我試圖配置 rsyslog 將日誌從特定檔案轉發到 syslogserver,最終清除了整個配置(rsyslog 服務被卡住 - 無法啟動)..
所以我清除了所有內容,並再次從頭開始安裝了所有內容......現在當我嘗試啟動它時它失敗了。
這是作業系統版本:
~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
這是 rsyslog 版本
~# rsyslogd -v
rsyslogd 8.2212.0 (aka 2022.12) compiled with:
PLATFORM: x86_64-pc-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: No
Config file: /etc/rsyslog.conf
PID file: /var/run/rsyslogd.pid
Number of Bits in RainerScript integers: 64
See https://www.rsyslog.com for more information.
這是我的 rsyslog.conf
~# cat /etc/rsyslog.conf
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
最後是 systemd 服務(這是到 /lib/systemd/system/rsyslog.service 的軟連結)
~# cat /etc/systemd/system/syslog.service
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n
StandardOutput=null
Restart=on-failure
# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
#LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
Alias=syslog.service
當我跑步時/usr/sbin/rsyslogd -n我得到
~# /usr/sbin/rsyslogd -n
rsyslogd: pidfile '/var/run/rsyslogd.pid' and pid 6260 already exist.
If you want to run multiple instances of rsyslog, you need to specify
different pid files for them (-i option).
rsyslogd: run failed with error -3000 (see rsyslog.h or try https://www.rsyslog.com/e/3000 to learn what that number means)
服務狀態說:
~# systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2022-12-22 08:05:56 CET; 8s ago
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Process: 6464 ExecStart=/usr/sbin/rsyslogd -n (code=exited, status=1/FAILURE)
Main PID: 6464 (code=exited, status=1/FAILURE)
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: Failed to start System Logging Service.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: rsyslog.service: Service RestartSec=100ms expired, scheduling restart.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 5.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: Stopped System Logging Service.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: rsyslog.service: Start request repeated too quickly.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Dec 22 08:05:56 TW-3CXNFA-B systemd[1]: Failed to start System Logging Service.
我有點卡在這裡...我用谷歌搜尋了「pid已經存在」訊息和許多其他訊息,但它沒有引導我:(
請您給我一點幫助,我將不勝感激:( 有什麼想法我需要做什麼嗎?
- - - - - - 編輯 - - - - - -
我按照你們的提示嘗試了這個...
編輯 (r)syslog.service 並新增 -iNONE 作為參數
~# cat /etc/systemd/system/syslog.service
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure
#Increase the default a bit in order to allow many simultaneous
#files to be monitored, we might need a lot of fds.
#LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
Alias=syslog.service
重新載入守護進程 -> systemctl daemon-reload(沒有錯誤訊息)
都停止了systemctl stop syslog.socket rsyslog.service
檢查了兩者的狀態
~# systemctl status syslog.socket rsyslog.service
● syslog.socket - Syslog Socket
Loaded: loaded (/lib/systemd/system/syslog.socket; static; vendor preset: disabled)
Active: inactive (dead) since Thu 2022-12-22 14:57:32 CET; 18s ago
Docs: man:systemd.special(7)
https://www.freedesktop.org/wiki/Software/systemd/syslog
Listen: /run/systemd/journal/syslog (Datagram)
Dec 22 10:17:58 TW-3CXNFA-B systemd[1]: Listening on Syslog Socket.
Dec 22 14:57:32 TW-3CXNFA-B systemd[1]: syslog.socket: Succeeded.
Dec 22 14:57:32 TW-3CXNFA-B systemd[1]: Closed Syslog Socket.
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Thu 2022-12-22 14:57:32 CET; 18s ago
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Process: 22681 ExecStart=/usr/sbin/rsyslogd -n -iNONE (code=exited, status=0/SUCCESS)
Main PID: 22681 (code=exited, status=0/SUCCESS)
Dec 22 14:56:59 TW-3CXNFA-B systemd[1]: Starting System Logging Service...
Dec 22 14:57:32 TW-3CXNFA-B systemd[1]: rsyslog.service: Succeeded.
Dec 22 14:57:32 TW-3CXNFA-B systemd[1]: Stopped System Logging Service.
