On Fri, 6 Mar 2015, Michael Biebl wrote:
2015-03-06 22:07 GMT+01:00 Tyson Whitehead <[email protected]>:
On March 6, 2015 15:45:09 Tyson Whitehead wrote:
That makes a lot more sense now.
Thanks so much to both you guys.
BTW, am I correct to assume that the imuxsock module is a better match than
the imjournal module for trying to get any last dieing messages off the box
before it wedges itself up.
That's a good question. As long as the message is properly stored in
the journal and the journal file was not corrupted when the system
dies, imjournal/rsyslog should pick up those messages upon the next
(re)boot.
the problem is that in a machine crash condition, the odds are very good that
there will be messages in the OS write cache that have not been flushed to disk
yet, so the most useful messages are likely to be lost. Sending the logs off the
box as quickly as possible stands a better chance of catching the log, but there
is always going to be a lag, and if the box crashes fast enough, you may not
catch it. The kernel has some provisions for sending kernel logs raw over a
serial port, and I believe it can send them over the network. This mechanism
isn't good for normal logs, but it's sometimes the only chance you have with
kernel crashes. It won't get you any app logs, for those imuxsock is better (and
put the rule to forward the message as early in the rsyslog config as you can)
The journal is a bit prone though to corrupt the journal files if the
system is shutdown uncleanly and journald will rotate those corrupt
files away (You typically see those in /var/log/journal having a
journal~ file extension).
Theoretically, using imjournal, you should be able to capture more
messages from early boot and late shutdown, since journald is started
earliers and stopped later then rsyslog.
What is it that prevents you from starting rsyslog earlier and stopping it
later?
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
