Problem description
Simple Log Service fails to collect log data.
Solutions
Check the rsyslog service
Log on to the Elastic Compute Service (ECS) instance from which log data fails to collected. Check the syslog.conf configuration file of the rsyslog service. The information similar to the following content is included in the file:
$WorkDirectory /var/spool/rsyslog # where to place spool files $ActionQueueFileName fwdRule1 # unique name prefix for spool files $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down # Fields for log data. $template ALI_LOG_FMT,"0.1 sys_tag %timegenerated:::date-unixtimestamp% %fromhost-ip% %hostname% %pri-text% %protocol-version% %app-name% %procid% %msgid% %msg:::drop-last-lf%\n" *.* @@[ip]:[port];ALI_LOG_FMT # The first asterisk (*) specifies all message types. The second asterisk (*) specifies all message levels. Two at signs (@@) specify TCP. One at sign (@) specifies UDP. [ip] specifies the IP address of the host to which a syslog message is forwarded. [port] specifies the port. ALI_LOG_FMT specifies the name of the template. You can configure multiple templates. $template specifies the identifier of the template. The content of the template is enclosed in double quotation marks (""). 0.1 specifies the version number of the log format. Logtail parses the user-defined field by using the version number. sys_tag specifies a data tag. You can use sys_tag to identify the tag of a project or Logstore in the Log Service console. timegenerated:::date-unixtimestamp% specifies the timestamp of the log. %fromhost-ip% specifies the IP address of the server from which the log is collected. If the value of %fromhost-ip% in a log is 127.0.0.1, the system replaces 127.0.0.1 with the peer IP address of the TCP socket when the system sends the log to Log Service. % hostname% ~~ %msgid % is a user-defined field. The fields that are enclosed in brackets [] are optional. %msg:::drop-last-lf% specifies the body of the log message.Run the following command to check whether the rsyslog service is started:
service rsyslog statusRun the following command to check the listening port and forwarding port of the rsyslog service:
netstat -antpul |grep 11111The information similar to the following content is displayed. In the following rsyslog process, two sockets monitor and forward data to the ports of the local machine. One socket monitors port 53552 and forwards data to port 11111. The other socket monitors port 53554 and forwards data to port 11111. Two rules are configured in the syslog.conf configuration file. Therefore, only two sockets are used to monitor and forward data. In addition, three Logtail services are started, and two of the Logtail services are in the ESTABLISHED state and are used for monitoring. Two rsyslog services are in the ESTABLISHED state and are used for monitoring.
Check the Logtail service
Run the following command to check the status of the Logtail service:
/etc/init.d/ilogtaild statusAccess ilogtail.LOG to check whether an error is reported for the Logtail service.
Check the status of your machine group
Check the status of your machine group. For more information, see What do I do if a Logtail machine group has no heartbeats?
Check error information in the Simple Log Service console
Log on to the Simple Log Service console.
View information about the reported errors and identify problems in Simple Log Service. For more information, see How do I view Logtail collection errors?
Click Preview to check whether log data is collected. If log data is collected but you cannot query the data, indexes are not enabled, or index configurations are invalid. For more information, see Query and analyze logs.