On Fri, Aug 30, 2013 at 9:47 PM, Robert Ortiz <[email protected]> wrote:
> Sorry didn't see the output
>
> Hey guys,
>
> So currently I'm running a load of 50K mps and mostly retaining logs there are random seconds where I drop 20K+ messages, I wanted to run rsyslog in debug mode, and I wanted to run this:
>
> "RSYSLOG_DEBUGLOG" (sample: RSYSLOG_DEBUGLOG="/path/to/debuglog/")
>
> with this " LogFuncFlow"

You most probably do not really want to do this. This will generate an enormous amount of output, as it tells you each internal function that rsyslog executes. This volume usually overwhelms me (up to the point of me thinking to remove it as I didn't use it successfully the past 5 years due to sheer amount). Performance will drop significantly with the option (several ten thousand percent, I guess).

What you probably want, is to use impstats to see where you lose messages.

HTH
Rainer

> But I am not sure where to do this from? Do I need to put this on the .conf file or is this something that needs to be created?
>
> Sorry I don't understand the instructions on the debugging site
>
> Thanks
>
> Currently this is my .conf file:
>
> #### MODULES ####
>
> #module(load="imuxsock") # needs to be done just once Robert 8-9-13
> #SysSock.FlowControl=(:"on") # enable flow control (use if needed) Robert 8-9-13
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
>
> #module(load="imklog")
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> $ModLoad immark # provides --MARK-- message capability
>
> # Provides UDP syslog reception
> #module(load="imudp") # needs to be done just once Robert 8-9-13
> #input(type="imudp" port="514") # Robert 8-9-13
> $ModLoad imudp
> $UDPServerRun 514
> #$UDPServerTimeRequery 1000000
>
>
> #### GLOBAL DIRECTIVES ####
>
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # File syncing capability is disabled by default. This feature is usually not required,
> # not useful and an extreme performance hit
> #$ActionFileEnableSync on
>
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> # Set Buffer Size - default is 4k
> #$OMFileIOBufferSize 128k # - Gil 06/06/13
> #$OMFileAsyncWriting on
> #$OMFileFlushOnTXEnd off
> #$OMFileFlushInterval 30
> #$OMFileZipLevel 9
> $OMFileIOBufferSize 256k
>
> #Turn on Main Ruleset Robert 8-20-13
> #$RulesetCreateMainQueue on
>
>
> # Set Main Message Queue Size - default is 10000
>
> $MainMsgQueueSize 200000 # Robert 8-9-13
>
> #### RULES ####
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.*
> # /dev/console
>
> #Specific ruleset for remote messages
> #$Ruleset <name>
>
> #*.* /var/log/test/f_all #Robert 8-21-13
> #Module (load="builtin:omfile")
> #*.* action(type="omfile"
> # DirCreateMode="0700"
> # FileCreateMode="0644"
> # File="/var/log/test/alllogs")
>
>
> #switch back to default ruleset
> #$Ruleset RSYSLOG DefaultRuleset
>
> # Begin action Robert 8-20-13
> # $ActionOmrulesetRulesetName somename
>
> :hostname, contains, "pdc" /var/log/test/f_ad
> :hostname, contains, "fdfw" /var/log/test/f_fw
> :hostname, contains, "mail" /var/log/test/f_mail
> :hostname, contains, "networks" /var/log/test/f_networks
> :hostname, contains, "shib" /var/log/test/f_shib
> :hostname, contains, "rout" /var/log/test/f_router
> :hostname, contains, "vm" /var/log/test/f_vm
> :hostname, contains, "pix" /var/log/test/f_pix
>
>
> #if $hostname contains 'pdc' then /var/log/test/f_ad
> #& ~
> #if $hostname contains 'fdfw' then /var/log/test/f_fw
> #& ~
> #if $hostname contains 'networks' then /var/log/test/f_networks
> #& ~#if $hostname contains 'shib' then /var/log/test/f_shib
> #& ~
> #if $hostname contains 'mail' then /var/log/test/f_mail
> #& ~
> #if $hostname contains 'vm' then /var/log/test/f_vm
> #& ~
> #if $hostname contains 'pix' then /var/log/test/f_pix
> #& ~
> #if $hostname contains 'rout' then /var/log/test/f_router
> #& ~
>
> #if $hostname startswith 'sws' then /var/log/test/f_networks
> #& ~
> #if $fromhost-ip == '10.0.0.10' then /var/log/test/test_fromhost
> #& ~
> #if $hostname == 'swserv1.networks' then /var/log/test/test_swserv1
> #&~
> #if $hostname startswith 'virtserv' then /var/log/test/test_virtserv
> #&~
> #if $hostname contains 'virtserv' then /var/log/test/test_virtserv1
> #& ~
> #if $fromhost-ip startswith '10.0.6' then /var/log/test/test_10.0.6
> #& ~
> #if $fromhost-ip startswith '10.0.7.' then /var/log/test/test_10.0.7_virtserv
> #& ~
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> #*.info;mail.none;authpriv.none;cron.none /var/log/messages
> *.debug /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
>
>
> # Log cron stuff
> cron.* /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
>
> # ### begin forwarding rule ###
> # The statement between the begin ... end define a SINGLE forwarding
> # rule. They belong together, do NOT split them. If you create multiple
> # forwarding rules, duplicate the whole block!
> # Remote Logging (we use TCP for reliable delivery)
> #
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> #$WorkDirectory /var/lib/rsyslog # where to place spool files
> #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
> #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> #$ActionQueueType LinkedList # run asynchronously
> #$ActionResumeRetryCount -1 # infinite retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> #*.* @@remote-host:514
> # ### end of the forwarding rule ###
>
> Robert.
>
> ----- Original Message -----
> From: David Lang
> Sent: 08/30/13 03:43 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] debugging
>
> with everything run together like this, it's hard to tell what you meant to post (if anything) that's different from your prior message.
>
> David Lang
>
> On Fri, 30 Aug 2013, Robert Ortiz wrote:
> Date: Fri, 30 Aug 2013 11:38:23 -0400
> From: Robert Ortiz <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: [rsyslog] debugging

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
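
One way to read the impstats output recommended in the reply above and see in which interval, and at which queue, messages were lost. This is an added example, not part of the original thread or of rsyslog: it assumes impstats' legacy `name: counter=value` line format with cumulative counters, and the sample lines are constructed.

```python
import re

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ rsyslogd-pstats: "
    r"(?P<name>.+?): (?P<kv>(?:[\w.]+=\d+ ?)+)$"
)
# Queue counters that grow when the queue is full or messages are discarded.
WATCH = ("full", "discarded.full", "discarded.nf")

# Constructed sample (assumed format); the last line follows a restart.
SAMPLE = """\
Aug 30 21:00:00 loghost rsyslogd-pstats: imudp(*:514): submitted=500000
Aug 30 21:00:00 loghost rsyslogd-pstats: main Q: size=1200 enqueued=500000 full=0 discarded.full=0 discarded.nf=0 maxqsize=90000
Aug 30 21:00:10 loghost rsyslogd-pstats: imudp(*:514): submitted=1000000
Aug 30 21:00:10 loghost rsyslogd-pstats: main Q: size=200000 enqueued=979000 full=14 discarded.full=21000 discarded.nf=0 maxqsize=200000
Aug 30 21:00:20 loghost rsyslogd-pstats: main Q: size=3000 enqueued=1479000 full=14 discarded.full=21000 discarded.nf=0 maxqsize=200000
Aug 30 21:00:30 loghost rsyslogd-pstats: main Q: size=10 enqueued=40000 full=2 discarded.full=0 discarded.nf=0 maxqsize=10
"""

def parse(text):
    """Yield (timestamp, origin name, {counter: int}) per stats line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an impstats line
        counters = {k: int(v) for k, v in
                    (pair.split("=") for pair in m["kv"].split())}
        yield m["ts"], m["name"], counters

def find_drops(text):
    """Return (timestamp, name, counter, delta) for every interval in which
    a watched counter grew. The first sample of each origin is the baseline."""
    prev, hits = {}, []
    for ts, name, cur in parse(text):
        last = prev.get(name)
        if last is not None:
            for key in WATCH:
                if key not in cur:
                    continue
                before = last.get(key, 0)
                # A smaller value means rsyslog restarted and counters reset.
                delta = cur[key] - before if cur[key] >= before else cur[key]
                if delta > 0:
                    hits.append((ts, name, key, delta))
        prev[name] = cur
    return hits
```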

