Re: [rsyslog] files stuck in spool queue

Tue, 08 Mar 2016 15:24:55 -0800

without seeing your config files we couldn't guess why you aer seeing the audit.log stuff
does impstats show that there is data in the queues still? the files will not go away until rsyslog is restarted. 

David Lang

On Mon, 7 Mar 2016, Brad Van Orden wrote:


Date: Mon, 7 Mar 2016 05:57:34 -0500
From: Brad Van Orden <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: Re: [rsyslog] files stuck in spool queue

I found a link to recover queue index
<https://gist.github.com/wilrnh/9373137>
and started using that.  That was a great help.  My servers are sending to
two central rsyslog servers.  One is the Corporate server and the other is
a server I manage to give me one location to monitor the log files.  I have
about 200 systems sending log files to this one server.  All of the backed
up queue files to the Corporate server were cleared up.  On some of the
systems, backed up queue files to my central server are still hanging
around.  I think it might relate to the $InputTCPMaxListeners and
$InputTCPMaxSessions settings.  This server is an HP DL380 G6 with 32GB of
RAM and 2 quad core Intel Xeon X5570 CPUs.  Is the maxsessions a total
number, or the number per listener?  I have max listeners set to 50 and
sessions to 500.  I'm thinking I probably need to increase the number of
listeners.  Also, on a few servers I have a file called "audit" that shows
up in /var/spool/rsyslog.  I have my audit daemon on each server writing to
/var/audit.  In this /var/spool/rsyslog/audit file, it points to
/var/log/audit/audit.log.  Not sure where it is coming from.  Ideas?

Regards,

Brad
<https://gist.github.com/wilrnh/9373137>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.






















					Reply via email to