[rsyslog] Disabling rsyslog rate-limiting just for audit/audispd
david at lang.hm
Fri May 19 00:52:38 CEST 2017
no, we do not have a way to disable rate limiting, rate limiting happens very
early in the processing of logs, much of the time before the source or facility
of the log is known.
On Thu, 18 May 2017, Stephen Buchanan via rsyslog wrote:
> Date: Thu, 18 May 2017 19:32:05 +0000
> From: Stephen Buchanan via rsyslog <rsyslog at lists.adiscon.com>
> To: rsyslog at lists.adiscon.com
> Cc: Stephen Buchanan <stephenwb at gmail.com>
> Subject: [rsyslog] Disabling rsyslog rate-limiting just for audit/audispd
> I'm hoping that someone has hit this issue before, and possibly solved it.
> I've set up a number of servers in my environment to forward all audit log
> entries via audispd and rsyslog to a central rsyslog receiver, where they
> are parsed and saved. All that is working (audit is sent with LOG_LOCAL6 in
> audispd syslog plugin, "local6.* @@loghost:514" is in rsyslog.conf).
> The problem/question I have is whether it is possible to turn off
> rate-limiting for rsyslog *only for audit traffic*. Leaving aside that I
> need to tune the audit rules better, on heavily loaded servers the rsyslogd
> starts dropping most of the audit traffic due to the rate-limiting
> parameters. I know I can turn it off (or set it much higher) for all
> rsyslog, but is there any way to selectively set the rate limit by either
> source (audispd) or facility (local6)?
> I hope that the answer will not involve using rsyslog v8, because I'm stuck
> with the RHEL7-provided v7.4.7.
> Any assistance/suggestions/leads are appreciated.
> rsyslog mailing list
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
More information about the rsyslog