On Wed, 17 Feb 2016, helices wrote:
See rsyslog.conf questions below:
On Tue, Feb 16, 2016 at 2:32 PM, helices <[email protected]> wrote:
On Tue, Feb 16, 2016 at 2:20 PM, Damiano Verzulli <[email protected]> wrote:
On 16/02/2016 20:53, helices wrote:
[...] The delay problem may be better; but, it remains unacceptable:
60 seconds to logfile write. I can accept 10-15 seconds; but, no
longer.
Three considerations:
1 - it's not easy (...and error-prone) to (try to) guess what happens, in
your scenario, without giving a look to the "rsyslog.conf" configuration
files. Please, post them (eventually, with sensitive data/sections
obfuscated);
[ROOT@hermes ~ ] # grep -v "^\s*\(#\|$\)" /etc/rsyslog.conf
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad ommysql.so # load MySQL output driver
$ModLoad imudp # network reception
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
ftp.* /var/log/vsftpd.log
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
local6.* /var/log/sftp.log
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$AddUnixListenSocket /vol1/chroot/dev/log
if $programname == 'sshd' then /var/log/sftp.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sftp.log
if $programname == 'internal-sftp' then ~
$ActionQueueFileName dbQueue # set file name, also enables disk mode
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # use asynchronous processing
$ActionResumeRetryCount -1 # infinite retries on insert failure
*.* @@172.31.128.52
*.* @@192.168.151.99
ftp.* :ommysql:172.31.128.125,vsftplog,hermesvsftplog,___PASSWORD___
[ROOT@hermes ~ ] # ls -l /etc/rsyslog.d/*.conf
-rw-r--r-- 1 root root 49 Sep 15 08:21 /etc/rsyslog.d/listen.conf
[ROOT@hermes ~ ] # cat /etc/rsyslog.d/*.conf
$SystemLogSocketName /run/systemd/journal/syslog
As noted previously, we are now running: rsyslog-8.16.0-3.el7.x86_64
However, I did NOT change rsyslog.conf after upgrade.
The default rsyslog.conf for rsyslog-8.16.0-3.el7.x86_64 is this:
# grep -v "^\s*\(#\|$\)" /etc/rsyslog.conf.rpmnew
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
NOTE: This does not use: imjournal
Based on this new rsyslog.conf, how do you suggest that I configure my
running conf file?
Well, the first question: does this default rsyslog.conf work for you, or do you
still have delays?
For your version that writes to a database and forwards the messages to remote
systems, re-write the queue stuff, forwarding, and database write to use the
action() format. I think it will be obvious to you where the problem is after
you do that.
David Lang
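The rewrite suggested above, as an added example that is not part of the original thread or of any poster's configuration: a literal action() translation of the three output lines at the end of the posted rsyslog.conf. It assumes rsyslog's documented legacy behaviour that $ActionQueue* directives bind only to the next action and are then reset, and that $ActionResumeRetryCount was likewise meant for that first action.

```rsyslog
# Added example: literal translation of the legacy output section.
# Hosts, database name, user and the password placeholder are copied
# from the posted rsyslog.conf; nothing else is changed or tuned.

module(load="ommysql")

# The four legacy directives
#   $ActionQueueFileName dbQueue
#   $ActionQueueSaveOnShutdown on
#   $ActionQueueType LinkedList
#   $ActionResumeRetryCount -1
# came directly before this forward, so (under the stated assumption)
# they attach to this action and to no other.
*.* action(type="omfwd"
           target="172.31.128.52"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="dbQueue"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")

# No queue.* parameters were set for this action in the legacy file,
# so it runs with the default action queue type (Direct): it is
# executed synchronously by the main queue worker.
*.* action(type="omfwd"
           target="192.168.151.99"
           protocol="tcp")

# Same for the database write: no queue of its own, no retry setting,
# even though the queue file above is named "dbQueue".
ftp.* action(type="ommysql"
             server="172.31.128.125"
             db="vsftplog"
             uid="hermesvsftplog"
             pwd="___PASSWORD___")
```

Written this way, each action's queue and retry settings are visible on the action itself, which makes it easy to see which outputs can block the main queue when a remote host or the database is slow.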
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog