Description of problem:
RHEL5 introduced rsyslog as an optional replacement for syslog (it's default in RHEL6 onwards). The 5.7 update of sos adds the ability to parse syslog.conf/rsyslog.conf and collect non-standard log files defined in the two files (see bug 596970).
The current approach will fail if rsyslog is installed but not configured resulting in non-standard logfiles defined in syslog.conf being omitted from the report tarball.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install rsyslog but do not configure
2. configure additional syslog.conf log, e.g.:
echo -e '*.info;mail.none;authpriv.none;cron.none\t\t/var/log/mymessages' >> /etc/syslog.conf
3. run sosreport and inspect generated tarball
Additional log files not captured
Tarball includes log files defined in syslog.conf
Not strictly relevant in RHEL6 since rsyslog is the default however it would still be good to get this straightened out properly in upstream sos.
We should simplify to:
if /etc/syslog.conf present, parse it
if /etc/rsyslog.conf present, parse it
Ie, discard check for installed syslog versions and just grab log files defined in both - if config files are present.
One more defect to be fixed:
Since in 5.7 we have fix to tail oversized syslog logs according to specified limit, we should apply it to all syslog logs when all_logs is on. Now, additional log files defined in syslog/rsyslog configs are gathered without applying size limit.
In case of oversized messages and secure logs, it results in one full and one tailed instance of log in report. In case of other log files, these are in report once, but not tailed.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause: In prior release sos attempted to use a heuristic to determine whether the system is configured to use traditional syslogd or rsyslogd for logging.
Consequence: This heuristic would mis-identify systems having rsyslog installed (but not configured) as actually using the daemon and failed to collect custom-defined log destinations specified in syslog.conf on such hosts.
Fix: The general module no longer attempts to determine which log daemon is in use and will collect any user-defined log destinations present in either file
Result: Collection of user-defined log destinations is now more robust on systems using either syslogd or rsyslog.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.