Thursday, 7 March 2013

rsyslogd on aix

installing:

I installed rsyslogd, based on http://www.rsyslog.com/, on several AIX servers (both AIX 6.1 and 7.1). I wanted to install IBM's own compiled package, for several reasons:

  1. obvious security matters (rsyslogd is a security-related product that will give us stronger means of keeping track of what happens on the servers, so for that reason we cannot install unstamped products)
  2. it's an installp product, and it is integrated with the srcmstr daemon.
  3. we will have someone to yell at if it doesn't work! (or maybe not!)

rsyslog is now on the Expansion Pack of the two main AIX versions I work on. The minimum server levels are:

6.1.8.0 : AIX 6.1, TL8, SP0
7.1.2.0 : AIX 7.1, TL2, SP0

After installing rsyslogd, we have a new command, which is helpful to convert from the normal syslogd configuration:

syslog_ssw

syslog_ssw -c /etc/syslog.conf /etc/rsyslog.conf converts the normal syslog.conf into an rsyslog.conf.

It will need some tuning to fit your own organisation:
*.* @@ip_central_server:port
This will be the server that receives all the syslog messages (@@ forwards over TCP; a single @ would send over UDP). You can add some parameters according to the rsyslog wiki, but a good starting point is the following set of options (you have to create /var/rsyslog before launching rsyslog):

$WorkDirectory /var/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1G # 1Gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down

*.* @@ip_central_server:port
Then, to replace syslog with rsyslog, use the syslog_ssw command with the -r option:

root@darkstar:/var/lib/rsyslog# syslog_ssw -r
0513-077 Subsystem has been changed.
Start daemon: syslogd
0513-059 The syslogd Subsystem has been started. Subsystem PID is 37027944.

As you keep the /etc/syslog.conf, you can switch easily between rsyslog and syslog back and forth, via the syslog_ssw -r and -s options.

It is started and stopped via the startsrc -s syslogd and stopsrc -s syslogd commands.
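A check worth running on the converted file before switching over with syslog_ssw -r, as an added example that is not part of the original post: it verifies that the $WorkDirectory exists, that a queue file name is set so the queue can spool to disk, and that forwarding rules use @@ (TCP) rather than @ (UDP). Written for POSIX sh; the two sample configs and the 192.0.2.10 collector address are constructed for the example.

```sh
# Added example, not from the original post: sanity-check an rsyslog.conf
# produced by "syslog_ssw -c" before switching over with "syslog_ssw -r".
# Assumes the legacy "$Directive value" syntax used in the post.

# Value of the first "$Directive" line, with any trailing "# comment" removed.
conf_value() {           # $1 = directive name (no '$'), $2 = config file
    awk -v d="\$$1" '$1 == d { sub(/#.*/, ""); print $2; exit }' "$2"
}
# Number of forwarding rules: "@@host" forwards over TCP, "@host" over UDP.
count_fwd() {            # $1 = config file, $2 = tcp | udp
    if [ "$2" = tcp ]; then pat='^[^#].*[[:space:]]@@'
    else pat='^[^#].*[[:space:]]@[^@]'; fi
    grep -c "$pat" "$1" || true   # grep exits 1 on zero matches; keep the "0"
}
# Return 0 when the file is ready for reliable forwarding, 1 otherwise.
check_rsyslog_fwd() {    # $1 = config file
    rc=0
    wd=$(conf_value WorkDirectory "$1")
    if [ -z "$wd" ]; then
        echo "WARN: no \$WorkDirectory, spool files have nowhere to go"; rc=1
    elif [ ! -d "$wd" ]; then
        echo "FAIL: \$WorkDirectory $wd missing (create it before starting rsyslogd)"; rc=1
    fi
    [ -n "$(conf_value ActionQueueFileName "$1")" ] ||
        { echo "WARN: no \$ActionQueueFileName, queue is memory-only"; rc=1; }
    udp=$(count_fwd "$1" udp); tcp=$(count_fwd "$1" tcp)
    [ "$udp" -eq 0 ] || { echo "WARN: $udp UDP rule(s) (@host); use @@host for TCP"; rc=1; }
    [ "$tcp" -gt 0 ] || { echo "FAIL: no TCP forwarding rule (@@host:port) found"; rc=1; }
    return $rc
}

# Constructed sample configs in directory $1 (also used as the spool directory);
# 192.0.2.10 is a documentation address, not a real collector.
write_samples() {
    cat > "$1/good.conf" <<EOF
\$WorkDirectory $1 # where to place spool files
\$ActionQueueFileName fwdRule1 # unique name prefix for spool files
\$ActionQueueType LinkedList   # run asynchronously
*.* @@192.0.2.10:514
EOF
    cat > "$1/bad.conf" <<EOF
\$WorkDirectory $1/does-not-exist
*.* @192.0.2.10
EOF
}
TMPD=$(mktemp -d); write_samples "$TMPD"
for f in good bad; do
    check_rsyslog_fwd "$TMPD/$f.conf" && echo "$f.conf: OK" || echo "$f.conf: NOT READY"
done
rm -rf "$TMPD"
```

On a real server, run check_rsyslog_fwd /etc/rsyslog.conf instead of the constructed samples.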

debugging:

Debugging rsyslog is quite simple:

stop the daemon via the stopsrc command.
export the two RSYSLOG environment variables:

export RSYSLOG_DEBUG="DebugOnDemand NoStdOut"
export RSYSLOG_DEBUGLOG=/tmp/gileb.out

then launch rsyslogd on the command line as follows:

rsyslogd -n -c5

then send the USR1 signal to the running process via the kill command:

kill -USR1 rsyslogd_pid

you will then have all the debug info in the indicated file:

root/datestaix7 / #cat /tmp/gileb.out
7600.312486000:1:
7600.312524000:1:
7600.312537000:1: ********************************************************************************
7600.312550000:1: Switching debugging_on to true at 14:46:40
7600.312561000:1: ********************************************************************************
7635.540547000:203: Message from UNIX socket: #4
7635.540627000:203: MsgSetTAG in: len 3, pszBuf: ege
7635.540661000:203: MsgSetTAG exit: pMsg->iLenTAG 3, pMsg->TAG.szBuf: ege
7635.540709000:203: main Q: entry added, size now log 2, phys 3 entries
7635.540759000:203: main Q: EnqueueMsg advised worker start
7635.540821000:203: --------imuxsock calling select, active file descriptors (max 4): 4
7647.435687000:102: file netstrms.c released module 'lmnsd_ptcp', reference count now 1
7647.435722000:102: Action 20059608 transitioned to state: rtry

To stop it, press Ctrl-C or kill the process.