Eric, Saw your response when I sent my follow-up. Thanks for the info - creating the directory was the solution. I've not gotten to where you're at as all my tests were with messages that dumped to the same location, but I'll certainly put together a test of your scenario and see what I get.
So to clarify: your have your loghost directive AFTER some exclusion rules and all works fine until disk queuing comes into play? Essentially, when disk queuing begins, rsyslog dumps everything to the queue, regardless of rules? Todd On Feb 12, 2011, at 4:26 PM, Eric Schoeller wrote: > I've been playing around with this recently too. You certainly need to create > the spool directory. rsyslog won't do it (but like you, I thought it would). > Once I did that, I quickly saw spool files being created there while > performing tests similar to yours. > > My issue is still standing, previous filters within the rsyslog configuration > aren't honored when you've enabled disk queuing. Everything gets sent to the > log server, even messages specifically thrown away earlier with '~'. I'd be > interested to see if you experience similar behavior. > > -- Eric > > Todd Michael Bushnell wrote: >> I configured reliable forwarding in accordance with instructions here: >> http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html >> >> Version: rsyslog-3.22.1-3.el5_5.1 >> >> Configuration: >> >> # forward to remote host, queueing to local disk if host is down and memory >> fills up >> # work (spool) files directory >> $WorkDirectory /var/log/rsyslog # start forwarding rule - loghost2 >> # in-memory queue; set for asynchronous processing (?) >> $ActionQueueType LinkedList >> # failover queue filename; also enables disk mode >> $ActionQueueFileName failqueue-loghost2 >> # infinite retries on insert failure >> $ActionResumeRetryCount -1 >> # save in-memory data if rsyslog shuts down >> $ActionQueueSaveOnShutdown on >> # remote logging of everything >> *.* @@loghost2:5140 >> >> I wanted to test its functionality before going into production. >> >> First, I used iptables to block access to the syslog port on the central >> syslog (syslog-ng) server, simulating a down syslog server: >> # on loghost2 >> /sbin/iptables -I INPUT -p tcp --destination-port 5140 -j REJECT >> --reject-with icmp-admin-prohibited >> >> I then ran logger through a loop to start creating a pile of messages on the >> rsyslog client: >> for i in {1..1000000}; do logger -t tmbtest -p local1.info "this is a test >> $i"; done >> >> I ran this loop twice in an effort to sufficiently fill up memory and >> initiate dump to disk. While this loop was running I verified that memory >> consumption for the rsylogd process on the client was increasing. It >> eventually got to this point: >> root 20263 0.2 77.8 2537008 1603712 ? Sl Feb10 6:09 >> /sbin/rsyslogd -c 3 >> >> To be honest, I don't know how much memory it will consume before dumping to >> disk (feel free to school me on this) so I figured I'd keep going until I >> saw /var/log/rsyslog directory and files created. This never happened and >> my second iteration stopped at about 600k and I saw some memory fork errors >> (though they dumped only to standard error, not log, so I lost them (sorry)). >> >> Dump to disk having failed, I next wanted to see if rsyslog would at least >> resume forward to remote host when it came back up (dumping whatever was in >> memory to central syslog server). I restarted iptables on the syslog server >> to restore access to the port, but no logs were forwarded from the rsyslog >> client. >> >> Lastly, I restarted rsyslog, hoping that I would see a dump to disk but this >> failed as well. >> I'm sure it's something I'm doing incorrectly. Would appreciate some >> guidance. Who knows, maybe I just need to create the /var/log/rsyslog >> directory (assumed rsyslog would create it). While I'm waiting for >> feedback, I'll probably give that a shot. Thanks. >> Todd >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
