[rsyslog-notify] Forum Thread: Re: Time lag issue of forwarding vs available I/O at 6600 mp - (Mode 'reply')

[noreply at adiscon.com]

User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26789#p26789

Message: 
----------
The syslog standard says that things writing to the syslog daemon (rsyslog
in this case) must stop and wait if the syslog daemon cannot process
messages fast enough. Rsyslog loosens this by having it's queues, so it
will accept thigns into it's queues faster than it can output them until
the queues fill up.

This is clearly the case in your situation.


So what we need to do is to figure out what rsyslog is doing that is not
keeping up.

In your earlier posts, it looked like what was not keeping up was the
delivery to the central server (which is a fairly common problem), so at
that point I was syaing that we needed to shift our focus to that central
server.

If you have commented out the config that sends the logs to the central
server, then we are troublehooting just the local system, but you will
still need to troubleshoot the central server when you go to send logs to
it later.

So to troubleshoot the local server, I would need to see the rsyslog.con
(and anything included into it) to see what's happening.

Given the huge amount of performance work that has been done between 7.4
and 8.20 (just over a 3-year span), it's very possible that just upgrading
to the current version would solve your problems. It's also going to be
very possible that some of the config tweaks that we are going to tell you
will not work on 7.4

But if you can post your config, we can look and see if there are any
obvious things to improve.

If you look at top with the threads visible, is one of the threads hitting
100% cpu? or even domething high (80-90%)