I had try to remove all my outputs, only leave the omfile action to record
my impstats metrics. But mainQ still didn't deliver message.
2014-11-03T20:38:13.304489+08:00 rsyslogf7 rsyslogd-pstats: {"name":"main
Q","size":1528,"enqueued":571,"full":0,"discarded.full":0,"discarded.nf
":0,"maxqsize":2209}
2014-11-03T20:40:13.366914+08:00 rsyslogf7 rsyslogd-pstats: {"name":"main
Q","size":806,"enqueued":464,"full":0,"discarded.full":0,"discarded.nf
":0,"maxqsize":2209}
*I have a lVS before rsyslog server, so after restart, there would be only
a few message sent to such server for a while.*
Now the rsyslog.conf as follow:
$MaxMessageSize 256k
module(load="imuxsock")
module(load="imklog")
module(load="imtcp")
module(load="omprog")
module(load="omelasticsearch")
module(load="mmsequence")
module(load="impstats" interval="120" severity="6" log.syslog="on"
format="json" resetCounters="on")
template( name="dynaFileForwardImpstats" type="string"
string="/data1/sinawap/rsyslog/forward/impstats/%$year%/%$month%/%$day%_impstats.log"
)
if ( $syslogfacility-text=='syslog' and $syslogseverity-text=="info" and
$fromhost == $$myhostname ) then
{
action( type="omfile" dynaFile="dynaFileForwardImpstats"
FileCreateMode="0600" )
action( type="omfwd"
Target="172.16.35.66"
Port="514"
Protocol="tcp"
name="action_rsyslog_172.16.35.66_forward_stats"
queue.filename="action_rsyslog_172.16.35.66_forward_stats"
queue.size="5000"
queue.dequeuebatchsize="500"
queue.maxdiskspace="1G"
queue.discardseverity="3"
queue.checkpointinterval="10"
queue.type="linkedlist"
queue.workerthreads="1"
queue.timeoutshutdown="10"
queue.timeoutactioncompletion="10"
queue.timeoutenqueue="200"
queue.timeoutworkerthreadshutdown="2"
queue.workerthreadminimummessages="500"
queue.maxfilesize="500M"
queue.saveonshutdown="on"
)
stop
}
input(type="imtcp" port="514")
$WorkDirectory /data1/sinawap/rsyslog/
template( name="defaultLogFormat" type="string"
string="%msg:2:$%`%hostname%\n" )
template( name="wwwLogFormat" type="string" string="%hostname%|%msg:2:$%\n"
)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$MainMsgQueueFilename mainQ
$MainMsgQueueType LinkedList # run asynchronously
$MainMsgQueueSize 700000
$MainMsgQueueHighWatermark 480000
$MainMsgQueueLowWatermark 120000
$MainMsgQueueTimeoutEnqueue 1000
$MainMsgQueuedequeuebatchsize 50000
$MainMsgQueueworkerthreads 10
$MainMsgQueueMaxFileSize 512M
$MainMsgQueueMaxDiskSpace 50G
template( name="dynaFileImpstats" type="string"
string="/data1/sinawap/rsyslog/frontend/impstats/%$year%/%$month%/%$day%_impstats.log"
)
template( name="RsyslogQueueFormat" type="string" string="%fromhost-ip%
%msg%\n")
template(name="logstash-index" type="list") {
constant(value="logstash-rsyslog-")
property(name="timereported" dateFormat="rfc3339" position.from="1"
position.to="4")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="6"
position.to="7")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="9"
position.to="10")
}
template(name="plain-syslog" type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported"
dateFormat="rfc3339")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"@fields\":") property(name="msg")
constant(value="}")
}
Ruleset( name="frontEndimpstats" )
{
action( type="omfile" dynaFile="dynaFileImpstats" FileCreateMode="0600"
)
action( type="omprog"
binary="/usr/local/pro/scripts/rsyslog_status_analyze.py"
template="RsyslogQueueFormat"
name="omprog-analyze"
queue.filename="omprog-analyze"
queue.size="250000"
queue.dequeuebatchsize="5000"
queue.maxdiskspace="15G"
queue.discardseverity="8"
queue.checkpointinterval="10"
queue.type="linkedlist"
queue.highwatermark="150000"
queue.lowwatermark="80000"
queue.workerthreads="8"
queue.timeoutshutdown="10000"
queue.timeoutactioncompletion="10000"
queue.timeoutenqueue="10000"
queue.timeoutworkerthreadshutdown="10000"
queue.workerthreadminimummessages="500"
queue.maxfilesize="500M"
queue.saveonshutdown="on"
)
action( type="omelasticsearch"
template="plain-syslog"
server="bx.es.dip.sina.com.cn"
searchIndex="logstash-index"
searchType="impstats"
bulkmode="on"
dynSearchIndex="on"
)
}
if ( $syslogfacility-text == 'syslog' and $programname == 'rsyslogd-pstats'
) then
{
call frontEndImpstats
stop
}
*.info;mail.none;authpriv.none;cron.none;local6.none;local7.none;user.none
/var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
uucp,news.crit /var/log/spooler
2014-11-03 20:08 GMT+08:00 David Lang <[email protected]>:
> On Mon, 3 Nov 2014, chenlin rao wrote:
>
> I use rsyslog v7, and has several actions using omfwd or omprog.
>> But today I found the output data flow decrease quickly. I check my
>> `impstats_log`, and found that every action pstats (no failed, no size, no
>> discarded, no suspended) is well, but mainQ always records as follow:
>>
>> {"name":"main
>> Q","size":490350,"enqueued":249858,"full":0,"discarded.full":0,"
>> discarded.nf
>> ":0,"maxqsize":490565}
>>
>>
>> anyone know the possible reason?
>>
>
> That's indicating that you aren't delivering messages and so you have
> almost 500k messages in the queue waiting to be delivered.
>
> We'd need to see your outputs to figure out why you are running into grief.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
