[rsyslog-notify] Forum Thread: rsyslog won't drop messages :-) - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Thu Mar 19 20:04:36 CET 2015 

User: hhm 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25335#p25335

Message: 
----------
Hi gang,
I'm having the data backup problem that fills up memory and spills over
into swap. Ugh, I've seen all the posts about queue backups. I've asked
google, read the queues doc, experimented with settings, scanned thru some
debug output, and I'm going to drop in imstats, but maybe I'm doing
something just plain dumb. So I'm asking for some help.

I have rsyslog receiving UDP, and forwarding to 2 UDP and 2 TCP receivers.
When I stop a downstream TCP receiver, I want rsyslog to buffer (in-memory
only for now) [u:36nftqoh]for awhile[/u:36nftqoh], then drop messages
destined for the disabled TCP receiver. The other flows need to be
maintained.

I'm trying these settings on the action that feeds the disabled TCP
receiver
[code:36nftqoh]
action(type="omfwd"
       Target="10.x.x.x"
       Port="1514"
       Protocol="tcp"
       queue.size="2000"
       queue.workerThreads="3"
       queue.discardmark="1000"
       queue.discardseverity="0"
       queue.TimeoutEnqueue="0"
       Template="cisco-syslog"
	)
[/code:36nftqoh]

This does not work. As I said, memory use just grows and grows.

I do not have any main_queue settings. The input data rate is about 3 MB/s.
The processing has an initial stage of dropping messages that contain
certain strings (high volume cisco firewall events).
[code:36nftqoh]
rsyslogd 8.8.0, compiled with:
	PLATFORM:				x86_64-pc-linux-gnu
	PLATFORM (lsb_release -d):
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		No
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	memory allocator:			system default
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	Number of Bits in RainerScript integers: 64
[/code:36nftqoh]

Thanks for any help/hints/pointers/refs. I'm sorry to be yet another voice
joining the chorus of "[i:36nftqoh]the data doth backeth uppeth! woe is
me![/i:36nftqoh]".

  hunter

More information about the rsyslog-notify mailing list