On Thu, 8 Oct 2009, Martin Mielke wrote: > Hi Rainer, > > This is the rsyslog.conf used - quite simple as you can see: > -- > $ cat /etc/rsyslog.conf > # rsyslog v3: load input modules > # If you do not load inputs, nothing happens! > # You may need to set the module load path if modules are not found. > > $ModLoad immark.so # provides --MARK-- message capability > $ModLoad imuxsock.so # provides support for local system logging (e.g. > via logger command) > $ModLoad imklog.so # provides kernel logging support (previously done by > rklogd) > > > # Log all kernel messages to the console. > # Logging much else clutters up the screen. > #kern.* /dev/console > > # Log anything (except mail) of level info or higher. > # Don't log private authentication messages! > *.info;mail.none;authpriv.none;cron.none > -/var/log/messages > > # The authpriv file has restricted access. > authpriv.* /var/log/secure > > # Log all the mail messages in one place. > mail.* > -/var/log/maillog > > > # Log cron stuff > cron.* -/var/log/cron > > # Everybody gets emergency messages > *.emerg * > > # Save news errors of level crit and higher in a special file. > uucp,news.crit > -/var/log/spooler > > # Save boot messages also to boot.log > local7.* > /var/log/boot.log > > # Remote Logging (we use TCP for reliable delivery) > # An on-disk queue is created for this action. If the remote host is > # down, messages are spooled to disk and sent when it is up again. > $WorkDirectory /var/spool/rsyslog # where to place spool files > $ActionQueueFileName uniqName # unique name prefix for spool files > $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as > possible) > $ActionQueueSaveOnShutdown on # save messages to disk on shutdown > $ActionQueueType LinkedList # run asynchronously > $ActionResumeRetryCount 5 # five retries if host is down > # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional > *.* @@logserver > -- > > Do you see anything suspicious?
this TCP logging would cause it. you have it limited to 1g of disk space, how large did it get? also, disk queues are pretty slow, it may be that you had messages arriving faster than they could be put into the queue also, you still have it using the default main queue size (something tiny like 1000 messages IIRC) I would bump the main queue size up significantly (assuming you can afford the ram) also, look at the high and low watermark config variables, they (along with one other variable I don't remember offhand) tell the system what to do in crisis mode and how to define that mode. unfortunantly I don't have time until late today to go through the config page and dig up the exact details. David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
