Hi Rainer,

This is the rsyslog.conf used - quite simple as you can see:
--
$ cat /etc/rsyslog.conf
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount 5    # five retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@logserver
--

Do you see anything suspicious? 

Thanks,
Martin
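
Added example, not part of Martin's message and not code from the rsyslog project: a small Python audit of the forwarding section of the configuration above. It lists the queue and retry settings attached to each @host/@@host action in legacy-format syntax. $ActionQueueTimeoutEnqueue, $ActionQueueDiscardMark and $ActionQueueDiscardSeverity are real rsyslog directives that do not appear in the posted file, and treating every $Action* value as consumed by the next action is a simplification.

```python
import re

# Constructed sample: forwarding section of the rsyslog.conf posted above,
# with wrapped comment lines rejoined.
SAMPLE_CONF = """\
authpriv.*                                              /var/log/secure
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount 5    # five retries if host is down
*.* @@logserver
"""

# Directives that bound the wait on a full queue or let it discard messages;
# none of them appears in the posted config.
LOAD_SHEDDING = ("actionqueuetimeoutenqueue", "actionqueuediscardmark",
                 "actionqueuediscardseverity")

def audit_forwarding(conf_text):
    """Return one report per @host / @@host action in a legacy-format config."""
    pending, reports = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        m = re.match(r"\$(Action\w+)\s+(.+)", line, re.I)
        if m:                                   # $Action* precedes its action
            pending[m.group(1).lower()] = m.group(2).strip()
            continue
        if line.startswith("$"):
            continue                            # global directive, not per-action
        parts = line.split(None, 1)             # "selector action"
        if len(parts) == 2 and parts[1].startswith("@"):
            reports.append({
                "selector": parts[0],
                "target": parts[1].lstrip("@"),
                "transport": "tcp" if parts[1].startswith("@@") else "udp",
                "queue_type": pending.get("actionqueuetype", "(default)"),
                "disk_assisted": "actionqueuefilename" in pending,
                "retry_count": pending.get("actionresumeretrycount", "(default)"),
                "load_shedding_set": [d for d in LOAD_SHEDDING if d in pending],
            })
        pending = {}       # simplification: values consumed by this action
    return reports

if __name__ == "__main__":
    for report in audit_forwarding(SAMPLE_CONF):
        print(report)
```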




> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Rainer Gerhards
> Sent: 08 October 2009 14:12
> To: rsyslog-users
> Subject: Re: [rsyslog] URGENT - rsyslog stops sshd
> 
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Dag Wieers
> > Sent: Thursday, October 08, 2009 12:37 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] URGENT - rsyslog stops sshd
> >
> > On Thu, 8 Oct 2009, [email protected] wrote:
> >
> > > rsyslog can be configured to accept and discard log entries when the
> > > queue is full, doing this can avoid this sort of situation.
> >
> > Hi Martin,
> >
> > We were in a similar situation recently (because of a limit of open
> > file descriptors) and I am very interested to learn how you can do the
> > above.
> 
> Well, it depends on your configuration. If you use a plain default config,
> this situation is expected to never happen, because we assume that log
> files can be written and discard messages when this is not the case.
> However, if you begin to configure the system to be reliable, you need to
> think about the implications. In almost all cases where I have seen such a
> problem (assuming it was not a real bug, of course), the configuration
> demanded reliable delivery, but it was not thought about the fact that if
> the message could not be delivered, the system would stall. Some
> organizations actually prefer this mode, so it may be useful.
> 
> If you post your config, I could check if there is something in it that
> demands such reliability and prevents the engine from discarding messages
> when needed.
> 
> Rainer
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
