Installing:
I installed rsyslogd based on http://www.rsyslog.com/ on several AIX servers (both AIX 6.1 and 7.1). I wanted to install IBM's own compiled module for several reasons:
- obvious security matters (rsyslogd is a security-related product, which will help us have stronger means to keep track of servers, so for that reason we cannot install unstamped products)
- it's an installp product, and it's integrated with the srcmstr daemon.
- we will have someone to yell at if it doesn't work! (or maybe not!)
rsyslog is now on the expansion pack of the two main AIX versions I work on. The minimum server level is:
6.1.8.0 : AIX 6.1, TL8, SP0
7.1.2.0 : AIX 7.1, TL2, SP0
After installing rsyslogd, we have a new command, which helps to convert from the normal syslogd version:
syslog_ssw
syslog_ssw -c /etc/syslog.conf /etc/rsyslog.conf : will convert the normal syslog.conf into rsyslog.conf.
It will need some tuning to fit your own organisation:
*.* @@ip_central_server:port
This is the server that will receive all the syslog messages. You can add some parameters, according to the rsyslog wiki. A good starting point is the following options (you have to create /var/rsyslog before launching rsyslog):
$WorkDirectory /var/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1G # 1Gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.* @@ip_central_server:port
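The queue settings above can be checked before switching daemons. The script below is an added example, not part of the original post or of IBM's package: `lint_rsyslog_forwarding` is a hypothetical helper, the 192.0.2.x addresses and the sample file are constructed, and it assumes legacy `$Action...` directives apply only to the next action line and are then reset. It flags TCP forwarders that would drop messages while the central server is down, and a missing spool directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: $Action* directives
# apply only to the next action line and are then reset to defaults.
lint_rsyslog_forwarding() {
    conf=$1; rc=0
    # The spool directory named by $WorkDirectory must exist before startup.
    workdir=$(awk 'tolower($1) == "$workdirectory" { print $2; exit }' "$conf")
    if [ -z "$workdir" ] || [ ! -d "$workdir" ]; then
        echo "WorkDirectory '${workdir:-unset}' does not exist"; rc=1
    fi
    # Every TCP forwarding action (@@host:port) needs its own queue settings.
    awk '
        { sub(/[ \t]*#.*$/, "") }                  # drop comments
        NF == 0 { next }
        { key = tolower($1) }
        key == "$actionqueuetype"        { qtype = tolower($2); next }
        key == "$actionqueuefilename"    { qfile = $2; next }
        key == "$actionresumeretrycount" { retry = $2; next }
        substr(key, 1, 1) == "$" { next }          # any other directive
        NF >= 2 {                                  # selector + action line
            if ($2 ~ /^@@/) {
                why = ""
                if (qtype == "" || qtype == "direct") why = why " no-async-queue"
                if (qfile == "") why = why " no-spool-file"
                else if (qfile in seen) why = why " duplicate-spool-name"
                else seen[qfile] = 1
                if (retry != "-1") why = why " finite-retry"
                if (why != "") { print "line " NR ": " $2 ":" why; bad = 1 }
            }
            qtype = ""; qfile = ""; retry = ""     # directives are consumed
        }
        END { exit bad + 0 }
    ' "$conf" || rc=1
    return $rc
}

# Constructed sample: the second forwarder has no queue directives of its own.
tmp=${TMPDIR:-/tmp}/rsyslint.$$; mkdir -p "$tmp/spool"
cat > "$tmp/rsyslog.conf" <<EOF
\$WorkDirectory $tmp/spool   # where to place spool files
\$ActionQueueFileName fwdRule1
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
*.* @@192.0.2.10:514
*.* @@192.0.2.11:514
EOF
lint_rsyslog_forwarding "$tmp/rsyslog.conf" || echo "fix the findings above"
```

On the constructed sample it reports only line 6, because the first forwarder consumed the queue directives.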
Then, to replace syslog with rsyslog, you can use the command syslog_ssw with the -r option.
root@darkstar:/var/lib/rsyslog# syslog_ssw -r
0513-077 Subsystem has been changed.
Start daemon: syslogd
0513-059 The syslogd Subsystem has been started. Subsystem PID is 37027944.
As you keep /etc/syslog.conf, you can easily switch back and forth between rsyslog and syslog via the syslog_ssw -r and -s options.
It is started and stopped via the startsrc -s syslogd and stopsrc -s syslogd commands.
Debugging:
Debugging rsyslog is quite simple:
Stop the daemon via the stopsrc command.
Export the two RSYSLOG parameters:
export RSYSLOG_DEBUG="DebugOnDemand NoStdOut"
export RSYSLOG_DEBUGLOG=/tmp/gileb.out
Then launch rsyslog on the command line as follows:
Then send the usr signal via the kill command to the running process.
You will then have all the debug info in the indicated file:
root/datestaix7 / #cat /tmp/gileb.out
7600.312486000:1:
7600.312524000:1:
7600.312537000:1: ********************************************************************************
7600.312550000:1: Switching debugging_on to true at 14:46:40
7600.312561000:1: ********************************************************************************
7635.540547000:203: Message from UNIX socket: #4
7635.540627000:203: MsgSetTAG in: len 3, pszBuf: ege
7635.540661000:203: MsgSetTAG exit: pMsg->iLenTAG 3, pMsg->TAG.szBuf: ege
7635.540709000:203: main Q: entry added, size now log 2, phys 3 entries
7635.540759000:203: main Q: EnqueueMsg advised worker start
7635.540821000:203: --------imuxsock calling select, active file descriptors (max 4): 4
7647.435687000:102: file netstrms.c released module 'lmnsd_ptcp', reference count now 1
7647.435722000:102: Action 20059608 transitioned to state: rtry
To stop, press Ctrl-C or kill the process.