兩者都處於非活動狀態..然後我檢查是否有任何活動的 PID(都很好)
~# ps axu | grep rsyslog
root 22747 0.0 0.0 6072 888 pts/0 S+ 14:59 0:00 grep rsyslog
驗證是否有pid檔ls /var/run/ | grep syslog(無)
然後我啟動了導致超時訊息的服務
~# systemctl start rsyslog
Job for rsyslog.service failed because a timeout was exceeded.
See "systemctl status rsyslog.service" and "journalctl -xe" for details.
檢查狀態
~# systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: activating (start) since Thu 2022-12-22 15:03:16 CET; 1min 26s ago
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 22896 (rsyslogd)
Tasks: 4 (limit: 1136)
Memory: 824.0K
CGroup: /system.slice/rsyslog.service
└─22896 /usr/sbin/rsyslogd -n -iNONE
Dec 22 15:03:16 TW-3CXNFA-B systemd[1]: Starting System Logging Service...
加日記:
~# journalctl -xe
-- A stop job for unit rsyslog.service has finished.
--
-- The job identifier is 25478 and the job result is done.
Dec 22 15:03:16 TW-3CXNFA-B systemd[1]: Starting System Logging Service...
-- Subject: A start job for unit rsyslog.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit rsyslog.service has begun execution.
--
-- The job identifier is 25478.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: rsyslog.service: Start operation timed out. Terminating.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: rsyslog.service: Failed with result 'timeout'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit rsyslog.service has entered the 'failed' state with result 'timeout'.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: Failed to start System Logging Service.
-- Subject: A start job for unit rsyslog.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit rsyslog.service has finished with a failure.
--
-- The job identifier is 25478 and the job result is failed.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: rsyslog.service: Service RestartSec=100ms expired, scheduling restart.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 2.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Automatic restarting of the unit rsyslog.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: Stopped System Logging Service.
-- Subject: A stop job for unit rsyslog.service has finished
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A stop job for unit rsyslog.service has finished.
--
-- The job identifier is 25554 and the job result is done.
Dec 22 15:04:46 TW-3CXNFA-B systemd[1]: Starting System Logging Service...
-- Subject: A start job for unit rsyslog.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit rsyslog.service has begun execution.
--
-- The job identifier is 25554.
Dec 22 15:05:01 TW-3CXNFA-B CRON[22955]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 22 15:05:01 TW-3CXNFA-B CRON[22956]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Dec 22 15:05:01 TW-3CXNFA-B CRON[22955]: pam_unix(cron:session): session closed for user root
我失蹤了什麼?
答案1
rsyslog 的預設 PID 檔案位置是/var/run/rsyslogd.pid(如 中所述man rsyslogd)。cat該文件以了解裡面的內容。
檢查該 PID 是否確實rsyslogd(類似於ps axu | grep $(cat /var/run/rsyslogd.pid)和ps axu | grep rsyslogd)。如果它正在運行,請按照建議殺死它並刪除 PID 檔案。這是服務管理員認為服務沒有運作的問題,而實際上服務正在運作(例如,無法停止)。
如果 PID 存在但不存在rsyslogd,則不要殺死它。這可能是無關的,而且這種行為可能會造成傷害而不是好處。只需刪除 rsyslog PID 檔案即可。發生這種情況的原因可能是 rsyslog 創建了該文件,將其 PID 放在那裡然後停止,系統後來將該 PID 重新用於其他用途。
現在,當服務顯然沒有運行和沒有誤導性的PID文件,嘗試使用服務管理員再次啟動它,觀察啟動情況/var/log/daemon.log和其他日誌檔案(messages、syslog)並檢查啟動過程中是否有任何錯誤。
有趣的是,從 Debian 11 開始,它被配置為不是寫入任何PID檔案(像這樣的啟動/usr/sbin/rsyslogd -n -iNONE)。
答案2
我認為這是透過以下連結報告的錯誤:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815862
這看起來違反直覺...但實際要執行的步驟是您必須停止兩個 systemd 單元,而不僅僅是停止rsyslog.service或殺死 rsyslog 的 PID:
systemctl stop syslog.socket rsyslog.service