On Fri, 2 Nov 2018, Rory Toma wrote:
Date: Fri, 2 Nov 2018 15:44:10 -0700
From: Rory Toma <[email protected]>
To: David Lang <[email protected]>
Cc: Rory Toma via rsyslog <[email protected]>
Subject: Re: [rsyslog] Need help with high volume forwarding config
Does this mean that the packets are not even being forwarded?
Fri Nov 2 15:41:59 2018: main Q: origin=core.queue size=0 enqueued=8059
full=0 discarded.full=0 discarded.nf=0 maxqsize=632
so you received 8059 messages
Fri Nov 2 15:42:59 2018: global: origin=dynstats
Fri Nov 2 15:42:59 2018: action-0-builtin:omfwd: origin=core.action
processed=2591 failed=0 suspended=0 suspended.duration=0 resumed=0
and you sent 2591 messages through action 0 (this is why it's good to have
name='something' in the action to be sure you are looking at the right thing
Fri Nov 2 15:42:59 2018: action-1-builtin:omfwd: origin=core.action
processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0
Fri Nov 2 15:42:59 2018: imtcp(110): origin=imtcp submitted=2591
Fri Nov 2 15:42:59 2018: resource-usage: origin=impstats utime=2954582
stime=383935 maxrss=19192 minflt=5924 majflt=0 inblock=8 oublock=32
nvcsw=3462 nivcsw=7 openfiles=250
Fri Nov 2 15:42:59 2018: main Q: origin=core.queue size=0 enqueued=2591
full=0 discarded.full=0 discarded.nf=0 maxqsize=632
but here it says there were only 2591 messages received, are you resetting the
counters each time? if so, it's probably best not to do that right now.
David Lang
David Lang wrote on 11/2/18 2:34 PM:
On Fri, 2 Nov 2018, Rory Toma via rsyslog wrote:
We have several rsyslog hosts that forward to a logstash server. It runs
great, then after about an hour, data slows down until we get a trickle. I
did not see anything last time I ran impstats, so I'm stuck. Here's my
config (centos7, rsyslog 8.39) Any advice how to debug this?
Well, logstash has lots of bottlenecks, is it keeping up or is it refusing
to accept more data?
what does impstats show? does it show the output to logstash being
suspended?
until you know that the recipient is able to receive more logs, I don't
know that it's worth looking at the rsyslog config.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
