Hi Tomas, thanks for answering!

2012/5/22 Tomas Heinrich <[email protected]>

> Hi. Just some quick notes.
>
> Upgrade if you can. 5.8.5 is way too old.


I'm running OpenSuSE 12.1 and that's the rsyslog version that comes with
it, I don't like using software out of the repositories. What version
should I try? I've heard something about bugs in this version..., this is
a good start.


>
>
> On 05/22/2012 03:56 PM, Juan Jose Pavlik wrote:
>
>> Right after the queues filled up, it stopped sending logs to the second log
>> server too.
>>
>
> My guess was that it hangs on one action which fills the main queue which
> slows message processing. But forwarding would be the one to suspect if
> other outputs are just plain files.


I thought that too, that's why I disabled the database writing (the db is
in a remote server), I don't think that the other rsyslog is the one
slowing it down. Maybe it is a network problem...?


>
>
>>>> in my centralized logging server and I'm getting some troubles I'd really
>>>> love to figure out. I've around 170 servers/switches/other things logging on
>>>> this server, most of them just send auth.* logs, some apaches sending the
>>>> access and error logs, and switches sending warns and errors. Sometimes the
>>>> rsyslog queues get completely filled up and it stops writing logs to disk,
>>>> this is the exact logs of what happened:
>>>>
>>>
> Stops completely or just writes them incredibly slowly?
>

It writes them incredibly slow, right.


>
>>>> Once *size* reaches 10000 (the default max as far as I know) things get
>>>> complicated, rsyslog starts to drop logs and misbehave. The rsyslog
>>>>
>>>
> Dropping is a default action in case of congestion, do you really see some
> misbehavior?
>
>
What I see is (I've munin graphs of the server):

- disk writing goes down, to almost zero.
- rsyslog queues start to grow dramatically fast.



>
>>>> configuration writes per-host files into /var/log/servidores/, it also
>>>> sends some logs to another rsyslog server and a Postgres database running
>>>> in another server. 2 weeks ago, I disabled sending logs to the Postgres
>>>> database, because I had this same problem and we lost too many hours of
>>>> logs. Most of the servers are sending logs by TCP and a few servers and
>>>> other devices use UDP.
>>>>
>>>> Is there a way I can avoid this problem? Should I increase the mainqueue
>>>> size? Use other queues? Any help will be great. Thanks
>>>>
>>>
> Any particular size of a queue (or available ram) is finite. If you can
> identify the output that blocks the processing, put it in a separate queue
> and configure enqueuing to have a short timeout. This should mitigate the
> issue to some degree, not to be an ideal solution.
>

How can I identify the blocking process? Any idea?


>
> e.g.
> $ActionQueueTimeoutEnqueue <milisec>
>
> This could also be a bug, but I can't recall all the issues all the way
> back to 5.8.5. Do you encrypt the forwarded logs?
>
>
I'm not encrypting logs, I think it's a bug too.


> Tomas
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
>



-- 
Pavlik Salles Juan José
Prosecretaría de Informática - UNC
Área Redes y Servidores
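
The advice quoted above (give the suspect output its own queue with a short enqueue timeout), sketched as an added example that is not part of the original thread or of either poster's configuration. It uses rsyslog v5 legacy directives; the host name, queue file prefix, spool directory and size values are assumptions.

```conf
# Added example: rsyslog v5 legacy syntax.
# Host name, file prefix, spool path and sizes below are constructed placeholders.

# Directory where disk-assisted queue files are spooled.
$WorkDirectory /var/spool/rsyslog

# The $ActionQueue* directives apply only to the next action, so they
# must appear immediately before the forwarding rule they decouple.

# Dedicated asynchronous in-memory queue for this one action.
$ActionQueueType LinkedList
# Giving the queue a file name makes it disk-assisted when memory fills.
$ActionQueueFileName fwd_secondary
# In-memory message limit for this action's queue.
$ActionQueueSize 20000
# Upper bound on spool usage for this queue.
$ActionQueueMaxDiskSpace 1g
# Milliseconds to wait when this queue is full before the message is discarded.
$ActionQueueTimeoutEnqueue 10
# Keep queued messages across a restart.
$ActionQueueSaveOnShutdown on
# Keep retrying the remote instead of suspending the action.
$ActionResumeRetryCount -1
# TCP forward to the second log server (placeholder host).
*.* @@secondary-log.example.net:514

# Actions defined after this point (for example the per-host file output)
# use the main queue again and do not wait on the remote receiver.
```

With this layout, a slow or unreachable receiver fills only the action queue, so the queue that grows in the statistics is the one belonging to the blocking output.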