Rsyslog is able to send and receive messages using UDP and TCP, on customized ports.
The rsyslog bff package is available from IBM: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp&lang=en_US
After installing rsyslogd, a new command is available that helps to convert from the standard syslogd configuration:
syslog_ssw
First convert /etc/syslog.conf to /etc/rsyslog.conf
[root@prnim01]/etc> syslog_ssw -c /etc/syslog.conf /etc/rsyslog.conf
[root@prnim01]/etc> cat /etc/rsyslog.conf
################################################################
# Rsyslog is free software
# Load the unix socket for local communication
$ModLoad imuxsock
# Load the UDP module for remote communication and Run the UDP server on the default port 514
$ModLoad imudp
$UDPServerRun 514
# Load the TCP module for remote communication and Run the TCP server on the default port 514
$ModLoad imtcp
$InputTCPServerRun 514
################################################################
aso.notice /var/log/aso/aso.log
aso.info /var/log/aso/aso_process.log
aso.debug /var/log/aso/aso_debug.log
*.emerg /var/log/syslog/emerg.log
*.alert /var/log/syslog/alert.log
*.crit /var/log/syslog/crit.log
*.err /var/log/syslog/error.log
*.warning /var/log/syslog/warning.log
*.notice /var/log/syslog/notice.log
*.info /var/log/syslog/info.log
*.debug /var/log/syslog/debug.log
caa.debug /var/adm/ras/syslog.caa
auth.debug /var/log/syslog/auth.log
Then, to replace syslog with rsyslog, you can use the command syslog_ssw with the -r option.
[root@prnim01]/var/log/syslog# syslog_ssw -r
0513-077 Subsystem has been changed.
Start daemon: syslogd
0513-059 The syslogd Subsystem has been started. Subsystem PID is 37027944.
Now test it; you can see that the date format has changed:
[root@prnim01]/var/log/syslog# logger -p notice "this is a RSYSLOG test"
[root@prnim01]/var/log/syslog# tail -20 notice.log
Sep 29 11:13:46 prnim01 daemon:notice bootpd[8061212]: hardware address not found: 5CF3FC9F7580
Sep 29 11:13:54 prnim01 syslog:err|error syslogd: Good Bye
2017-09-29T11:14:06.067495+02:00 prnim01 bootpd[8061212]: hardware address not found: 5CF3FC9F7580
2017-09-29T11:14:22.070448+02:00 prnim01 bootpd[8061212]: hardware address not found: 5CF3FC9F7580
2017-09-29T11:14:29.506642+02:00 prnim01 root: this is a RSYSLOG test
2017-09-29T11:14:38.073427+02:00 prnim01 bootpd[8061212]: hardware address not found: 5CF3FC9F7580
Now rsyslog can be started and stopped using the standard AIX service commands:
startsrc -s rsyslogd
stopsrc -s rsyslogd
Example:
[root@prnim01]/var/log/syslog# startsrc -s syslogd
0513-059 The syslogd Subsystem has been started. Subsystem PID is 18809342.
[root@prnim01]/var/log/syslog# ps -ef | grep sysl
    root 18809342  3801372   0 11:22:00      -  0:00 /usr/sbin/rsyslogd
To switch back to standard AIX syslog:
syslog_ssw -r
Notice
rsyslog has no log-rotation mechanism of its own; you have to provide one yourself, for example logrotate.
To revert to the old date format, add this option to /etc/rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
Messages are then written in the traditional format again:
Sep 29 15:04:55 prnim01 root: this is a RSYSLOG test
Custom time format:
$template CustomFormat,"%timestamp:::date-year%-%timestamp:::date-month%-%timestamp:::date-day% %timestamp:::date-hour%:%timestamp:::date-minute%:%timestamp:::date-second% %HOSTNAME% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate CustomFormat
This produces lines such as:
2013-11-30 13:39:59 localhost sshd[17331]: Accepted publickey for kaz from 192.1...
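The three formats above (the traditional one without year or zone, rsyslog's default RFC 3339 one with microseconds and UTC offset, and the CustomFormat one with a year but no zone) sort differently once a log directory contains a mix of them, as the notice.log tail during the switch-over shows. The following parser is an added example written for this page, not code from rsyslog or from the page's author: it recognises all three formats, normalises every timestamp to UTC, records which fields it had to assume, and orders mixed lines by real time. The sample lines are constructed after the output above; the +02:00 offset and the year 2017 that it supplies for the formats lacking them are assumptions passed in as parameters.

```python
"""Parse the three timestamp styles shown on this page and put mixed lines in order."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for timestamps that carry no year or zone (constructed to match the
# +02:00 offset and 2017 dates seen in the sample output above).
ASSUMED_YEAR = 2017
ASSUMED_TZ = timezone(timedelta(hours=2))

# RSYSLOG_TraditionalFileFormat: no year, no zone, whole seconds.
TRADITIONAL = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# rsyslog's default file format: RFC 3339 with six fractional digits and a UTC offset.
RFC3339 = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{6})?(?:Z|[+-]\d\d:\d\d)) (?P<host>\S+) (?P<rest>.*)$")
# The CustomFormat template: year present, but neither zone nor fraction.
CUSTOM = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")


@dataclass
class Record:
    fmt: str          # "traditional", "rfc3339" or "custom"
    utc: datetime     # timezone-aware, normalised to UTC
    host: str
    rest: str
    assumed: tuple    # fields the parser had to supply: subset of ("year", "tz")


def parse_line(line, assumed_year=ASSUMED_YEAR, assumed_tz=ASSUMED_TZ):
    """Return a Record for a line in one of the three formats, or None otherwise."""
    m = RFC3339.match(line)
    if m:
        # fromisoformat accepts the offset form; a trailing 'Z' only on Python 3.11+
        local = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return Record("rfc3339", local.astimezone(timezone.utc), m["host"], m["rest"], ())
    m = CUSTOM.match(line)
    if m:
        local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=assumed_tz)
        return Record("custom", local.astimezone(timezone.utc), m["host"], m["rest"], ("tz",))
    m = TRADITIONAL.match(line)
    if m:
        local = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # strptime defaults the year to 1900
        local = local.replace(year=assumed_year, tzinfo=assumed_tz)
        return Record("traditional", local.astimezone(timezone.utc), m["host"], m["rest"], ("year", "tz"))
    return None


def order_events(lines, assumed_year=ASSUMED_YEAR, assumed_tz=ASSUMED_TZ):
    """Parse every recognisable line and return the records sorted by UTC time."""
    records = (parse_line(l, assumed_year, assumed_tz) for l in lines)
    return sorted((r for r in records if r), key=lambda r: r.utc)


# Constructed sample modelled on the tail output above, deliberately out of order;
# the last line is what the CustomFormat template would write.
SAMPLE = [
    "2017-09-29T11:14:29.506642+02:00 prnim01 root: this is a RSYSLOG test",
    "Sep 29 11:13:54 prnim01 syslog:err|error syslogd: Good Bye",
    "2017-09-29T11:14:06.067495+02:00 prnim01 bootpd[8061212]: hardware address not found: 5CF3FC9F7580",
    "Sep 29 11:13:46 prnim01 daemon:notice bootpd[8061212]: hardware address not found: 5CF3FC9F7580",
    "2017-09-29 11:14:15 prnim01 root: line written with CustomFormat",
]

if __name__ == "__main__":
    for r in order_events(SAMPLE):
        note = " (assumed: " + ", ".join(r.assumed) + ")" if r.assumed else ""
        print(r.utc.isoformat(), r.fmt.ljust(11), r.host, r.rest + note)
```

The `assumed` field is the point of the exercise: only the RFC 3339 lines can be placed on a timeline without outside knowledge, so if logs from several hosts or time zones are correlated later, the default format is the safer choice and the traditional or custom templates should be reserved for tooling that insists on them.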
Send info messages to central server using TCP port 222:
info.* @@syslogserver:222
Send info messages to central server using UDP port 222:
info.* @syslogserver:222
The central server is the host that will receive all the syslog messages. You can add further parameters, as described in the rsyslog wiki, but the following options are a good starting point (you have to create /var/rsyslog before launching rsyslog):
$WorkDirectory /var/rsyslog             # where to place spool files
$ActionQueueFileName fwdRule1           # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1G             # 1Gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on           # save messages to disk on shutdown
$ActionQueueType LinkedList             # run asynchronously
$ActionResumeRetryCount -1              # infinite retries if host is down
*.* @@ip_central_server:port
Advanced config using Rulesets
################
# Modules
################
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock
################
# Templates
################
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# log every host in its own directory
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
################
### Rulesets
################
################
# Local Logging
$RuleSet local
aso.notice /var/log/aso/aso.log
aso.info /var/log/aso/aso_process.log
aso.debug /var/log/aso/aso_debug.log
*.emerg /var/log/syslog/emerg.log
*.alert /var/log/syslog/alert.log
*.crit /var/log/syslog/crit.log
*.err /var/log/syslog/error.log
*.warning /var/log/syslog/warning.log
*.notice /var/log/syslog/notice.log
*.info /var/log/syslog/info.log
*.debug /var/log/syslog/debug.log
caa.debug /var/adm/ras/syslog.caa
auth.debug /var/log/syslog/auth.log
# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local
################
# Remote Logging
$RuleSet remote
*.* ?RemoteHost
# Send messages we receive to another syslog server using TCP port 514
*.* @@W.X.Y.Z:514
################
### Listeners
################
# bind ruleset to tcp listener, must be at the end
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
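Two things in the forwarding and ruleset configurations above are easy to get wrong in the legacy syntax: the `$ActionQueue*` directives apply only to the next action line, so a spool file that is declared after the `@@` line protects nothing, and a listener that is started before its `$Input*BindRuleset` directive falls through to the default ruleset, mixing remote messages with local ones. The following linter is an added example written for this page, not part of rsyslog or of this wiki: it parses the subset of legacy directives used above, then reports UDP forwarding, forwarding actions without a disk-assisted queue, spool files without a `$WorkDirectory`, and listeners that are unbound or bound to an undefined ruleset. The two configurations it checks are constructed for the example: a minimal weak one, and one assembled from the snippets above.

```python
"""Lint the legacy-syntax forwarding and ruleset patterns shown on this page."""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_RULESET = "RSYSLOG_DefaultRuleset"   # rsyslog's built-in default ruleset


@dataclass
class Action:
    ruleset: str
    selector: str
    target: str
    queue: dict                    # $ActionQueue*/$ActionResumeRetryCount directives that preceded it


@dataclass
class Listener:
    kind: str                      # "tcp" or "udp"
    port: str
    bound: Optional[str] = None    # ruleset from a preceding $Input*BindRuleset, if any


@dataclass
class Config:
    actions: list = field(default_factory=list)
    listeners: list = field(default_factory=list)
    rulesets: set = field(default_factory=lambda: {DEFAULT_RULESET})
    settings: dict = field(default_factory=dict)   # any other "$Name value" directive


def parse_legacy_conf(text):
    """Understands only the directives used on this page; other $directives land in settings."""
    cfg, current, pending, bound = Config(), DEFAULT_RULESET, {}, {"tcp": None, "udp": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # trailing comments, as in the config above
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            value = value.strip()
            if name == "RuleSet":
                current = value
                cfg.rulesets.add(value)
            elif name.startswith("ActionQueue") or name == "ActionResumeRetryCount":
                pending[name] = value                # legacy queue settings apply to the next action only
            elif name == "InputTCPServerBindRuleset":
                bound["tcp"] = value
            elif name == "InputUDPServerBindRuleset":
                bound["udp"] = value
            elif name == "InputTCPServerRun":
                cfg.listeners.append(Listener("tcp", value, bound["tcp"]))
            elif name == "UDPServerRun":
                cfg.listeners.append(Listener("udp", value, bound["udp"]))
            else:
                cfg.settings[name] = value
            continue
        parts = line.split(None, 1)                  # "selector  action"
        if len(parts) == 2:
            cfg.actions.append(Action(current, parts[0], parts[1], pending))
            pending = {}
    return cfg


def lint(cfg):
    """Return (code, message) findings for the forwarding and listener setup."""
    findings = []
    for a in cfg.actions:
        if not a.target.startswith("@"):
            continue                                 # only @host (UDP) and @@host (TCP) forwarding
        where = f"{a.ruleset}: '{a.selector} {a.target}'"
        if not a.target.startswith("@@"):
            findings.append(("UDP_FORWARD", where + " forwards over UDP, so lost messages are never noticed"))
        if "ActionQueueFileName" not in a.queue:
            findings.append(("NO_DISK_QUEUE", where + " has no $ActionQueueFileName before it, so nothing is spooled while the receiver is down"))
        else:
            if "WorkDirectory" not in cfg.settings:
                findings.append(("NO_WORKDIR", where + " spools to disk but $WorkDirectory is not set"))
            if a.queue.get("ActionQueueSaveOnShutdown", "off").lower() != "on":
                findings.append(("QUEUE_LOST_ON_SHUTDOWN", where + " does not save its queue on shutdown"))
    default = cfg.settings.get("DefaultRuleset", DEFAULT_RULESET)
    for lst in cfg.listeners:
        rs = lst.bound or default
        if rs not in cfg.rulesets:
            findings.append(("UNDEFINED_RULESET", f"{lst.kind} listener on {lst.port} is bound to undefined ruleset '{rs}'"))
        elif lst.bound is None:
            findings.append(("LISTENER_ON_DEFAULT", f"{lst.kind} listener on {lst.port} is unbound; remote messages follow '{rs}' with local ones"))
    return findings


# Constructed configs: a minimal weak one, and one assembled from the snippets above.
WEAK_CONF = """
$ModLoad imudp
$UDPServerRun 514
*.* @ip_central_server:514
"""

HARDENED_CONF = """
$ModLoad imtcp
$WorkDirectory /var/rsyslog
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
$RuleSet local
*.info /var/log/syslog/info.log
$DefaultRuleset local
$RuleSet remote
*.* ?RemoteHost
$ActionQueueFileName fwdRule1          # unique name prefix for spool files
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@ip_central_server:514
$InputTCPServerBindRuleset remote      # must precede the Run directive
$InputTCPServerRun 514
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(parse_legacy_conf(conf)) or "no findings")
```

Run it against a real /etc/rsyslog.conf by passing the file contents to `parse_legacy_conf`; directives the linter does not model are kept in `settings` rather than rejected, so it degrades quietly on configs that use more of the legacy syntax than this page does.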
Debugging rsyslog is quite simple:
Stop the daemon via the stopsrc command, then export the two RSYSLOG variables:
export RSYSLOG_DEBUG="DebugOnDemand NoStdOut"
export RSYSLOG_DEBUGLOG=/tmp/rsyslog_debug.out
Then launch rsyslogd on the command line as follows:
# rsyslogd -n -c5
Then send the USR1 signal to the running process via the kill command:
# kill -USR1 syslogpid
All the debug output is then written to the indicated file:
root/datestaix7 / # cat /tmp/rsyslog_debug.out
7600.312486000:1:
7600.312524000:1:
7600.312537000:1: ********************************************************************************
7600.312550000:1: Switching debugging_on to true at 14:46:40
7600.312561000:1: ********************************************************************************
7635.540547000:203: Message from UNIX socket: #4
7635.540627000:203: MsgSetTAG in: len 3, pszBuf: ege
7635.540661000:203: MsgSetTAG exit: pMsg->iLenTAG 3, pMsg->TAG.szBuf: ege
7635.540709000:203: main Q: entry added, size now log 2, phys 3 entries
7635.540759000:203: main Q: EnqueueMsg advised worker start
7635.540821000:203: --------imuxsock calling select, active file descriptors (max 4): 4
7647.435687000:102: file netstrms.c released module 'lmnsd_ptcp', reference count now 1
7647.435722000:102: Action 20059608 transitioned to state: rtry
If you switch from auth_type = STD_AUTH to auth_type = PAM_AUTH in /etc/security/login.cfg, you can enable PAM debugging by creating an empty file, /etc/pam_debug.
All login information is then collected in syslog: