I think my syslogd options are on
/etc/sysconfig/rsyslog:
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"
/etc/sysconfig/rsyslog (END)
So I will add it to "= -c 5 -x"
also when I run :
$ sudo rsyslogd -x
$ sudo service rsyslog status
rsyslogd (pid 35610) is running...
$ ls
f_ad f_fw f_mail f_networks f_pix f_router f_shib f_vm
$ sudo tail f_fw
$
It starts the daemon without dns enabled, and it created the files but it
doesnt actually write anything to the files?
I have a local hosts file that has a list of all the hostnames that will be
sending the server messages but it doesnt seem to read it?
----- Original Message -----
From: David Lang
Sent: 08/30/13 04:21 PM
To: rsyslog-users
Subject: Re: [rsyslog] (no subject)
the right thing is to find where $SYSLOGD_OPTIONS is defined and add -x to that
however, in this case, the line that's commented out has the -x on it, just
switch which line is commented out should work If you are still having
problems, try and start it manually just doing rsyslogd -x will probably get
you a running rsyslog you can get debug output by doing rsyslog -x -dn, but
that produces a LOT of output and significantly slows rsyslog down. David Lang
On Fri, 30 Aug 2013, Robert Ortiz wrote: > Thank you David, where exactly do I
need to start rsyslog with -x? from the init.d/rsyslog or the sysconfig/rsyslog
? > > start() { > [ -x $exec ] || exit 5 > > umask 077 > > echo -n $"Starting
system logger: " > # daemon --pidfile="$PIDFILE" $exec -x -i "$PIDFILE"
$SYSLOGD_OPTIONS > daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE"
$SYSLOGD_OPTIONS > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch $lockfile >
return $RETVAL > } > When I do it from init.d/rsyslog and I de-comment the dae
mon line and run -x from there , no logs are written? > ----- Original Message
----- > From: David Lang > Sent: 08/30/13 03:47 PM > To: rsyslog-users >
Subject: Re: [rsyslog] (no subject) > > If things are working most of the time,
but occasionally you are seeing lots of dropped messages, I would be looking at
DNS issues. One of the big reasons to disable DNS lookups on UDP rsyslog
servers is that DNS can take an unknown amount of time to resolve (up to
several seconds), and during that time, additional new messages cannot be
processed, if you don't have insanely large buffers setup in the OS, this will
cause you to loose messages. Try starting rsyslog with -x (to disable DNS
lookups) and see if you still have the problem what version are you running?
you should upgrade to 7.x and see if the problem reamins (lots of improvements,
including a DNS cache compared to 5.x and earlier) David Lang On Fri, 30 Aug
2013, Robert Ortiz wrote: > Hey guys, > > So currently I'm running a l
oad of 50K mps and mostly retaining logs there are random seconds where I drop
20K+ messages, I wanted to run rsyslog in debug mode, and I wanted to run this:
> > > "RSYSLOG_DEBUGLOG" (sampl! e: > RSYSLOG_DEBUGLOG="/path/to/debuglog/") >
> with this " LogFuncFlow" > > But I am not sure where to do this from? Do I
need to put this on the .conf file or is this something that needs to be
created? > > Sorry I don't understand the instructions on the debugging site >
> Thanks > > Currently this is my .conf file: > > #### MODULES #### > >
#module(load="imuxsock") # needs to be done just once Robert 8-9-13 >
#SysSock.FlowControl=(:"on") # enable flow control (use if needed) Robert
8-9-13 > $ModLoad imuxsock # provides support for local system logging (e.g.
