[rsyslog-notify] Forum Thread: Re: Dequeue Perfomance - (Mode 'reply')

[noreply at adiscon.com]

User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25534#p25534

Message: 
----------
the fact that the DA queueing started after the drop says that it wasn't
the cause (although it could be related to the recovery problems post
19:00, one problem at a time)

There should have been some local logs saying that the action was being
suspended or something.

could you add something like

if $fromhost-ip == "127.0.0.1" and $programname startswith "rsyslog" then {
  /var/log/rsyslog-local-messages
}

so that we can capture any messages from rsyslog without any possibility of
them being lost to the queueing or any other network hiccup

I would also like you to watch for local rsyslog log messages and pstats on
the receiving system. I know that you don't think there is anything going
wrong there, but I want to double check.


old versions of rsyslog would try to send messages queued to disk before
new messages, but that caused serious performance problems and code
complications, so current versions should be sending from the memory queue,
and only once it's drained pull logs from disk to send.

Since you are having the sending system get a large spike of cpu, I think
we will learn a lot (at least about where to focus our attention) by
finding out what thread is using all the CPU when it runs into trouble.