Description of problem: RHEL5 introduced rsyslog as an optional replacement for syslog (it's default in RHEL6 onwards). The 5.7 update of sos adds the ability to parse syslog.conf/rsyslog.conf and collect non-standard log files defined in the two files (see bug 596970). The current approach will fail if rsyslog is installed but not configured resulting in non-standard logfiles defined in syslog.conf being omitted from the report tarball. Version-Release number of selected component (if applicable): sos-1.7-9.54.el5 How reproducible: 100% Steps to Reproduce: 1. install rsyslog but do not configure 2. configure additional syslog.conf log, e.g.: echo -e '*.info;mail.none;authpriv.none;cron.none\t\t/var/log/mymessages' >> /etc/syslog.conf /etc/init.d/syslog restart 3. run sosreport and inspect generated tarball Actual results: Additional log files not captured Expected results: Tarball includes log files defined in syslog.conf Additional info: Not strictly relevant in RHEL6 since rsyslog is the default however it would still be good to get this straightened out properly in upstream sos.
We should simplify to: if /etc/syslog.conf present, parse it if /etc/rsyslog.conf present, parse it Ie, discard check for installed syslog versions and just grab log files defined in both - if config files are present.
One more defect to be fixed: Since in 5.7 we have fix to tail oversized syslog logs according to specified limit, we should apply it to all syslog logs when all_logs is on. Now, additional log files defined in syslog/rsyslog configs are gathered without applying size limit. In case of oversized messages and secure logs, it results in one full and one tailed instance of log in report. In case of other log files, these are in report once, but not tailed.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: In prior release sos attempted to use a heuristic to determine whether the system is configured to use traditional syslogd or rsyslogd for logging. Consequence: This heuristic would mis-identify systems having rsyslog installed (but not configured) as actually using the daemon and failed to collect custom-defined log destinations specified in syslog.conf on such hosts. Fix: The general module no longer attempts to determine which log daemon is in use and will collect any user-defined log destinations present in either file Result: Collection of user-defined log destinations is now more robust on systems using either syslogd or rsyslog.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0153.html