I personally recommend using fromhost-ip instead of fromhost. If you want to
use a name, use the hostname that the server put in the log message, if you
need to ignore that and see where it last came from, the IP is faster and has
fewer failure modes.
That's what we used to do when we were on rsyslog v5 a couple years ago, but
the name makes the data more user friendly, and sysadmins (and me) are in here
actually using the data regularly. And not all the hostnames from the messages
were consistent, so it was messy. I'll have to re-evaluate.
in that case, you should either put everything in /etc/hosts or run a local
resolver (I don't know which is faster, I suspect /etc/hosts will be faster
until you get to a large number of systems)
with your config, only traffic arriving on port 10517 will get written to the
testingruleset, internal syslog messages won't show up.
Yup! I was trying to eliminate all the other noise to focus on a specific
source that I know is having issues.
in that case I don't understand your comment about not seeing local logs.
But since you are writing to /tmp you could be running into permission
problems with SELinux/AppArmor (depending on your distro). try putting the
file under /var/log and see if it appears. It should appear when the first log
message arrives.
The file exists in /tmp already and is written to randomly. The dynafile
template also has an omfile output to /var/log/collection, which is where
everything else we collect is written. Both the file in /tmp and
/var/log/collection always get written to at the same time, but randomly and
not always when tcpdump shows a message came in. So I don't think it is a
permissions issue because data is written out to both locations, sometimes.
rsyslog will have different permissions when run as root than when run as a
daemon (as far as SELinux is concerned anyway)
If it can't write to /tmp it won't get past that line to write to /var/log
because it can't process the message.
So rsyslog processes the messages and says it is writing it out, but they
aren't there.
the only time I've seen this happen is if asyncwrites are enabled (in which case
they will show up after rsyslog gets a HUP), can you show what action 20's full
output line is?
I can tune the main queue size, but I haven't explicitly defined that
anywhere. Seems 100,000 is the built in default. I'll figure out how to bump
that up and increase it.
main_queue(
queue.size = "400000"
queue.dequeuebatchsize = "1000"
)
The question is which outputs were causing rsyslog to not keep up. It will be
interesting to hear what you get after cleaning up the last few dynafile issues.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
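The pieces discussed in this thread (a TCP input on port 10517 bound to its own ruleset, a dynafile template keyed on fromhost-ip rather than a resolved name, synchronous writes so the file appears on the first message, and an explicit main_queue size) fit together in a single rsyslog configuration like the one below. This is an added illustration written for this thread, not the poster's actual config: the port, the ruleset name and the /var/log/collection directory are taken from the messages above, while the template name PerHostFile and the use of %programname% in the path are assumptions.

```rsyslog
# Receive TCP syslog on 10517 and route it only to the testing ruleset,
# so messages from the local system (default ruleset) never land here.
module(load="imtcp")
input(type="imtcp" port="10517" ruleset="testingruleset")

# Dynafile path built from the sender's IP: no DNS lookup on the hot path,
# and no dependence on whatever hostname the sender put in the message.
# (Template name and the %programname% component are assumptions.)
template(name="PerHostFile" type="string"
         string="/var/log/collection/%fromhost-ip%/%programname%.log")

ruleset(name="testingruleset") {
    # asyncWriting="off" plus flushOnTXEnd="on" makes each message reach the
    # file as it is processed; with async writes enabled, data can sit in
    # the output buffer until a HUP or a flush interval, which looks like
    # messages "being written" but not appearing on disk.
    action(type="omfile" dynaFile="PerHostFile"
           asyncWriting="off" flushOnTXEnd="on")
}

# Raise the main queue above the 100,000 default so a slow output does not
# cause the queue to fill and messages to be dropped or delayed.
main_queue(queue.size="400000" queue.dequeueBatchSize="1000")
```

Keep the dynafile directory under /var/log rather than /tmp so the daemon's SELinux/AppArmor context can create and write the files; the same configuration can then be checked with `rsyslogd -N1` before it is reloaded.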