[rsyslog] High CPU utilization, and memory usage
Peter Doherty
doherty at crystal.harvard.edu
Fri Jul 10 16:04:27 CEST 2009
On Jul 9, 2009, at 5:35 PM, david at lang.hm wrote:
>
> one thing when examining the load is to keep in mind that rsyslog uses
> multiple threads, in linux hit 'H' in top to have it show the individual
> threads.
>
> it's very possible that the high cpu load is due to the encryption overhead
>
> one thing that I do when testing is that once I identify which thread is
> eating a significant amount of cpu I do 'strace -p <pid>' for that thread
> for a few seconds, looking at that output I can usually make a fair guess
> at what the thread is busy working on.
>
> using that much ram would leave me guessing that the ability to write the
> log file stopped, and the queue is filling up.
>
> David Lang
I'll have to do a little further testing, but I've got a hunch what
caused this state.
One of the computers sometimes gets into a state where it starts
flooding its syslog with errors from a program. On the order of
hundreds of messages a minute. I can correct this one case, but I
can't guarantee some other system won't ever have some error that
causes it to start flooding its logs.
Are there settings in rsyslog that can control this? Essentially I
need something that will prevent a DoS style attack.
Something that drops messages from the queue if they come in too fast
from a certain host?
Or I often see messages from syslogd systems which just say "Last
message repeated n times". Can I enable that functionality in rsyslog?
--Peter
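
The per-thread triage David Lang describes in the quoted text above (find the busy rsyslogd thread, then strace it for a few seconds), as an added shell example that is not part of the original thread. The function names and both sample inputs are constructed for illustration; it assumes a Linux host with procps `ps`, `pidof`, coreutils `timeout` and `strace`.

```shell
#!/bin/sh
# Added example: per-thread CPU triage for rsyslogd, then a syscall tally.
# Function names are hypothetical; both samples below are constructed.

# Constructed sample of `ps -L -o tid=,pcpu=,comm= -p <pid>` output.
SAMPLE_THREADS='4101  0.3 rsyslogd
4102 87.5 rsyslogd
4103  2.1 rsyslogd'

# Constructed sample of a few seconds of `strace -p <tid>` output.
SAMPLE_STRACE='strace: Process 4102 attached
write(7, "<constructed>", 1420) = 1420
futex(0x7f00, FUTEX_WAKE_PRIVATE, 1) = 1
write(7, "<constructed>", 1420) = 1420
write(7, "<constructed>", 1420) = 1420
futex(0x7f00, FUTEX_WAKE_PRIVATE, 1) = 1
select(8, [3], NULL, NULL, NULL) = 1
strace: Process 4102 detached'

# Read "tid pcpu comm" lines on stdin, print the TID with the highest %CPU.
# Note: ps reports CPU averaged over the thread lifetime; top -H (the 'H'
# key) shows the current rate, so confirm the choice there on a live host.
busiest_tid() {
    awk 'NR == 1 || $2 + 0 > max { max = $2 + 0; tid = $1 } END { print tid }'
}

# Read strace output on stdin, print "syscall=count" lines, busiest first.
# Banner, signal and "<... resumed>" lines do not match and are skipped.
syscall_counts() {
    sed -n 's/^\([a-z_0-9]*\)(.*/\1/p' | sort | uniq -c | sort -rn |
        awk '{ print $2 "=" $1 }'
}

# Live use (needs root or ptrace permission): trace the busiest thread for
# five seconds and summarise which syscalls it spends its time in.
triage_rsyslogd() {
    pid=$(pidof -s rsyslogd) || return 1
    tid=$(ps -L -o tid=,pcpu=,comm= -p "$pid" | busiest_tid)
    echo "tracing thread $tid of rsyslogd pid $pid"
    timeout 5 strace -p "$tid" 2>&1 | syscall_counts
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_THREADS" | busiest_tid
printf '%s\n' "$SAMPLE_STRACE" | syscall_counts
```

A tally dominated by writes to a network socket would fit the encryption-overhead guess, while a thread mostly blocked on one file descriptor would fit the stalled-output, queue-filling guess.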