On Thu, 1 Oct 2015, Angel L. Mateo wrote:
El 25/09/15 a las 20:03, David Lang escribió:
You have told your system that you want to guarantee delivery of your
logs to the central server, if you can't deliver the logs, they will
back up until the queue is full, and then (per the syslog standard),
refuse to accept any more log messages because they can't deliver the
ones they have.
Therefor, anything that tries to log will pause until the log server
comes back up, and rsyslog on your other servers detects it and delivers
some of the log messages.
When the queue is full, shouldn't it discard new messages instead of
block all processes trying to log? Is there any way to configure it this way?
not by default, the RFC says that it should block until the message is
processed.
Rsyslog does have configuration to allow you to discard messages, look at the
high watermark and low watermark setting. You are running a pretty old version,
and probably shoudl upgrade for the best support of these functions.
Other than the fact that it may be that your disk queue may not be
working (which just affects how long it can go with the central server
down before you run into trouble), it's doing exactly what you told it
to do.
I want to preserve logs in case of a failure in my central log
servers, but if this failure last longer, then I prefer discarding messages
than hanging my servers.
ok, that takes a bit more effort to configure, but should be doable.
First you need to check that the disk queue is working. does it create
any files in the workdirectory? you haven't said what version of rsyslog
you are using, which makes it hard to be more specific.
Sorry. I'm using versions 5.8.6 (the one distributed in ubuntu 12.04)
and 7.4.4 (ubuntu 14.04). In the client server I had the problem, it is
5.8.6.
In the work directory files are created. In fact, there are still the files
created when my system hanged last week:
-rw------- 1 syslog syslog 947K sep 25 11:19 syslog1_fwd.00000002
-rw------- 1 syslog syslog 507 sep 25 11:16 syslog1_fwd.qi
-rw------- 1 syslog syslog 944K sep 25 11:19 syslog2_fwd.00000002
-rw------- 1 syslog syslog 507 sep 25 11:17 syslog2_fwd.qi
so it should not have hung unless you ran out of disk space (or at least the max
size you configured rsyslog to be ale to use). Since disk queues are so much
slower than normal, it may have just sloed down drastically (something the
pstats output would show you
you should try starting rsyslog manually on a system with -dn (debug
mode) to get the huge number of startup messages. Look in them for
anything about your queue files (syslog[12]_fwd) or any errors
(especially anything about disk queues)
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
