I figured out why the file called "audit" was showing up in the rsyslog spool directory on some servers. All of the servers in question were part of an OpenStack setup. Unknown to me, the OpenStack admins had included a couple of configuration files in /etc/rsyslog.d, one of which created this audit queue file. So, I have that figured out.
Thanks!

On Mon, Mar 14, 2016 at 12:10 AM, <[email protected]> wrote:

> Message: 20
> Date: Tue, 8 Mar 2016 15:23:55 -0800 (PST)
> From: David Lang <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] files stuck in spool queue
> Message-ID: <[email protected]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> without seeing your config files we couldn't guess why you are seeing the audit.log stuff
>
> does impstats show that there is data in the queues still? the files will not go away until rsyslog is restarted.
>
> David Lang
>
> On Mon, 7 Mar 2016, Brad Van Orden wrote:
>
> > Date: Mon, 7 Mar 2016 05:57:34 -0500
> > From: Brad Van Orden <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: [email protected]
> > Subject: Re: [rsyslog] files stuck in spool queue
> >
> > I found a link to recover queue index <https://gist.github.com/wilrnh/9373137> and started using that. That was a great help. My servers are sending to two central rsyslog servers. One is the Corporate server and the other is a server I manage to give me one location to monitor the log files. I have about 200 systems sending log files to this one server. All of the backed up queue files to the Corporate server were cleared up. On some of the systems, backed up queue files to my central server are still hanging around. I think it might relate to the $InputTCPMaxListeners and $InputTCPMaxSessions settings. This server is an HP DL380 G6 with 32GB of RAM and 2 quad core Intel Xeon X5570 CPUs. Is the maxsessions a total number, or the number per listener? I have max listeners set to 50 and sessions to 500. I'm thinking I probably need to increase the number of listeners. Also, on a few servers I have a file called "audit" that shows up in /var/spool/rsyslog. I have my audit daemon on each server writing to /var/audit. In this /var/spool/rsyslog/audit file, it points to /var/log/audit/audit.log. Not sure where it is coming from. Ideas?
> >
> > Regards,
> >
> > Brad
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
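
As an added example (not part of the thread or of rsyslog itself): a shell helper that maps a file name seen in /var/spool/rsyslog back to the config line that declares it, checking both queue file names and imfile state file names, since both are written to the work directory. The function names, the sample config files and the host name in them are constructed for illustration.

```shell
#!/bin/sh
# find_spool_owner NAME FILE...
# Prints "file:line:text" for each active config line that declares NAME as
# a queue file or an imfile state file. Returns non-zero when none does.
# NAME is assumed to be a plain file name without regex metacharacters.
find_spool_owner() {
    name=$1; shift
    # Legacy directives take the name as a bare word; RainerScript
    # parameters take it as a quoted value.
    legacy='(\$(Action|MainMsg)QueueFileName|\$InputFileStateFile)'
    legacy="$legacy"'[[:space:]]+"?'"$name"'"?([[:space:]]|$)'
    script='(queue\.filename|statefile)[[:space:]]*=[[:space:]]*"'"$name"'"'
    grep -EinH -- "$legacy|$script" "$@" 2>/dev/null |
        grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#'    # drop commented-out lines
}

# Constructed sample standing in for /etc/rsyslog.d (not taken from the thread).
make_sample() {
    d=$(mktemp -d)
    cat > "$d/10-forward.conf" <<'EOF'
$ActionQueueFileName corpfwd
*.* @@central.example.net:514
EOF
    cat > "$d/50-vendor.conf" <<'EOF'
# $InputFileStateFile audit   (commented out, must not be reported)
$InputFileName /var/log/audit/audit.log
$InputFileStateFile audit
EOF
    cat > "$d/60-new.conf" <<'EOF'
action(type="omfwd" target="central.example.net" queue.filename="mgmtfwd")
EOF
    echo "$d"
}

# Demo on the constructed sample: reports 50-vendor.conf, line 3.
sample=$(make_sample)
find_spool_owner audit "$sample"/*.conf
rm -rf "$sample"
```

On a real host the call would be `find_spool_owner audit /etc/rsyslog.conf /etc/rsyslog.d/*.conf`.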

