well, in the forward ruleset, you are only processing local5 messages, add an
else to write the logs that don't match that filter to a local file, I'd bet
that you will find your missing logs there
David Lang
On Mon, 9 Dec 2019, lxy via rsyslog wrote:
Date: Mon, 9 Dec 2019 14:41:45 +0800 (CST)
From: lxy via rsyslog <[email protected]>
To: "[email protected]" <[email protected]>
Cc: lxy <[email protected]>
Subject: [rsyslog] Why my action did not process anymore sometimes?
Hello,
My rsyslogd gets messages from a UNIX socket, then forward them to a TCP. The
configuration is as below.
module(load="imuxsock")
input(type="imuxsock" Socket="/dev/log" ruleset="forward")
module(load="impstats"
interval="30"
severity="7"
log.syslog="off"
log.file="/var/log/rsyslog.stats")
ruleset(name="forward"
queue.type="fixedArray"
queue.size="250000"
queue.dequeueBatchSize="4096"
queue.workerThreads="4"
#queue.workerThreadMinimumMessages="60000"
) {
if prifilt("local5.*") then {
action(type="omfwd"
Protocol="tcp"
Target="imi"
Port="514"
ZipLevel="6"
compression.Mode="stream:always"
#compression.stream.flushOnTXEnd="off"
)
# action(type="omfile" file="/var/log/publog")
}
}
#### GLOBAL DIRECTIVES ####
$MainMsgQueueType FixedArray
$MainMsgQueueSize 100000
$MainMsgQueueWorkerThreads 4
$MainMsgDequeueBatchSize 4096
$MainMsgQueueFileName MainQ
$MainMsgQueueHighWatermark 80000
$MainMsgQueueLowWatermark 10000
But from the output of impstats, it seems that the action did not process
sometimes, and there is no failed or suspended.
Mon Dec 9 13:43:09 2019: global: origin=dynstats
Mon Dec 9 13:43:09 2019: imuxsock: origin=imuxsock submitted=118251
ratelimit.discarded=0 ratelimit.numratelimiters=0
Mon Dec 9 13:43:09 2019: action 0: origin=core.action processed=63639 failed=0
suspended=0 suspended.duration=0 resumed=0
Mon Dec 9 13:43:09 2019: resource-usage: origin=impstats utime=3273134
stime=4468194 maxrss=45532 minflt=11395 majflt=0 inblock=0 oublock=912
nvcsw=173343 nivcsw=81
Mon Dec 9 13:43:09 2019: forward: origin=core.queue size=54612 enqueued=118251
full=0 discarded.full=0 discarded.nf=0 maxqsize=54612
Mon Dec 9 13:43:09 2019: main Q: origin=core.queue size=0 enqueued=0 full=0
discarded.full=0 discarded.nf=0 maxqsize=0
Mon Dec 9 13:43:39 2019: global: origin=dynstats
Mon Dec 9 13:43:39 2019: imuxsock: origin=imuxsock submitted=118251
ratelimit.discarded=0 ratelimit.numratelimiters=0
Mon Dec 9 13:43:39 2019: action 0: origin=core.action processed=63639 failed=0
suspended=0 suspended.duration=0 resumed=0
Mon Dec 9 13:43:39 2019: resource-usage: origin=impstats utime=3273187
stime=4468266 maxrss=45532 minflt=11395 majflt=0 inblock=0 oublock=920
nvcsw=173344 nivcsw=81
Mon Dec 9 13:43:39 2019: forward: origin=core.queue size=54612 enqueued=118251
full=0 discarded.full=0 discarded.nf=0 maxqsize=54612
Mon Dec 9 13:43:39 2019: main Q: origin=core.queue size=0 enqueued=0 full=0
discarded.full=0 discarded.nf=0 maxqsize=0
You can see that the action did not send any messages during those 30 seconds.
So where is the problem? How can I debug?
Thank you
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
