The logcollector module reports journal error in AL2 (4.9.0) #25534

Closed
davidcr01 opened this issue Sep 2, 2024 · 4 comments · Fixed by #26716 or #26748

Comments

@davidcr01
Contributor

Description

While working on wazuh/wazuh-installation-assistant#20, we observed that an error was reported in an AL2 machine after performing an AIO installation:

[root@ip-172-31-81-120 ec2-user]# grep -i -E "error" /var/ossec/logs/ossec.log 
2024/09/02 09:12:44 wazuh-logcollector: ERROR: (1611): Failed to get the message from the journal

We need to investigate this error and try to fix it.

Steps to reproduce

  1. Provision an AL2 machine
  2. Download and perform an AIO installation with the curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh
  3. See the ossec.logs error.

Note

This behavior was not observed in other OSs.

@davidcr01 davidcr01 added type/bug Something isn't working level/task labels Sep 2, 2024
@JcabreraC
Member

JcabreraC commented Sep 2, 2024

Please attach the logs with the debug2 level enabled.

The issue is likely caused by the message not being in syslog format when fetched, leading to an attempt to convert it. To prevent this behavior from recurring, we recommend changing the following error message to a debug message: Link to the code in question.

This message may appear if a log in journald lacks the necessary fields (message, timestamp, hostname, program_name/tag) required to construct a syslog message.

This can be confirmed by reviewing the debug2 logs.

2024/09/23 15:28:20 wazuh-logcollector[149311] journal_log.c:557 at entry_as_syslog(): DEBUG: (9002): Failed to get the required fields, discarted log with timestamp '1727085498950140'
2024/09/23 15:28:20 wazuh-logcollector[149311] read_journald.c:153 at read_journald(): ERROR: (1611): Failed to get the message from the journal

@davidcr01
Contributor Author

There you have:

[root@ip-172-31-80-140 ec2-user]# cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector"
2024/09/03 08:13:58 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2024/09/03 08:13:58 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2024/09/03 08:13:58 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2024/09/03 08:13:58 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2024/09/03 08:13:58 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/09/03 08:13:58 wazuh-logcollector: INFO: Started (pid: 9479).
2024/09/03 08:14:00 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2024/09/03 08:14:08 wazuh-logcollector: ERROR: (1611): Failed to get the message from the journal
2024/09/03 08:16:06 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/09/03 08:16:16 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2024/09/03 08:16:16 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2024/09/03 08:16:16 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2024/09/03 08:16:16 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2024/09/03 08:16:16 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/09/03 08:16:16 wazuh-logcollector: INFO: Started (pid: 12666).
2024/09/03 08:16:18 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2024/09/03 08:31:04 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2024/09/03 08:31:07 wazuh-logcollector[14985] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/09/03 08:31:07 wazuh-logcollector[14985] main.c:126 at main(): DEBUG: Wazuh home directory: /var/ossec
2024/09/03 08:31:13 wazuh-logcollector[15234] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized
2024/09/03 08:31:13 wazuh-logcollector[15234] main.c:126 at main(): DEBUG: Wazuh home directory: /var/ossec
2024/09/03 08:31:13 wazuh-logcollector[15234] mq_op.c:52 at StartMQWithSpecificOwnerAndPerms(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts
2024/09/03 08:31:13 wazuh-logcollector[15234] mq_op.c:53 at StartMQWithSpecificOwnerAndPerms(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'.
2024/09/03 08:31:13 wazuh-logcollector[15234] read_journald.c:235 at w_journald_set_status_from_JSON(): DEBUG: (9009): Setting last read timestamp to '1725352201038545'
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:273 at LogCollectorStart(): DEBUG: Entering LogCollectorStart().
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:342 at LogCollectorStart(): INFO: Monitoring output of command(360): df -P
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:346 at LogCollectorStart(): DEBUG: Socket target for 'df -P' -> agent
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:370 at LogCollectorStart(): INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:374 at LogCollectorStart(): DEBUG: Socket target for 'netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d' -> agent
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:370 at LogCollectorStart(): INFO: Monitoring full output of command(360): last -n 20
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:374 at LogCollectorStart(): DEBUG: Socket target for 'last -n 20' -> agent
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:419 at LogCollectorStart(): DEBUG: (9001): Socket target for 'journald' -> agent
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:1236 at set_read(): DEBUG: Socket target for '/var/log/audit/audit.log' -> agent
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:435 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:1236 at set_read(): DEBUG: Socket target for '/var/ossec/logs/active-responses.log' -> agent
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:435 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2024/09/03 08:31:13 wazuh-logcollector[15234] log_builder.c:270 at log_builder_update_host_ip(): DEBUG: Cannot update host IP: The control module is not available: Connection refused (111)
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:486 at LogCollectorStart(): INFO: Started (pid: 15236).
2024/09/03 08:31:13 wazuh-logcollector[15234] logcollector.c:487 at LogCollectorStart(): DEBUG: (1961): Files being monitored: 3/1000.
2024/09/03 08:31:13 wazuh-logcollector[15234] pthreads_op.c:45 at CreateThreadJoinable(): DEBUG: Thread stack size set to: 8192 KiB
2024/09/03 08:31:13 wazuh-logcollector[15234] lccom.c:511 at lccom_main(): DEBUG: Local requests thread ready
2024/09/03 08:31:15 wazuh-logcollector[15234] read_fullcommand.c:28 at read_fullcommand(): DEBUG: Running full command 'netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:26 at read_command(): DEBUG: Running command 'df -P'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_fullcommand.c:28 at read_fullcommand(): DEBUG: Running full command 'last -n 20'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_journald.c:117 at w_journald_can_read(): INFO: (9203): Monitoring journal entries.
2024/09/03 08:31:15 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:15 wazuh-logcollector[15234] read_fullcommand.c:54 at read_fullcommand(): DEBUG: Reading command message: 'ossec: output: 'last -n 20':
2024/09/03 08:31:15 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': Filesystem     1024-blocks     Used Available Capacity Mounted on'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': devtmpfs           4002452        0   4002452       0% /dev'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': tmpfs              4011248     1340   4009908       1% /dev/shm'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': tmpfs              4011248      444   4010804       1% /run'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': tmpfs              4011248        0   4011248       0% /sys/fs/cgroup'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': /dev/nvme0n1p1    31444972 10504400  20940572      34% /'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:66 at read_command(): DEBUG: Reading command message: 'ossec: output: 'df -P': tmpfs               802252        0    802252       0% /run/user/1000'
2024/09/03 08:31:15 wazuh-logcollector[15234] read_command.c:78 at read_command(): DEBUG: Read 7 lines from command 'df -P'
2024/09/03 08:31:15 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:15 wazuh-logcollector[15234] read_fullcommand.c:54 at read_fullcommand(): DEBUG: Reading command message: 'ossec: output: 'netstat listening ports':
2024/09/03 08:31:15 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:17 wazuh-logcollector[15234] read_journald.c:168 at read_journald(): DEBUG: (9008): Reading from journal: 'Sep 03 08:31:16 ip-172-31-80-140.ec2.internal env[14951]: Completed.'.
2024/09/03 08:31:17 wazuh-logcollector[15234] read_journald.c:168 at read_journald(): DEBUG: (9008): Reading from journal: 'Sep 03 08:31:16 ip-172-31-80-140.ec2.internal systemd[1]: Started Wazuh manager.'.
2024/09/03 08:31:17 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:17 wazuh-logcollector[15234] read_audit.c:159 at read_audit(): DEBUG: Read 1 lines from /var/log/audit/audit.log
2024/09/03 08:31:17 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:17 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:19 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:19 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:19 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:21 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:21 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:21 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:23 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:23 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:23 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:25 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:25 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:25 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:27 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:27 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:27 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:29 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:29 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:29 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:29 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:31 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:31 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:31 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:31 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:33 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:33 wazuh-logcollector[15234] read_journald.c:168 at read_journald(): DEBUG: (9008): Reading from journal: 'Sep 03 08:31:32 ip-172-31-80-140.ec2.internal dhclient[2330]: XMT: Solicit on eth0, interval 110690ms.'.
2024/09/03 08:31:33 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:33 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:35 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:35 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:35 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:37 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:37 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:39 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:39 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:41 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:41 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:41 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:41 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:43 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:43 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:43 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:43 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:45 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:45 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:45 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:45 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:47 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:47 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:47 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:47 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:49 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:49 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:49 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:51 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:51 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:51 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:53 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:53 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:53 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:55 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:55 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:55 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:57 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:57 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:57 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:59 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:31:59 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:31:59 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:01 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:01 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:32:01 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:03 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:03 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:32:03 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:05 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:05 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:32:05 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:07 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:07 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:32:07 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:09 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:09 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:32:09 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:09 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:11 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:11 wazuh-logcollector[15234] read_journald.c:142 at read_journald(): DEBUG: (9006): No new entries in the journal.
2024/09/03 08:32:11 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:11 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:13 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:13 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
2024/09/03 08:32:13 wazuh-logcollector[15234] logcollector.c:2123 at w_input_thread(): DEBUG: (9005): Skipping is not the owner of the journal log.
[root@ip-172-31-80-140 ec2-user]# 

@vikman90
Member

vikman90 commented Nov 5, 2024

I've had the same error on Ubuntu 24.04 @ WSL2.

Original log from Journald:

Nov 04 21:49:32 Rocket unknown: WSL (2): Creating login session for root

In this case, the parameter syslog_identifier is missing, and that causes the error:

2024/11/05 10:30:14 wazuh-logcollector: ERROR: (1611): Failed to get the message from the journal

Fix proposal

  1. Set the syslog identifier to "unknown" when missing from the source.
  2. Set the log level to "debug", in order to prevent log flooding.
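The fix proposal above, sketched as an added example (this is not Wazuh's code): a journal entry is turned into a syslog line, and a missing identifier either drops the entry or is replaced with "unknown". `journal_entry_t`, `entry_to_syslog` and `count_dropped` are hypothetical names, and the sample entries are constructed from the log lines quoted in this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for one journald entry; NULL or 0 means "field absent". */
typedef struct {
    uint64_t    realtime_usec;      /* __REALTIME_TIMESTAMP */
    const char *hostname;           /* _HOSTNAME */
    const char *syslog_identifier;  /* SYSLOG_IDENTIFIER */
    const char *pid;                /* SYSLOG_PID, optional */
    const char *message;            /* MESSAGE */
} journal_entry_t;

typedef enum { CONV_OK, CONV_DEFAULT_TAG, CONV_DROPPED } conv_result_t;

/* Build "Mmm dd HH:MM:SS host tag[pid]: message" in out.
 * default_tag == 0: a missing identifier drops the entry (behaviour reported here).
 * default_tag != 0: a missing identifier becomes "unknown" (fix proposal, item 1). */
conv_result_t entry_to_syslog(const journal_entry_t *e, int default_tag,
                              char *out, size_t outlen)
{
    if (outlen > 0) out[0] = '\0';
    /* Without these three fields no meaningful syslog line can be built. */
    if (!e->message || !e->hostname || e->realtime_usec == 0)
        return CONV_DROPPED;

    conv_result_t res = CONV_OK;
    const char *tag = e->syslog_identifier;
    if (!tag) {
        if (!default_tag) return CONV_DROPPED;
        tag = "unknown";
        res = CONV_DEFAULT_TAG;
    }

    char ts[32];
    time_t secs = (time_t)(e->realtime_usec / 1000000ULL);
    struct tm *tm = gmtime(&secs);  /* UTC; fine for a single-threaded example */
    if (!tm || strftime(ts, sizeof ts, "%b %d %H:%M:%S", tm) == 0)
        return CONV_DROPPED;

    int n = e->pid
        ? snprintf(out, outlen, "%s %s %s[%s]: %s", ts, e->hostname, tag, e->pid, e->message)
        : snprintf(out, outlen, "%s %s %s: %s", ts, e->hostname, tag, e->message);
    /* This example treats truncation as a drop rather than forwarding a cut line. */
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) out[0] = '\0';
        return CONV_DROPPED;
    }
    return res;
}

/* Constructed sample entries modelled on the log lines quoted in the thread. */
static const journal_entry_t SAMPLE[] = {
    { 1725352276000000ULL, "ip-172-31-80-140.ec2.internal", "systemd", "1",
      "Started Wazuh manager." },
    { 1730756972000000ULL, "Rocket", NULL, NULL,
      "WSL (2): Creating login session for root" },      /* no SYSLOG_IDENTIFIER */
    { 1730756973000000ULL, "Rocket", "kernel", NULL, NULL }, /* no MESSAGE */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Entries that never reach analysis. If the message is lowered to debug level
 * (fix proposal, item 2), a counter like this keeps the loss measurable. */
size_t count_dropped(int default_tag)
{
    char line[512];
    size_t dropped = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (entry_to_syslog(&SAMPLE[i], default_tag, line, sizeof line) == CONV_DROPPED)
            dropped++;
    return dropped;
}

int main(void)
{
    char line[512];
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        conv_result_t r = entry_to_syslog(&SAMPLE[i], 1, line, sizeof line);
        printf("%s%s\n", r == CONV_DROPPED ? "(dropped)" : line,
               r == CONV_DEFAULT_TAG ? "   <- identifier defaulted" : "");
    }
    printf("dropped without default tag: %zu, with default tag: %zu\n",
           count_dropped(0), count_dropped(1));
    return 0;
}
```

With the default tag, the WSL entry is forwarded instead of discarded; the entry with no message is still dropped in both modes.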

@vikman90
Copy link
Member

vikman90 commented Nov 7, 2024

Reopening this issue to back port the fix to version 4.10.0.

@wazuhci wazuhci moved this to In progress in Release 4.10.0 Nov 7, 2024
@vikman90 vikman90 reopened this Nov 7, 2024
@vikman90 vikman90 linked a pull request Nov 7, 2024 that will close this issue
4 tasks
@wazuhci wazuhci moved this from In progress to Pending review in Release 4.10.0 Nov 7, 2024
@vikman90 vikman90 closed this as completed Nov 7, 2024
@wazuhci wazuhci moved this from Pending review to Done in Release 4.10.0 Nov 7, 2024