[rsyslog-notify] Forum Thread: Re: How to Determine Message Drops ? - (Mode 'reply')
noreply at adiscon.com
Tue Sep 22 03:54:10 CEST 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25946#p25946
Message:
----------
[quote="jtsai.cp":2nk3vf1q]Anyway, following is my config but not sure if
ActionQueue is properly setup. From examples, it uses Action queue per
action such as per file written to...not sure how that applies.
[/quote:2nk3vf1q]
queues are global, per ruleset, or per action, never per file
[quote:2nk3vf1q]
main_queue(
queue.saveonshutdown="on"
queue.size="1000000"
queue.debatchsize="1000"
queue.workerthreads="2"
queue.MaxOpenFiles="10000"
)
[/quote:2nk3vf1q]
you should not set workerthreads > 1 until measurements show that you need
it
[quote:2nk3vf1q]
#$outchannel log_rotation,/mnt/cifs/rsyslog/active/syslog.log, 52428800,/etc/log_rotation_script.sh
#*.* :omfile:$log_rotation
module(
load="impstats"
interval="60" # how often to generate stats
resetCounters="on" # to get deltas (e.g. # of messages submitted in the last 10 seconds)
log.file="/var/log/rsyslog-stats" # file to write those stats to
log.syslog="off" # don't send stats through the normal processing pipeline. More on that in a bit
)
[/quote:2nk3vf1q]
note that resetting the counters makes them a little less precise (there
are race conditions that are deliberately not closed in the name of
performance), but I find it much easier to follow what's going on with the
resets.
[quote:2nk3vf1q]
module(
load="imuxsock"
SysSock.FlowControl="off"
#SysSock.RateLimit.Interval="3" #rate-limiting interval in seconds- default is 5 seconds
#SysSock.RateLimitBurst="5" #messages for 5 seconds before rate limiting
#SysSock.RateLimit.Severity = "7" #severity of messages that shall be rate-limited
) # provides support for local system logging (e.g. via logger command)
[/quote:2nk3vf1q]
I would explicitly disable rate limiting, the default on some versions is
to have it on. This is protection against a local process flooding you with
junk, but that's been far less of a problem for me than missing logs from
legitimate busy processes
[quote:2nk3vf1q]
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$FileCreateMode 0644
$template RemoteLogs,"/mnt/cifs/rsyslog/active/%HOSTNAME%" *
*.* ?RemoteLogs
& ~
[/quote:2nk3vf1q]
everything below this is going to be ignored because you just told rsyslog
to write everything to the remotelog template and then throw the log
message away
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$WorkDirectory /var/spool/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
$ActionQueueWorkerThreadMinimumMessages 1000
$ActionQueueWorkerThreads 5
$ActionQueueWorkerTimeoutThreadShutdown 0
$ActionQueueDequeueBatchSize 5000
$ActionQueueSize="100000"
$OMFileIOBufferSize 256k
~
~[/quote]
these queue configs have no meaning because they only affect the next
action, which is '~' (or throw the log message away, unless that's just the
bottom of your vi window, in which case there is no action for them to
affect)
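
An added example, not part of the forum post and not the rsyslog project's own configuration: the quoted config restructured along the lines of the reply, with the queue parameters written inside the action they belong to and rate limiting switched off explicitly. Paths and sizes are carried over from the quoted config; that the local files should still receive messages after the per-host write is an assumption.

```rsyslog
# Added example; paths and sizes are carried over from the quoted config.
module(load="impstats" interval="60" resetCounters="on"
       log.file="/var/log/rsyslog-stats" log.syslog="off")

# Interval 0 turns imuxsock rate limiting off explicitly instead of
# relying on whatever default the installed version ships with.
module(load="imuxsock" SysSock.FlowControl="off"
       SysSock.RateLimit.Interval="0")
module(load="imklog")
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Global (main) queue: one worker until impstats shows more are needed.
main_queue(queue.size="1000000" queue.dequeueBatchSize="1000"
           queue.workerThreads="1")

template(name="RemoteLogs" type="string"
         string="/mnt/cifs/rsyslog/active/%HOSTNAME%")

# Per-action queue: the queue.* parameters sit inside the action itself,
# so they cannot end up attached to a different action further down.
action(type="omfile" dynaFile="RemoteLogs" fileCreateMode="0644"
       ioBufferSize="256k"
       queue.type="LinkedList" queue.size="100000"
       queue.dequeueBatchSize="5000"
       action.resumeRetryCount="-1")

# Assumption: the local files should still be written, so no discard
# ("& ~" or "stop") follows the action above and these rules are reached.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
```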