via logger command) > > #module(load="imklog") > $ModLoad imklog # provides
kernel logging support (previously done by rklogd) > $ModLoad immark # provides
--MARK-- message capability > > # Provides UDP syslog reception > #module
(load="imudp") # needs to be done just once Robert 8-9-13 >
#input(type="imudp" port="514") # Robert 8-9-13 > $ModLoad imudp >
$UDPServerRun 514 > #$UDPServerTimeRequery 1000000 > > > #### GLOBAL! D >
IRECTIVES #### > > # Use default timestamp format > $ActionFileDefaultTemplate
RSYSLOG_TraditionalFileFormat > > # File syncing capability is disabled by
default. This feature is usually not required, > # not useful and an extreme
performance hit > #$ActionFileEnableSync on > > # Include all config files in
/etc/rsyslog.d/ > $IncludeConfig /etc/rsyslog.d/*.conf > > # Set Buffer Size -
default is 4k > #$OMFileIOBufferSize 128k # - Gil 06/06/13 >
#$OMFileAsyncWriting on > #$OMFileFlushOnTXEnd off > #$OMFileFlushInterval 30 >
#$OMFileZipLevel 9 > $OMFileIOBufferSize 256k > > #Turn on Main Ruleset Robert
8-20-13 > #$RulesetCreateMainQueue on > > > # Set Main Message Queue Size -
default is 10000 > > $MainMsgQueueSize 200000 # Robert 8-9-13 > > #### RULES
#### > > # Log all kernel m
essages to the console. > # Logging much else clutters up the screen. >
#kern.* > # /dev/console > > #Specific ruleset for remote messages > #$Ruleset
<name> > > #*.* /var/log/test/f_all #Robert 8-21! -1 > 3 > #Module
(load="builtin:omfile") > #*.* action(type="omfile" > # DirCreateMode="0700" >
# FileCreateMode="0644" > # File="/var/log/test/alllogs") > > > #switch back to
default ruleset > #$Ruleset RSYSLOG DefaultRuleset > > # Begin action Robert
8-20-13 > # $ActionOmrulesetRulesetName somename > > :hostname, contains, "pdc"
/var/log/test/f_ad > :hostname, contains, "fdfw" /var/log/test/f_fw >
:hostname, contains, "mail" /var/log/test/f_mail > :hostname, contains,
"networks" /var/log/test/f_networks > :hostname, contains, "shib"
/var/log/test/f_shib > :hostname, contains, "rout" /var/log/test/f_router >
:hostname, contains, "vm" /var/log/test/f_vm > :hostname, contains, "pix"
/var/log/test/f_pix > > > #if $hostname contains 'pdc' then /var/log/test/f_ad
> #& ~ > #if $host
name contains 'fdfw' then /var/log/test/f_fw > #& ~ > #if $hostname contains
'networks' then /var/log/test/f_networks > #& ~#if $hostname contains 'shib'
then /var/log/test/f_shib > #& ~ > #if $hostname c! on > tains 'mail' then
/var/log/test/f_mail > #& ~ > #if $hostname contains 'vm' then
/var/log/test/f_vm > #& ~ > #if $hostname contains 'pix' then
/var/log/test/f_pix > #& ~ > #if $hostname contains 'rout' then
/var/log/test/f_router > #& ~ > > #if $hostname startswith 'sws' then
/var/log/test/f_networks > #& ~ > #if $fromhost-ip == '10.0.0.10' then
/var/log/test/test_fromhost > #& ~ > #if $hostname == 'swserv1.networks' then
/var/log/test/test_swserv1 > #&~ > #if $hostname startswith 'virtserv' then
/var/log/test/test_virtserv > #&~ > #if $hostname contains 'virtserv' then
/var/log/test/test_virtserv1 > #& ~ > #if $fromhost-ip startswith '10.0.6' then
/var/log/test/test_10.0.6 > #& ~ > #if $fromhost-ip startswith '10.0.7.' then
/var/log/test/test_10.0.7_virtserv > #& ~ >
> # Log anything (except mail) of level info or higher. > # Don't log private
authentication messages! > #*.info;mail.none;authpriv.none;cron.none
/var/log/messages > *.debug /var/log/messages > > # The authp! ri > v file has
restricted access. > authpriv.* /var/log/secure > > # Log all the mail messages
in one place. > mail.* -/var/log/maillog > > > # Log cron stuff > cron.*
/var/log/cron > > # Everybody gets emergency messages > *.emerg * > > # Save
news errors of level crit and higher in a special file. > uucp,news.crit
/var/log/spooler > > # Save boot messages also to boot.log > local7.*
/var/log/boot.log > > > # ### begin forwarding rule ### > # The statement
between the begin ... end define a SINGLE forwarding > # rule. They belong
together, do NOT split them. If you create multiple > # forwarding rules,
duplicate the whole block! > # Remote Logging (we use TCP for reliable
delivery) > # > # An on-disk queue is created for this action. If the remote
host is > # down,
messages are spooled to disk and sent when it is up again. > #$WorkDirectory
/var/lib/rsyslog # where to place spool files > #$ActionQueueFileName fwdRule1
# unique name prefix for spool files > #$ActionQueueMaxDis! kS > pace 1g # 1gb
space limit (use as much as possible) > #$ActionQueueSaveOnShutdown on # save
messages to disk on shutdown > #$ActionQueueType LinkedList # run
asynchronously > #$ActionResumeRetryCount -1 # infinite retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional > #*.*
@@remote-host:514 > # ### end of the forwarding rule ### > > > > > Robert. >
_______________________________________________ > rsyslog mailing list >
http://lists.adiscon.net/mailman/listinfo/rsyslog >
http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow
https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts
are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO
NOT POST if
you DON'T LIKE THAT. > _______________________________________________ rsyslog
mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow !
ht > tps://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list,
posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
and DO NOT POST if you DON'T LIKE THAT. > > > > > > Robert. >
_______________________________________________ > rsyslog mailing list >
http://lists.adiscon.net/mailman/listinfo/rsyslog >
http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow
https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts
are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO
NOT POST if you DON'T LIKE THAT. >
_______________________________________________ rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professiona
l-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Robert.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
