[rsyslog-notify] Forum Thread: rsyslog disk queue configuration - (Mode 'post')
noreply at adiscon.com
Tue Aug 9 13:31:56 CEST 2016
User: crahan
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26869#p26869
Message:
----------
Hi,
I understand that rsyslog v5 and rsyslog v7 are quite old and currently
unsupported, but I'd like to receive confirmation about some disk queue
behaviour I'm seeing to determine if this is by design or if I will have to
find a way to upgrade to the most recent version (CentOS/RHEL provide
rsyslog7 as the most recent version by default).
I have the following configuration set:
    $WorkDirectory /var/lib/rsyslog

    if $programname == 'app1' and $msg contains 'field=bar' then /var/log/bar.log
    # $ActionQueue* directives configure the next action (the TCP forward)
    $ActionQueueFileName bar
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionQueueRetryCount -1
    & @@10.0.0.1:514
    # discard the message after logging and forwarding it
    & ~

    if $programname == 'app2' and $msg contains 'field=foo' then /var/log/foo.log
    $ActionQueueFileName foo
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionQueueRetryCount -1
    & @@10.0.0.1:514
    & ~

This correctly sends log messages to 10.0.0.1 in both cases. I perform the
following test to check if disk queueing works:
1. block access (iptables) from the rsyslog host on 10.0.0.1 so messages
can't be delivered
2. generate log messages on the rsyslog host (which can't be delivered
since 10.0.0.1 can't be reached)
3. stop rsyslog (service rsyslog stop) which correctly creates the disk
queue files in /var/lib/rsyslog as expected
4. remove network block from 10.0.0.1
5. restart rsyslog
The first time I run this test everything works as expected: disk queue
files get created in /var/log/rsyslog and the unsent log messages are sent
when rsyslog is started again. Once the pending log messages are sent to
10.0.0.1, the queue files remain (which is explained in
http://blog.gerhards.net/2013/07/rsyslog-why-disk-assisted-queues-keep.html).
The issue I'm noticing though is when I run through steps 1-5 above a
second time I would expect the new undelivered log messages to be written
to the existing disk queue files when rsyslog is stopped. Instead all the
disk queue files are removed and when starting rsyslog again the
undelivered messages are obviously gone. If I run the same test a third
time everything works as expected again: disk queue files are created when
rsyslog is halted and undelivered log messages are sent to 10.0.0.1 when
rsyslog starts up again.
It appears that rsyslog (5 and 7) with my config correctly writes the disk
queue to disk when rsyslog is halted, but only when there are no existing
disk queue files already there. Is this by design? My understanding was
that the $ActionQueueSaveOnShutdown config parameter is what's needed to
force rsyslog to write any undelivered log messages to disk on shutdown.
Thanks for your help and as I mentioned I understand that these versions of
rsyslog are quite old now. I'm not looking for a fix per se, but rather for
some indication/confirmation that this is expected or unexpected behaviour.
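
To make the outcome of each run of steps 1-5 above comparable, the shell helper below snapshots one action queue's on-disk state and classifies what a shutdown did to it. It is an added example, not part of the original post or of rsyslog. It assumes queue files in the work directory are named `<prefix>.qi` (queue index) and `<prefix>.NNNNNNNN` (data segments); `queue_state` and `shutdown_verdict` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an rsyslog disk queue.
# Assumption: files are <prefix>.qi (index) and <prefix>.NNNNNNNN (segments).

# queue_state DIR PREFIX -> prints "qi=<0|1> segments=<n> bytes=<n>"
queue_state() {
    dir=$1
    prefix=$2
    qi=0
    segments=0
    bytes=0
    if [ -f "$dir/$prefix.qi" ]; then
        qi=1
    fi
    for f in "$dir/$prefix".[0-9]*; do
        [ -f "$f" ] || continue        # glob matched nothing
        segments=$((segments + 1))
        size=$(wc -c < "$f")
        bytes=$((bytes + size))
    done
    echo "qi=$qi segments=$segments bytes=$bytes"
}

# shutdown_verdict BEFORE AFTER -> compares two queue_state lines taken
# before and after "service rsyslog stop" while the target is unreachable.
#   saved            index and at least one segment exist after the stop
#   removed          files existed before the stop and are gone after it
#   nothing-on-disk  no queue files before or after
#   incomplete       index without segments, or segments without index
shutdown_verdict() {
    case "$2" in
        "qi=0 segments=0 "*)
            case "$1" in
                "qi=0 segments=0 "*) echo "nothing-on-disk" ;;
                *) echo "removed" ;;
            esac ;;
        "qi=1 segments=0 "*) echo "incomplete" ;;
        qi=1*) echo "saved" ;;
        *) echo "incomplete" ;;
    esac
}
```

Run `queue_state /var/lib/rsyslog bar` just before and just after step 3 of each run and pass both lines to `shutdown_verdict`; a `removed` result corresponds to the second-run behaviour described in the post.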