On Wed, 17 Feb 2016, helices wrote:

On Wed, Feb 17, 2016 at 9:51 AM, David Lang <[email protected]> wrote:

On Wed, 17 Feb 2016, helices wrote:

As noted previously, we are now running: rsyslog-8.16.0-3.el7.x86_64

However, I did NOT change rsyslog.conf after upgrade.

The default rsyslog.conf for rsyslog-8.16.0-3.el7.x86_64 is this:
# grep -v "^\s*\(#\|$\)" /etc/rsyslog.conf.rpmnew
module(load="imuxsock") # provides support for local system logging (e.g.
via logger command)
module(load="imklog")   # provides kernel logging support (previously done
by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

NOTE: This does not use: imjournal

Based on this new rsyslog.conf, how do you suggest that I configure my
running conf file?


well, the first question, does this default rsyslog.conf work for you or
do you still have delays?

for your version that writes to a database and forwards the messages to
remote systems, re-write the queue stuff, forwarding, and database write to
use the action() format, I think it will be obvious to you where the
problem is after you do that.


1) What do I gain by moving to the newer rsyslog.conf?

lots of bugfixes, lots of speed improvements, lots of new features

but I thought you had already upgraded to 8.16, what version are you running.

2) If I change to the new rsyslog.conf, how can I test this on this
production server, _without_ losing and events that must be forwarded to DB?

Ok, then I'm not clear which rsyslog.conf you are running, the original one or the default one?

3) Yes, under other conditions, I would love to start from scratch, and
build the new rsyslog.conf through trial and error. I cannot do that on
this production server. I hoped that both of these brief and short
rsyslog.conf files would readily lend itself to experienced recommendations
for what to remove ...

It's not a matter of removing things. It's a matter of understanding what you have told rsyslog to do.

If you re-write the forwarding/db/queue stuff in the new action() format, it should be clear to you where the queues exist. This should make it obvious why local messages are being delayed.

We are seeing and understanding this, but you are not.

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to