On Mon, 14 Jul 2014, Marc Fournier wrote:

Excerpts from David Lang's message of 2014-07-11 20:12:02 +0200:
On Fri, 11 Jul 2014, Marc Fournier wrote:

Excerpts from Rainer Gerhards's message of 2014-07-11 13:14:15 +0200:
Pls provide full config.


Yes, sorry, here they are. Both the initial one which definitely blocks
openldap, and the second one, which I'm not sure about because of the
main Q thread in "uninterruptible sleep".

Meanwhile, during a diskfull where a node got ejected out of the load
balancer pool, I noticed some openldap threads which were sleeping with
"unix_wait_for_peer" in ps's WCHAN column (something I didn't notice before
sending my previous email). This was on a node which still had the initial
configuration.

action queues only apply to the next action listed

so you have an action queue for

*.* @@logserver:514;RSYSLOG_ForwardFormat

and

auth,authpriv.*                 /var/log/secure

everything else is handled by the main queue.

Oh boy, then this is a serious misunderstanding I had about rsyslog ! I
was in the belief an action queue definition applied to everything
below, until the next action queue definition :-/ Thanks for pointing
that out !

So this basically means that to be sure syslog() won't block log
emitters, one has to explicitly configure an action queue which would
drop logs or overflow to disk, for each and every log destination ?

there's nothing you can do with an action queue that you can't also do with the main queue, so set the spill to disk or log dropping (via watermarks)

you can also set a queue for a ruleset instead of a separate queue for each action.

But you don't want to get to the point where there are no actions working from the main queue.

what version of rsyslog are you running? there are significant performance
improvements in recent versions compared to v5 that is stock on many distros

Having no actions as part of the main queue is actually a problem, rsyslog ends
up moving the messages very inefficiently (one at a time instead of in batches)

I'm indeed running 5.8.10, I think I'll consider upgrading.

if you are doing this sort of queue stuff, you _really_ want to be running a current version and switch to the action() syntax, it makes it much clearer what's happening with queues.

BTW David, thanks for the nice series of articles you wrote about logging
in ";login:" magazine !

Thanks, any specific suggestions for future articles?

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
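
The action() syntax recommended in the thread, sketched as an added example (not part of any poster's message or configuration): each queue is declared inside the action it belongs to, the main queue gets its own limits, and one action is left on the main queue. The spool directory, queue file name and all sizes are assumptions; the two destinations are the ones quoted in the thread.

```conf
# Added example (constructed); spool path, queue file name and limits are assumptions.
global(workDirectory="/var/spool/rsyslog")   # where disk-assisted queues spill

# Main queue: bounded, and allowed to shed low-priority messages under
# pressure instead of blocking syslog() callers.
main_queue(
    queue.size="100000"
    queue.discardMark="90000"      # above this fill level, start discarding...
    queue.discardSeverity="6"      # ...messages of severity info (6) and debug (7)
    queue.timeoutEnqueue="0"       # when completely full, drop rather than wait
)

# Forwarding action with its own disk-assisted queue. The queue.* parameters
# sit inside this action() and belong to it alone.
*.* action(
    type="omfwd" target="logserver" port="514" protocol="tcp"
    template="RSYSLOG_ForwardFormat"
    queue.type="LinkedList"
    queue.filename="fwd_q"         # setting a file name makes the queue disk-assisted
    queue.maxDiskSpace="1g"        # cap spill so the queue cannot fill the disk
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"   # retry forever while logserver is unreachable
)

# Local file action with no queue.* parameters: it runs directly from the
# main queue, so the main queue still has an action to deliver to in batches.
auth,authpriv.* action(type="omfile" file="/var/log/secure")
```

A configuration like this can be syntax-checked with `rsyslogd -N1 -f <file>` before it is deployed.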
