Re: [rsyslog] Multiple rulesets and queues - strange behavior, problems logging to MySQL

[Jason Antman]

Haven't given that a try yet. I just finished working up a stable 
(albeit slow and very sub-optimal) configuration with everything in one 
ruleset, and ran that on my development server for the past 3 days. Once 
I have that migrated to production I'll give one input/one additional 
ruleset a try, probably sometime early tomorrow (by east coast US time).

Thanks,
Jason
Rainer Gerhards wrote:
Jason,

any chance you can reproduce this with a single input and a single additional
ruleset? Did you try this?

Rainer


  
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
boun...@lists.adiscon.com] On Behalf Of Jason Antman
Sent: Friday, January 07, 2011 8:08 PM
To: rsyslog-users
Subject: Re: [rsyslog] Multiple rulesets and queues - strange behavior,
problems logging to MySQL

Ok.

Just as a quick overview (I haven't analyzed enough of the debugging
information that I collected to submit a bug report), rsyslog becomes
unstable when omruleset is called from within a ruleset. Crashes were a
mix of segfaults and malloc/realloc errors. With my original config
(complex mix of multiple ommysql calls per if statement, etc.)
triggered
a crash within the first few seconds of running, every time. I created
a
much smaller sample config (one ruleset bound to imudp/imtcp, two
rulesets called from there each with two if statement rules) and it
runs
for about 30 seconds before dieing.

Perhaps there's some interaction somewhere between omruleset and other
output modules??

If I remove the omruleset calls and put everything from them in the
main
ruleset (bound to imudp and imtcp), it runs without any problems.

I'm running 5.6.2 on CentOS 5.5 x86_64.

Thanks,
Jason

Sample config that segfaults is below:
====== BEGIN CODE====

#### GLOBAL DIRECTIVES ####

$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirOwner root
$DirGroup root
$DirCreateMode 0750

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$WorkDirectory /var/rsyslog/work

# Provides logging to MySQL - define before any rules that use it
$ModLoad ommysql
$ModLoad omruleset

# templates - include first
$IncludeConfig /etc/rsyslog.d/templates.conf
$IncludeConfig /etc/rsyslog.d/dhcp-templates.conf

#### Imports - ORDER MATTERS HERE ####

$RuleSet BSC-ruleset

*.* /var/log/TESTING/rules-BSC-ruleset

if $msg contains 'user_login_suc' then
/var/log/TESTING/rules-BSC-ruleset-logout_suc
& :ommysql:localhost,wireless_logs,syslogger,syslogger;BSC-login
& :ommysql:localhost,wireless_logs,syslogger,syslogger;BSC-login-web
& ~

$RuleSet DHCP-parsing

*.* /var/log/TESTING/rules-DHCP-parsing

:msg, startswith, " DHCPREQUEST for"
/var/log/TESTING/rules-DHCP-parsing-requestfor
& :ommysql:localhost,test,syslogger,syslogger;DHCPREQUESTMAC
& :ommysql:localhost,test,syslogger,syslogger;DHCPREQUESTIP
& ~ ### DISCARD

if $msg startswith ' DHCPACK to' and ( not ( $msg contains 'no client
hardware address' ) ) then /var/log/TESTING/rules-DHCP-parsing-ackto \
& :ommysql:localhost,test,syslogger,syslogger;DHCPACKtoMAC
& :ommysql:localhost,test,syslogger,syslogger;DHCPACKtoIP
& ~ ### DISCARD

$RuleSet remote

*.* /var/log/TESTING/rules-remote

$ActionOmrulesetRulesetName BSC-ruleset
if $fromhost-ip == '128.6.30.195' or $fromhost-ip == '128.6.30.196' \
then /var/log/TESTING/rules-remote-BSC
& :omruleset:
& ~

$ActionOmrulesetRulesetName DHCP-parsing
if ( $fromhost-ip == '172.16.25.114' ) or ( $fromhost-ip ==
'172.16.25.116' ) or ( $fromhost-ip == '128.6.17.217' ) then
/var/log/TESTING/rules-remote-dhcp
& :omruleset:

$RuleSet local
*.*                /var/log/TESTING/local

##### END IMPORTS

#### Default Ruleset ####
# since we bind TCP and UDP to remote, this should only handle local
$DefaultRuleset local

#### MODULES ####

$ModLoad imuxsock.so    # provides support for local system logging
(e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously
done by rklogd)
#$ModLoad immark.so     # provides --MARK-- message capability

#### BIND INPUTS ####

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress *
$InputUDPServerBindRuleset remote # bind UDP to the remote ruleset
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerBindRuleset remote # bind tcp to the remote ruleset
$InputTCPServerRun 514


====== END CODE ====

Champ Clark III [Softwink] wrote:
    
On Fri, Jan 07, 2011 at 09:13:49AM -0500, Jason Antman wrote:

      
Since I haven't gotten any response to this... can anyone at least
        
give
    
me a yes or no answer:

        
        I think Rainer might still be on vacation.   It might be a bit
before he can look at it.  Hopefully someone else might have a answer
for you.



---------------------------------------------------------------------
      
---
    
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

      
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
    
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

  

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com