On Thu, 2018-11-29 at 13:44:54 +0100, Rainer Gerhards wrote:
El jue., 29 nov. 2018 a las 13:42, Simon Lundström (<[email protected]>) escribió:
On Wed, 2018-11-28 at 12:24:24 +0100, Rainer Gerhards wrote:
>El mié., 28 nov. 2018 a las 12:16, Simon Lundström (<[email protected]>)
escribió:
>>
>> Hey all!
>>
>> While trying to setup queueing like we want it to I wonder if we've
>> found a bug or most likely doing something wrong. We've set limits very
>> low just to make sure we fill the queue fast for testing. We're running
>> 8.24.0-1 from Debian 9 Stretch and this is our config with comments
>> removed:
>>
>> module(load="imuxsock"
>> SysSock.RateLimit.Interval="0"
>> )
>> module(load="imklog")
>> module(load="builtin:omfile"
>> dirCreateMode="0755"
>> fileCreateMode="0644"
>> fileGroup="adm"
>> fileOwner="root"
>> )
>>
>> global(
>> workDirectory="/var/spool/rsyslog"
>> MaxMessageSize="64k"
>> preserveFQDN="on"
>> action.reportSuspensionContinuation="on"
>> )
>>
>> if $fromhost-ip == "127.0.0.1" then {
>> action(
>> type="omfile"
>> name="omfile-/var/log/messages"
>> File="/var/log/messages"
>> )
>> }
>>
>> module(load="imtcp")
>> module(load="imudp")
>> module(load="impstats"
>> format="json-elasticsearch"
>> interval="5"
>> )
>>
>> module(load="omprog")
>> if $fromhost-ip == "127.0.0.1" and $programname == "rsyslogd-pstats"
then {
>> action(
>> name="action-omprog-impstats"
>> type="omprog"
>> binary="/local/nrpe/libexec/check_rsyslogd.pl --write"
>> )
>> }
>>
>> input(type="imtcp"
>> port="514"
>> )
>>
>> action(type="omfwd"
>> name="om-logstash"
>> target="127.0.0.1"
>> port="2514"
>> protocol="tcp"
>> template="RSYSLOG_ForwardFormat"
>> action.resumeRetryCount="1"
>
>This tells rsyslog to do one retry, and if it fails suspend the
>action. A suspended action will drop messages sent to it.
That's exactly what we want but that's not what we're seeing. I wrote in
my original mail what happens but if I was unclear let me know how I can
expand and explain!
> Did you mean "-1" (wait forever)?
No, I mean retry once and then drop the incoming logs. But that "mode"
isn't supported my rsyslog.
No, as I wrote we want rsyslog to start dropping the incoming logs when
the queues are full and the action is suspended.
Out of my head, I don't think you can let an action go suspended but keep
the queue.
No, it seems that when the queue is full and rsyslog is done retrying it
dumps/removes the queue and then starts to fill it again.
This is not want we want. We'll have to solve it another way but that is
for another time.
Actually, what you do is not let it go suspended, but discard messages that
do no longer fit into the queue. There is a queue setting for "drop
messages with prio x if queue fuller than...).
If we used severity levels (correctly) that could work, sure. But
eventually you'd have to handle that a downstream is down for a longer
time than you have disk for.
Have a great weekend!
BR,
- Simon
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
