on
$OmitLocalLogging off


Was my fault!

Thank you!
Klaus.

anderson_thomas
Posts: 81
Joined: 2011/11/21 10:19:41

[SOLVED] Re: CentOS-7.4 - rsyslog - imjournal: journal reloaded...

Postby anderson_thomas » 2017/09/26 08:28:32

Hi,

thank you aks for the tip!

I think NOT to use the imjournal module will solve the problem!

Here my complete /etc/rsyslog.conf for example:

Code: Select all

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
# Tachtler
# default: $ModLoad imjournal # provides access to the systemd journal
# $ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
# Tachtler
# default: #$ModLoad immark  # provides --MARK-- message capability
$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
# Tachtler
# default: $OmitLocalLogging on
$OmitLocalLogging off

# File to store the position in the journal
# Tachtler
# default: $IMJournalStateFile imjournal.state
# $IMJournalStateFile imjournal.state


#### RULES ####
 
# Tachtler - new -
# Write all Log-Information to graylog
#$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
#*.*                                                     @10.7.0.110:514;GRAYLOGRFC5424
*.*                                                     @10.7.0.110:514;RSYSLOG_SyslogProtocol23Format

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###


Thank you!
Klaus.