Discussion:
[rsyslog] rsyslogd writing to '/cron' file
Brendan Simon (eTRIX)
2018-12-06 00:16:44 UTC
Permalink
I'm running Debian 10 (Buster) on some embedded systems (Xilinx Zynq SoC
with SD card as filesystem).

My root filesystem is formatted to 1GB and normally is about 66% full. 
Something is going wrong where syslog entries are being written to
`/var/log/syslog` and to a mystery file called `/cron`.  logrotate will
rotate files in `/var/log` daily (via cron), but of course logrotate
knows nothing about the mystery `/cron` file and the rootfs ends being
full and the system breaks.

`lsof` shows that `rsyslogd` has the `/cron` file open.  Removing the
`/cron` file sort of works, but the disk usage does not reduce.  I have
to restart the `rsyslogd` service for Linux to release the disk space.

# lsof | grep ' /cron' ; ls -l /cron ; systemctl stop rsyslog ; rm
/cron ; ls -l /cron ; systemctl stop rsyslog.service ; lsof | grep '
/cron' ; ls -l /cron

rsyslogd  2256            root    7w      REG      179,3    
4068       1886 /cron
in:imuxso 2256 2258       root    7w      REG      179,3    
4068       1886 /cron
in:imklog 2256 2259       root    7w      REG      179,3    
4068       1886 /cron
rs:main   2256 2260       root    7w      REG      179,3    
4068       1886 /cron

-rw-r--r-- 1 root root 4068 Dec  5 23:57 /cron

Warning: Stopping rsyslog.service, but it can still be activated by:
  syslog.socket

ls: cannot access '/cron': No such file or directory

Warning: Stopping rsyslog.service, but it can still be activated by:
  syslog.socket

rsyslogd  2275            root    7w      REG      179,3    
1890       1886 /cron
in:imuxso 2275 2280       root    7w      REG      179,3    
1890       1886 /cron
in:imklog 2275 2281       root    7w      REG      179,3    
1890       1886 /cron
rs:main   2275 2282       root    7w      REG      179,3    
1890       1886 /cron

-rw-r--r-- 1 root root 1890 Dec  5 23:57 /cron


Is this a problem with `rsyslogd` ?  Version 8.38.0 is installed.

Why is the mysterious file always called `/cron`?  Is it related to
`logrotate` being called from `cron`?

The `/cron` file contains the same content as `/var/log/syslog`, except
that the timestamp is formatted differently.

# tail /cron ; tail /var/log/syslog

2018-12-06T00:01:26.259166+00:00 efd-0100 efd_app.py[1728]:
WARNING:root:cloud:Not enough data records to post (0).
2018-12-06T00:01:26.260017+00:00 efd-0100 efd_app.py[1728]: Empty()
2018-12-06T00:01:26.833718+00:00 efd-0100 efd_app.py[1728]: DEBUG:
TIMEOUT: adc_select_wait()
2018-12-06T00:01:26.834415+00:00 efd-0100 efd_app.py[1728]: DEBUG:
status = 0xFFF8F800
2018-12-06T00:01:26.834951+00:00 efd-0100 efd_app.py[1728]: DEBUG:
semaphore = 0x00000000
2018-12-06T00:01:28.140049+00:00 efd-0100 efd_app.py[1728]: DEBUG:
TIMEOUT: adc_select_wait()
2018-12-06T00:01:28.140532+00:00 efd-0100 efd_app.py[1728]: DEBUG:
status = 0xFFF8F800
2018-12-06T00:01:28.140987+00:00 efd-0100 efd_app.py[1728]: DEBUG:
semaphore = 0x00000000
2018-12-06T00:01:28.260158+00:00 efd-0100 efd_app.py[1728]:
WARNING:root:cloud:Not enough data records to post (0).
2018-12-06T00:01:28.260958+00:00 efd-0100 efd_app.py[1728]: Empty()

Dec  6 00:01:26 efd-0100 efd_app.py[1728]: WARNING:root:cloud:Not
enough data records to post (0).
Dec  6 00:01:26 efd-0100 efd_app.py[1728]: Empty()
Dec  6 00:01:26 efd-0100 efd_app.py[1728]: DEBUG: TIMEOUT:
adc_select_wait()
Dec  6 00:01:26 efd-0100 efd_app.py[1728]: DEBUG: status = 0xFFF8F800
Dec  6 00:01:26 efd-0100 efd_app.py[1728]: DEBUG: semaphore = 0x00000000
Dec  6 00:01:28 efd-0100 efd_app.py[1728]: DEBUG: TIMEOUT:
adc_select_wait()
Dec  6 00:01:28 efd-0100 efd_app.py[1728]: DEBUG: status = 0xFFF8F800
Dec  6 00:01:28 efd-0100 efd_app.py[1728]: DEBUG: semaphore = 0x00000000
Dec  6 00:01:28 efd-0100 efd_app.py[1728]: WARNING:root:cloud:Not
enough data records to post (0).
Dec  6 00:01:28 efd-0100 efd_app.py[1728]: Empty()



Thanks for any help,
Brendan.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
David Lang
2018-12-06 01:10:07 UTC
Permalink
we would need to see your config to make any guesses.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Brendan Simon (eTRIX)
2018-12-06 03:43:06 UTC
Permalink
My `/etc/rsyslog.conf` is as follows:

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#            For more information see


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
/cron
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
#cron.*                /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
user.*                -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info            -/var/log/mail.info
mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Logging for INN news system.
#
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none    -/var/log/debug

*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none        -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a
virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To
use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a
reasonably
#      busy site..
#
#daemon.*;mail.*;\
#    news.err;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    |/dev/xconsole
daemon.*;mail.*;\
    news.err;\
    *.=notice;*.=warn    |/dev/xconsole


Thanks,
Brendan.
Post by David Lang
we would need to see your config to make any guesses.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSC
Brendan Simon (eTRIX)
2018-12-06 03:49:31 UTC
Permalink
I just noticed a stray "/cron" line in the Modules section.  I have no
idea how that got there, but I assume that explains it.
Post by Brendan Simon (eTRIX)
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#            For more information see
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
/cron
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files.  Log by facility.
#
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
#cron.*                /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
user.*                -/var/log/user.log
#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info            -/var/log/mail.info
mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err
#
# Logging for INN news system.
#
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none    -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none        -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg                :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a
virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility.  To
use it,
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a
reasonably
#      busy site..
#
#daemon.*;mail.*;\
#    news.err;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    |/dev/xconsole
daemon.*;mail.*;\
    news.err;\
    *.=notice;*.=warn    |/dev/xconsole
Thanks,
Brendan.
Post by David Lang
we would need to see your config to make any guesses.
David Lang
--
------------------------------------------------------------------------
*eTRIX Services*
PO Box 497, Inverloch, VIC 3996, AUSTRALIA.
(m) 0417-380-984
------------------------------------------------------------------------
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST i
David Lang
2018-12-06 18:50:50 UTC
Permalink
Date: Thu, 6 Dec 2018 14:43:06 +1100
Subject: Re: [rsyslog] rsyslogd writing to '/cron' file
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#            For more information see
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
/cron
this is the line that is causing you to write to /cron.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and
Loading...