I have experienced something a bit weird for me. I have filebeat monitoring my rsyslog (syslog.log) file and sending it to my logstash.
I have noticed that after restarting filebeat where syslog is running, syslog creates a new file, user.log, under /var/log/user.log, where my logging is going to. However, filebeat expects that syslog.log is the one updated; since that file is not updated, nothing is shipped by filebeat towards my logstash...
So my question is: why does the rsyslog daemon create this other file user.log? Should I configure filebeat to read user.log too, even though that might duplicate my logs towards logstash?
What's in your rsyslog config? That is what controls what goes to user.log. The user.log file probably contains messages from the user log facility (2).
Do you have Filebeat configured to write its logs to syslog? What Filebeat version are you running? You can configure Filebeat to write to its own log file and not syslog (this is the default behavior in Filebeat 5.x).
My rsyslog config looks like this; as you can see, it's quite a standard config:
root@ar:/etc/rsyslog.d# cat 50-default.conf
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
As you can see, it is the standard file without anything modified.
[quote="andrewkroh, post:2, topic:66134"]
Do you have Filebeat configured to write its logs to syslog?
[/quote]No, as far as I can see. Filebeat should read syslog.log and forward it to my logstash as per my config.
It looks like rsyslog is configured to write data to that file. So what's actually in the log file? Is it anything related to Filebeat or the process being restarted?
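To see concretely how the rsyslog config decides what lands in user.log, here is an added example (not from this thread, nor code from rsyslog or Filebeat) that evaluates legacy `facility.priority action` rules the way sysklogd/rsyslog do and lists every action a message of a given facility and priority reaches. The CONFIG string is a constructed excerpt of the active lines from the 50-default.conf posted above.

```python
import re
# Severities, most to least severe: a bare "lvl" spec means lvl and all more severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

def _apply(spec, current):
    """One priority spec: '*'/'none' reset, 'lvl' adds lvl+more severe, '=lvl' adds
    exactly lvl, and a leading '!' removes instead of adding (sysklogd semantics)."""
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec in ("*", "none"):
        return set(LEVELS) if (spec == "*") != neg else set()
    name = ALIASES.get(spec.lstrip("="), spec.lstrip("="))
    idx = LEVELS.index(name)                       # ValueError on unknown priority
    lvls = {name} if spec.startswith("=") else set(LEVELS[:idx + 1])
    return current - lvls if neg else current | lvls

def parse_rules(text):
    """Legacy 'selector[;selector] action' lines -> [(facility->levels, action)]."""
    rules = []
    for line in re.sub(r"\\\n\s*", "", text).splitlines():   # join '\' continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        table = {}                                 # facility -> allowed levels
        for sel in selectors.split(";"):           # later selectors refine earlier ones
            facs, _, pri = sel.rpartition(".")
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                table[fac] = _apply(pri, table.get(fac, set()))
        rules.append((table, action))
    return rules
def destinations(rules, facility, level):
    """Every action (file, pipe, omusrmsg) that a facility.level message reaches."""
    level = ALIASES.get(level, level)
    return [action for table, action in rules if level in table.get(facility, set())]

CONFIG = """\
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
user.*                   -/var/log/user.log
*.emerg                  :omusrmsg:*
daemon.*;mail.*;\\
    news.err;\\
    *.=debug;*.=info;\\
    *.=notice;*.=warn    |/dev/xconsole
"""
print(destinations(parse_rules(CONFIG), "user", "info"))   # constructed check input
```

With these rules a user.info message matches both `*.*;auth,authpriv.none` and `user.*`, so user.log is a per-facility copy of lines that also go to /var/log/syslog; pointing Filebeat at both files would ship those lines twice.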