[Bug 1110456] New: rsyslog not logging most messages
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456 Bug ID: 1110456 Summary: rsyslog not logging most messages Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kubic Assignee: kubic-bugs@opensuse.org Reporter: kukuk@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- On SLES, all messages I see in journalctl are also available in /var/log/messages. On Kubic, where we use rsyslog, nearly no message I see in journalctl can be found in /var/log/messages. So something with journalctl and rsyslog is configured wrong. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c1
Thorsten Kukuk
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c2
Thomas Blume
simple test: "logger aaa"
On openSUSE Kubic (current Factory) we use the same setup as with SLES: journald and rsyslog. On openSUSE Kubic the string "aaa" is only visible in journalctl, not in /var/log/messages. As result, this log entry is gone after a reboot. Which is critical for us, as it does not allow us to debug problems.
On SLES15, "aaa" is visible in journalctl and /var/log/messages.
Hm, I'm not able to reproduce the issue on a recent Tumbleweed. After installing rsyslog and rebooting I get: --> c592:~ # cat /etc/os-release NAME="openSUSE Tumbleweed" # VERSION="20180917" ID="opensuse-tumbleweed" ID_LIKE="opensuse suse" VERSION_ID="20180917" PRETTY_NAME="openSUSE Tumbleweed" c592:~ # logger tblume c592:~ # logger aaa c592:~ # tail /var/log/messages [...] 2018-10-08T14:03:10.525978+02:00 c592 root: tblume 2018-10-08T14:03:16.917398+02:00 c592 root: aaa c592:~ # --< Have you got a machine where I can log in to see the issue? -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c3
Thorsten Kukuk
Have you got a machine where I can log in to see the issue?
I have many, you can use e225.suse.de -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c4
Thomas Blume
(In reply to Thomas Blume from comment #2)
Have you got a machine where I can log in to see the issue?
I have many, you can use e225.suse.de
There is a mismatch in the socket where systemd listens. The machine shows: --> e225:/var/log # dmesg | grep ' Listening on' [ 1.423452] systemd[1]: Listening on udev Control Socket. [ 1.423509] systemd[1]: Listening on Journal Socket (/dev/log). [...] e225:/var/log # ls -l /dev/log lrwxrwxrwx 1 root root 28 Oct 6 01:59 /dev/log -> /run/systemd/journal/dev-log --< On my reference machine it looks like this: kvm126:~ # dmesg | grep ' Listening on' [ 2.204170] systemd[1]: Listening on udev Control Socket. [ 4.004526] systemd[1]: Listening on Syslog Socket. rsyslog listens on: /run/systemd/journal/syslog and that's where systemd should be listening too.
From the systemd setup I don't see differences, but in /etc/apparmor.d/abstractions/base I cannot find and entry for:
/run/systemd/journal/syslog So, maybe apparmor needs to be reconfigured (on my reference machine there is no apparmor installed). Can I disable apparmarmor and reboot your machine to double check? -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c5
Thorsten Kukuk
So, maybe apparmor needs to be reconfigured (on my reference machine there is no apparmor installed). Can I disable apparmarmor and reboot your machine to double check?
Yes -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c6
--- Comment #6 from Thomas Blume
(In reply to Thomas Blume from comment #4)
So, maybe apparmor needs to be reconfigured (on my reference machine there is no apparmor installed). Can I disable apparmarmor and reboot your machine to double check?
Yes
I was wrong, this has nothing to do with apparmor. The configuration issue is in: /etc/systemd/journald.conf that defaults to: #ForwardToSyslog=no as soon as I set: ForwardToSyslog=yes and restart journald, it works correctly. That matches the documentation in the journald.conf manpage. On SLES it defaults to ForwardToSyslog=yes, that's why it works there out of the box. The interesting question is why it worked on my reference Tumbleweed machine, even though it also defaults to ForwardToSyslog=no. But that might not be of interest for you. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c7
--- Comment #7 from Thorsten Kukuk
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c8
--- Comment #8 from Thorsten Kukuk
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c9
--- Comment #9 from Thomas Blume
The fix is quite simple for this:
rsyslog provides a journald.d.conf/rsyslog.conf file, which enables ForwardToSyslog. No need to differentiate in the sources if this is openSUSE or SLE: in case rsyslog is installed, forward the messages.
You are fast. :) I was investigating another approach where pulls directly from the journal: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imjournal.html but it seems this method has some drawbacks. Let's use the proven method then. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=1110456
http://bugzilla.suse.com/show_bug.cgi?id=1110456#c10
Thomas Blume
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1110456
https://bugzilla.suse.com/show_bug.cgi?id=1110456#c16
--- Comment #16 from Swamp Workflow Management
participants (2)
-
bugzilla_noreply@novell.com
-
bugzilla_noreply@suse.com