On Wed, 17 Feb 2016, helices wrote:
On Wed, Feb 17, 2016 at 9:51 AM, David Lang <[email protected]> wrote:
On Wed, 17 Feb 2016, helices wrote:
As noted previously, we are now running: rsyslog-8.16.0-3.el7.x86_64
However, I did NOT change rsyslog.conf after upgrade.
The default rsyslog.conf for rsyslog-8.16.0-3.el7.x86_64 is this:
# grep -v "^\s*\(#\|$\)" /etc/rsyslog.conf.rpmnew
module(load="imuxsock") # provides support for local system logging (e.g.
via logger command)
module(load="imklog") # provides kernel logging support (previously done
by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
NOTE: This does not use: imjournal
Based on this new rsyslog.conf, how do you suggest that I configure my
running conf file?
well, the first question, does this default rsyslog.conf work for you or
do you still have delays?
for your version that writes to a database and forwards the messages to
remote systems, re-write the queue stuff, forwarding, and database write to
use the action() format, I think it will be obvious to you where the
problem is after you do that.
1) What do I gain by moving to the newer rsyslog.conf?
lots of bugfixes, lots of speed improvements, lots of new features
but I thought you had already upgraded to 8.16, what version are you running.
2) If I change to the new rsyslog.conf, how can I test this on this
production server, _without_ losing and events that must be forwarded to DB?
Ok, then I'm not clear which rsyslog.conf you are running, the original one or
the default one?
3) Yes, under other conditions, I would love to start from scratch, and
build the new rsyslog.conf through trial and error. I cannot do that on
this production server. I hoped that both of these brief and short
rsyslog.conf files would readily lend itself to experienced recommendations
for what to remove ...
It's not a matter of removing things. It's a matter of understanding what you
have told rsyslog to do.
If you re-write the forwarding/db/queue stuff in the new action() format, it
should be clear to you where the queues exist. This should make it obvious why
local messages are being delayed.
We are seeing and understanding this, but you are not.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
