Hello,
I have several distributed virtualized rsyslog servers with the same 
configuration.
On all servers I see rsyslog dying non-deterministically, between once a day 
and once a week.

Messages in kernel ringbuffer (dmesg) are:
  INFO: task rs:main Q:Reg:2614 blocked for more than 120 seconds.
  or
  rs:main Q:Reg D 0000000000000000     0  2614      1 0x00000000
  or
  rs:main Q:Reg[19176]: segfault at 0 ip 00007f9e2c5e492a sp 00007f9e284fd418 error 4 in libc-2.12.so[7f9e2c565000+18a000]
  or
  rs:main Q:Reg[12532]: segfault at 7f2d00534c5a ip 00007f2d2b95f92a sp 00007f2d27878418 error 4 in libc-2.12.so[7f2d2b8e0000+18a000]
  VMCIUtil: Updating context id from 0x694633da to 0x694633da on event 0.

Configuration looks like this:
----------------------------------------------------------------------
  Module (load="imtcp" KeepAlive="on" KeepAlive.Probes="1" KeepAlive.Interval="2" KeepAlive.Time="20" MaxSessions="5000")
  Module (load="imudp")
  Module (load="omudpspoof")
  $MaxOpenFiles 9000
  lookup_table(name="lookuptable" file="rsyslog.lookup")
  set $!dst = lookup("lookuptable", $fromhost-ip);
  $template raw,"%rawmsg%"
  $template rel,"%fromhost% %fromhost-ip% %rawmsg%\n"

  ruleset(name="typea"){
     action (type="omudpspoof" target="loghost" port="514" template="raw")
  }
  ruleset(name="typeb"){
     if $syslogfacility-text != "local0" then {
             action(type="omfwd" Target="loghost2" Port="414" Protocol="tcp" template="rel")
     }
  }
  ruleset(name="other"){
     action(type="omfile" file="/var/log/otherlog")
  }
  ruleset(name="local"){
     # Log all kernel messages to kern.log.
     kern.*                                                 /var/log/kern.log
     authpriv.*                                              /var/log/secure
     [...]
  }

  # Unfortunately quite complex queries, case would be nice :)
  if $!dst == "typea" then {
    call typea
    stop
  } else {
    if $!dst == "typeb" then {
        call typeb
        stop
    } else {
            if $!dst == "local" then {
               call local
               stop
            } else {
               call other
               stop
            }
          }
    }

    input(type="imtcp" port="414")
    input(type="imudp" port="514")
----------------------------------------------------------------------

Sometimes (unpredictably) I get log events like this on a chained rsyslog server:
 Original-Message: host1 1.2.3.4 Apr 21 11:39:43 host1 sshd[11600]: Accepted publickey for user from 2.3.4.5 port 23869 ssh2
 Message on changed rsyslog: .3.4 Apr 21 11:39:43 host1 sshd[11600]: Accepted publickey for user from 2.3.4.5 port 23869 ssh2

Error-Log on chained system:
----------------------------------------------------------------------
 Apr 23 10:43:11 chained-srv rsyslogd: Framing Error in received TCP message: invalid octet count 0. [v8.8.0.ad1]
 Apr 23 10:43:11 chained-srv rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 58. [v8.8.0.ad1]
 Apr 23 10:43:11 chained-srv rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 46. [v8.8.0.ad1]
----------------------------------------------------------------------

Do you have any idea / debugging concept?
In my lab, everything seems to be fine, so I see only the option to test in 
production, which I definitely don't want to do...

I use the latest rsyslog version, 8.9.0.

regards
Chris
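
Added example, not part of the original post and not rsyslog's own code: a simplified model of a TCP syslog receiver that auto-detects RFC 6587 framing, showing how a frame whose first byte is a digit produces "delimiter is not SP" / "invalid octet count" errors and a truncated message like those quoted above. The sample streams are constructed from the log line in the post; continuing with the parsed count after a bad delimiter is an assumption of this model.

```python
# Simplified model of RFC 6587 framing auto-detection (not rsyslog's code).
# Assumption of this model: after a bad delimiter the parsed count is still used.
LINE = (b"Apr 21 11:39:43 host1 sshd[11600]: Accepted publickey "
        b"for user from 2.3.4.5 port 23869 ssh2")   # log line from the post
OK_STREAM = b"host1 1.2.3.4 " + LINE + b"\n"        # constructed: starts with a letter
BAD_STREAM = b"1.2.3.4 " + LINE + b"\n"             # constructed: starts with a digit


def split_frames(stream: bytes):
    """Split one TCP byte stream into (messages, errors)."""
    messages, errors = [], []
    i, n = 0, len(stream)
    while i < n:
        if 48 <= stream[i] <= 57:                   # digit: octet-counted frame
            j = i
            while j < n and 48 <= stream[j] <= 57:
                j += 1
            if j == n:
                errors.append("stream ended inside octet count")
                break
            count = int(stream[i:j].decode())
            if stream[j] != 0x20:
                errors.append(f"delimiter is not SP but has ASCII value {stream[j]}")
            if count < 1:
                errors.append(f"invalid octet count {count}")
            else:
                messages.append(stream[j + 1:j + 1 + count])
            i = j + 1 + count
        else:                                       # otherwise: LF-terminated frame
            end = stream.find(b"\n", i)
            end = n if end == -1 else end
            messages.append(stream[i:end])
            i = end + 1
    return messages, errors


def encode_octet_counted(msg: bytes) -> bytes:
    """Sender-side framing that is safe for any first byte: 'LEN SP MSG'."""
    return str(len(msg)).encode() + b" " + msg


if __name__ == "__main__":
    for name, s in (("ok", OK_STREAM), ("bad", BAD_STREAM),
                    ("framed", encode_octet_counted(BAD_STREAM.rstrip(b"\n")))):
        print(name, split_frames(s))
```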
