linux - How to debug rsyslog on centos7

Question

I have a forward mechanism of rsyslogs to an external service.

Under /etc/rsyslog.d I have created a .conf file.

This is the file:

$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /var/log/secure
$InputFileTag securelogs:
$InputFileStateFile securelogs
$InputFileFacility local0
$InputRunFileMonitor
:syslogtag, isequal, "securelogs:" {
  :msg, contains, "sshd" {
    local0.* /var/log/forward_securelogs_audit.log
    local0.* @@<server-ip>:514
  }
  stop
}

I have the same configurations on multiple servers, but for 2 of them, it is not working.

How can I debug?

I tried following the instructions here - https://www.rsyslog.com/how-to-use-debug-on-demand/

But there is no file - /etc/rc.d/init.d/rsyslog

Also there is no file - /var/run/rsyslogd.pid

When fetching the version rsyslogd -v I get the following

0726.220297821:7f4d57c22780: Note: debug on demand turned on via configuraton file, use USR1 signal to activate.
rsyslogd 8.24.0-57.el7_9, compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64

But again, I cannot see anything in the debug file, nor on the terminal.

Any help will be much appreciated.

question from:https://stackoverflow.com/questions/65879277/how-to-debug-rsyslog-on-centos7

Answer 1

The document you link to is very old, and RedHat and CentOS now use systemd to start the daemon so those files no longer exist. If you do

systemctl status rsyslog 

you should see lines including something like

   Active: active (running) since ...
 Main PID: 738 (rsyslogd)

You can send the USR1 signal to this numbered process to toggle debug. In this case it would be:

sudo kill -USR1 738

By default, I think the debug output should be on stdout, which on my Fedora systemd is directed to /dev/null for rsyslogd, so this may not help. I don't have CentOS but it may be similar. You can look at the systemd unit with:

systemctl cat rsyslog

In my case this includes the lines:

EnvironmentFile=-/etc/sysconfig/rsyslog
StandardOutput=null

If this is your case, you can add options to file /etc/sysconfig/rsyslog such as:

RSYSLOG_DEBUGLOG=/tmp/rsyslogdebug

and then restart rsyslogd and try to signal it again to toggle debug.