Updating an old thread, I found a bug in my config which was causing the
odd spikes I referred to earlier. Instead of counters all values should be
gauges, so the resulting section for the “main Q” is as follows:
template(name="mainQTemplate" type="list") {
constant(value="rsyslog.myhost_example_com.main_q.size:")
property(name="$!size")
constant(value="|g\n")
constant(value="rsyslog.myhost_example_com.main_q.enqueued:")
property(name="$!enqueued")
constant(value="|g\n")
constant(value="rsyslog.myhost_example_com.main_q.discarded.full:")
property(name="$!discarded.full")
constant(value="|g\n")
constant(value="rsyslog.myhost_example_com.main_q.discarded.nf:")
property(name="$!discarded.nf")
constant(value="|g\n")
constant(value="rsyslog.myhost_example_com.main_q.maxqsize:")
property(name="$!maxqsize")
constant(value="|g\n")
}
And for completeness, the module load command is:
module(load="impstats" interval="10" severity="7" format="cee"
resetCounters="on")
Hope that helps anyone using this.
mike
—
Michael Hart
Arctic Wolf Networks
226.388.4773
On 2014-11-18, 10:28, "Michael Hart" <[email protected]> wrote:
>I have rsyslog configured with impstats, forwarding to statsd/graphite,
>so
>I can graph the metrics and monitor them (I have Nagios pulling metrics
>from graphite).
>
>I keep meaning to put a blog post together to document this properly, but
>here’s a config snippet that gets you the basics. The hard part is
>figuring out which queues you want monitored. I’ve only got “main Q”
>showing here for brevity but I have a lot more defined.
>
><snip>
>module(load="impstats" interval="10" severity="7" format="cee”)
>module(load="mmjsonparse”)
>
>#json format: {"name":"main
>Q","size":25,"enqueued":32,"full":0,"discarded.full":0,"discarded.nf":0,"m
>a
>xqsize":25}
>template(name="mainQTemplate" type="list") {
> constant(value="rsyslog.myhost_example_com.main_q.size:")
> property(name="$!size")
> constant(value="|g\n")
> constant(value="rsyslog.myhost_example_com.main_q.enqueued:")
> property(name="$!enqueued")
> constant(value="|c|@10\n")
> constant(value="rsyslog.myhost_example_com.main_q.discarded.full:")
> property(name="$!discarded.full")
> constant(value="|c|@10\n")
> constant(value="rsyslog.myhost_example_com.main_q.discarded.nf:")
> property(name="$!discarded.nf")
> constant(value="|c|@10\n")
> constant(value=“rsyslog.myhost_example_com.main_q.maxqsize:")
> property(name="$!maxqsize")
> constant(value="|g\n")
>}
>
>
>if $syslogtag contains "rsyslogd-pstats" then {
> action(type="mmjsonparse”)
> #write to file here for debugging.
> action(type=“omfile” file=“/var/log/stats.log”)
> if $!name == "main Q" then {
> action(type="omfwd" Target="127.0.0.1" Protocol="udp" Port="8125"
>template="mainQTemplate”)
> }
> stop
>}
>
></snip>
>
>There is still some wonkiness in the enqueued stat as occasionally it has
>an absolutely massive unrealistic spike, I have never tracked down why it
>does that, but this should give you a start.
>
>Cheers
>mike
>
>--
>Michael Hart
>Arctic Wolf Networks
>M: 226-388-4773
>
>
>
>
>
>
>
>
>On 2014-11-18, 15:14, "Dave Caplinger" <[email protected]>
>wrote:
>
>>Absolutely. Rsyslog has statistics counters via the impstats module;
>>you
>>can process the log lines it generates to determine the health of the
>>rsyslog instance, including individual queues, drop rates, forwarding
>>rates, etc.
>>
>>See:
>>
>>http://www.rsyslog.com/rsyslog-statistic-counter/
>>http://www.rsyslog.com/how-to-use-impstats/
>>
>>--
>>Dave Caplinger, Director of Architecture | Ph: (402) 361-3063 |
>>Solutionary — An NTT Group Security Company
>>
>>> On Nov 18, 2014, at 6:46 AM, Damian <[email protected]> wrote:
>>>
>>> Hi,
>>> I'm trying to determine whether it's possible to monitor the health of
>>>an rsyslog daemon running as a forwarder.
>>> ie. If I'm running it as a component in a logging service, how do I
>>>check the event rates, or know it's not losing events or queuing
>>>incoming data. Are there any 'self-monitoring' events that I can
>>>generate and forward from it, in order to keep an eye on its health?
>>> Thanks!
>>>
>>> Damo
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>>if you DON'T LIKE THAT.
>>
>>_______________________________________________
>>rsyslog mailing list
>>http://lists.adiscon.net/mailman/listinfo/rsyslog
>>http://www.rsyslog.com/professional-services/
>>What's up with rsyslog? Follow https://twitter.com/rgerhards
>>NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>DON'T LIKE THAT.
>_______________________________________________
>rsyslog mailing list
>http://lists.adiscon.net/mailman/listinfo/rsyslog
>http://www.rsyslog.com/professional-services/
>What's up with rsyslog? Follow https://twitter.com/rgerhards
>NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
