Hi again, I simplified the rsyslog config file:
$ModLoad immark.so # provides --MARK-- message capability $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) $ModLoad imklog.so # kernel logging (formerly provided by rklogd) $WorkDirectory /var/log/queue $ActionQueueType LinkedList $ActionQueueFileName prueba $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on *.* @@10.10.0.210 & ~ *.* /var/log/messages kern.* /dev/console *.info;mail.none;authpriv.none;cron.none -/var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* -/var/log/cron uucp,news.crit -/var/log/spooler local7.* /var/log/boot.log Now I have disk queue, but rsyslog only logs up to 3000 entries. 0719.224892620:imuxsock.c: --------imuxsock calling select, active file descriptors (max 3): 3 0719.233534436:imuxsock.c: Message from UNIX socket: 0000003 0719.233573550:imuxsock.c: logmsg: flags 4, from 'linux-92wq', msg Nov 4 22:38:39 punisher: pruebaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0719.233589475:imuxsock.c: Message has legacy syslog format. 0719.233643675:imuxsock.c: main queue: entry added, size now 3000 entries 0719.233659599:imuxsock.c: main queue: EnqueueMsg signaled condition (0) 0719.233674127:imuxsock.c: wtpAdviseMaxWorkers signals busy 0719.233688096:imuxsock.c: --------imuxsock calling select, active file descriptors (max 3): 3 0719.244104262:imuxsock.c: Message from UNIX socket: 0000003 0719.244145331:imuxsock.c: logmsg: flags 4, from 'linux-92wq', msg Nov 4 22:38:39 punisher: pruebaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0719.244161256:imuxsock.c: Message has legacy syslog format. 0719.244186680:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0720.818283853:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0721.819871573:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0722.828967380:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0723.832482270:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0724.839541947:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0725.848415367:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0726.855937980:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0727.858592935:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. 0728.862998771:imuxsock.c: main queue: enqueueMsg: LightDelay mark reached for light delayble message - blocking a bit. Rsyslog 3.19.7 (Suse) 2009/11/4 <[email protected]>: > ok, looking at this I don't see that you have any commands that would use > the work directory. > > now when you say the client computer locks up do you mean the following? > > you have a server writing logs > you have a seperate client sending logs to the server > you shut down the server > later the client machine stops responding. > > is this config for the client or for the server? > > one possible explination for the freeze you are seeing is that if you have > the client configured to send via TCP (the @@ option) and the server does > not accept the message, the client will queue the message, when the client > queue fills up it will not accept any more messages. many processes > (including login) will block until syslog accepts the message causeing the > machine to 'freeze' or 'lock up' > > does this match what you are seeing? > > if so, turning the server back on should un-freeze the client machines. > > > if this is the case you need to decide your priorities > > how critical is it to get the logs off the machine? in some cases they are > a real security issue and you must get them off (in which case you really > should be using relp, not tcp, but that's a different discussion that > rainer did a write-up on), and your only real answer is to setup multiple > servers so that one is always up. > > in other cases you are willing to spill over to disk and risk having an > intruder tamper with the logs before they get sent off to another machine > and set the main queu type to disk assisted mode > > in other cases you are willing to loose logs rather than freezing the > machine and can configure rsyslog to accept messages, even when it can't > do anything with them to avoid this sort of lockup. > > Daivd Lang > > > On Wed, 4 Nov 2009, Miguel Angel Nieto wrote: > >> $ModLoad immark.so # provides --MARK-- message capability >> $ModLoad imuxsock.so # provides support for local system logging (e.g. >> via logger command) >> $ModLoad imklog.so # kernel logging (formerly provided by rklogd) >> >> $WorkDirectory /var/log/queue >> $MainMsgQueueFileName mainq >> >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "TVC" @@10.10.0.100 >> & ~ >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "TVB" @@10.10.0.100 >> & ~ >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "TTD" @@10.10.0.100 >> & ~ >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "KCD" @@10.10.0.100 >> & ~ >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "LPT" @@10.10.0.100 >> & ~ >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "ABT" @@10.10.0.100 >> & ~ >> $ActionQueueType LinkedList >> $ActionQueueFileName dbq >> $ActionQueueMaxDiskSpace 1g >> $ActionQueueSaveOnShutdown on >> $ActionResumeRetryCount -1 >> :msg, contains, "XET" @@10.10.0.100 >> & ~ >> >> *.* /var/log/syslog >> kern.* /dev/console >> *.info;mail.none;authpriv.none;cron.none -/var/log/messages >> authpriv.* /var/log/secure >> mail.* -/var/log/maillog >> cron.* -/var/log/cron >> uucp,news.crit -/var/log/spooler >> local7.* /var/log/boot.log >> >> >> 2009/11/4 <[email protected]>: >>> On Wed, 4 Nov 2009, Miguel Angel Nieto wrote: >>> >>>> I have a problem with the attached client-configuration. When I stop >>>> the server, the client computer hangs-up some minutes later and didn't >>>> write logs on $WorkDirectory /var/log/queue. >>> >>> this list strips attachments, please re-send with the config in the body of >>> the message. >>> >>> david Lang >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >>> >>> >> >> >> >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > -- Lo que haría sería hacerme pasar por sordomudo y así no tendría que hablar. Si querían decirme algo, tendrían que escribirlo en un papelito y enseñármelo. Al final se hartarían y ya no tendría que hablar el resto de mi vida. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
