Rsyslog stops reading logs after log rotate

The issue I am facing:
Running Pi-hole, I want the logs in a SIEM system (Graylog), and I found that Rsyslog had a relatively easy config file to set up to read from Pi-hole.

My issue is that once Pi-hole log-rotates around midnight, Rsyslog loses the file and needs a full apt-get remove and apt-get install before it starts reading again. Restarting the service is not enough.

Details about my system:

The Pi-hole is set up pretty bare-bones: it reads some lists from GitHub to update gravity, and that's about it.

Running on Ubuntu 22.04.

My rsyslog config is here:

```
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
```

And my 22-graylog.conf is here:

```
# Forward all logs to graylog:
*.* action(type="omfwd" target="XXXXXXXX" protocol="tcp"
           action.resumeRetryCount="100"
           queue.type="linkedList" queue.size="10000")

# Define extra log sources:
module(load="imfile" PollingInterval="30")

input(type="imfile" File="/var/log/pihole.log"
      Tag="pihole"
      StateFile="/var/spool/rsyslog/piholestate1"
      Severity="notice"
      Facility="local1")

input(type="imfile" File="/var/log/pihole-FTL.log"
      Tag="piFTL"
      StateFile="/var/spool/rsyslog/piFTLstate1"
      Severity="notice"
      Facility="local1")
```

Does anyone have a clue how I can get this working for longer than 24 hours? 🙂

What I have changed since installing Pi-hole:

Not applicable. Other than installing Rsyslog, it's a bare-bones Ubuntu 22.04 server with Pi-hole set up.

I'm not familiar with how you're doing this, but I do not believe that Pi-hole rotates the logs. I believe this would be a logrotate function. Perhaps you need to add a specific config in /etc/logrotate.d?

I also found this old thread. It was never responded to / resolved but might provide some additional insight.

Logs are rotated by logrotate, as CallMeCurious said.
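
As background to the thread above, an added example (not from any poster and not rsyslog's own code): logrotate can rotate a file either by renaming it and creating a new one, or by copying it and truncating the original in place (`copytruncate`), and a log shipper has to detect both or it silently stops feeding the SIEM. The class and function names and the sample log lines are constructed for illustration.

```python
import os, shutil, tempfile

class RotationAwareTail:
    """Follows one log file across both logrotate styles (illustrative)."""

    def __init__(self, path):
        self.path, self.inode, self.offset = path, None, 0

    def poll(self):
        """Return (event, complete_new_lines); event is one of
        'ok', 'truncated', 'replaced', 'missing'."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return "missing", []          # mid-rotation gap: retry on next poll
        event = "ok"
        if self.inode is not None and st.st_ino != self.inode:
            event, self.offset = "replaced", 0    # rename + create: new inode
        elif st.st_size < self.offset:
            event, self.offset = "truncated", 0   # copytruncate: same inode, shrunk
        # Limitation: a truncated file that regrows past the saved offset
        # before the next poll is indistinguishable from a normal append.
        self.inode = st.st_ino
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1       # leave a partially written line for later
        self.offset += end
        return event, data[:end].decode("utf-8", "replace").splitlines()

def demo():
    """Simulate both rotation styles on a constructed log in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "pihole.log")
        with open(log, "w") as f:
            f.write("query[A] a.example\nquery[A] b.example\n")  # constructed lines
        tail = RotationAwareTail(log)
        seen = [tail.poll()]
        shutil.copy(log, log + ".1")      # copytruncate: copy, then truncate in place
        with open(log, "w") as f:
            f.write("query[A] c.example\n")
        seen.append(tail.poll())
        os.rename(log, log + ".1.bak")    # create-style: rename, then new file
        with open(log, "w") as f:
            f.write("query[A] d.example\n")
        seen.append(tail.poll())
        return seen

if __name__ == "__main__":
    for event, lines in demo():
        print(event, lines)
```

A follower that only remembers a byte offset, or only holds the original file descriptor, would miss one of the two cases and report nothing after rotation.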
