On Thu, 12 Feb 2015, Michael Hart wrote:
Updating an old thread, I found a bug in my config which was causing the
odd spikes I referred to earlier. Instead of counters all values should be
gauges, so the resulting section for the “main Q” is as follows:

When you use 'counters' you will eventually end up with the issue of the counter
wrapping around to zero and monitoring systems assume that when the new value is
lower than the old one, it's because it's wrapped, so it assumes that you went
up to 2 million or 4 million before wrapping.

Since restarting rsyslog would reset the counters, but the monitoring system has
no way of knowing that this happened, going to gauges (and resetCounters=on in
rsyslog) is the right thing to do.

David Lang

template(name="mainQTemplate" type="list") {
    constant(value="rsyslog.myhost_example_com.main_q.size:")
    property(name="$!size")
    constant(value="|g\n")
    constant(value="rsyslog.myhost_example_com.main_q.enqueued:")
    property(name="$!enqueued")
    constant(value="|g\n")
    constant(value="rsyslog.myhost_example_com.main_q.discarded.full:")
    property(name="$!discarded.full")
    constant(value="|g\n")
    constant(value="rsyslog.myhost_example_com.main_q.discarded.nf:")
    property(name="$!discarded.nf")
    constant(value="|g\n")
    constant(value="rsyslog.myhost_example_com.main_q.maxqsize:")
    property(name="$!maxqsize")
    constant(value="|g\n")
}
And for completeness, the module load command is:
module(load="impstats" interval="10" severity="7" format="cee"
resetCounters="on")
Hope that helps anyone using this.
mike
—
Michael Hart
Arctic Wolf Networks
226.388.4773
On 2014-11-18, 10:28, "Michael Hart" <[email protected]> wrote:
I have rsyslog configured with impstats, forwarding to statsd/graphite, so
I can graph the metrics and monitor them (I have Nagios pulling metrics
from graphite).
I keep meaning to put a blog post together to document this properly, but
here’s a config snippet that gets you the basics. The hard part is
figuring out which queues you want monitored. I’ve only got “main Q”
showing here for brevity but I have a lot more defined.
<snip>
module(load="impstats" interval="10" severity="7" format="cee")
module(load="mmjsonparse")
#json format: {"name":"main Q","size":25,"enqueued":32,"full":0,"discarded.full":0,"discarded.nf":0,"maxqsize":25}
template(name="mainQTemplate" type="list") {
    constant(value="rsyslog.myhost_example_com.main_q.size:")
    property(name="$!size")
    constant(value="|g\n")
    constant(value="rsyslog.myhost_example_com.main_q.enqueued:")
    property(name="$!enqueued")
    constant(value="|c|@10\n")
    constant(value="rsyslog.myhost_example_com.main_q.discarded.full:")
    property(name="$!discarded.full")
    constant(value="|c|@10\n")
    constant(value="rsyslog.myhost_example_com.main_q.discarded.nf:")
    property(name="$!discarded.nf")
    constant(value="|c|@10\n")
    constant(value="rsyslog.myhost_example_com.main_q.maxqsize:")
    property(name="$!maxqsize")
    constant(value="|g\n")
}
if $syslogtag contains "rsyslogd-pstats" then {
    action(type="mmjsonparse")
    #write to file here for debugging.
    action(type="omfile" file="/var/log/stats.log")
    if $!name == "main Q" then {
        action(type="omfwd" Target="127.0.0.1" Protocol="udp" Port="8125"
               template="mainQTemplate")
    }
    stop
}
</snip>
There is still some wonkiness in the enqueued stat as occasionally it has
an absolutely massive unrealistic spike, I have never tracked down why it
does that, but this should give you a start.
Cheers
mike
--
Michael Hart
Arctic Wolf Networks
M: 226-388-4773
On 2014-11-18, 15:14, "Dave Caplinger" <[email protected]> wrote:
Absolutely. Rsyslog has statistics counters via the impstats module; you
can process the log lines it generates to determine the health of the
rsyslog instance, including individual queues, drop rates, forwarding
rates, etc.
See:
http://www.rsyslog.com/rsyslog-statistic-counter/
http://www.rsyslog.com/how-to-use-impstats/
--
Dave Caplinger, Director of Architecture | Ph: (402) 361-3063 |
Solutionary — An NTT Group Security Company
On Nov 18, 2014, at 6:46 AM, Damian <[email protected]> wrote:
Hi,
I'm trying to determine whether it's possible to monitor the health of
an rsyslog daemon running as a forwarder.
ie. If I'm running it as a component in a logging service, how do I
check the event rates, or know it's not losing events or queuing
incoming data. Are there any 'self-monitoring' events that I can
generate and forward from it, in order to keep an eye on its health?
Thanks!
Damo
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
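
Added example, not part of the thread and not rsyslog, statsd or Graphite code: a small simulation of the failure mode described in the 12 Feb 2015 reply, where a monitor that treats a lower value as a counter wrap reports a huge spike after an rsyslog restart, while per-interval values sent as gauges do not. The 32-bit counter width, the function names and the sample workload are assumptions made for this illustration.

```python
# Added illustration; assumptions: 32-bit counter width, constructed sample values.
COUNTER_WIDTH = 2**32

def emitted_values(per_interval, restart_at=None, reset_counters=False):
    """Values a stats reporter would emit for each interval.

    reset_counters=False: running total, zeroed when the daemon restarts.
    reset_counters=True:  the count for that interval only.
    restart_at is the index of the first interval after a restart.
    """
    out, total = [], 0
    for i, n in enumerate(per_interval):
        if reset_counters or i == restart_at:
            total = 0
        total += n
        out.append(total)
    return out

def wrap_assuming_deltas(samples, width=COUNTER_WIDTH):
    """Per-interval rate as a counter-style monitor derives it: a value lower
    than the previous one is taken to mean the counter wrapped."""
    deltas = []
    for prev, cur in zip(samples, samples[1:]):
        deltas.append(cur - prev if cur >= prev else width - prev + cur)
    return deltas

def spikes(values, limit):
    """Indexes whose value exceeds a plausibility limit."""
    return [i for i, v in enumerate(values) if v > limit]

# Constructed workload: messages enqueued in five 10-second intervals,
# with the daemon restarted before the fourth interval.
ENQUEUED = [300, 320, 310, 290, 305]

cumulative = emitted_values(ENQUEUED, restart_at=3)
as_counter = wrap_assuming_deltas(cumulative)
as_gauge = emitted_values(ENQUEUED, restart_at=3, reset_counters=True)

if __name__ == "__main__":
    print("cumulative values :", cumulative)
    print("monitor's deltas  :", as_counter)
    print("gauge values      :", as_gauge)
    print("implausible points:", spikes(as_counter, 10_000), spikes(as_gauge, 10_000))
```

The single out-of-range delta lands on the interval right after the restart, which is the point to check first when a queue graph shows an isolated, implausibly large value.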