Why does syslog create a user.log when filebeat is restarted?


#1

Hello,

I have experienced something a bit weird for me. I have filebeat monitoring my rsyslog (syslog.log) file and sending it to my logstash.

I have noticed that after restarting filebeat where syslog is running, syslogs creates a new file user.log under /var/log/user.log where my logging is going to. However, filebeat expects that syslog.log is the one updated, since that file is not updated nothing is shipped by filebeat towards my logstash...

So my question is that, why does rsyslog daemon create this other file user.log? Should I configure filebeat to read user.log too even that might duplicate my logs towards logstash?

Any hint is appreciated!

Thanks in advance!

regards


(Andrew Kroh) #2

What's in your rsyslog config? That is what controls what goes to user.log. The user.log file probably contains messages from the user log facility (2).

Do you have Filebeat configured to write its logs to syslog? What Filebeat version are you running? You can configure Filebeat to write to it's own log file and not syslog (this is the default behavior in Filebeat 5.x).


#4

Hi @andrewkroh, Thanks for replying,

My rsyslog config looks like this, as you can see it's quite standard config

root@ar:/etc/rsyslog.d# cat 50-default.conf 
#  Default rules for rsyslog.
#
#            For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
#cron.*                /var/log/cron.log
#daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
#lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
user.*                -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info            -/var/log/mail.info
#mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Logging for INN news system.
#
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#    auth,authpriv.none;\
#    news.none;mail.none    -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#    auth,authpriv.none;\
#    cron,daemon.none;\
#    mail,news.none        -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn    |/dev/xconsole As you can see is the standard file without anything modified.

[quote="andrewkroh, post:2, topic:66134"]
Do you have Filebeat configured to write its logs to syslog?
[/quote]No as far as I can see, filebeats should read syslog.log and forward it to my logstash as per my config

root@ar:/etc/rsyslog.d# cat /etc/filebeat/filebeat.yml 
    filebeat:
      prospectors:
        -
          paths:
    #        - /var/log/auth.log
            - /var/log/syslog
          input_type: log
          ignore_older: 24h
          scan_frequency: 10s      
          document_type: TTN
          include_lines: ['TTN-.*$']

      registry_file: /var/lib/filebeat/registry

    output:
      logstash:
        hosts: ["LOGSTHASH_IP:5044"]
        bulk_max_size: 2048

        tls:
          certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

    shipper:

    logging:
      level: error
      to_files: true
      to_syslog: false
      files:
        path: /var/log/mybeat
        name: mybeat.log
        keepfiles: 7
        rotateeverybytes: 10485760 # = 10MB

My filebeat version is

root@ar:/etc/rsyslog.d# filebeat --version
filebeat version 1.3.1 (amd64)

EDIT: somenthing went wrong with previous post, a duplicate post...


(Andrew Kroh) #5

It looks like rsyslog is configured to write data to that file. So what's actually in the log file? Is it anything related to Filebeat or the process being restarted?


#6

I see, in that file there is the data tha filebeat should ship logstash, it is the same content as rsyslog.log


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.