> in that case, you should either put everything in /etc/hosts or run a local
> resolver (I don't know which is faster, I suspect /etc/hosts will be faster until
> you get to a large number of systems)

I do have a local caching resolver running.

> >> with your config, only traffic arriving on port 10517 will get
> >> written to the testing ruleset, internal syslog messages won't show up.
> >
> > Yup! I was trying to eliminate all the other noise to focus on a
> > specific source that I know is having issues.
>
> in that case I don't understand your comment about not seeing local logs.

I must have misspoken somewhere along the way, my apologies! The only thing I'm not seeing that I expect to see are some random messages coming in over the network from other systems. The other systems I've noticed are all low volume systems. Some messages are UDP (the one I've been testing with as part of this thread), some are TCP (some Windows boxes monitoring specific flat files with nxlog, which are written to infrequently on the source systems).

> rsyslog will have different permissions when run as root than when run as a
> daemon (as far as SELinux is concerned anyway)
>
> If it can't write to /tmp it won't get past that line to write to /var/log because
> it can't process the message.

I'm running as root - I know, slap my hand, bad security practice. Also, SELinux is disabled on this system.

> > So rsyslog processes the messages and says it is writing it out, but they
> > aren't there.
>
> the only time I've seen this happen is if asyncwrites are enabled (in which
> case they will show up after rsyslog gets a HUP), can you show what action
> 20's full output line is?

Something more than this?

Oct 7 13:34:28 its-syslog-up1 rsyslogd-pstats: action 20: origin=core.action processed=415 failed=0 suspended=0 suspended.duration=0 resumed=0
Oct 7 13:34:28 its-syslog-up1 rsyslogd-pstats: dynafile cache EduroamACSFile: origin=omfile requests=415 level0=409 missed=6 evicted=0 maxused=1 closetimeouts=0
Oct 7 13:34:28 its-syslog-up1 rsyslogd-pstats: writeEduroamACSFile: origin=core.action processed=415 failed=0 suspended=0 suspended.duration=0 resumed=0

The last message output I have in the file is:

Oct 7 12:01:33 <hostname> CSCOacs_Failed_Attempts 0000133963 1 0 2015-10-07 12:01:33.634 -04:00 0006712534 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ACSVersion=acs-5.6.0.22-B.225, ConfigVersionId=23, FailureReason=11013 , Step=11013 , Step=5405 ,

Rsyslog is HUPed hourly for rotations and the messages are not showing up at that time, so I don't think it would be asyncwrites (which I haven't explicitly configured anywhere)

> main_queue(
>     queue.size = "400000"
>     queue.dequeuebatchsize = "1000"
> )
>
> The question is which outputs were causing rsyslog to not keep up. It will be
> interesting to hear what you get after cleaning up the last few dynafile
> issues.
>
> David Lang

I have all my actions named now, main queue size increased to 500k, and I've attempted using TCP from this particular problem log source, but the sending device is not sending messages when set to TCP, so I'm going to change it back to UDP. Other than that, I'm going to let this ride until tomorrow to gather more impstats output before I report back.

Thanks for sticking with me through this,
Dan
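Added example, not part of the original message and not rsyslog project code: a small parser for the legacy-format impstats lines quoted above that flags action counters (failed, suspended) and dynafile cache evictions, the counters one would check when messages seem to vanish on a collector. The function names `parse_pstats` and `findings` are hypothetical, and the sample lines are the ones shown in the message.

```python
import re

# Sample impstats lines copied from the message above (legacy text format).
SAMPLE = """\
Oct 7 13:34:28 its-syslog-up1 rsyslogd-pstats: action 20: origin=core.action processed=415 failed=0 suspended=0 suspended.duration=0 resumed=0
Oct 7 13:34:28 its-syslog-up1 rsyslogd-pstats: dynafile cache EduroamACSFile: origin=omfile requests=415 level0=409 missed=6 evicted=0 maxused=1 closetimeouts=0
Oct 7 13:34:28 its-syslog-up1 rsyslogd-pstats: writeEduroamACSFile: origin=core.action processed=415 failed=0 suspended=0 suspended.duration=0 resumed=0
"""

# Counter name runs up to the ": origin=" separator; the rest is key=value pairs.
LINE_RE = re.compile(r"rsyslogd-pstats: (?P<name>.+?): (?P<kv>origin=.*)$")


def parse_pstats(text):
    """Return a list of (name, counters) tuples from impstats lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an impstats line
        counters = {}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            counters[key] = int(value) if value.isdigit() else value
        out.append((m.group("name"), counters))
    return out


def findings(stats):
    """Flag counters showing an action failing or stalling, or cache evictions."""
    notes = []
    for name, c in stats:
        if c.get("origin") == "core.action":
            for key in ("failed", "suspended"):
                if c.get(key, 0) > 0:
                    notes.append(f"{name}: {key}={c[key]}")
        elif c.get("origin") == "omfile" and c.get("evicted", 0) > 0:
            notes.append(f"{name}: evicted={c['evicted']}")
    return notes


if __name__ == "__main__":
    for note in findings(parse_pstats(SAMPLE)) or ["no failed/suspended actions"]:
        print(note)
```

On the quoted lines it reports nothing, which matches the symptom in the thread: the action counters show 415 messages processed with no failures, so the counters alone do not explain the missing messages.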

