Bug 1649491

Summary: After a log rotation, rsyslog fails to reliably detect change in inode
Product: Red Hat Enterprise Linux 7 Reporter: Doug Wussler <doug.wussler>
Component: rsyslogAssignee: Jiří Vymazal <jvymazal>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.6CC: dapospis, jvymazal, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-14 08:00:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Doug Wussler 2018-11-13 17:43:49 UTC 
Description of problem:  After applying the recent update to RHEL 7.6, rsyslog was upgraded from 8.24.0-16.el7_5.4 to 8.24.0-34.el7.  This updated version fails to reliably detect a change in an inode when a log file is rotated.  This is the error I find in /var/log/messages:

rsyslogd: imfile: internal error? inotify provided watch descriptor 4 which we could not find in our tables

The repercussion is that rsyslog is then not able to take input from "imfile" source that was rotated.

This appears to be fixed by the RSYSLOG team. See https://github.com/rsyslog/rsyslog/pull/3051/commits/f85ef7aabcec84497a5eaf9670616b3402c79d9c

It is possible that the defective code existed in the previous version of rsyslog but was never instantiated, or perhaps some other part of the 7.6 update exposed this defect in rsyslog.  But in any case, after moving from 7.5 to 7.6 my log transfers managed by rsyslog no longer work because of this problem.  Kind of a big deal.  Can anything be done in a timely manner or do I need to compile from current source?


Version-Release number of selected component (if applicable):
rsyslog.x86_64                      8.24.0-34.el7

How reproducible:
In /etc/rsyslog.conf, use "imfile" as an input source for publishing log records to a remote server.  Then run a log rotation on those same sources.

e.g.
module(load="imfile"     # This applies to all input text files
       mode="inotify")

template(name="my-template"
         type="string"
         string="<150>%hostname% %rawmsg-after-pri%")

ruleset(name="Forward-to-Splunk"
        queue.type="Direct") {
            action(type="omfwd"
                   template="my-template"
                   target="111.222.333.444"
                   port="514"
                   protocol="udp")
}

input(type="imfile"
      File="/var/log/logdir/myfile.log"
      Tag="xyz"
      Severity="Info"
      Facility="local2"
      Ruleset="Forward-to-Splunk")


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Jiří Vymazal 2018-11-14 08:00:56 UTC 
Doug, thanks for reporting the problem, however we are already tracking this specific issue, please follow it at bug 1649250

Thanks

*** This bug has been marked as a duplicate of bug 1649250 ***