Hey Guys, I am new to this mailing list and I wanted to see about getting some pointers if possible regarding tweakin rsyslog:
I am pretty new to rsyslog, and I've been given a pretty fun task... to test rsyslog vs syslog-ng and pick the best one, I am having a problem with rsyslog where im at 25K/mps and im dropping logs, I need to get it at 100k mps with and I'm not sure where the misconfiguration is if anyone could take a look I would really appreciatte it, my current setup: rhel 6.4 x86_64 rsyslog-5.8.10-2.el6.x86_64 Dual Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz 32GB RAM 500GB 15k raid 0 # rsyslog v5 configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog # provides kernel logging support (previously done by rklogd) #$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # $UDPServerTimeRequery 10 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf # Set Buffer Size - default is 4k # $OMFileIOBufferSize 128k # Set Main Message Queue Size - default is 10000 # $MainMsgQueueSize 50000 #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console if $hostname contains 'pdc' then /var/log/test/f_ad & ~ if $hostname contains 'fdfw' then /var/log/test/f_fw & ~ if $hostname contains 'mail' then /var/log/test/f_mail & ~ if $hostname contains 'pix' then /var/log/test/ix & ~ if $hostname contains 'rout' then /var/log/test/rout & ~ if $hostname contains 'networks' then /var/log/test/net & ~ #if $fromhost-ip == '10.0.0.10' then /var/log/test/thost #& ~ #if $hostname startswith 'virtserv' then /var/log/test/test_virtserv #&~ #if $fromhost-ip startswith '10.0.6' then /var/log/test/test_10.0.6 #& ~ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! #*.info;mail.none;authpriv.none;cron.none /var/log/messages *.debug /var/log/messages # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$WorkDirectory /var/lib/rsyslog # where to place spool files #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ### Robert. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
