Rainer,

With all due respect, is fifteen (15) seconds from instance of event to logfile write "pushing the envelope" for rsyslog? I've been doing this a long, long time on just about every *NIX under the sun & this kind of delay - out of the box - is truly remarkable to me.

On Tue, Feb 16, 2016 at 2:20 PM, Damiano Verzulli <[email protected]> wrote:

> On 16/02/2016 20:53, helices wrote:
> > [...] The delay problem may be better; but, it remains unacceptable:
> > >60 seconds to logfile write. I can accept 10-15 seconds; but, no
> > longer.
>
> Three considerations:
>
> 1 - it's not easy (...and error-prone) to (try to) guess what happens, in
> your scenario, without giving a look to the "rsyslog.conf" configuration
> files. Please, post them (eventually, with sensitive data/sections
> obfuscated);
>

[ROOT@hermes ~ ] # grep -v "^\s*\(#\|$\)" /etc/rsyslog.conf
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad ommysql.so # load MySQL output driver
$ModLoad imudp # network reception
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
ftp.* /var/log/vsftpd.log
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
local6.* /var/log/sftp.log
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$AddUnixListenSocket /vol1/chroot/dev/log
if $programname == 'sshd' then /var/log/sftp.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sftp.log
if $programname == 'internal-sftp' then ~
$ActionQueueFileName dbQueue # set file name, also enables disk mode
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # use asynchronous processing
$ActionResumeRetryCount -1 # infinite retries on insert failure
*.* @@172.31.128.52
*.* @@192.168.151.99
ftp.* :ommysql:172.31.128.125,vsftplog,hermesvsftplog,___PASSWORD___

[ROOT@hermes ~ ] # ls -l /etc/rsyslog.d/*.conf
-rw-r--r-- 1 root root 49 Sep 15 08:21 /etc/rsyslog.d/listen.conf

[ROOT@hermes ~ ] # cat /etc/rsyslog.d/*.conf
$SystemLogSocketName /run/systemd/journal/syslog

NOTE: The sftp logging customizations were added last week. These unacceptable delays precede this by many months, since rebuilding this system to Centos 7 last year.

> 2 - as far as I understand, we (me and you) are discussing in an
> "open-scenario", without any guaranteed SLA and in a best-effort
> "schema" by every participant. Should you need "strong"/"mandatory"
> SLAs... Adiscon might help [1] ;-)
>
> 3 - despite point 2, I _STRONGLY_ believe that this list is an
> _EXCELLENT_ source of information about a wide range of RSYSLOG
> use-cases/problems/debugging.
>
> Cheers,
> DV
>
>
> [1] http://www.rsyslog.com/windows-agent/support/ => Priority support
>
>
> --
> Damiano Verzulli
> e-mail: [email protected]
> ---
> possible?ok:while(!possible){open_mindedness++}
> ---
> "Technical people tend to fall into two categories: Specialists
> and Generalists. The Specialist learns more and more about a
> narrower and narrower field, until he eventually, in the limit,
> knows everything about nothing. The Generalist learns less and
> less about a wider and wider field, until eventually he knows
> nothing about everything." - William Stucke - AfrISPA
> http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

