Hi,
I have a CentOS 6.3 system with rsyslogd 5.8.10 running. I have a config that forwards logs to a collector using TCP. I have action queues set up in case the collector is not available. I previously had an issue where the queues filled up and any app using syslog slowed down. I addressed that by enabling discards for each of the action queues. However, a new problem cropped up where it 'appears' that messages to be written locally are discarded. I moved the local rules above the forwarding rules, but it still appears that local messages are also being discarded. I must not fully understand all the ActionQueue config parameters. Interestingly, when I looked at the action queue files on disk they only had 5 or so messages in them.

My goal is to write the messages locally, then forward them. If the queue is full, drop the message that would have been forwarded, but don't drop the local copy of the message.

At this point moving to a newer version of rsyslog is not an option. Any help in debugging my issue and/or getting this config to work is greatly appreciated.

Thanks,
Al Ross

#example config
local3.*                                 /var/log/fred/sam.log
local4.*                                 /var/log/fred/sam-alt.log

# Std local rules, if facility is not in this
# list, it won't get logged to the generic messages file
kern.info                                /var/log/messages
user.info                                /var/log/messages
daemon.info                              /var/log/messages
auth.info                                /var/log/messages
syslog.info                              /var/log/messages
news.info                                /var/log/messages
uucp.info                                /var/log/messages
ftp.info                                 /var/log/messages
mail.none;authpriv.none;cron.none        /var/log/messages

# The authpriv file has restricted access.
authpriv.*                               /var/log/secure

# Log all the mail messages in one place.
mail.*                                   -/var/log/maillog

# Log cron stuff
cron.*                                   /var/log/cron

# Everybody gets emergency messages
*.emerg                                  *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                           /var/log/spooler

# Save boot messages also to boot.log
local7.*                                 /var/log/boot.log

$template sam3-fwd,"<%PRI%>1 %timegenerated:::date-rfc3339% sam3 %syslogtag:1:32% - - %msg:::drop-last-lf%\n"

#action queue. One of these per forwarding rule.
$ActionQueueFileName sam3-fwd-q1
$ActionQueueDiscardSeverity 4
$ActionQueueSize 30000
$ActionQueueDiscardMark 25000
$ActionQueueHighWaterMark 10000
$ActionQueueLowWatermark 0
$ActionQueueTimeoutEnqueue 500
$ActionQueueMaxDiskSpace 20m
$ActionQueueWorkerTimeoutThreadShutdown -1
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.debug;mail.none;authpriv.none;cron.none; @@1.2.3.4:51400;sam3-fwd

#action queue. One of these per forwarding rule.
$ActionQueueFileName sam3-fwd-q2
$ActionQueueDiscardSeverity 4
$ActionQueueSize 30000
$ActionQueueDiscardMark 25000
$ActionQueueHighWaterMark 10000
$ActionQueueLowWatermark 0
$ActionQueueTimeoutEnqueue 500
$ActionQueueMaxDiskSpace 20m
$ActionQueueWorkerTimeoutThreadShutdown -1
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.debug;mail.none;authpriv.none;cron.none; @@5.6.7.8:51400;sam3-fwd

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
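
An added example, not part of the original post: a small audit script that walks a legacy-format rsyslog config and reports which $ActionQueue* directives are attached to each action, so it is visible which actions carry discard settings. It assumes the documented legacy behaviour that $ActionQueue* directives apply only to the next action and are then reset; the function names are hypothetical, the sample is a constructed excerpt of the posted config, and the main message queue is not modelled.

```python
import re

# Constructed excerpt of the posted config: three local rules, both forwards.
SAMPLE = r"""
local3.* /var/log/fred/sam.log
kern.info /var/log/messages
authpriv.* /var/log/secure
$template sam3-fwd,"<%PRI%>1 %timegenerated:::date-rfc3339% sam3 %syslogtag:1:32% - - %msg:::drop-last-lf%\n"
$ActionQueueFileName sam3-fwd-q1
$ActionQueueDiscardSeverity 4
$ActionQueueDiscardMark 25000
$ActionQueueType LinkedList
*.debug;mail.none;authpriv.none;cron.none; @@1.2.3.4:51400;sam3-fwd
$ActionQueueFileName sam3-fwd-q2
$ActionQueueDiscardSeverity 4
$ActionQueueDiscardMark 25000
$ActionQueueType LinkedList
*.debug;mail.none;authpriv.none;cron.none; @@5.6.7.8:51400;sam3-fwd
"""
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def bind_queue_directives(text):
    """Return (selector, target, queue_params) for every action line."""
    pending, actions = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\$ActionQueue(\w+)\s+(\S+)", line, re.IGNORECASE)
        if m:
            pending[m.group(1).lower()] = m.group(2)
        elif not line.startswith("$"):      # a selector/action rule
            selector, target = line.split(None, 1)
            actions.append((selector, target, pending))
            pending = {}                    # assumed: settings reset after one action
    return actions

def discard_exposure(params):
    """Summarise what the action's own queue may drop (explicit settings only)."""
    if params.get("type", "direct").lower() == "direct":
        return "no action queue"
    sev = int(params.get("discardseverity", -1))
    if not 0 <= sev <= 7:                   # unset here, or 8 = discarding off
        return "queued, discard not enabled by these directives"
    return "queued, drops %s..debug at discard mark %s" % (
        SEVERITIES[sev], params.get("discardmark", "(default)"))

if __name__ == "__main__":
    for selector, target, params in bind_queue_directives(SAMPLE):
        print("%-45s %-28s %s" % (selector, target, discard_exposure(params)))
```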