Bug 1762035

Summary: rsyslog-8.24.0-41.el7.x86 imfile broken with logrotate and tomcat rotated logs
Product: Red Hat Enterprise Linux 7 Reporter: jcalhoun
Component: rsyslogAssignee: Jiří Vymazal <jvymazal>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.7CC: cww, dapospis, jvymazal, rmeggins, rmetrich
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-01 10:39:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description jcalhoun 2019-10-15 22:24:20 UTC 
=======================
Description of problem:
=======================
We have a customer having problems with rsyslog version 38. As per red hat ERRATA note RHSA-2019:2110, it states that the issue has been fixed already (bug id 1649491 to bug id 1649250) via - rsyslog-8.24.0-38.el7.x86_64. But, It apparently isn’t fixed with version 38 either according to our internal customer.

Customer upgraded to rsyslog-8.24.0-41.el7.x86 and the issue persists.

=============================================================
Version-Release number of selected component (if applicable):
=============================================================
rsyslog-8.24.0-38.el7.x86_64
rsyslog-8.24.0-41.el7.x86

================
How reproducible
================
Always, intermittent as per the behavior of the original bug

==================
Steps to Reproduce
==================
1. use rsyslog imfile to monitor system logs 
2. let logrotate rotate logfile
3. rsyslog stops forwarding logs after 

===============
Actual results:
===============
# stat eve-json-lite.log
  File: ‘eve-json-lite.log’
  Size: 50097895        Blocks: 113152     IO Block: 4096   regular file
Device: fd04h/64772d    Inode: 268436015   Links: 1
Access: (0644/-rw-r--r--)  Uid: (  995/suricata)   Gid: (  100/   users)
Context: system_u:object_r:unlabeled_t:s0
Access: 2019-09-30 14:06:25.910678296 +0000
Modify: 2019-09-30 14:06:34.266695934 +0000
Change: 2019-09-30 14:06:34.266695934 +0000
Birth: -
 
[root@localhost rsyslog]# cat imfile-state:268436013 | jq
{
  "filename": "/data/suricata/log/eve-json-lite.log",
  "prev_was_nl": 0,
  "curr_offs": 100679293,
  "strt_offs": 100679293
}
 
[root@localhost rsyslog]# ls -lh
total 44K
-rw-------. 1 root root 124 Sep 30 03:14 imfile-state:268436013  <- Today’s statefile, wrong inode
-rw-------. 1 root root 124 Sep 29 03:39 imfile-state:268436015  <- Yesterdays file, todays inode
-rw-------. 1 root root 114 Sep 13 03:20 imfile-state:268436016
-rw-------. 1 root root 108 Sep 16 03:16 imfile-state:268436017
-rw-------. 1 root root 114 Sep 30 03:14 imfile-state:268436019
-rw-------. 1 root root 122 Sep 25 03:10 imfile-state:268436022
-rw-------. 1 root root 114 Sep 29 03:39 imfile-state:268436023
-rw-------. 1 root root 114 Sep 25 03:10 imfile-state:268436026
-rw-------. 1 root root 127 Sep 30 14:05 imjournal.state
-rw-------. 1 root root 239 Sep 12 13:56 rsyslogsuricata
-rw-------. 1 root root 231 Sep 12 13:56 rsyslogsuricatastats

=================
Expected results:
=================

Logfiles rotate properly and rsyslog continues writing logs to the fresh inode

================
Additional info:
================
Comment 6 Renaud Métrich 2019-11-01 10:39:37 UTC 

*** This bug has been marked as a duplicate of bug 1763746 ***