Rsyslogd not monitoring all files in config file

rsyslog ubuntu-12.04

I am not seeing rsyslog pick up all files I am trying to monitor. I am using the standard config from Ubuntu 12.04 LTS but am adding the contents below to /etc/rsyslog.d/30-logentries.conf.

I only see messages from /var/log/myapp.log and a few system log files that are monitored in /etc/rsyslog.d/50-default.conf being pushed to LogEntries, not the other files I am trying to monitor.

I've verified the following:

  • My other log files are world readable
  • My other log files are being written to
  • LogEntries is receiving log messages from the server
  • /var/log/syslog sees what LogEntries sees, so the log messages don't appear to be lost by LogEntries
  • Restarting rsyslog doesn't fix the issue

Any ideas on what I'm doing wrong?

$ModLoad imfile   # Load the imfile input module
$ModLoad imklog   # for reading kernel log messages
$ModLoad imuxsock # for reading local syslog messages

$InputFileName /var/log/myapp.log
$InputFileTag myapp:
$InputFileStateFile myapp
$InputRunFileMonitor

$InputFileName /var/log/nginx/myapp.log
$InputFileTag nginx-myapp:
$InputFileStateFile nginx-myapp
$InputRunFileMonitor

$InputFileName /var/log/nginx/access.log
$InputFileTag nginx-access:
$InputFileStateFile nginx-access
$InputRunFileMonitor

$InputFileName /var/log/nginx/error.log
$InputFileTag nginx-error:
$InputFileStateFile nginx-error
$InputRunFileMonitor

$InputFileName /var/log/nginx/redir-to-http-myapp.log
$InputFileTag nginx-redir-to-http-myapp:
$InputFileStateFile nginx-redir-to-http-myapp
$InputRunFileMonitor

$InputFileName /var/log/nginx/redir-to-www-myapp.log
$InputFileTag nginx-redir-to-www-myapp:
$InputFileStateFile nginx-redir-to-www-myapp
$InputRunFileMonitor

$InputFilePollInterval 1

$DefaultNetstreamDriverCAFile /etc/syslog.logentries.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logentries.com

$template LogentriesFormat,"guidguid-guid-guid-guid-guidguidguid production %HOSTNAME% %syslogtag%%msg%\n"
*.* @@api.logentries.com:20000;LogentriesFormat

Best Answer

Unicorn(s) was converting comment to CW....

To get rsyslog to process the file, the file must be readable by rsyslog. Even though the nginx log files were world readable, the nginx log directory (/var/log/nginx/) was not. Giving rsyslog access to that directory fixed it.
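
The check the answer describes, as an added example that is not part of the original answer: for every `$InputFileName` in a config it walks the path and reports the file or parent directory that is closed to "other" users. Assumptions: rsyslog reaches these logs neither as owner nor through a group, paths are absolute and contain no spaces, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find the path component that keeps rsyslog's imfile from a log.
# Assumption: only the "other" permission bits apply to the rsyslog user.

# Print the file names given in legacy $InputFileName directives of a config.
input_files() {
    awk '$1 == "$InputFileName" { print $2 }' "$1"
}

# Print the "other" permission triplet (e.g. r-x) of a path, following symlinks.
other_bits() { ls -ldL "$1" | cut -c8-10; }

# Print every component of FILE's path that blocks "other" users:
# the file needs r, each parent directory needs x (search permission).
# Stops climbing at TOP (default /). Returns 1 if anything is blocked.
blocked_components() {
    file=$1 top=${2:-/} rc=0
    case $(other_bits "$file") in
        r??) ;;
        *) echo "$file (file missing or not readable by other)"; rc=1 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;   # t = sticky bit with x set, as on /tmp
            *) echo "$dir (directory missing or not searchable by other)"; rc=1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Main: check every monitored file in the config given as $1
# (default: the file named in the question). Does nothing if it is absent.
conf=${1:-/etc/rsyslog.d/30-logentries.conf}
if [ -r "$conf" ]; then
    input_files "$conf" | while read -r f; do
        if out=$(blocked_components "$f"); then echo "ok   $f"
        else echo "FAIL $f"; echo "$out" | sed 's/^/     /'
        fi
    done
fi
```

A file can be mode 644 and still be reported as FAIL here, which is the situation in the question: the directory above it lacks the search bit.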