On Wed, 17 Feb 2016, helices wrote:
On Wed, Feb 17, 2016 at 11:01 AM, David Lang <[email protected]> wrote:
On Wed, 17 Feb 2016, helices wrote:
1) What do I gain by moving to the newer rsyslog.conf?
lots of bugfixes, lots of speed improvements, lots of new features
but I thought you had already upgraded to 8.16, what version are you
running?
I did the following, which did NOT change /etc/rsyslog.conf:
yum update rsyslog
2) If I change to the new rsyslog.conf, how can I test this on this
production server, _without_ losing any events that must be forwarded to
DB?
Ok, then I'm not clear which rsyslog.conf you are running, the original
one or the default one?
See above
Ok.
3) Yes, under other conditions, I would love to start from scratch, and
build the new rsyslog.conf through trial and error. I cannot do that on
this production server. I hoped that both of these brief and short
rsyslog.conf files would readily lend themselves to experienced
recommendations
for what to remove ...
It's not a matter of removing things. It's a matter of understanding what
you have told rsyslog to do.
I am a bit bewildered by differences between the 7.4.7 Centos 7 based
rsyslog.conf and the 8.16.0 adiscon.com based conf.
You can thank RedHat for that :-)
what in particular are you confused by?
If you re-write the forwarding/db/queue stuff in the new action() format,
it should be clear to you where the queues exist. This should make it
obvious why local messages are being delayed.
"new action() format" ???
http://www.rsyslog.com/doc/v8-stable/configuration/actions.html
http://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
hmm, the ommysql page doesn't show the action format. It needs to be updated.
http://www.rsyslog.com/doc/v8-stable/configuration/modules/ommysql.html
We are seeing and understanding this, but you are not.
What am I missing?
you have told rsyslog that if there is a problem sending to the 172.31 address,
you don't want it to hold up the main processing, but if there is a problem
delivering to the 192.168 address, or to the database, you do want it to hold
things up. This is an easy mistake to make with the old config format, because
it looks like you set up a queue and it should affect multiple actions after that
point, but the queue only affects the next action. With the new action() format,
the queue setup is very clearly part of a particular action (or ruleset) and so
it's much clearer what is going on.
How can I make changes without losing DB data from the
forwarding?
by default, there is one loop that goes through all the actions, and if any
action is slow or blocks, this loop pauses and doesn't process any logs.
If you want to continue processing logs for some things while other actions
block (without losing any logs), you need to set up additional queues for the
logs to go to. This makes it so that when the main loop gets to that action,
instead of trying to deliver the log, it moves it to a separate queue (which has
its own loop)
you can either do a separate queue for each action, or you can create a ruleset
that contains multiple actions and give the ruleset a queue
http://www.rsyslog.com/doc/v8-stable/configuration/basic_structure.html#rulesets-and-rules
Right now, you create a queue for one action (the forward to the 172.31 address)
but not for the other actions. Since inserts into a database can be slow, that
has a high probability of being the cause of the other delays.
You should also set up impstats
http://www.rsyslog.com/doc/v8-stable/configuration/modules/impstats.html so that
you can see how many logs are being received, how many are being processed by
each action, and how many are sitting in what queue at any time.
Note that if the MySQL database can't keep up with the logs that are arriving,
creating a separate queue for it only delays things; that queue will fill up and
the main loop will block because it can't deliver logs to the queue for the
mysql action. The impstats data will make this obvious when it happens.
David Lang
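
The per-action queue layout described in the reply above, sketched in the action() format as an added example (not taken from the thread or from the poster's actual rsyslog.conf). The thread gives only partial addresses, so the targets, database name, credentials, action names and file paths below are placeholders.

```conf
# Added example: every host, credential, name and path here is a placeholder.

# Periodic counters for each queue and action, written straight to a file
# so the statistics do not travel through the queues being measured.
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")
module(load="ommysql")

# Local file: no queue of its own, written directly by the main loop.
action(type="omfile" name="local_messages" file="/var/log/messages")

# First forwarder: its own disk-assisted queue, so an unreachable
# target fills this queue instead of pausing the main loop.
action(type="omfwd" name="fwd_a"
       target="192.0.2.10" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_a"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# Second forwarder: in the old format this one silently had no queue,
# because a queue directive only applies to the next action.
action(type="omfwd" name="fwd_b"
       target="198.51.100.20" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_b"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# Database insert: slow inserts back up into this queue only.
# If MySQL cannot keep up, the queue fills and the main loop blocks
# again; the impstats counters for "db_mysql" show that happening.
action(type="ommysql" name="db_mysql"
       server="db.example.net" db="Syslog"
       uid="rsyslog" pwd="CHANGE_ME"
       queue.type="LinkedList" queue.filename="db_mysql"
       queue.maxDiskSpace="2g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

A candidate file like this can be syntax-checked on the production host without touching the running daemon by using `rsyslogd -N1 -f /path/to/candidate.conf`.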