Hello, Trying to understand rsyslog behavior with that sample config: - If loghost.unet.brandeis.edu is down, messages will pile up in the main queue (because the TCP action has a direct queue by default) - Once the main queue is full, rsyslog will no longer poll /dev/log - Now, rsyslog will no longer accept new connections on /dev/log and will no longer poll already connections established through that socket, so the processes who try to connect/write messages to /dev/log get blocked
Is that the expected behavior of rsyslog with that configuration ? How can we configure the TCP action in order to prevent the complete locking ? Thanks for your help :-) Philippe Philippe Muller On Mon, Dec 17, 2012 at 11:02 PM, David Lang <[email protected]> wrote: > On Mon, 17 Dec 2012, John Miller wrote: > > Hello everyone, >> >> I'm running into a strange problem with some new RHEL 6 servers I've >> built. I can go for days without anything appearing to get logged (to any >> file/remote server), but then when I restart rsyslog via the provided >> initscripts, logs magically appear! Obviously there's some sort of >> buffering happening, but where/how? If anyone is familiar with this, and >> could point me to the relevant spot in the docs, I'd be grateful. >> >> We're running a pretty bare-bones config (comments removed): >> >> $ModLoad imuxsock.so >> $ModLoad imklog.so >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> *.info;mail.none;authpriv.**none;cron.none >> /var/log/messages >> authpriv.* /var/log/secure >> mail.* -/var/log/maillog >> cron.* /var/log/cron >> *.emerg * >> uucp,news.crit /var/log/spooler >> local7.* /var/log/boot.log >> *.info;mail.none;authpriv.*;**cron.none @@loghost.unet.brandeis.edu >> >> The initscript calls rsyslog as: >> /sbin/rsyslogd -i /var/run/syslogd.pid -c5 >> >> I'm running things in debug mode right now, and will post the debug logs >> once I read through them a bit. >> > > My guess is that something is interrupting the TCP connection and logs > then stop (possibly a firewall or NAT timeout), logs are then buffered > until something gets restarted and they start flowing again. > > However, I don't see anything in your config that would spool to disk, so > it would have to be a HUP refresh on the sender, or a full restart on the > reciever that would get logs flowing again (a full stop on the sender would > throw away the logs that it has buffered) > > > Ryslog always buffers logs, but usually only does so for a very short > time. The internal structure of rsyslog is that it has one or more threads > recieving new messages and adding them to a queue (by default in-memory), > and one or more threads pulling messages out of the queue and delivering > them (either directly, ot to a secondary queue with yet another thread > pulling from that queue for delivery) > > > I notice that you have rsyslog set for TCP relaying of messages, you need > to be aware that if rsyslog is unable to deliver messages for long enough > that it's internal buffering fills up, it will stop accepting new messages, > and this will cause systems trying to log to syslog to stop. Rsyslog has > config options to let you tell it to throw away logs if it gets too full, > or to spill logs out to disk, but you don't appear to have any of these > options configured. > > David Lang > > ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> > http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
