On Wed, 16 Sep 2015, Thomas Straubinger wrote:
Hey guys,
I have noticed a strange behavior with rsyslog which I can reproduce with
current rsyslog versions: 8.4 (Debian Jessie) and 5.8 (Debian wheezy).
I'm using the following configuration to forward messages via TCP to a
syslog-ng server and to activate queuing in case the syslog-ng server is not
reachable:

$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName centralwork
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@syslog-ng.example.com:514

Now - to test queuing - I block the client's IP address at syslog-ng side via
iptables. Then I'm producing 5000 log entries on the client via:

for (( x=1; $x<=5000; x++ )); do logger "message: $x"; done &

At this point, I already see some strange behavior:
- In the queue file, the first message is number 468 (?). I would expect that it will
start with "1" as rsyslog was not able to deliver it to the syslog-ng server.
- On the other side, the last message in the queue file is number 4211. Of
course here I would expect number 5000.
However, if I now unblock the connection to the syslog-ng server, I see that
all messages are delivered to the syslog-ng server. But not in the correct
order. Most of the time number 1-467 and 4212-5000 (which are not in the queue
file) are delivered first and a few seconds later the messages which are stored
in the queue file (468-4211). I could live with that, but there is a huge
problem:
If I restart rsyslog before unblocking the connection to the syslog-ng server
(to test the 'ActionQueueSaveOnShutdown on' option), rsyslog is not writing
anything to the queue file, it only writes an additional centralwork.qi file
and ends. This results in losing messages 1-467 and 4212-5000.
Thanks for clearing this up
Thomas
PS: Please also notice that the number of messages/lines (where rsyslog starts
to store the message in the queue file) is always changing. Every time it's in a
random range somewhere between 400-1400, which also looks kind of strange to
me. The last entry in the queue file is also affected by this behavior (but
it's never 5000).

First off, I suggest that you configure impstats and look at its info, I think
it will clarify a bunch of things for you.
Secondly, what are you doing to stop rsyslog? Depending on what you are doing,
you may not be giving it time to save the messages.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
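
A way to check the outcome of the test described in this thread on the receiving side, as an added example that is not part of the original messages: it reads the collected log lines and reports which "message: N" numbers never arrived, how many arrived twice, and how often a lower number followed a higher one. The log-line layout, host name and tag in the sample are constructed, and the function names are hypothetical.

```python
import re
from itertools import groupby

# Matches the payload written by: logger "message: $x"
SEQ_RE = re.compile(r"message: (\d+)\s*$")


def extract_sequence(lines):
    """Return the test sequence numbers in arrival order, skipping other lines."""
    return [int(m.group(1)) for m in map(SEQ_RE.search, lines) if m]


def to_ranges(numbers):
    """Collapse sorted integers into inclusive (first, last) ranges."""
    ranges = []
    # Consecutive integers share the same (value - index) difference.
    for _, run in groupby(enumerate(numbers), key=lambda p: p[1] - p[0]):
        values = [n for _, n in run]
        ranges.append((values[0], values[-1]))
    return ranges


def audit(lines, expected_last, expected_first=1):
    """Summarise loss, duplication and reordering for one forwarding test."""
    seen = extract_sequence(lines)
    unique = set(seen)
    missing = sorted(set(range(expected_first, expected_last + 1)) - unique)
    # An inversion is a message that arrives directly after a higher-numbered one.
    inversions = sum(1 for a, b in zip(seen, seen[1:]) if b < a)
    return {
        "received": len(seen),
        "duplicates": len(seen) - len(unique),
        "missing": to_ranges(missing),
        "inversions": inversions,
    }


# Constructed sample of a 20-message run: the start and end arrive first,
# part of the queued block follows, 9-16 never arrive, 8 arrives twice.
ORDER = [1, 2, 3, 17, 18, 19, 20, 4, 5, 6, 7, 8, 8]
SAMPLE = [f"Sep 16 10:00:01 client1 tester: message: {n}" for n in ORDER]
SAMPLE.append("Sep 16 10:00:02 client1 cron[300]: unrelated line")

if __name__ == "__main__":
    print(audit(SAMPLE, expected_last=20))
```

For the 5000-message test, pass the lines of the file the server wrote for this client and `expected_last=5000`.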