We would need to see your full config file to begin to troubleshoot this
There are a lot of things that you can do in your config that will change this.
Also, since you are using RHEL/CentOS 7, you have the systemd journal involved
by default. It could very well be that it is taking a long time to deliver
messages. Or, if you are setup to use imjournal to fetch logs from the systemd
journal, it could be that you are seeing the granularity of the imjournal
polling to retrieve logs from systemd.
There are a log of possible things going on here, it's not going to be possible
to guess which are the cause until we see the config.
David Lang
On Tue, 16 Feb 2016, helices wrote:
Date: Tue, 16 Feb 2016 13:53:22 -0600
From: helices <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Why 5-10 minute write delay?
Rainer,
I have updated to: rsyslogd 8.16.0 , from rsyslog.repo, as described by DV
in this same thread.
The delay problem may be better; but, it remains unacceptable: >60 seconds
to logfile write. I can accept 10-15 seconds; but, no longer.
[ms50013@russell ~] $ /usr/bin/date; ssh mschleif@hermes /usr/bin/date
;/usr/bin/date
Tue Feb 16 13:45:58 CST 2016
mschleif@hermes's password:
Tue Feb 16 13:46:03 CST 2016
Tue Feb 16 13:46:03 CST 2016
[ROOT@hermes ~ ] # tail -f /var/log/sftp.log
...
Feb 16 13:46:03 hermes sshd[3475]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=russell.provell.com
user=mschleif
Feb 16 13:46:03 hermes sshd[3475]: Accepted password for mschleif from
192.168.199.140 port 57465 ssh2
Feb 16 13:46:03 hermes sshd[3475]: pam_unix(sshd:session): session opened
for user mschleif by (uid=0)
Feb 16 13:46:03 hermes sshd[3498]: Received disconnect from 192.168.199.140:
11: disconnected by user
Feb 16 13:46:03 hermes sshd[3475]: pam_unix(sshd:session): session closed
for user mschleif
^C
[ROOT@hermes ~ ] # /usr/bin/date
Tue Feb 16 13:47:39 CST 2016
I have repeated this test several times. That one above is near the mean:
1:36 or 96 seconds
Please, advise. Thank you.
On Tue, Feb 16, 2016 at 8:56 AM, Rainer Gerhards <[email protected]>
wrote:
2016-02-16 15:53 GMT+01:00 helices <[email protected]>:
rsyslogd 7.4.7, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
CentOS Linux release 7.1.1503 (Core)
Why does my rsyslogd often take 5-10 minutes to write events to logfile?
I need to do near real time logfile monitoring, and this delay is
unacceptable.
Please, advise. Thank you.
I think this is a bug in that outdated version. There was a bug that made
output only on buffer full. If so, you'll probably also see partial log
lines at the end of the file.
The solution is to upgrade to the currently supported 8.17.0 version.
HTH
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
