I ran into this same problem and finally discovered that it was because there were two sets of rsyslog modules, the old Ubuntu defaults and the ones I compiled. The wrong ones were being found and problems resulted.
You may find that you have files in /usr/lib/rsyslog and in /usr/local/lib/rsyslog; delete the wrong ones (probably /usr/lib/rsyslog is the Ubuntu package).

rsyslog needs to eventually gain the ability to version the modules and report when the wrong version module is loaded. But at the moment this is not available.

David Lang

On Thu, 1 Jul 2010, Głowacki, Tomasz wrote:

> Date: Thu, 1 Jul 2010 10:37:44 +0200
> From: Głowacki, Tomasz <[email protected]>
> To: [email protected]
> Subject: [rsyslog] high CPU usage on 5.5.5 and 5.4.0
>
> Hi everyone,
>
> Web forum seems dead for a while, so I decided to post to mailing
> list.
>
> I'm having a problem running rsyslogd 5.4.0 and 5.5.0 compiled under
> Ubuntu 10.04 x86. I'm using quite a basic configuration: just logging to
> files based on facility and some simple forwarding using omudpspoof.
> That is all I have plus generic system logging. Default as much as it
> can be ;)
>
> rsyslogd is hogging my CPU. 5.4.0 doesn't even log a message, while
> 5.5.0 seems to work quite normally but with CPU load for the process
> reaching 99%. This is a simple Pentium III 833 machine.
>
> I did some sort of debugging. I disabled the /dev/xconsole section and the immark
> module as suggested. No change at all.
>
> Then, I ran rsyslogd with -d and there were no errors at all, normal
> initialization and no further messages at all.
>
> After all I did strace -ff -o /tmp/sysl.txt rsyslog -d -c4, and one of
> the files started to grow about 1-2 megabytes every few seconds with
> something like that:
>
> clock_gettime(CLOCK_REALTIME, {1277909500, 585805743}) = 0
> write(1, "9500.585805743:", 15) = -1 EINVAL (Invalid argument)
> write(1, "b776db70: ", 10) = -1 EINVAL (Invalid argument)
> write(1, "ruleset: get iRet 0 from rule.Pr"..., 43) = -1 EINVAL (Invalid argument)
> clock_gettime(CLOCK_REALTIME, {1277909500, 586203967}) = 0
> write(1, "9500.586203967:", 15) = -1 EINVAL (Invalid argument)
> write(1, "b776db70: ", 10) = -1 EINVAL (Invalid argument)
> write(1, "testing filter, f_pmask 0\n", 26) = -1 EINVAL (Invalid argument)
> clock_gettime(CLOCK_REALTIME, {1277909500, 586596069}) = 0
> write(1, "9500.586596069:", 15) = -1 EINVAL (Invalid argument)
> write(1, "b776db70: ", 10) = -1 EINVAL (Invalid argument)
> write(1, "ruleset: get iRet 0 from rule.Pr"..., 43) = -1 EINVAL (Invalid argument)
> clock_gettime(CLOCK_REALTIME, {1277909500, 586991581}) = 0
> write(1, "9500.586991581:", 15) = -1 EINVAL (Invalid argument)
> write(1, "b776db70: ", 10) = -1 EINVAL (Invalid argument)
> write(1, "testing filter, f_pmask 0\n", 26) = -1 EINVAL (Invalid argument)
> clock_gettime(CLOCK_REALTIME, {1277909500, 587383376}) = 0
> write(1, "9500.587383376:", 15) = -1 EINVAL (Invalid argument)
> write(1, "b776db70: ", 10) = -1 EINVAL (Invalid argument)
> write(1, "ruleset: get iRet 0 from rule.Pr"..., 43) = -1 EINVAL (Invalid argument)
> clock_gettime(CLOCK_REALTIME, {1277909500, 587778171}) = 0
>
> This is the tail from that rapidly growing file.
>
> How can I solve this? What kind of information should I provide to
> solve the problem? :) I'm open and ready for further debugging.
>
> Distributed with Ubuntu 10.04 rsyslogd 4.2.0 is working just fine with
> the same config besides that it doesn't support omudpspoof module, so
> forwarding of messages is quite useless..
>
> --
> Best regards,
> Tomasz Głowacki mailto:[email protected]
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
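
An added example, not part of the thread: a shell check for the situation described in the reply at the top, where module files exist in both /usr/lib/rsyslog and /usr/local/lib/rsyslog. It lists the modules present in both directories and whether the two copies differ; the function names are illustrative, and the default paths are the two named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): find rsyslog module files that exist
# in two module directories, so a distribution copy cannot silently be
# picked up in place of a self-compiled one.

# list_modules DIR
# Prints the basenames of the *.so files in DIR, sorted. Prints nothing if
# DIR does not exist or holds no modules.
list_modules() {
    [ -d "$1" ] || return 0
    for f in "$1"/*.so; do
        if [ -f "$f" ]; then
            basename "$f"
        fi
    done | sort
}

# shadowed_modules DIR_A DIR_B
# Prints one line per module name present in both directories:
#   "<name> same"       the two files are byte-identical
#   "<name> DIFFERENT"  the two files differ (likely different builds)
shadowed_modules() {
    dir_a=$1
    dir_b=$2
    list_modules "$dir_a" | while IFS= read -r name; do
        if [ -f "$dir_b/$name" ]; then
            if cmp -s "$dir_a/$name" "$dir_b/$name"; then
                echo "$name same"
            else
                echo "$name DIFFERENT"
            fi
        fi
    done
}

# Default to the two directories named in the reply; other paths can be
# passed as arguments.
shadowed_modules "${1:-/usr/lib/rsyslog}" "${2:-/usr/local/lib/rsyslog}"
```

Any line marked DIFFERENT is a module that exists as two distinct builds, which is the condition the reply identifies as the cause.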

