Hello, new to the list and to Rsyslog. I have an Rsyslog machine I'm standing up on CentOS x64 to replace some Kiwi log servers. I need to be able to receive syslog on TCP and UDP, relay them to my SIEM and also store those logs locally on each Rsyslog machine. Relaying is working just fine. The problem is with the local files. I noticed that the files being written for each host I receive are lagging behind by minutes to upwards of a full day. I'm running a tcpdump on both the rsyslog machine and the SIEM and can see when the logs are received on both, however running a tail -f on the files shows that those entries are lagging behind. It gets progressively worse as time goes on. They start out in near perfect sync for the first couple of minutes, then the messages start to lag horribly.
I just tried using this config, modified a bit for my environment:

# Modules
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock
$ModLoad imklog

# Templates
# log every host in its own directory
$template RemoteHost,"/var/opt/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

### Rulesets
# Local Logging
$RuleSet local
kern.*                                   /var/log/messages
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   -/var/log/maillog
cron.*                                   /var/log/cron
*.emerg                                  *
uucp,news.crit                           /var/log/spooler
local7.*                                 /var/log/boot.log

# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local

# Remote Logging
$RuleSet remote
*.* ?RemoteHost
# Send messages we receive to SIEM
*.* @a.b.c.d:1514

### Listeners
# bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
# and activate it:
$InputTCPServerRun 1514
$InputUDPServerBindRuleset remote
$UDPServerRun 514

This particular config does exactly the same thing: I can watch syslog messages come in, but they're not being written to the log file until much later, if at all. Any thoughts as to why this is happening?

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
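The symptom described in the post (local files falling minutes to a day behind what tcpdump shows arriving) is easier to track with a check that measures the lag directly rather than eyeballing tail -f. The script below is an added example and is not part of the post or of rsyslog itself. It walks the directory layout that the RemoteHost template above produces (hosts/HOSTNAME/YYYY/MM/DD/syslog.log), reads only the newest line of each host's file for today, parses its RFC 3164 timestamp and reports every host whose file is missing, unparsable, or further behind the wall clock than a threshold. The root path /var/opt/syslog/hosts is taken from the template; the hostnames fw01, web01 and db02 and the log lines are constructed sample data, written into a temporary directory when the real root is absent.

```python
"""Report hosts whose locally written syslog file lags behind the clock.

Directory layout is the one the post's RemoteHost template produces:
<root>/<hostname>/<YYYY>/<MM>/<DD>/syslog.log
"""
import datetime
import os
import re
import tempfile
from pathlib import Path

# Assumed root, taken from the template in the post.
ROOT = Path("/var/opt/syslog/hosts")

# RFC 3164 timestamp at the start of a line, as rsyslog's default file
# format writes it: "Mar  5 12:00:00" (single-digit days are space padded).
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_timestamp(line, year):
    """Timestamp of a log line as a datetime (the year is not in the line), or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    return datetime.datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)


def last_line(path, tail_bytes=4096):
    """Newest line of a file, reading only its tail so large logs stay cheap."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - tail_bytes))
        lines = f.read().splitlines()
    return lines[-1].decode("utf-8", errors="replace") if lines else ""


def todays_file(root, host, now):
    """Path the RemoteHost template resolves to for this host today."""
    return Path(root) / host / f"{now:%Y}" / f"{now:%m}" / f"{now:%d}" / "syslog.log"


def file_lag_seconds(path, now):
    """Seconds between `now` and the newest timestamp in the file; None if absent or unparsable."""
    if not path.is_file():
        return None
    ts = parse_timestamp(last_line(path), now.year)
    return None if ts is None else (now - ts).total_seconds()


def lagging_hosts(root, now, threshold=60):
    """hostname -> lag for hosts whose file is missing, unparsable, or more than threshold behind."""
    report = {}
    for hostdir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        lag = file_lag_seconds(todays_file(root, hostdir.name, now), now)
        if lag is None or lag > threshold:
            report[hostdir.name] = lag
    return report


# ---- constructed sample data (assumed hostnames and messages, not real hosts) ----
SAMPLE_NOW = datetime.datetime(2013, 3, 5, 12, 0, 0)


def _syslog_line(ts, host, msg):
    # Same layout rsyslog's default file template writes: "Mar  5 12:00:00 host msg"
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {host} {msg}"


def build_sample_tree():
    """Temp tree: fw01 in sync, web01 ten minutes behind, db02 with no file for today."""
    root = Path(tempfile.mkdtemp(prefix="rsyslog-lag-"))
    for host, age in (("fw01", 0), ("web01", 600)):
        path = todays_file(root, host, SAMPLE_NOW)
        path.parent.mkdir(parents=True)
        newest = SAMPLE_NOW - datetime.timedelta(seconds=age)
        older = newest - datetime.timedelta(seconds=30)
        path.write_text(_syslog_line(older, host, "sshd[101]: constructed older line\n")
                        + _syslog_line(newest, host, "kernel: constructed newest line\n"))
    (root / "db02").mkdir()  # host directory exists, but nothing written today
    return root


if __name__ == "__main__":
    if ROOT.is_dir():
        root, now = ROOT, datetime.datetime.now()
    else:
        root, now = build_sample_tree(), SAMPLE_NOW  # fall back to the constructed sample
    for host, lag in lagging_hosts(root, now).items():
        state = "no readable file for today" if lag is None else f"{lag:.0f}s behind"
        print(f"{host}: {state}")
```

Run it from cron on the rsyslog box and alert on any host in the report; a lag that grows monotonically across runs is the pattern the post describes, while a host that only ever appears as "no readable file" points at the per-day directory not having been created yet. The check only reads the tail of each file, so it stays cheap on busy log directories.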

