[rsyslog] URGENT - rsyslog stops sshd
Martin Mielke
martinmie at PartyGaming.com
Thu Oct 8 13:32:23 CEST 2009
Hi,
>
> ssh logs connections, if the syslog process cannot process the message,
> ssh is designed to stop and wait until it does (it deems the log so
> important that it refuses to do anything until the log is written)
>
> console logins do the same thing.
Is there any way I can test this? Strace? Ltrace? Sshd configuration
directive?...
>
> so something causes rsyslog to stop accepting messages. the same thing can
> happen to syslog-ng or to plain sysklog, just under different conditions.
>
> so the question is why rsyslog stopped.
>
> what is rsyslog configured to do with log messages?
>
> is there any chance that it was unable to do something with a message and
> so would have had to keep it in its queue until the queue filled up?
> (logging via TCP to a remote server that stops responding will do this, so
> will writing to a full filesystem)
The system sends its logs over TCP to a remote logserver.
Initial analysis yielded a routing problem which should have been fixed so
I hope not to see such a problem due to this.
But, my question now is: shouldn't logfiles be spooled under
$WorkDirectory /var/spool/rsyslog and sent over to the logserver once it
becomes available again? There's plenty of space on /var ...
>
> rsyslog can be configured to accept and discard log entries when the queue
> is full, doing this can avoid this sort of situation.
Could you please tell us how? :-)
Regards,
Martin
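
The two behaviours asked about in this message (spooling under $WorkDirectory while the TCP logserver is unreachable, and discarding instead of blocking when the queue is full), as an added configuration sketch in rsyslog's legacy directive syntax; it is not part of the original email. The host logserver.example.com, port 514, the queue file prefix "fwdq" and all sizes are assumed placeholder values.

```conf
# Added example, not from the thread. Host, port, "fwdq" and sizes are assumptions.

# Without any $ActionQueue* directives, a forwarding rule such as
#   *.* @@logserver.example.com:514
# runs in direct mode: when the TCP target stops responding, messages back up
# in the main queue, and once that is full local loggers such as sshd block.

# Directory for queue spool files (path as quoted in the message above).
$WorkDirectory /var/spool/rsyslog

# The $ActionQueue* settings below apply to the next action only.
# Give the forwarding action its own in-memory queue ...
$ActionQueueType LinkedList
$ActionQueueSize 10000
# ... and a file name, which makes the queue disk-assisted (spools to disk).
$ActionQueueFileName fwdq
# Bound the spool so the filesystem holding /var/spool/rsyslog cannot fill up.
$ActionQueueMaxDiskSpace 1g
# Write queued messages to disk when rsyslog shuts down.
$ActionQueueSaveOnShutdown on
# Keep retrying the remote server indefinitely instead of suspending the action.
$ActionResumeRetryCount -1

# Discard rather than block when the queue is close to full:
# above 9000 queued messages, drop severity 4 (warning) and less severe.
$ActionQueueDiscardMark 9000
$ActionQueueDiscardSeverity 4
# If the queue is completely full, drop the new message at once (0 = no wait).
$ActionQueueTimeoutEnqueue 0

# TCP forwarding to the remote logserver (@@ = TCP, @ = UDP).
*.* @@logserver.example.com:514
```

Lines dropped by the discard settings are not recoverable afterwards, so the severity threshold decides which audit-relevant messages survive an outage.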