you don't show any config on the receiver that would write logs to any file.
you don't show us the full config, so we don't know if the numbers in pstats are reset after each report or not
David Lang On Wed, 12 Feb 2020, lxy via rsyslog wrote:
Date: Wed, 12 Feb 2020 16:24:51 +0800 (CST) From: lxy via rsyslog <[email protected]> To: "[email protected]" <[email protected]> Cc: lxy <[email protected]> Subject: [rsyslog] I found that many logs vanished on the way of omfwd, so how to check it? Hello, all, I used omfwd to forward my logs to an endpoint. But I found that many of them have been vanished, but I don't know where to find them. The status of sender is as below, and there are 40 senders. So the total numer is more than 12000. Wed Jan 29 21:48:43 2020: global: origin=dynstats Wed Jan 29 21:48:43 2020: imuxsock: origin=imuxsock submitted=351 ratelimit.discarded=0 ratelimit.numratelimiters=0 Wed Jan 29 21:48:43 2020: action-0-builtin:omfwd: origin=core.action processed=346 failed=0 suspended=0 suspended.duration=0 resumed=0 Wed Jan 29 21:48:43 2020: resource-usage: origin=impstats utime=32025 stime=37956 maxrss=2184 minflt=566 majflt=0 inblock=0 oublock=40 nvcsw=520 nivcsw=2 openfiles=6 Wed Jan 29 21:48:43 2020: forward[DA]: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0 Wed Jan 29 21:48:43 2020: forward: origin=core.queue size=0 enqueued=351 full=0 discarded.full=0 discarded.nf=0 maxqsize=6 Wed Jan 29 21:48:43 2020: main Q: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0 On the receiver side. Wed Jan 29 21:48:44 2020: global: origin=dynstats Wed Jan 29 21:48:44 2020: imuxsock: origin=imuxsock submitted=2452 ratelimit.discarded=0 ratelimit.numratelimiters=0 Wed Jan 29 21:48:44 2020: action-0-omuxsock: origin=core.action processed=2947 failed=0 suspended=0 suspended.duration=0 resumed=0 Wed Jan 29 21:48:44 2020: action-1-builtin:omfile: origin=core.action processed=2947 failed=0 suspended=0 suspended.duration=0 resumed=0 Wed Jan 29 21:48:44 2020: imptcp(*/514/IPv4): origin=imptcp submitted=2909 sessions.opened=51 sessions.openfailed=46 sessions.closed=0 bytes.received=45676 bytes.decompressed=458997 Wed Jan 29 21:48:44 2020: resource-usage: origin=impstats utime=185247 stime=366687 maxrss=5128 minflt=1434 majflt=0 inblock=0 oublock=1048 nvcsw=9145 nivcsw=3 openfiles=60 Wed Jan 29 21:48:44 2020: action-0-omuxsock queue: origin=core.queue size=0 enqueued=2947 full=0 discarded.full=0 discarded.nf=0 maxqsize=2285 Wed Jan 29 21:48:44 2020: action-1-builtin:omfile queue[DA]: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0 Wed Jan 29 21:48:44 2020: action-1-builtin:omfile queue: origin=core.queue size=0 enqueued=2947 full=0 discarded.full=0 discarded.nf=0 maxqsize=68 Wed Jan 29 21:48:44 2020: main Q: origin=core.queue size=0 enqueued=5361 full=0 discarded.full=0 discarded.nf=0 maxqsize=16 Wed Jan 29 21:48:44 2020: io-work-q: origin=imptcp enqueued=167 maxqsize=5 The sender's configuration is as below. input(type="imuxsock" Socket="/dev/log" ruleset="forward") ruleset(name="forward" queue.type="fixedArray" queue.size="100000" queue.dequeueBatchSize="1000" queue.workerThreads="4" queue.filename="Forward" queue.highwatermark="80000" queue.lowwatermark="10000" #queue.workerThreadMinimumMessages="60000" ) { if prifilt("local5.*") then { action(type="omfwd" Protocol="tcp" Target="imi" Port="514" ZipLevel="6" compression.Mode="stream:always" #compression.stream.flushOnTXEnd="off" ) # action(type="omfile" file="/var/log/publog") } } And the receiver's configuration is as below. module(load="imptcp" threads="4") input(type="imptcp" port="514" Compression.mode="stream:always") So, how to check it? I did not find any failure yet. Thank you very much _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
