Some of it is probably buffering on the output. If you send rsyslog a kill -HUP, it will flush all data and close the files. Check and see if this gets the data in them as you expect.

David Lang

 On Tue, 5 Nov 2013, G Jones wrote:

Date: Tue, 5 Nov 2013 16:25:03 -0800
From: G Jones <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] rsyslog writing to file lagging behind relayed logs

Hello, new to the list and to Rsyslog.

I have an Rsyslog machine I'm standing up on CentOS x64 to replace
some Kiwi log servers. I need to be able to receive syslog on TCP and
UDP, relay them to my SIEM and also store those logs locally on each
Rsyslog machine. Relaying is working just fine. The problem is with
the local files. I noticed that the files being written for each host
I receive are lagging behind by minutes to upwards of a full day.
I'm running a tcpdump on both the rsyslog machine and the SIEM
and can see when the logs are received on both; however, running a tail
-f on the files shows that those entries are lagging behind. It gets
progressively worse as time goes on. They start out in near perfect
sync for the first couple of minutes, then the messages start to lag
horribly.

I just tried using this config, modified a bit for my environment:


# Modules
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock
$ModLoad imklog

# Templates
# log every host in its own directory
$template RemoteHost,"/var/opt/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

### Rulesets
# Local Logging
$RuleSet local
kern.*                                                  /var/log/messages
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
# leading "-" is the legacy "omit sync" flag; it has no effect unless $ActionFileEnableSync is on
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local

# Remote Logging
$RuleSet remote
# dynafile: one file per sending host and day, named by the template above
*.* ?RemoteHost
# Send messages we receive to SIEM (single "@" = UDP)
*.* @a.b.c.d:1514

### Listeners
# bind ruleset to tcp listener (must come before the Run directive)
$InputTCPServerBindRuleset remote
# and activate it:
$InputTCPServerRun 1514
$InputUDPServerBindRuleset remote
$UDPServerRun 514

This particular config does exactly the same thing: I can watch syslog
messages come in, but they're not being written to the log file until
much later, if at all. Any thoughts as to why this is happening?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

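As an added example, not part of David Lang's reply or the poster's setup, here is a small POSIX shell script that turns the HUP suggestion into a measurable check: it reports how far the newest line in a host's dynafile is behind the clock, sends rsyslogd a SIGHUP, and reports again. A jump in the line count with no new traffic arriving means the "missing" data was sitting in rsyslog's output buffer rather than being lost. The file layout follows the RemoteHost template from the quoted config; the assumptions that lines begin with the default 15-character RFC 3164 timestamp ("Nov  5 16:25:03"), that GNU date is available (it is on CentOS), and that rsyslogd can be signalled with pkill are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): measure dynafile lag before
# and after sending rsyslogd a SIGHUP, which flushes and reopens its files.
#
# Assumptions (mine, not the poster's): lines start with the default RFC 3164
# timestamp (15 characters, e.g. "Nov  5 16:25:03"), GNU date is installed,
# and rsyslogd is the process name pkill should signal.

set -u

# Path of the dynafile for HOST, laid out like the poster's RemoteHost
# template. BASE and DATE_PATH (YYYY/MM/DD) can be overridden for testing.
dynafile_for_host() {
    host=$1
    base=${2:-/var/opt/syslog/hosts}
    date_path=${3:-$(date +%Y/%m/%d)}
    printf '%s/%s/%s/syslog.log\n' "$base" "$host" "$date_path"
}

# Number of newline-terminated lines in FILE (0 if it does not exist yet).
file_lines() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# The 15-character syslog timestamp of the last line in FILE, or empty.
last_timestamp() {
    [ -s "$1" ] || return 0
    tail -n 1 "$1" | cut -c1-15
}

# Seconds between the last line's timestamp and NOW_EPOCH (default: now).
# RFC 3164 timestamps carry no year, so GNU date assumes the current one;
# prints -1 and fails if the file is empty or the timestamp cannot be parsed.
lag_seconds() {
    ts=$(last_timestamp "$1")
    [ -n "$ts" ] || { echo -1; return 1; }
    now=${2:-$(date +%s)}
    stamp_epoch=$(date -d "$ts" +%s) || { echo -1; return 1; }
    echo $((now - stamp_epoch))
}

# Ask rsyslogd to flush its output buffers and close/reopen its files.
hup_rsyslog() {
    pkill -HUP -x rsyslogd || { echo "rsyslogd is not running" >&2; return 1; }
}

# Report line count and lag for HOST's file, HUP rsyslogd, wait, and report
# again. More lines after the HUP without new traffic means the data was
# buffered in rsyslog, not dropped on the way in.
check_host() {
    f=$(dynafile_for_host "$1")
    echo "$f"
    echo "before HUP: lines=$(file_lines "$f") lag=$(lag_seconds "$f" || true)s"
    hup_rsyslog || return 1
    sleep 2
    echo "after HUP:  lines=$(file_lines "$f") lag=$(lag_seconds "$f" || true)s"
}
```

Source the file and run `check_host web01` (as a user allowed to signal rsyslogd and read the dynafile); if the lag stays at minutes or hours after the HUP while the line count does not move, the delay is not output buffering and the input side needs looking at instead.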