The queue only applies to the next action (this is why the new syntax was
created, the old syntax was too confusing)
so if syslog1 blocks, it will queue to memory and up to 1G on disk, while it is
queueing everything else will continue to log
but if syslog2 blocks, all processing will be blocked
if you want a single queue for both of them, you would put them in a ruleset and
put the queue on the ruleset.
This is incredibly confusing to try and do (if it's even possible) with the old
syntax, but very straightforward with the new syntax.
David Lang
On Tue, 16 Oct 2018, sophie.loewenthal--- via rsyslog wrote:
I uncommented the default actions in the rsyslogd.conf to enable a disc queue
as shown in the enclosed configuration.
In order to create a condition so the client could not send to the server, I
set the remote syslog server ports to ports that were *not* open on a server.
Next, I sent lots of messages to syslog with, while :;do logger -t
cron.crit TEST;done
I expected a file to be created on disc called fwdRule1, but I could not find this with a
find / -name "*fwdRule1*"
Where and how should this file be?
# cat /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger
command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.info @@(o)syslog1:3514
*.info @@(o)syslog2:4514
Best wishes,
Sophie
-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of John
Chivian
Sent: Wednesday, October 10, 2018 5:18 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] How to syslog to log to both local files (e.g
/var/log/messages) _and_ remotly to syslog server?
How can I add multiple IP addresses/hosts into the target = "" statement?
You don't. You have one action for each target, and each of the actions
should have a unique name and queue.filename specified. Research the
other values and set as appropriate for your environment.
Regards,
On 10/10/18 8:25 AM, sophie.loewenthal--- via rsyslog wrote:
Hi John and David Lang,
Thanks for the configuration & suggestions.
I should set this up on both the client & the server, because the server also
forwards to a logstash box.
How can I add multiple IP addresses/hosts into the target = "" statement? I
looked on https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
but did not find much reference to targets.
rsyslog clients:
action(
type="omfwd"
target="sys1,sys2"
port="514"
protocol="tcp"
name="tdp-514-out"
queue.size="1024000"
queue.filename="tdp-514.queue"
queue.maxdiskspace="512m"
queue.type="FixedArray"
queue.maxfilesize="10m"
queue.saveonshutdown="on"
queue.discardseverity="8"
Action.ResumeInterval="1"
Action.ResumeRetryCount="-1"
)
rsyslog server:
action(
type="omfwd"
target="logstash1,logstash2"
port="10514"
protocol="udp"
name="udp-10514-out"
queue.size="1024000"
queue.filename="udp-10514.queue"
queue.maxdiskspace="1g"
queue.type="FixedArray"
queue.maxfilesize="10m"
queue.saveonshutdown="on"
queue.discardseverity="8"
Action.ResumeInterval="1"
Action.ResumeRetryCount="-1"
)
Best wishes,
Sophie
-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of John
Chivian
Sent: Friday, October 05, 2018 1:43 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] How to syslog to log to both local files (e.g
/var/log/messages) _and_ remotly to syslog server?
On 10/5/18 6:34 AM, sophie.loewenthal--- via rsyslog wrote:
Perhaps this was caused by a network outage since resolved. I know of one.
If
so, how could rsyslog buffer and then send later whilst logging to local files?
Setup queueing.
action(
type="omfwd"
target="192.168.10.14"
port="5141"
protocol="tcp"
name="udp-5141-out"
queue.size="1024000"
queue.filename="udp-5141.queue"
queue.maxdiskspace="1g"
queue.type="FixedArray"
queue.maxfilesize="10m"
queue.saveonshutdown="on"
queue.discardseverity="8"
Action.ResumeInterval="1"
Action.ResumeRetryCount="-1"
)
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
This message and any attachments (the "message") is
intended solely for the intended addressees and is confidential.
If you receive this message in error,or are not the intended recipient(s),
please delete it and any copies from your systems and immediately notify
the sender. Any unauthorized view, use that does not comply with its purpose,
dissemination or disclosure, either whole or partial, is prohibited. Since the
internet
cannot guarantee the integrity of this message which may not be reliable, BNP
PARIBAS
(and its subsidiaries) shall not be liable for the message if modified, changed
or falsified.
Do not print this message unless it is necessary, consider the environment.
----------------------------------------------------------------------------------------------------------------------------------
Ce message et toutes les pieces jointes (ci-apres le "message")
sont etablis a l'intention exclusive de ses destinataires et sont confidentiels.
Si vous recevez ce message par erreur ou s'il ne vous est pas destine,
merci de le detruire ainsi que toute copie de votre systeme et d'en avertir
immediatement l'expediteur. Toute lecture non autorisee, toute utilisation de
ce message qui n'est pas conforme a sa destination, toute diffusion ou toute
publication, totale ou partielle, est interdite. L'Internet ne permettant pas
d'assurer
l'integrite de ce message electronique susceptible d'alteration, BNP Paribas
(et ses filiales) decline(nt) toute responsabilite au titre de ce message dans
l'hypothese
ou il aurait ete modifie, deforme ou falsifie.
N'imprimez ce message que si necessaire, pensez a l'environnement.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
