Re: [rsyslog] Lookup Table FH leak?
Sorry, I meant change log may have a ref (just have a look at master change log).

On Oct 28, 2016 10:17 AM, "singh.janmejay" wrote:
> FD leak on reload is fixed upstream already. Can't recall which release.
> Release notes may have a ref.
>
> On Oct 28, 2016 6:15 AM, "David Lang" wrote:
>> I'm catching up on old mail, I think I saw fixes for the lookup table
>> functionality go through recently, can you check with the latest version?
>>
>> David Lang
>>
>> On Mon, 8 Aug 2016, Christian Ramseyer wrote:
>>> Date: Mon, 8 Aug 2016 14:31:06 +0200
>>> From: Christian Ramseyer
>>> Reply-To: rsyslog-users
>>> To: rsyslog-users
>>> Subject: [rsyslog] Lookup Table FH leak?
>>>
>>> Hi
>>>
>>> I've been testing the lookup table feature in 8.18.0 for a while now and
>>> it works great, good stuff!
>>>
>>> However there seems to be an issue that reloading the table leaks a
>>> filehandle:
>>>
>>> # config:
>>>
>>> lookup_table(name="mylookup" file="/etc/lookup.json" reloadOnHUP="on")
>>>
>>> # freshly started rsyslog, 1 FH as expected
>>>
>>> # lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
>>> rsyslogd 14135 root  3r REG 254,1 8467305 537540076 /etc/lookup.json
>>>
>>> # HUP a few times
>>>
>>> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>>> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>>> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>>>
>>> # results in 1 FH per HUP
>>>
>>> # lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
>>> rsyslogd 14135 root  3r REG 254,1 8467305 537540076 /etc/lookup.json
>>> rsyslogd 14135 root 11r REG 254,1 8467305 537540076 /etc/lookup.json
>>> rsyslogd 14135 root 12r REG 254,1 8467305 537540076 /etc/lookup.json
>>> rsyslogd 14135 root 13r REG 254,1 8467305 537540076 /etc/lookup.json
>>>
>>> Is this a known issue? I've looked at the open issues and commits in
>>> 8.19.0/8.20.0 and couldn't find any mention of it so I didn't try a
>>> newer release for now. But I'm of course willing to upgrade if you guys
>>> think this is addressed already.
>>>
>>> Build Info:
>>>
>>> rsyslogd 8.18.0, compiled with:
>>> PLATFORM: x86_64-pc-linux-gnu
>>> PLATFORM (lsb_release -d):
>>> FEATURE_REGEXP: Yes
>>> GSSAPI Kerberos 5 support: No
>>> FEATURE_DEBUG (debug build, slow code): No
>>> 32bit Atomic operations supported: Yes
>>> 64bit Atomic operations supported: Yes
>>> memory allocator: system default
>>> Runtime Instrumentation (slow code): No
>>> uuid support: Yes
>>> Number of Bits in RainerScript integers: 64
>>>
>>> Thanks
>>> Christian
>>>
>>> ___
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
Re: [rsyslog] Lookup Table FH leak?
FD leak on reload is fixed upstream already. Can't recall which release. Release notes may have a ref.

On Oct 28, 2016 6:15 AM, "David Lang" wrote:
> I'm catching up on old mail, I think I saw fixes for the lookup table
> functionality go through recently, can you check with the latest version?
>
> David Lang
>
> On Mon, 8 Aug 2016, Christian Ramseyer wrote:
>> Date: Mon, 8 Aug 2016 14:31:06 +0200
>> From: Christian Ramseyer
>> Reply-To: rsyslog-users
>> To: rsyslog-users
>> Subject: [rsyslog] Lookup Table FH leak?
>>
>> Hi
>>
>> I've been testing the lookup table feature in 8.18.0 for a while now and
>> it works great, good stuff!
>>
>> However there seems to be an issue that reloading the table leaks a
>> filehandle:
>>
>> # config:
>>
>> lookup_table(name="mylookup" file="/etc/lookup.json" reloadOnHUP="on")
>>
>> # freshly started rsyslog, 1 FH as expected
>>
>> # lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
>> rsyslogd 14135 root  3r REG 254,1 8467305 537540076 /etc/lookup.json
>>
>> # HUP a few times
>>
>> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>>
>> # results in 1 FH per HUP
>>
>> # lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
>> rsyslogd 14135 root  3r REG 254,1 8467305 537540076 /etc/lookup.json
>> rsyslogd 14135 root 11r REG 254,1 8467305 537540076 /etc/lookup.json
>> rsyslogd 14135 root 12r REG 254,1 8467305 537540076 /etc/lookup.json
>> rsyslogd 14135 root 13r REG 254,1 8467305 537540076 /etc/lookup.json
>>
>> Is this a known issue? I've looked at the open issues and commits in
>> 8.19.0/8.20.0 and couldn't find any mention of it so I didn't try a
>> newer release for now. But I'm of course willing to upgrade if you guys
>> think this is addressed already.
>>
>> Build Info:
>>
>> rsyslogd 8.18.0, compiled with:
>> PLATFORM: x86_64-pc-linux-gnu
>> PLATFORM (lsb_release -d):
>> FEATURE_REGEXP: Yes
>> GSSAPI Kerberos 5 support: No
>> FEATURE_DEBUG (debug build, slow code): No
>> 32bit Atomic operations supported: Yes
>> 64bit Atomic operations supported: Yes
>> memory allocator: system default
>> Runtime Instrumentation (slow code): No
>> uuid support: Yes
>> Number of Bits in RainerScript integers: 64
>>
>> Thanks
>> Christian
Re: [rsyslog] Lookup Table FH leak?
I'm catching up on old mail, I think I saw fixes for the lookup table functionality go through recently, can you check with the latest version?

David Lang

On Mon, 8 Aug 2016, Christian Ramseyer wrote:

> Date: Mon, 8 Aug 2016 14:31:06 +0200
> From: Christian Ramseyer
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: [rsyslog] Lookup Table FH leak?
>
> Hi
>
> I've been testing the lookup table feature in 8.18.0 for a while now and
> it works great, good stuff!
>
> However there seems to be an issue that reloading the table leaks a
> filehandle:
>
> # config:
>
> lookup_table(name="mylookup" file="/etc/lookup.json" reloadOnHUP="on")
>
> # freshly started rsyslog, 1 FH as expected
>
> # lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
> rsyslogd 14135 root  3r REG 254,1 8467305 537540076 /etc/lookup.json
>
> # HUP a few times
>
> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
> # kill -1 $(pgrep -f rsyslog/sbin/rsyslogd)
>
> # results in 1 FH per HUP
>
> # lsof -p $(pgrep -f rsyslog/sbin/rsyslogd) | fgrep .json
> rsyslogd 14135 root  3r REG 254,1 8467305 537540076 /etc/lookup.json
> rsyslogd 14135 root 11r REG 254,1 8467305 537540076 /etc/lookup.json
> rsyslogd 14135 root 12r REG 254,1 8467305 537540076 /etc/lookup.json
> rsyslogd 14135 root 13r REG 254,1 8467305 537540076 /etc/lookup.json
>
> Is this a known issue? I've looked at the open issues and commits in
> 8.19.0/8.20.0 and couldn't find any mention of it so I didn't try a
> newer release for now. But I'm of course willing to upgrade if you guys
> think this is addressed already.
>
> Build Info:
>
> rsyslogd 8.18.0, compiled with:
> PLATFORM: x86_64-pc-linux-gnu
> PLATFORM (lsb_release -d):
> FEATURE_REGEXP: Yes
> GSSAPI Kerberos 5 support: No
> FEATURE_DEBUG (debug build, slow code): No
> 32bit Atomic operations supported: Yes
> 64bit Atomic operations supported: Yes
> memory allocator: system default
> Runtime Instrumentation (slow code): No
> uuid support: Yes
> Number of Bits in RainerScript integers: 64
>
> Thanks
> Christian
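The same check as the lsof loop in the report, scripted so it can be repeated after an upgrade, as an added example that is not part of the thread: count the descriptors of a process that resolve to the table file by reading /proc/<pid>/fd, send a few SIGHUPs, and compare before and after. It assumes Linux /proc and permission to read the target process's fd links (root, or the user rsyslogd runs as); the pgrep and /etc/lookup.json in the usage comment are the thread's own.

```sh
#!/bin/sh
# Added example, not from the thread: detect a per-HUP descriptor leak by
# counting how many fds of a process point at one file before and after a
# series of SIGHUPs. Assumes Linux /proc and permission to read
# /proc/<pid>/fd (root, or the same user as the target process).

# count_open_fds PID PATH
# Prints the number of descriptors of PID whose link target is exactly PATH.
# /proc reports the canonical path, so pass `readlink -f` of the configured
# file. A descriptor to a rotated/replaced file shows as "PATH (deleted)"
# and is deliberately not counted; it is a different problem (stale handle).
count_open_fds() {
    pid=$1 path=$2 n=0
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue          # unmatched glob, or not an fd link
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "$path" ] && n=$((n + 1))
    done
    echo "$n"
}

# hup_and_count PID PATH [COUNT]
# Sends COUNT SIGHUPs (default 3) one second apart, prints "before after",
# and returns 1 if the descriptor count grew, i.e. the reload leaked.
hup_and_count() {
    pid=$1 path=$2 count=${3:-3}
    before=$(count_open_fds "$pid" "$path")
    i=0
    while [ "$i" -lt "$count" ]; do
        kill -HUP "$pid" || return 2
        sleep 1
        i=$((i + 1))
    done
    after=$(count_open_fds "$pid" "$path")
    echo "$before $after"
    [ "$after" -le "$before" ]
}

# Typical use against the daemon from the report:
#   hup_and_count "$(pgrep -f rsyslog/sbin/rsyslogd)" "$(readlink -f /etc/lookup.json)"
```

With the leaking 8.18.0 build the function prints something like "1 4" and exits non-zero; on a fixed build the two numbers are equal. Run it with the same number of HUPs each time, since the count difference, not the absolute number, is the signal.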
Re: [rsyslog] Difference b/w old method and new action method
On Sat, 20 Aug 2016, Muhammad Asif wrote:

> If I use following old method, logs sent successfully at receiver.
>
> *.* @@172.20.16.18:5170;msgonly
>
> But if I use below method, it does not send.
>
> action(type="omfwd" target="172.20.16.18" port="5170" protocol="tcp" template="msgonly")
>
> I monitor syslog file and found no difference in log but there are two extra lines.
>
> Aug 20 14:20:59 scene rsyslogd-2359: action 'action 11' resumed (module 'builtin: omfwd') [v8.20.0 try http://www.rsyslog.com/e/2359 ]
> Aug 20 14:20:59 scene rsyslogd-2359: action 'action 11' resumed (module 'builtin: omfwd') [v8.20.0 try http://www.rsyslog.com/e/2359 ]
>
> What is meant by these two logs.

the two log messages say that rsyslog had trouble forwarding the message and then later resumed delivery.

the two lines you show look like they should produce identical results to me, can you start rsyslog with debug mode enabled to see if there is something different that shows up when the two different config lines are processed?

actually, you may try changing the first one to just:

@@172.20.16.18:5170;msgonly

as that removes the redundant filter (which should end up getting optimized out)

David Lang
Re: [rsyslog] Problems connection journal and rsyslog 7.4.7 on CentOS 7
On Wed, 24 Aug 2016, adr...@pa0rda.nl wrote:

> Hi,
>
> On CentOS 7 I cannot get the connection right between systemd-journal and rsyslog. I want to get my mail logs in a separate file but it will not work. I can read the journal perfectly all right with journalctl and the kernel messages come through OK as well, but the rest seems to disappear somewhere.
>
> My rsyslog.conf load the following modules:
>
> # MODULES
> # The imjournal module below is now used as a message source instead of imuxsock.
> $ModLoad imjournal # provides access to the systemd journal
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $OmitLocalLogging off
> $ModLoad imklog # reads kernel messages (the same are read from journald)
>
> What do I do wrong???

we would need to see the rest of your config to see what you do with the messages after they arrive.

David Lang
Re: [rsyslog] Rsyslog Arrays not Working as Expected
On Fri, 16 Sep 2016, Shane Lawrence wrote:

> When I use this syntax, arrays work just fine:
>
> if ($fromhost-ip == ["127.0.0.1", "1.1.1.1"]) then {
>
> but when I use this syntax, it only matches the first item in the array:
>
> set $/ARCSIGHT_WHITELIST = ["127.0.0.1", "1.1.1.1"];
> if ($fromhost-ip == $ARCSIGHT_WHITELIST) then {
>
> There are no syntax errors when I check rsyslogd -N1. I am using v8.21.0 on CentOS 7.
>
> I believe both of these should have the same result. If arrays can't be used in this way, they should generate an error.

The second example isn't an array, it's the string '["127.0.0.1", "1.1.1.1"]'

There is not currently a nice way to create an array in rsyslog

> Is there a workaround?

yes, you can create a string and then use mmnormalize to parse it into an array (look at the repeat option or make a json string and parse that)

David Lang
Re: [rsyslog] liblognorm, imfile and Java stacktrace logs
On Tue, 13 Sep 2016, Radu Gheorghe wrote:

> But I haven't used mmnormalize/liblognorm on multiline logs. Not sure if it works as expected even. So I'm looking forward for your findings :)

mmnormalize won't handle multiline logs, but it will handle lines with escaped newlines in it (either escaped as they were created, or escaped via the property replacer and an exec_template() call)

David Lang
Re: [rsyslog] TCP listener and custom format
On Fri, 23 Sep 2016, Waqar Khan wrote:

> Hello,
>
> I have an application which will send TCP messages as log lines to my imtcp listener. I have been able to get the standard RFC formatted messages working and can log to a local file using omfile.
>
> However the messages are not standard format. They will look something like (this will be the full content of the TCP message, i.e. the data section will contain):
>
> FQDN CustomString Date [LogLevelString]:[LogType] Message \n
>
> For example:
>
> Win1.domain.com BLABLAbla 2016-09-23 11:04:54Z [DEBUG]:[SQL] SELECT * FROM table limit 1 \n
>
> What I would like to do with this message is to read the above into variables to evaluate in a filter and output to file name depending on the FQDN per message.
>
> So the above message would go into a file called /var/log/win1.domain.com-BLABLAbla.log
>
> Additionally I would like to evaluate [LogLevelString]. E.g. If $LogLevelString == '[ERROR]' then ...ommail
>
> How would I go about creating the $LogLevelString variable per message received?

This is not a good fit for rsyslog as it assumes that incoming messages are in a known format.

you may be able to work around this by using mmnormalize with a ruleset to parse the raw message. But the 'right' thing to do is to write (or pay professional services at adiscon to write) a parser module that understands this format and parses it correctly.

This is assuming that you can't fix the thing that's generating the log messages to format them as a proper syslog message.

David Lang
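If the sender really cannot be changed, the least surprising fix is often a small shim in front of rsyslog that rewrites the application's line as a well-formed RFC 5424 record: the stock parsers then fill $hostname, $app-name and $syslogseverity, and the level and type land in structured data where any filter or template can read them. This is an added example, not from the thread and not an rsyslog parser module; the facility (local0), the level-to-severity table and the custom@32473 SD element (32473 is the enterprise number reserved for documentation) are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Rewrites the application's own format
#   FQDN CustomString Date Time [LogLevel]:[LogType] Message
# as an RFC 5424 record. Facility local0 (16), the severity mapping and the
# custom@32473 structured-data element are assumptions, not rsyslog's.

# severity_for LEVEL -> numeric syslog severity for the application's level word
severity_for() {
    case $1 in
        EMERG|FATAL)   echo 0 ;;
        CRIT*)         echo 2 ;;
        ERR*)          echo 3 ;;
        WARN*)         echo 4 ;;
        NOTICE)        echo 5 ;;
        DEBUG|TRACE)   echo 7 ;;
        *)             echo 6 ;;   # anything unknown is informational
    esac
}

# to_syslog LINE -> prints the RFC 5424 record; returns 1 if LINE does not
# fit the format, so a caller can quarantine it instead of forwarding garbage.
to_syslog() {
    line=$1
    set -f                       # no globbing while splitting: messages contain '*'
    set -- $line
    set +f
    [ $# -ge 5 ] || return 1
    fqdn=$1 app=$2 day=$3 clock=$4 tagpair=$5
    case $day in [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;; *) return 1 ;; esac
    case $tagpair in \[*\]:\[*\]) ;; *) return 1 ;; esac
    level=${tagpair#\[};  level=${level%%\]*}
    ltype=${tagpair##*\[}; ltype=${ltype%\]}
    # Take the message verbatim from the original line (keeps inner whitespace);
    # fall back to the split words only if the prefix was not single-spaced.
    rest=${line#"$fqdn $app $day $clock $tagpair"}
    if [ "$rest" != "$line" ]; then
        msg=${rest# }
    else
        shift 5; msg=$*
    fi
    sev=$(severity_for "$level")
    pri=$((16 * 8 + sev))
    printf '<%s>1 %sT%s %s %s - - [custom@32473 level="%s" type="%s"] %s\n' \
        "$pri" "$day" "$clock" "$fqdn" "$app" "$level" "$ltype" "$msg"
}

# Put it between the application and an imtcp listener, e.g. (nc assumed):
#   while IFS= read -r l; do
#       to_syslog "$l" || printf '%s\n' "$l" >> rejected.log
#   done | nc 127.0.0.1 514
```

Once the record is proper syslog, the per-FQDN file from the question is an ordinary dynafile template on %hostname% and %app-name%, and the ERROR case is a filter on $syslogseverity <= 3 rather than on a hand-built variable. Rejected lines are kept aside on purpose: silently coercing unparseable input into a log stream hides exactly the events an attacker would want hidden.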
Re: [rsyslog] Delete log files after sending logs to Elasticsearch
On Mon, 19 Sep 2016, Alec Swan wrote:

> I am using rsyslog to read log files and send logs to Elasticsearch. I am looking for ideas on how to delete log files after their content is successfully sent to Elasticsearch.

rsyslog doesn't have any options to remove a file when it's done processing it (rsyslog assumes that it's reading a file that something else is writing to).

What I would suggest is to use something like logger to read the file and deliver the lines to rsyslog, then remove the file after it's all been delivered to rsyslog.

David Lang
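The logger-based hand-off described above, as an added example that is not from the thread: each line of a finished file is delivered through logger(1) and the file is removed only when logger exited successfully. Two caveats the answer implies: only drain files nothing is still appending to (rotate first), and "delivered" here means accepted by the local syslog socket (or by the TCP listener if you point logger at one), not acknowledged by Elasticsearch, so the omelasticsearch action on the rsyslog side still needs a disk-assisted queue to survive an outage. DRAIN_SENDER is an assumed hook so another delivery command can be substituted.

```sh
#!/bin/sh
# Added example, not from the thread: feed a finished log file to rsyslog
# one line per message through logger(1), and remove the file only when
# logger exited successfully. DRAIN_SENDER (assumed, for substitution and
# testing) overrides the delivery command; the default `logger -t TAG`
# needs a local rsyslog reachable through the system log socket.

# send_lines TAG < FILE: deliver stdin, one message per line
send_lines() {
    if [ -n "$DRAIN_SENDER" ]; then
        $DRAIN_SENDER
    else
        logger -t "$1"
    fi
}

# drain_and_delete FILE [TAG]
# Prints the number of lines handed over and deletes FILE; on delivery
# failure keeps FILE and returns 1 so it can be retried.
drain_and_delete() {
    file=$1
    tag=${2:-$(basename "$file")}
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    total=$(wc -l < "$file" | tr -d ' ')
    if send_lines "$tag" < "$file"; then
        rm -f -- "$file"
        echo "$total"
        return 0
    fi
    echo "delivery failed, keeping $file" >&2
    return 1
}

# Examples (the host and port are placeholders):
#   drain_and_delete /var/log/app/2016-09-19.log app
#   DRAIN_SENDER='logger --tcp -n 127.0.0.1 -P 10514 -t app' drain_and_delete /var/log/app/2016-09-19.log
```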
Re: [rsyslog] feature request
On Tue, 30 Dec 2014, Kendall Green wrote:

> Hello and thank you for the example configuration for reparse(), which would help normalization efforts for parsing windows event messages for different event ids.
>
> How would the refactoring of reparse affect the new RainerScript functions wrap() and replace(), and also mmnormalize can also work with variable, and are there any example configuration for these functions.

At my last job I used mmnormalize on variables extensively, I took the message that arrived in JSON and created a 'standard' traditional syslog formatted line (no matter what format it arrived in) and then did the mmnormalize on that line. This included logs from windows systems

However, keep in mind that mmnormalize scales very well with the rule size, so you can have as many different rules in one file as you want. Doing windows logs again, I would create a variable that had the event id as one of the early fields in the line (right after the prefix of timestamp, hostname, sourcename) which will let mmnormalize immediately identify the correct parser rule(s) to use and then parse the message appropriately with no chance of confusing it with a different message type.

> The re_extract() function warning message that it is being deprecated, so I resorted to using legacy template syntax from the regex generator tool, and assigning to variable with the exec_template() function. This allows regex to be used, without putting into the mmnormalize rulebase, but different regex would be necessary to reparse the subsection of the messages, for conditions on contents or different events.
>
> The spacing depending on the contents of the message, or event states that affect the formatting changes, as another challenge, these messages currently have syslog agents that lose the structure, but can be restored with possibly wrap() and replace(), to reformat the message parts and mmjsonparse or reparse the key values into different format, key=value or json, cee, cef, csv.
>
> Using rulebase that is able to define most sections of the message, but the "iptables" type key=value pairs is limited.

the repeat functionality can help you here, but I agree we need a more general key-value and csv type capability (look at what nxlog does for csv for a pretty flexible example)

> This awesome feature would provide so much ability if could specify separators, or way to define the key:value wrappers.
>
> Can anyone speak to the ability in example use cases for new features of mmnormalize? Would output name to separate json paths logically circumvent caveats regarding unknown results from executing multiple instances of different rulebases against a message, and how might reparse() might be able to take into account?

I'm not sure I understand your question here, can you try to restate it (also, when you have a long e-mail like this with many questions, separating them out can help avoid confusion)

> Another odd thing with working with dynafiles and variables, is that $!vars appears to only work with lowercase letters, so the rulebase variables that are uppercase and used as output in the omfile name need to be set to another variable that is lowercase or it doesn't populate the outfile name.
>
> When dealing with tens of thousands of clients, it doesn't lend much to changing anything about what comes into the central logging service. The raw data output by windows is with nested structures defined by tabs, character return, new lines, that are replaced with 4, 3, or 2, spaces:

what version are you using? we had some problems with capitalization not too long ago.

> "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1343760832-931058557-1943201436-1000\r\n\tAccount Name:\t\tkgreen\r\n\tAccount Domain:\t\tdell\r\n\tLogon ID:\t\t0x86c35c\r\n\r\nLogon Type:\t\t\t7\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
>
> Windows Syslog Agent sends as:
>
> "An account was logged off.Subject: Security ID: S-1-5-21-1343760832-931058557-1943201436-1000 Account Name: kgreen Account Domain: dell Logon ID: 0x86c35cLogon Type: 7This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."

what windows syslog agent are you using? I was using nxlog, which let me forward the eventlog data as a JSON message, which gave me both the message as you are describing and a lot of the fields (especially standard ones like eventid) broken out as separate json objects.

> The disadvantages in mmnormalize, is for the msg object is included as part of the json structure after the contents have been parsed to fields, essentially duplicating into structured data containing an unstructured mess of a log. This
Re: [rsyslog] Problem with queues configuration
On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> Thanks for the hints, I have already done most of them and at the present time I am able to keep up with the traffic easily. I like the solution of separating out the major senders by port so there's no possible cross contamination if tags are reused across different applications. All my if statements have stop after them so they don't do any further processing, and they are ordered with the rules that get hit the most at the very top.
>
> What would simplify my config the most was if there was a way to do a case on the syslogtag instead of multiple if statements. But I haven't found any way to do that.

we don't have case, but the array on if statements and/or table lookup handle most cases.

if $programname == ['foo','bar'] then {
} else if $programname == ['baz'] then {
} else if $programname == ...

is functionally equivalent to a case statement.

doing a table lookup can simplify a complex lookup into a simple one

you could have a table that had keys of 'hostname + " " + programname' and map that to a simple string/number to then use in the if statements or dynafile strings for example.

David Lang

> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:23 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> On Thu, 27 Oct 2016, Scot Kreienkamp wrote:
>
>> I have one centralized collector, and it was having trouble keeping up. It normally runs 20-30 meg (combined in and out) during the day, bursting as high as 90 meg. It has 228 if statements, mostly checking syslogtag, but some checking sending hostname, times, etc. To eliminate some processing time I changed the higher traffic apps to come in on their own dedicated ports so I could bind a much smaller ruleset to the inputs, and everything else comes in on the default port. So now the largest number of if statements in a ruleset is 49 with many being 15 or less.
>
> Ok, I would be interested in looking to simplify the receiving config, that doesn't seem like an excessive amount of traffic, we should be able to handle it on a single port. I've run servers handling many GB of logs per day with rather complex rulesets.
>
> a couple hints to start with.
>
> can you use arrays in if statements?
>
> if $syslogtag == ['foo', 'bar', 'baz'] then {}
>
> if you have a large enough ruleset, and lots of sets of tags being handled the same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b' etc.
>
> Can you use dynafiles (especially in combination with the above capabilities) to set variables that are then used in filenames to output the files in fewer statements?
>
> nest if statements instead of having a lot of complex filters
>
> if $syslogtag == 'foo' then {
>     if ... then {}
>     if ... then {}
> }
>
> (note: doing this may let you use rulesets for some of the inner conditions, greatly simplifying your config)
>
> And finally (and most simply), rsyslog is sensitive to the order of the rules, so if you have some very common logs, process them first and then have a stop action once you know that they aren't going to match anything else in the config.
>
> David Lang
>
>> My original intent behind the question was not because I was using a large amount of ports, but so I could group everything outbound from the clients into one outbound queue and have something reusable by selecting a new port instead of writing a new ruleset, actions, and queues for every outbound port.
>>
>> Welcome back :-)
>>
>> -Original Message-
>> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
>> Sent: Thursday, October 27, 2016 2:49 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Problem with queues configuration
>>
>> no, you cannot use a variable for a port.
>>
>> catching up on this, I'm trying to understand why you are using so many different ports. Each message has the original hostname in it, and you can split the logs on that at the central system rather easily, why split it on the sending side to different ports?
>>
>> If the receiver can't keep up, having lots of different queues on the sender is just going to mean you have a lot of queues filling up, the order that they then drain is rather unpredictable.
>>
>> David Lang
>>
>> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>>
>>> Would something like this work? I wasn't sure a config file variable could be used in the action context.
>>>
>>> ruleset(name="fwd-centralsyslog-customport" queue.type="LinkedList"
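The lookup-table route suggested in this thread (and as the workaround for the array question earlier on this page), as an added example that is not part of the thread: a script that turns a plain "host program class" mapping into the JSON document lookup_table() loads, installs it with an atomic rename so a reloadOnHUP reload never reads a half-written file, and optionally HUPs rsyslogd. The mapping format, the destination path and the class names are assumptions. On the rsyslog side the table is declared as lookup_table(name="class" file="/etc/rsyslog.d/class.json" reloadOnHUP="on") and consulted with set $.class = lookup("class", $hostname & " " & $programname); after which a long run of tag checks becomes one if per class value.

```sh
#!/bin/sh
# Added example, not from the thread. Builds an rsyslog lookup table
# (index = "hostname programname", value = short class string) from a
# mapping file with one "host program class" triple per line, and installs
# it atomically. Paths and the mapping format are assumptions.

# json_escape STRING -> STRING with backslash and double quote escaped
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# build_lookup_table MAPFILE [NOMATCH] -> prints the table JSON on stdout.
# NOMATCH (default "other") is what lookup() returns for unknown keys, so a
# new host/program pair lands in a catch-all rule instead of vanishing.
build_lookup_table() {
    mapf=$1 nomatch=${2:-other}
    printf '{ "version": 1, "nomatch": "%s", "type": "string",\n  "table": [' \
        "$(json_escape "$nomatch")"
    first=1
    while read -r host prog class; do
        case $host in ''|'#'*) continue ;; esac      # blank lines and comments
        [ -n "$class" ] || { echo "bad mapping line: $host $prog" >&2; return 1; }
        [ "$first" = 1 ] || printf ','
        first=0
        printf '\n    { "index": "%s", "value": "%s" }' \
            "$(json_escape "$host $prog")" "$(json_escape "$class")"
    done < "$mapf"
    printf '\n  ]\n}\n'
}

# install_lookup_table MAPFILE DEST [hup]
# Writes the table to a temp file next to DEST and renames it into place,
# so a HUP arriving mid-write still sees a complete table. With a third
# argument "hup", signals a running rsyslogd afterwards (pkill assumed).
install_lookup_table() {
    mapf=$1 dest=$2
    tmp=$(mktemp "$(dirname "$dest")/.lookup.XXXXXX") || return 1
    if build_lookup_table "$mapf" > "$tmp" && chmod 0640 "$tmp" && mv -f "$tmp" "$dest"; then
        [ "${3:-}" = hup ] && pkill -HUP -x rsyslogd
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Example mapping file (constructed):
#   # host   program   class
#   web01    nginx     web
#   web01    php-fpm   web
#   db01     mysqld    db
# install_lookup_table /etc/rsyslog.d/class.map /etc/rsyslog.d/class.json hup
```

Keep the table file owned by root and not group- or world-writable: whoever can edit it decides which ruleset a message is routed to, which is the same trust as editing rsyslog.conf.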
Re: [rsyslog] Problem with queues configuration
Almost forgot, I also implemented async and IO buffering on dynafile, which lowered my CPU usage and disk churn greatly.

-Original Message-
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up. It
> normally runs 20-30 meg (combined in and out) during the day, bursting as high
> as 90 meg. It has 228 if statements, mostly checking syslogtag, but some
> checking sending hostname, times, etc. To eliminate some processing time I
> changed the higher traffic apps to come in on their own dedicated ports so I
> could bind a much smaller ruleset to the inputs, and everything else comes in
> on the default port. So now the largest number of if statements in a ruleset
> is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that doesn't seem like an excessive amount of traffic, we should be able to handle it on a single port. I've run servers handling many GB of logs per day with rather complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b' etc.

Can you use dynafiles (especially in combination with the above capabilities) to set variables that are then used in filenames to output the files in fewer statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
    if ... then {}
    if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions, greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules, so if you have some very common logs, process them first and then have a stop action once you know that they aren't going to match anything else in the config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back :-)
>
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can split
> the logs on that at the central system rather easily, why split it on the
> sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender is
> just going to mean you have a lot of queues filling up, the order that they then
> drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work? I wasn't sure a config file variable could
>> be used in the action context.
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>         queue.type="LinkedList"
>>         queue.size="5"
>>         queue.maxDiskSpace="1g"
>>         queue.discardmark="45000"
>>         queue.dequeueBatchSize="1024"
>>         queue.filename="fwd-monvsyslog-514"
>>         queue.spoolDirectory="/var/spool/rsyslog"
>>         queue.saveOnShutdown="on"
>>         ){
>>     action(
>>         name="fwd-syslog-collector"
>>         type="omfwd"
>>         Target="monvsyslog "
>>         Port="$!remoteport"
>>         Protocol="tcp"
>>     )
>> }
>>
>> if $syslogtag == 'Ecomm:' then {
>>     set $!remoteport = "1531";
>>     call fwd-centralsyslog-customport
>>     stop
>> }
>>
>> -Original Message-
>> From:
Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
That's why I included the line I was using to test, so that anyone reading my
message had the means to produce whatever output they needed if they chose to
look into it further. I don't have a RH6 machine to try this with anymore. My
solution was to upgrade to RH7 where it was no longer an issue.

logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"

That logger line, executed on RH7 and delivered to a RH6 host, was not
processed properly. I was filtering it based on syslogtag.

Rsyslog rules I was using:

template(name="NetworkPerIP" type="string"
         string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="FirewallChangeLog" type="string"
         string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514"){
    action(name="Net-1514-omfile" type="omfile" dynafilecachesize="50"
           DynaFile="NetworkPerIP" template="RSYSLOG_TraditionalFileFormat"
           ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
           dirCreateMode="0750" FileCreateMode="0640"
           dirGroup="networksecured" fileGroup="networksecured")
    if $syslogtag contains "ASA-5-111010" then {
        action(name="Net-1514-FWCH" type="omfile" dynafilecachesize="50"
               DynaFile="FirewallChangeLog" template="RSYSLOG_TraditionalFileFormat"
               ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
               dirCreateMode="0750" FileCreateMode="0640"
               dirGroup="networksecured" fileGroup="networksecured")
    }
    stop
}

input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:24 PM
To: rsyslog-users
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I was able to reproduce the problem using the logger command from a RH7
> workstation to an rsyslog server running under RH6 so I am fairly certain the
> problem wasn't on the Cisco side.

samples of the raw logs that are being mis-processed would be a huge help.

David Lang

> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo
>> running in production here. It's a very busy server, but from what I can
>> tell I am not dropping any messages. The queues are usually less than 100
>> and return to 0 within 60 seconds. I have had the config in place on my
>> server for 1 month now and it had been working flawlessly until the end of
>> last month. I have included the relevant part of my config inline below,
>> any comments on tuning or help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP. About 20 other
>> hosts are also sending logs hitting this rule. Up through 23:59 9-30-2016
>> all messages that had a tag that contained "ASA-5-111010" were also written
>> to another dynafile, FirewallChangeLog. That's what I wanted to happen,
>> and as I said, it was working flawlessly until the end of last month.
>> Since the calendar flipped over to Oct 1 the logs have not been written to
>> the FirewallChangeLog. In testing, I simulated a log message from my
>> workstation to this rule like so:
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP log;
>> it's only written to the NetworkPerIP log if I don't tag it with the
>> "ASA-5-111010". That's what makes me think I'm hitting a bug in the code
>> somewhere. If I copy this config to a test box running RHEL7 with the same
>> version of rsyslog and same config it seems to work OK. I haven't tried on
>> another RHEL6. I am not hitting the limit of number of open files, it's
>> set to 15,000 and I'm only at 5,000 last I checked. And lastly, rsyslogd
>> -N1 doesn't show any errors. I went ahead and did the upgrade to RHEL7
>> since it was on my list to upgrade anyway and the problem has disappeared.
>
> When I see this sort of thing, I suspect that
Re: [rsyslog] Problem with queues configuration
Thanks for the hints, I have already done most of them and at the present time
I am able to keep up with the traffic easily. I like the solution of separating
out the major senders by port so there's no possible cross contamination if
tags are reused across different applications. All my if statements have stop
after them so they don't do any further processing, and they are ordered with
the rules that get hit the most at the very top. What would simplify my config
the most is if there was a way to do a case on the syslogtag instead of
multiple if statements. But I haven't found any way to do that.

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up. It
> normally runs 20-30 meg (combined in and out) during the day, bursting as
> high as 90 meg. It has 228 if statements, mostly checking syslogtag, but
> some checking sending hostname, times, etc. To eliminate some processing
> time I changed the higher traffic apps to come in on their own dedicated
> ports so I could bind a much smaller ruleset to the inputs, and everything
> else comes in on the default port. So now the largest number of if
> statements in a ruleset is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that
doesn't seem like an excessive amount of traffic, we should be able to handle
it on a single port. I've run servers handling many GB of logs per day with
rather complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b'
etc.

Can you use dynafiles (especially in combination with the above capabilities)
to set variables that are then used in filenames to output the files in fewer
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
    if ... then {}
    if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions,
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules,
so if you have some very common logs, process them first and then have a stop
action once you know that they aren't going to match anything else in the
config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back :-)
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can
> split the logs on that at the central system rather easily, why split it on
> the sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender
> is just going to mean you have a lot of queues filling up, the order that
> they then drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work? I wasn't sure a config file variable could
>> be used in the action context.
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>         queue.type="LinkedList"
>>         queue.size="5"
>>         queue.maxDiskSpace="1g"
>>         queue.discardmark="45000"
>>         queue.dequeueBatchSize="1024"
>>         queue.filename="fwd-monvsyslog-514"
>>         queue.spoolDirectory="/var/spool/rsyslog"
>>         queue.saveOnShutdown="on"
>>         ){
>>     action(
>>         name="fwd-syslog-collector"
>>         type="omfwd"
>>         Target="monvsyslog "
Re: [rsyslog] Action Queue misunderstanding
Oh ok, thanks a lot!

Ludovic

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, 27 October 2016 21:26
To: rsyslog-users
Subject: Re: [rsyslog] Action Queue misunderstanding

Yes, the file does not get re-written as logs are delivered, it's just pointers
into the file that change (the overhead and race conditions related to
re-writing a potentially large file when one message is delivered and
additional messages are arriving are ugly)

David Lang

On Thu, 27 Oct 2016, phrogz wrote:

> Thanks for the feedback, you're right pstats show 0 for the DA queue, but is
> it normal that the file (inside) is not empty? Because there are still some
> messages in the queue, and if I take one random msg in this file I can see
> that the msg has been transmitted to the backend database.
>
> Thanks,
>
> Ludovic
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, 27 October 2016 20:42
> To: rsyslog-users
> Subject: Re: [rsyslog] Action Queue misunderstanding
>
> disk assisted queues will leave one file in place when they are fully caught
> up (in case there are more files that need to be queued), when you shutdown
> rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.
>
> but the pstats data should show the enqueued size as 0 for the DA version of
> the queue.
>
> when you have a DA queue, it's actually two queues, a memory queue and a disk
> assist queue, they show up separately in the pstats data, and the memory
> queue will fill up before the disk queue starts being used.
>
> David Lang
>
> On Thu, 20 Oct 2016, phrogz wrote:
>
>> Date: 20 Oct 2016 17:42:22 +0200
>> From: phrogz
>> Reply-To: rsyslog-users
>> To: rsyslog@lists.adiscon.com
>> Subject: Re: [rsyslog] Action Queue misunderstanding
>>
>> yes, but normally the queues are cleaned? isn't it?
>>
>> 2016-10-20 17:34 GMT+02:00 phrogz :
>>> Anyway, the logs in the queue files are delivered.
>>
>> So you are happy?
>>>
>>> Thanks,
>>>
>>> Ludovic
Re: [rsyslog] Action Queue misunderstanding
Yes, the file does not get re-written as logs are delivered, it's just pointers
into the file that change (the overhead and race conditions related to
re-writing a potentially large file when one message is delivered and
additional messages are arriving are ugly)

David Lang

On Thu, 27 Oct 2016, phrogz wrote:

> Thanks for the feedback, you're right pstats show 0 for the DA queue, but is
> it normal that the file (inside) is not empty? Because there are still some
> messages in the queue, and if I take one random msg in this file I can see
> that the msg has been transmitted to the backend database.
>
> Thanks,
>
> Ludovic
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, 27 October 2016 20:42
> To: rsyslog-users
> Subject: Re: [rsyslog] Action Queue misunderstanding
>
> disk assisted queues will leave one file in place when they are fully caught
> up (in case there are more files that need to be queued), when you shutdown
> rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.
>
> but the pstats data should show the enqueued size as 0 for the DA version of
> the queue.
>
> when you have a DA queue, it's actually two queues, a memory queue and a disk
> assist queue, they show up separately in the pstats data, and the memory
> queue will fill up before the disk queue starts being used.
>
> David Lang
>
> On Thu, 20 Oct 2016, phrogz wrote:
>
>> Date: 20 Oct 2016 17:42:22 +0200
>> From: phrogz
>> Reply-To: rsyslog-users
>> To: rsyslog@lists.adiscon.com
>> Subject: Re: [rsyslog] Action Queue misunderstanding
>>
>> yes, but normally the queues are cleaned? isn't it?
>>
>> 2016-10-20 17:34 GMT+02:00 phrogz :
>>> Anyway, the logs in the queue files are delivered.
>>
>> So you are happy?
>>>
>>> Thanks,
>>>
>>> Ludovic
Re: [rsyslog] Action Queue misunderstanding
Thanks for the feedback, you're right pstats show 0 for the DA queue, but is it
normal that the file (inside) is not empty? Because there are still some
messages in the queue, and if I take one random msg in this file I can see that
the msg has been transmitted to the backend database.

Thanks,

Ludovic

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, 27 October 2016 20:42
To: rsyslog-users
Subject: Re: [rsyslog] Action Queue misunderstanding

disk assisted queues will leave one file in place when they are fully caught up
(in case there are more files that need to be queued), when you shutdown
rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.

but the pstats data should show the enqueued size as 0 for the DA version of
the queue.

when you have a DA queue, it's actually two queues, a memory queue and a disk
assist queue, they show up separately in the pstats data, and the memory queue
will fill up before the disk queue starts being used.

David Lang

On Thu, 20 Oct 2016, phrogz wrote:

> Date: 20 Oct 2016 17:42:22 +0200
> From: phrogz
> Reply-To: rsyslog-users
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Action Queue misunderstanding
>
> yes, but normally the queues are cleaned? isn't it?
>
> 2016-10-20 17:34 GMT+02:00 phrogz :
>> Anyway, the logs in the queue files are delivered.
>
> So you are happy?
>>
>> Thanks,
>>
>> Ludovic
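As an added illustration of the two-queues-in-one behaviour David describes (this is not configuration from the thread or from the rsyslog project), the following config makes one forwarding action disk-assisted and turns on impstats so the in-memory queue and its disk counterpart can be watched side by side. The collector hostname collector.example.net, the queue name, the watermarks, the size limits and the file paths are assumptions chosen for the example.

```rsyslog
# Added example (not from the thread): a disk-assisted (DA) action queue plus
# impstats. Collector hostname, queue name, limits and paths are assumptions.
global(workDirectory="/var/spool/rsyslog")

module(load="impstats"
       interval="60"             # emit counters every 60 seconds
       log.syslog="off"          # keep the counters out of the syslog stream ...
       log.file="/var/log/rsyslog-stats.log")   # ... and write them to their own file

action(name="fwd-collector" type="omfwd"
       target="collector.example.net" port="514" protocol="tcp"
       queue.type="LinkedList"            # in-memory queue ...
       queue.filename="fwd-collector-q"   # ... made disk-assisted by giving it a file name
       queue.size="100000"
       queue.highWatermark="80000"        # memory part fills to here before the disk part is used
       queue.lowWatermark="20000"         # disk part drains back into memory below this depth
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"          # spill whatever is still in memory to disk on exit
       action.resumeRetryCount="-1")      # keep retrying instead of dropping while the collector is down

# Constructed shape of the two impstats lines this single action produces
# (the counter values are illustrative, not captured output):
#   fwd-collector: origin=core.queue size=0 enqueued=1234 full=0 discarded.full=0 discarded.nf=0 maxqsize=57
#   fwd-collector[DA]: origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 maxqsize=0
# "size" is the current depth; the [DA] line is the disk part of the same queue.
# size=0 on both means nothing undelivered is left, even though one spool file
# remains in workDirectory until a full shutdown (a HUP does not remove it).
```

The check that answers Ludovic's question is the `size` counter on the `[DA]` line, not the presence or byte count of the spool file: rsyslog advances read pointers inside that file rather than rewriting it, so an on-disk file that still contains already-delivered messages is the expected state of a caught-up DA queue.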
Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I was able to reproduce the problem using the logger command from a RH7
> workstation to an rsyslog server running under RH6 so I am fairly certain the
> problem wasn't on the Cisco side.

samples of the raw logs that are being mis-processed would be a huge help.

David Lang

> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo
>> running in production here. It's a very busy server, but from what I can
>> tell I am not dropping any messages. The queues are usually less than 100
>> and return to 0 within 60 seconds. I have had the config in place on my
>> server for 1 month now and it had been working flawlessly until the end of
>> last month. I have included the relevant part of my config inline below,
>> any comments on tuning or help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP. About 20 other
>> hosts are also sending logs hitting this rule. Up through 23:59 9-30-2016
>> all messages that had a tag that contained "ASA-5-111010" were also written
>> to another dynafile, FirewallChangeLog. That's what I wanted to happen,
>> and as I said, it was working flawlessly until the end of last month.
>> Since the calendar flipped over to Oct 1 the logs have not been written to
>> the FirewallChangeLog. In testing, I simulated a log message from my
>> workstation to this rule like so:
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP log;
>> it's only written to the NetworkPerIP log if I don't tag it with the
>> "ASA-5-111010". That's what makes me think I'm hitting a bug in the code
>> somewhere. If I copy this config to a test box running RHEL7 with the same
>> version of rsyslog and same config it seems to work OK. I haven't tried on
>> another RHEL6. I am not hitting the limit of number of open files, it's
>> set to 15,000 and I'm only at 5,000 last I checked. And lastly, rsyslogd
>> -N1 doesn't show any errors. I went ahead and did the upgrade to RHEL7
>> since it was on my list to upgrade anyway and the problem has disappeared.
>
> When I see this sort of thing, I suspect that there is a problem with the
> date format being sent by the ASA, can you send samples of a raw message
> (either output with $rawmsg or use the RSYSLOG_DebugFormat) I would guess
> that instead of Oct 1 it's doing Oct  1 or something odd like that.
>
> You may want to play around with the pmcisco* modules to try and fix up the
> cisco specific oddities that we know about.
>
> David Lang
>
> This message is intended only for the individual or entity to which it is
> addressed. It may contain privileged, confidential information which is
> exempt from disclosure under applicable laws. If you are not the intended
> recipient, you are strictly prohibited from disseminating or distributing
> this information (other than to the intended recipient) or copying this
> information. If you have received this communication in error, please notify
> us immediately by e-mail or by telephone at the above number. Thank you.
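One way to collect the samples David asks for, written here as an added example rather than configuration from the thread or from the rsyslog project: for traffic from the firewall, write both the raw wire message ($rawmsg) and the fully parsed property set (RSYSLOG_DebugFormat) to debug files, and put the Cisco parser module ahead of the standard parsers for that ruleset. The firewall address 192.0.2.10, the /var/log/rsyslog-debug paths and the parser instance name custom.ciscoios are assumptions; the ruleset name and port come from Scot's config.

```rsyslog
# Added example (not from the thread): capture the raw and the parsed form of
# the firewall's messages so the timestamp the ASA actually sends can be seen.
# 192.0.2.10 (firewall address), the debug paths and the parser name are assumed.
module(load="imudp")
module(load="pmciscoios")    # Cisco-style header parser (David's pmcisco* hint)

# %rawmsg% is the message exactly as it arrived on the wire, before parsing.
template(name="RawLine" type="string" string="%rawmsg%\n")

# A parser instance must be declared before a ruleset can reference it.
parser(name="custom.ciscoios" type="pmciscoios")

# Parser chain is per ruleset: try the Cisco parser first, fall back to the
# standard RFC 5424 and RFC 3164 parsers for everything it does not accept.
ruleset(name="Net-1514" parser=["custom.ciscoios", "rsyslog.rfc5424", "rsyslog.rfc3164"]) {
    if $fromhost-ip == "192.0.2.10" then {
        # 1) wire format: shows whether the day arrives as "Oct 1", "Oct  1",
        #    with a year, or in some other shape the parser does not expect
        action(type="omfile" file="/var/log/rsyslog-debug/asa-raw.log"
               template="RawLine")
        # 2) every parsed property (timereported, syslogtag, programname, ...)
        #    for the same message, so raw and parsed lines can be compared
        action(type="omfile" file="/var/log/rsyslog-debug/asa-parsed.log"
               template="RSYSLOG_DebugFormat")
    }
    # the regular dynafile actions from the thread continue here unchanged
}

input(type="imudp" port="1514" ruleset="Net-1514")
```

Compare the two files line by line for one message: if the raw line carries a timestamp the parsed `timereported` does not reproduce, the fault is in parsing rather than in the dynafile templates, and the `%$YEAR%-%$MONTH%-%$DAY%` file names will follow whatever date rsyslog ended up with.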
Re: [rsyslog] Problem with queues configuration
On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up. It
> normally runs 20-30 meg (combined in and out) during the day, bursting as
> high as 90 meg. It has 228 if statements, mostly checking syslogtag, but
> some checking sending hostname, times, etc. To eliminate some processing
> time I changed the higher traffic apps to come in on their own dedicated
> ports so I could bind a much smaller ruleset to the inputs, and everything
> else comes in on the default port. So now the largest number of if
> statements in a ruleset is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that
doesn't seem like an excessive amount of traffic, we should be able to handle
it on a single port. I've run servers handling many GB of logs per day with
rather complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b'
etc.

Can you use dynafiles (especially in combination with the above capabilities)
to set variables that are then used in filenames to output the files in fewer
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
    if ... then {}
    if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions,
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules,
so if you have some very common logs, process them first and then have a stop
action once you know that they aren't going to match anything else in the
config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back :-)
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can
> split the logs on that at the central system rather easily, why split it on
> the sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender
> is just going to mean you have a lot of queues filling up, the order that
> they then drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work? I wasn't sure a config file variable could
>> be used in the action context.
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>         queue.type="LinkedList"
>>         queue.size="5"
>>         queue.maxDiskSpace="1g"
>>         queue.discardmark="45000"
>>         queue.dequeueBatchSize="1024"
>>         queue.filename="fwd-monvsyslog-514"
>>         queue.spoolDirectory="/var/spool/rsyslog"
>>         queue.saveOnShutdown="on"
>>         ){
>>     action(
>>         name="fwd-syslog-collector"
>>         type="omfwd"
>>         Target="monvsyslog "
>>         Port="$!remoteport"
>>         Protocol="tcp"
>>     )
>> }
>>
>> if $syslogtag == 'Ecomm:' then {
>>     set $!remoteport = "1531";
>>     call fwd-centralsyslog-customport
>>     stop
>> }
>>
>> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
>> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>>
>> -----Original Message-----
>> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
>> Sent: Thursday, October 13, 2016 8:52 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Problem with queues configuration
>>
>> sorry, hit wrong key. Here comes the complete message ;)
>>
>> 2016-10-13 14:49 GMT+02:00 Rainer Gerhards:
>> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo :
>>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>> Can you check if the problem persists with the currently supported
>>>>> 8.22.0 version? V7 is very, very old.
>>>>
>>>> I have to make deeper tests, but it seems to work with 8.22.
>>>
>>> I can confirm that is working fine with 8.22.0.
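Putting David's hints together gives the "case on the syslogtag" Scot is asking for in both messages of this thread. The config below is an added example, not configuration from the thread or from the rsyslog project: it handles the highest-volume senders first with an array match and a stop, then maps every remaining tag to a route name with one lookup table, uses that route in a single dynafile template, and nests an extra condition under just one route. The tag names, the table path /etc/rsyslog.d/tagroute.json, the /var/log/remote directory and the listening port are assumptions chosen for illustration.

```rsyslog
# Added example (not from the thread): a "case on the tag" built from the
# hints above. Assumed: the tag names, /etc/rsyslog.d/tagroute.json, /var/log/remote.
module(load="imudp")
module(load="imptcp")

# Assumed contents of /etc/rsyslog.d/tagroute.json, shown as a comment here.
# "nomatch" is what lookup() returns for any tag that is not in the table,
# so unknown senders still get a directory instead of being silently dropped.
#   {
#     "version": 1,
#     "nomatch": "other",
#     "type": "string",
#     "table": [
#       { "index": "sshd",  "value": "auth" },
#       { "index": "sudo",  "value": "auth" },
#       { "index": "named", "value": "dns" }
#     ]
#   }
lookup_table(name="tagroute" file="/etc/rsyslog.d/tagroute.json")

# One dynafile template serves every route: the route selected per message
# becomes the directory, so no per-application action is needed.
template(name="ByRoute" type="string"
         string="/var/log/remote/%$.route%/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="central") {
    # $programname is the tag without PID and trailing colon, so "Ecomm:" and
    # "sshd[1234]:" are matched as "Ecomm" and "sshd".
    # Highest-volume senders first, as one array match, then stop: rules are
    # evaluated in order, so these messages never reach the lookup below.
    if $programname == ["Ecomm", "Billing"] then {
        set $.route = "ecomm";
        action(type="omfile" dynaFile="ByRoute" template="RSYSLOG_TraditionalFileFormat")
        stop
    }

    # Everything else: a single lookup replaces the remaining chain of if statements.
    set $.route = lookup("tagroute", $programname);

    # Nested conditions only where one route needs extra handling, instead of
    # a separate complex filter at the top level.
    if $.route == "auth" then {
        if $msg contains "Failed password" then {
            action(type="omfile" file="/var/log/remote/auth-failures.log"
                   template="RSYSLOG_TraditionalFileFormat")
        }
    }

    action(type="omfile" dynaFile="ByRoute" template="RSYSLOG_TraditionalFileFormat")
    stop
}

input(type="imudp"  port="514" ruleset="central")
input(type="imptcp" port="514" ruleset="central")
```

Adding a new application then means one new line in the JSON table rather than a new if block, action and queue, and because the table is consulted once per message the cost no longer grows with the number of tags the way a chain of 228 comparisons does.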
Re: [rsyslog] help with high CPU usage
After much experimentation I found out that having multiple threads on the network input modules was causing my problems, probably as you said by causing locking issues with the queues. After changing to this:

module(load="imudp" threads="1" timeRequery="8" batchSize="128")
module(load="imptcp" threads="1")

My load is back down to somewhere between .1 and .2.

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com

-Original Message-
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:06 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] help with high CPU usage

On Mon, 10 Oct 2016 15:23:22 +0000, Scot Kreienkamp wrote:

> Hi everyone,
>
> I am troubleshooting a few problems on my rsyslog server, the first of which is high CPU usage. Top -H is showing 100% CPU usage for the imptcp module, and I can't figure out why. It doesn't start out that way when rsyslog is restarted, but after a few minutes it goes right to the top of the list. Can you help direct me as to why the CPU usage is so high for IMPTCP?
>
> Top output showing threads:
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 32670 root 20 0 6161012 204032 2908 R 99.9 1.7 31:57.75 in:imptcp
> 32673 root 20 0 6161012 204032 2908 R 79.4 1.7 21:43.37 in:imptcp
>
> My config is not that complicated, mostly just filtering things to specific logs by tag. I've included the main queue incoming config below, I can post the rest if needed but it's fairly long so I'll defer that unless necessary. I don't seem to have any problems receiving messages, none are being discarded that I'm aware of. Just seems to be high CPU usage.
>
> $umask
> $FileCreateMode 0644
> $DirCreateMode 0755
> $RepeatedMsgReduction off
> $EscapeControlCharactersOnReceive off
> $MaxMessageSize 64k
> $RepeatedMsgReduction off
> $WorkDirectory /var/spool/rsyslog
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $ActionQueueType LinkedList
> $ActionQueueWorkerThreads 2

try removing these two lines, it's counter-intuitive, but having too many threads decreases performance because the extra threads end up fighting for locks on the queue. Also, these queue parameters only apply to the next action, so they are almost certainly not what you want.

> global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" maxMessageSize="64k")
>
> # Provides UDP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imudp.html
> module(load="imudp" threads="1" timeRequery="8" batchSize="128") # needs to be done just once
> #input(type="imudp" port="514")
>
> # Provides TCP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imtcp.html
> module(load="imptcp" threads="1") # needs to be done just once
> #input(type="imptcp" port="514")
>
> module(load="impstats"
>        interval="60"
>        log.syslog="on"
>        resetCounters="on"
>        /* need to turn log stream logging off! */
>        /* log.file="/var/log/rsyslogd.stats" */
> )
>
> main_queue(
>     queue.workerThreadMinimumMessages="5000"
>     queue.discardmark="45000"
>     queue.workerThreads="2"

this will actually function, but after you remove the lines above, try removing this line

>     queue.dequeueBatchSize="2048"
>     queue.spoolDirectory="/var/spool/rsyslog" # where to write on disk
>     queue.fileName="rsyslogmainqueue"
>     queue.maxDiskSpace="5g" # it will stop at this much disk space
>     queue.size="50000" # or this many messages
>     queue.saveOnShutdown="on" # save memory queue contents to disk when rsyslog is exiting
> )

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

This message is intended only for the individual or entity to which it is addressed. It may contain privileged, confidential information which is exempt from disclosure under applicable laws. If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information. If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.
Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
I was able to reproduce the problem using the logger command from a RH7 workstation to an rsyslog server running under RH6 so I am fairly certain the problem wasn't on the Cisco side.

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com

-Original Message-
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:12 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:

> Hi Everyone,
>
> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo running in production here. It's a very busy server, but from what I can tell I am not dropping any messages. The queues are usually less than 100 and return to 0 within 60 seconds. I have had the config in place on my server for 1 month now and it had been working flawlessly until the end of last month. I have included the relevant part of my config inline below, any comments on tuning or help with my problem would be appreciated.
>
> Here's my problem:
>
> Basically, this section of my config is receiving syslogs from an ASA firewall and writing them all to dynafile NetworkPerIP. About 20 other hosts are also sending logs hitting this rule. Up through 23:59 9-30-2016 all messages that had a tag that contained "ASA-5-111010" were also written to another dynafile, FirewallChangeLog. That's what I wanted to happen, and as I said, it was working flawlessly until the end of last month. Since the calendar flipped over to Oct 1 the logs have not been written to the FirewallChangeLog. In testing, I simulated a log message from my workstation to this rule like so:
>
> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"
>
> It was written to the FirewallChangeLog but NOT to the NetworkPerIP log; it's only written to the NetworkPerIP log if I don't tag it with the "ASA-5-111010". That's what makes me think I'm hitting a bug in the code somewhere. If I copy this config to a test box running RHEL7 with the same version of rsyslog and same config it seems to work OK. I haven't tried on another RHEL6. I am not hitting the limit of number of open files, it's set to 15,000 and I'm only at 5,000 last I checked. And lastly, rsyslogd -N1 doesn't show any errors. I went ahead and did the upgrade to RHEL7 since it was on my list to upgrade anyway and the problem has disappeared.

When I see this sort of thing, I suspect that there is a problem with the date format being sent by the ASA, can you send samples of a raw message (either output with $rawmsg or use the RSYSLOG_DebugFormat)

I would guess that instead of "Oct  1" it's doing "Oct 1" or something odd like that.

You may want to play around with the pmcisco* modules to try and fix up the cisco specific oddities that we know about.

David Lang
Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:

> Hi Everyone,
>
> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo running in production here. It's a very busy server, but from what I can tell I am not dropping any messages. The queues are usually less than 100 and return to 0 within 60 seconds. I have had the config in place on my server for 1 month now and it had been working flawlessly until the end of last month. I have included the relevant part of my config inline below, any comments on tuning or help with my problem would be appreciated.
>
> Here's my problem:
>
> Basically, this section of my config is receiving syslogs from an ASA firewall and writing them all to dynafile NetworkPerIP. About 20 other hosts are also sending logs hitting this rule. Up through 23:59 9-30-2016 all messages that had a tag that contained "ASA-5-111010" were also written to another dynafile, FirewallChangeLog. That's what I wanted to happen, and as I said, it was working flawlessly until the end of last month. Since the calendar flipped over to Oct 1 the logs have not been written to the FirewallChangeLog. In testing, I simulated a log message from my workstation to this rule like so:
>
> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"
>
> It was written to the FirewallChangeLog but NOT to the NetworkPerIP log; it's only written to the NetworkPerIP log if I don't tag it with the "ASA-5-111010". That's what makes me think I'm hitting a bug in the code somewhere. If I copy this config to a test box running RHEL7 with the same version of rsyslog and same config it seems to work OK. I haven't tried on another RHEL6. I am not hitting the limit of number of open files, it's set to 15,000 and I'm only at 5,000 last I checked. And lastly, rsyslogd -N1 doesn't show any errors. I went ahead and did the upgrade to RHEL7 since it was on my list to upgrade anyway and the problem has disappeared.

When I see this sort of thing, I suspect that there is a problem with the date format being sent by the ASA, can you send samples of a raw message (either output with $rawmsg or use the RSYSLOG_DebugFormat)

I would guess that instead of "Oct  1" it's doing "Oct 1" or something odd like that.

You may want to play around with the pmcisco* modules to try and fix up the cisco specific oddities that we know about.

David Lang
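One way to collect the samples David asks for, as an added example that is not from the thread and not Scot's configuration: a dedicated ruleset bound to the ASA input writes every message in raw form, and the ones carrying the tag in question also in RSYSLOG_DebugFormat, so the exact timestamp text the sender emits can be compared with what rsyslog parsed from it. Port 1514 and the tag are taken from the thread; the ruleset name and the file paths are assumptions.

```rsyslog
# Added example, not Scot's config. Captures the raw and the parsed view of
# the ASA messages so a date-format oddity can be confirmed or ruled out.

# %rawmsg% is the datagram exactly as received, before any parsing.
template(name="raw-line" type="string" string="%rawmsg%\n")

# Bind the ASA port (from the thread) to its own ruleset (name assumed).
input(type="imudp" port="1514" ruleset="asa-debug")

ruleset(name="asa-debug") {
    # One raw line per message: shows "Oct  1" vs "Oct 1" verbatim.
    action(type="omfile" file="/var/log/asa-raw.log" template="raw-line")

    # For the messages that should hit the change-log rule, also dump every
    # property rsyslog derived (timestamp, hostname, syslogtag, msg) using the
    # built-in debug template, so parsed and raw can be compared line by line.
    if $syslogtag contains "ASA-5-111010" then {
        action(type="omfile" file="/var/log/asa-debug.log"
               template="RSYSLOG_DebugFormat")
    }
}
```

Once the two files show where the parsed timestamp diverges from the raw text, the pmcisco* parser modules David mentions can be loaded on that input only, leaving the other senders on the default parser chain.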
Re: [rsyslog] help with high CPU usage
On Mon, 10 Oct 2016 15:23:22 +0000, Scot Kreienkamp wrote:

> Hi everyone,
>
> I am troubleshooting a few problems on my rsyslog server, the first of which is high CPU usage. Top -H is showing 100% CPU usage for the imptcp module, and I can't figure out why. It doesn't start out that way when rsyslog is restarted, but after a few minutes it goes right to the top of the list. Can you help direct me as to why the CPU usage is so high for IMPTCP?
>
> Top output showing threads:
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 32670 root 20 0 6161012 204032 2908 R 99.9 1.7 31:57.75 in:imptcp
> 32673 root 20 0 6161012 204032 2908 R 79.4 1.7 21:43.37 in:imptcp
>
> My config is not that complicated, mostly just filtering things to specific logs by tag. I've included the main queue incoming config below, I can post the rest if needed but it's fairly long so I'll defer that unless necessary. I don't seem to have any problems receiving messages, none are being discarded that I'm aware of. Just seems to be high CPU usage.
>
> $umask
> $FileCreateMode 0644
> $DirCreateMode 0755
> $RepeatedMsgReduction off
> $EscapeControlCharactersOnReceive off
> $MaxMessageSize 64k
> $RepeatedMsgReduction off
> $WorkDirectory /var/spool/rsyslog
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $ActionQueueType LinkedList
> $ActionQueueWorkerThreads 2

try removing these two lines, it's counter-intuitive, but having too many threads decreases performance because the extra threads end up fighting for locks on the queue. Also, these queue parameters only apply to the next action, so they are almost certainly not what you want.

> global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" maxMessageSize="64k")
>
> # Provides UDP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imudp.html
> module(load="imudp" threads="1" timeRequery="8" batchSize="128") # needs to be done just once
> #input(type="imudp" port="514")
>
> # Provides TCP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imtcp.html
> module(load="imptcp" threads="1") # needs to be done just once
> #input(type="imptcp" port="514")
>
> module(load="impstats"
>        interval="60"
>        log.syslog="on"
>        resetCounters="on"
>        /* need to turn log stream logging off! */
>        /* log.file="/var/log/rsyslogd.stats" */
> )
>
> main_queue(
>     queue.workerThreadMinimumMessages="5000"
>     queue.discardmark="45000"
>     queue.workerThreads="2"

this will actually function, but after you remove the lines above, try removing this line

>     queue.dequeueBatchSize="2048"
>     queue.spoolDirectory="/var/spool/rsyslog" # where to write on disk
>     queue.fileName="rsyslogmainqueue"
>     queue.maxDiskSpace="5g" # it will stop at this much disk space
>     queue.size="50000" # or this many messages
>     queue.saveOnShutdown="on" # save memory queue contents to disk when rsyslog is exiting
> )

David Lang
Re: [rsyslog] Problem with queues configuration
I have one centralized collector, and it was having trouble keeping up. It normally runs 20-30 meg (combined in and out) during the day, bursting as high as 90 meg. It has 228 if statements, mostly checking syslogtag, but some checking sending hostname, times, etc. To eliminate some processing time I changed the higher traffic apps to come in on their own dedicated ports so I could bind a much smaller ruleset to the inputs, and everything else comes in on the default port. So now the largest number of if statements in a ruleset is 49 with many being 15 or less.

My original intent behind the question was not because I was using a large amount of ports, but so I could group everything outbound from the clients into one outbound queue and have something reusable by selecting a new port instead of writing a new ruleset, actions, and queues for every outbound port.

Welcome back :-)

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com

-Original Message-
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 2:49 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

no, you cannot use a variable for a port.

catching up on this, I'm trying to understand why you are using so many different ports. Each message has the original hostname in it, and you can split the logs on that at the central system rather easily, why split it on the sending side to different ports?

If the receiver can't keep up, having lots of different queues on the sender is just going to mean you have a lot of queues filling up, the order that they then drain is rather unpredictable.

David Lang

On Fri, 21 Oct 2016, Scot Kreienkamp wrote:

> Would something like this work? I wasn't sure a config file variable could be used in the action context.
>
> ruleset(name="fwd-centralsyslog-customport"
>         queue.type="LinkedList"
>         queue.size="50000"
>         queue.maxDiskSpace="1g"
>         queue.discardmark="45000"
>         queue.dequeueBatchSize="1024"
>         queue.filename="fwd-monvsyslog-514"
>         queue.spoolDirectory="/var/spool/rsyslog"
>         queue.saveOnShutdown="on"
>         ){
>     action(
>         name="fwd-syslog-collector"
>         type="omfwd"
>         Target="monvsyslog "
>         Port="$!remoteport"
>         Protocol="tcp"
>         )
> }
>
> if $syslogtag == 'Ecomm:' then {
>     set $!remoteport = "1531";
>     call fwd-centralsyslog-customport
>     stop
> }
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 13, 2016 8:52 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> sorry, hit wrong key. Here comes the complete message ;)
>
> 2016-10-13 14:49 GMT+02:00 Rainer Gerhards:
>> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo :
>>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>> Can you check if the problem persists with the currently supported 8.22.0 version? V7 is very, very old.
>>>> I have to make deeper tests, but it seems to work with 8.22.
>>> I can confirm that is working fine with 8.22.0.
>>>
>>> One more question... I have a lot of this rule sending to a remote syslog depending on different conditions. Is there any way to share the queue between all these rules?
>>
>> The way to do this is to use a ruleset. Instead of doing
>>
>> action(name="action1" type="omfwd" queue. ...)
>> action(name="action2" type="omfwd" queue. ...)
>> action(name="action3" type="omfwd" queue. ...)
>>
>> do
>>
>> ruleset(name="fwdtodest" queue. ...) {
>>     action(name="action" type="omfwd" ...) # NO queue params
>> }
>>
>> and replace the action calls with
>>
>> call fwdtodest
>>
>> This will make all actions use the single ruleset queue. Note that you now have a single connection to the destination and thus possibly different timing. But that's probably what you also wanted.
>>
>> HTH
>> Rainer
>>>
>>> --
>>> Angel L. Mateo Martínez
>>> Telematics Section
>>> Information Technologies and Applied Communications Area (ATICA)
>>> http://www.um.es/atica
>>> Tel: 868889150
>>> Fax: 86337
Re: [rsyslog] Assign variable from expression replacement
On Fri, 14 Oct 2016, Rainer Gerhards wrote:

> 2016-10-14 15:12 GMT+02:00 Angel L. Mateo:
>> Hello,
>>
>> I'm trying to assign a variable with a substring of the message. This is my config:
>>
>> set $!myvar = "%msg:R,ERE,1,DFLT:^ *([a-zA-Z]+)(--end%";
>
> This is not a valid expression, but rather a string template. You can use e.g. the re_extract() function. Or -much less performant- use a template and execute it.

what's the performance of calling a small mmnormalize ruleset compared to executing a template?

David Lang
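Both of Rainer's alternatives spelled out, as an added example that is not from the thread and not Angel's configuration. The regular expression is Angel's; the variable and template names, the comparison value and the output file are assumptions. The block goes slightly beyond the thread by showing the extracted value actually being used in a filter.

```rsyslog
# Added example, not from the thread. Extract the first word of the message
# into a variable using Angel's regex "^ *([a-zA-Z]+)".

# Preferred form: re_extract(expression, regex, match, submatch, no-match).
#   match 0    = the first match of the regex in the input
#   submatch 1 = the first capture group, i.e. the word itself
#   ""         = value to assign when the regex does not match
set $!myvar = re_extract($msg, "^ *([a-zA-Z]+)", 0, 1, "");

# Slower alternative: the property replacer's regex option inside a string
# template, executed with exec_template(). Here ERE,1,DFLT means: extended
# regex, submatch 1, and on no match fall back to the default (the whole
# property). Note the --end terminator after the regex.
template(name="firstword" type="string"
         string="%msg:R,ERE,1,DFLT:^ *([a-zA-Z]+)--end%")
set $!firstword = exec_template("firstword");

# Use the extracted value in a filter (comparison value and path assumed).
if $!myvar == "error" then {
    action(type="omfile" file="/var/log/first-word-error.log")
}
```

A difference worth knowing when choosing between the two: with re_extract() a non-matching message leaves $!myvar equal to the fifth argument (here the empty string), whereas the template with DFLT yields the whole of $msg, so a later equality test behaves differently on messages the regex does not match.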
Re: [rsyslog] liblognorm vs grok
On Sat, 8 Oct 2016, Radu Gheorghe wrote:

> That's right, it's not so much about problems as convenience/flexibility. For example, with grok.regex you can specify optional fields right in the middle of the pattern. With liblognorm/mmnormalize I have to repeat that rule with and without that field. If you have 5 of those... you get quite a combinatorial explosion. Maybe this particular one is already possible with liblognorm v2? But anyway, this is just an example. Though I'm looking forward to work [more] with v2 because it seems much more flexible than v1 indeed.

Yep, one of the things you can specify in the v2 language is alternatives, and you can do this either inside a single rule or as a type that you then use in a rule.

v2 is a massive improvement in terms of flexibility compared to v1

David Lang

> --
> Performance Monitoring * Log Analytics * Search Analytics
> Solr & Elasticsearch Support * http://sematext.com/
>
> On Fri, Oct 7, 2016 at 9:56 AM, Rainer Gerhards wrote:
>> Not speaking for Radu, but I think he does not have problems, but Grok rules seem more convenient, and often that's really what they are. That's where custom types come in: if you have a good base set, then it really is not much difference in convenience. Unfortunately we don't have this yet.
>>
>> Rainer
>>
>> Sent from phone, thus brief.
>>
>> On 07.10.2016 18:53 "Joe Blow" wrote:
>>> Hey Radu,
>>>
>>> Long time listener, first time caller :).
>>>
>>> What problems did you have with mmnormalize?
>>>
>>> Cheers,
>>> JB
>>>
>>> On Fri, Oct 7, 2016 at 12:43 PM, Rainer Gerhards wrote:
>>>> Hi Radu
>>>>
>>>> After reading http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html and considering several years have passed, I would like to get some feedback on your experience, to help me choose between raw forwarding messages+logstash or split before forwarding with mmnormalize.
>>>>
>>>> If this decision should've been made today, what would you have chosen?
>>>>
>>>> Of course, everybody is welcome to join the thread.
Re: [rsyslog] Confirmation on disk assisted queue functionality
> I believe I read this somewhere previously, but cannot currently find it. For a Disk Assisted In-Memory queue configuration, messages are pulled off the top of the disk queue, correct? So for a sufficiently busy action queue, messages will be dequeued out of order and delivered to their destination out of order?

When a disk assisted queue is being drained, current messages are delivered first, and then when the queue size drops 'low enough', rsyslog will pull messages from disk and send them.

So yes, the messages will be delivered out of order.

This is only one of the many ways that messages can end up being processed out of order. Rsyslog is multi-threaded, so if you get busy enough to have two threads sending messages, they will each be processing messages independently of each other and this will result in re-ordering of messages.

But even with traditional syslog, UDP packets have been known to get re-ordered over the network, causing logs to arrive out of order. The advanced features of Rsyslog can trigger this in more common cases, but it's a matter of how common this is, not if it happens or not.

David Lang
Re: [rsyslog] I'm back
I was wondering about your silence on the mailing list. Welcome back.

On Oct 28, 2016 12:03 AM, "David Lang" wrote:

> I'm back on my feet, but don't have a new job yet, so I'm getting there.
>
> David Lang
>
> On Thu, 27 Oct 2016, Rainer Gerhards wrote:
>
>> Hi David,
>>
>> welcome back, you have been missed :-)
>>
>> I hope you are doing well again and everything has worked out to your favor!
>>
>> Rainer
>>
>> 2016-10-27 11:10 GMT+02:00 David Lang :
>>
>>> I left my job and broke my ankle the next day and just dropped out of everything for a while.
>>>
>>> The volume of traffic related to rsyslog has been quite significant, which is a good thing, but kept being a "am I really ready to dive back into that" barrier :-)
>>>
>>> It's great to see so many people talking on the list and new active contributors.
>>>
>>> so I'm catching up on things from the last couple of months.
>>>
>>> David Lang
Re: [rsyslog] Problem with queues configuration
no, you cannot use a variable for a port.

catching up on this, I'm trying to understand why you are using so many different ports. Each message has the original hostname in it, and you can split the logs on that at the central system rather easily, why split it on the sending side to different ports?

If the receiver can't keep up, having lots of different queues on the sender is just going to mean you have a lot of queues filling up, the order that they then drain is rather unpredictable.

David Lang

On Fri, 21 Oct 2016, Scot Kreienkamp wrote:

> Would something like this work? I wasn't sure a config file variable could be used in the action context.
>
> ruleset(name="fwd-centralsyslog-customport"
>         queue.type="LinkedList"
>         queue.size="50000"
>         queue.maxDiskSpace="1g"
>         queue.discardmark="45000"
>         queue.dequeueBatchSize="1024"
>         queue.filename="fwd-monvsyslog-514"
>         queue.spoolDirectory="/var/spool/rsyslog"
>         queue.saveOnShutdown="on"
>         ){
>     action(
>         name="fwd-syslog-collector"
>         type="omfwd"
>         Target="monvsyslog "
>         Port="$!remoteport"
>         Protocol="tcp"
>         )
> }
>
> if $syslogtag == 'Ecomm:' then {
>     set $!remoteport = "1531";
>     call fwd-centralsyslog-customport
>     stop
> }
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | | Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
>
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 13, 2016 8:52 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> sorry, hit wrong key. Here comes the complete message ;)
>
> 2016-10-13 14:49 GMT+02:00 Rainer Gerhards:
>> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo :
>>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>> Can you check if the problem persists with the currently supported 8.22.0 version? V7 is very, very old.
>>>> I have to make deeper tests, but it seems to work with 8.22.
>>> I can confirm that is working fine with 8.22.0.
>>>
>>> One more question... I have a lot of this rule sending to a remote syslog depending on different conditions. Is there any way to share the queue between all these rules?
>>
>> The way to do this is to use a ruleset. Instead of doing
>>
>> action(name="action1" type="omfwd" queue. ...)
>> action(name="action2" type="omfwd" queue. ...)
>> action(name="action3" type="omfwd" queue. ...)
>>
>> do
>>
>> ruleset(name="fwdtodest" queue. ...) {
>>     action(name="action" type="omfwd" ...) # NO queue params
>> }
>>
>> and replace the action calls with
>>
>> call fwdtodest
>>
>> This will make all actions use the single ruleset queue. Note that you now have a single connection to the destination and thus possibly different timing. But that's probably what you also wanted.
>>
>> HTH
>> Rainer
>>>
>>> --
>>> Angel L. Mateo Martínez
>>> Telematics Section
>>> Information Technologies and Applied Communications Area (ATICA)
>>> http://www.um.es/atica
>>> Tel: 868889150
>>> Fax: 86337
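Rainer's shared-queue pattern applied to Scot's situation, as an added example that is not from the thread and neither Scot's nor Rainer's configuration. Because omfwd's port cannot be taken from a variable (David's point above), each destination port gets one ruleset that owns the disk-assisted queue and the single omfwd action; every rule that forwards to that port just calls the ruleset, so all of them share one queue and one TCP connection per port. The collector name monvsyslog and the ports 514 and 1531 are from the thread; the ruleset names, the second tag match, the queue sizes and the spool file names are assumptions.

```rsyslog
# Added example, not Scot's or Rainer's config. One queue per destination
# port, shared by every rule that forwards there.

# Ruleset-level queue: all "call"s below enqueue here, and the one omfwd
# action drains it over a single TCP connection to the collector.
ruleset(name="fwd-collector-1531"
        queue.type="LinkedList"
        queue.size="50000"
        queue.maxDiskSpace="1g"
        queue.discardmark="45000"
        queue.dequeueBatchSize="1024"
        queue.filename="fwd-monvsyslog-1531"
        queue.spoolDirectory="/var/spool/rsyslog"
        queue.saveOnShutdown="on") {
    # NO queue.* parameters on the action: a second queue here would only add
    # another hand-off between threads and another lock to fight over.
    action(name="fwd-1531" type="omfwd"
           target="monvsyslog" port="1531" protocol="tcp")
}

# A second port simply gets a second ruleset with its own queue file.
ruleset(name="fwd-collector-514"
        queue.type="LinkedList"
        queue.size="50000"
        queue.maxDiskSpace="1g"
        queue.discardmark="45000"
        queue.dequeueBatchSize="1024"
        queue.filename="fwd-monvsyslog-514"
        queue.spoolDirectory="/var/spool/rsyslog"
        queue.saveOnShutdown="on") {
    action(name="fwd-514" type="omfwd"
           target="monvsyslog" port="514" protocol="tcp")
}

# Many rules, one shared queue per port. 'Ecomm:' is from the thread; the
# 'webapp' tag is a constructed second example.
if $syslogtag == 'Ecomm:' then {
    call fwd-collector-1531
    stop
}
if $syslogtag startswith 'webapp' then {
    call fwd-collector-1531
    stop
}

# Everything that did not stop above goes to the default-port queue.
call fwd-collector-514
```

Two properties of this layout are worth keeping in mind on the sending side: messages for one port are delivered in the order they were enqueued into that one queue, which is more predictable than several action queues draining independently; and when the collector cannot keep up, it is this one queue file per port that fills toward queue.maxDiskSpace, so that figure, not the sum over many action queues, is what the spool directory has to hold.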
Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements
Hmm, when I enter exactly that, I get again:

rsyslogd-2207: error during config processing: STOP is followed by unreachable statements! [v8.16.0 try http://www.rsyslog.com/e/2207 ]

On Thu, 27 Oct 2016 11:35:27 -0700 (PDT), David Lang wrote:

> looking at your original, another way of viewing it is:
>
> :msg, startswith, "Starting Cleanup" stop
> :msg, startswith, "Started Cleanup" stop
> :msg, startswith, "Failed to reset devices.list" {
>    stop
>    stop
> }
>
> it was the last stop that it was complaining about.
>
> David Lang
>
> On Thu, 27 Oct 2016, Saint Germain wrote:
>
>> I have removed all the stops except the one on the last line and it
>> seems to work.
>>
>> Thanks a lot!
>>
>> On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards wrote:
>>
>>> You have stop twice.
>>>
>>> Sent from phone, thus brief.
>>>
>>> On 27.10.2016 1:24 PM, "Saint Germain" wrote:
>>>
>>>> Hello,
>>>>
>>>> Perhaps my previous message went to the spam folders?
>>>> Can someone give me some hints on how to solve the problem
>>>> described below?
>>>>
>>>> Thanks in advance!
>>>>
>>>> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I am using rsyslog 8.16 on Debian Jessie (package is coming from
>>>>> backports) and I have trouble filtering my logs.
>>>>>
>>>>> I wanted to filter out the following logs in /var/log/syslog:
>>>>> systemd[1]: Starting Cleanup of Temporary Directories...
>>>>> systemd[1]: Failed to reset devices.list on /system.slice/systemd-tmpfiles-clean.service: No such file or directory
>>>>> systemd[1]: Started Cleanup of Temporary Directories.
>>>>>
>>>>> I have created a file with the following content in /etc/rsyslog.d:
>>>>> :msg, startswith, "Starting Cleanup" stop
>>>>> :msg, startswith, "Started Cleanup" stop
>>>>> :msg, startswith, "Failed to reset devices.list" stop
>>>>> & stop
>>>>>
>>>>> But each time I start rsyslog I get the following message:
>>>>> rsyslogd-2207: error during config processing: STOP is followed
>>>>> by unreachable statements! [v8.16.0 try http://www.rsyslog.com/e/2207 ]
>>>>>
>>>>> I don't understand what I am doing wrong.
>>>>>
>>>>> Perhaps someone can point me to the mistake?
>>>>>
>>>>> Thanks
Re: [rsyslog] Action Queue misunderstanding
Disk-assisted queues will leave one file in place when they are fully caught up (in case there are more files that need to be queued). When you shut down rsyslog (not a HUP, but a full shutdown), this 'last' queue file will go away.

But the pstats data should show the enqueued size as 0 for the DA version of the queue.

When you have a DA queue, it's actually two queues, a memory queue and a disk-assist queue. They show up separately in the pstats data, and the memory queue will fill up before the disk queue starts being used.

David Lang

On Thu, 20 Oct 2016, phrogz wrote:

> Date: 20 Oct 2016 17:42:22 +0200
> From: phrogz
> Reply-To: rsyslog-users
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Action Queue misunderstanding
>
> yes, but normally the queues are cleaned, isn't it?
>
> 2016-10-20 17:34 GMT+02:00 phrogz:
>
>> Anyway, the logs in the queue files are delivered. So you are happy?
>>
>> Thanks,
>> Ludovic
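To see the two-queue behaviour David describes, the action needs a disk-assisted queue and impstats needs to be loaded so both queues report their counters. The fragment below is an added example, not configuration from the thread or from the rsyslog project; the collector host, port, spool directory and stats file path are assumptions.

```rsyslog
# Added example: a disk-assisted (DA) action queue with impstats enabled.
# Host names, ports and paths are placeholders, not from the thread.

# impstats emits per-object counters; with a DA queue the in-memory queue
# and its disk counterpart appear as separate objects (the disk one carries
# a "[DA]" suffix), so "enqueued" can be watched for each of them.
module(load="impstats"
       interval="60"                 # emit counters every 60 seconds
       severity="7"
       log.syslog="off"              # keep the counters out of the syslog stream...
       log.file="/var/log/rsyslog-stats.log")   # ...and write them to a file instead

# Forward all messages to a (hypothetical) central collector over TCP.
action(type="omfwd"
       target="collector.example.internal" port="6514" protocol="tcp"
       queue.type="LinkedList"                 # in-memory queue...
       queue.filename="fwd_collector"          # ...turned disk-assisted by naming a spool file
       queue.spoolDirectory="/var/spool/rsyslog"
       queue.maxDiskSpace="1g"                 # cap the spool so a dead collector cannot fill the disk
       queue.saveOnShutdown="on"               # flush in-memory entries to disk on a full shutdown
       action.resumeRetryCount="-1")           # retry forever instead of dropping messages
```

Once the collector is reachable again, the disk queue drains and its enqueued count drops to 0 while the spool file itself stays on disk until the daemon is fully stopped, which is the effect the thread is asking about.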
Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements
looking at your original, another way of viewing it is:

:msg, startswith, "Starting Cleanup" stop
:msg, startswith, "Started Cleanup" stop
:msg, startswith, "Failed to reset devices.list" {
   stop
   stop
}

it was the last stop that it was complaining about.

David Lang

On Thu, 27 Oct 2016, Saint Germain wrote:

> I have removed all the stops except the one on the last line and it
> seems to work.
>
> Thanks a lot!
>
> On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards wrote:
>
>> You have stop twice.
>>
>> Sent from phone, thus brief.
>>
>> On 27.10.2016 1:24 PM, "Saint Germain" wrote:
>>
>>> Hello,
>>>
>>> Perhaps my previous message went to the spam folders?
>>> Can someone give me some hints on how to solve the problem
>>> described below?
>>>
>>> Thanks in advance!
>>>
>>> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain wrote:
>>>
>>>> Hello,
>>>>
>>>> I am using rsyslog 8.16 on Debian Jessie (package is coming from
>>>> backports) and I have trouble filtering my logs.
>>>>
>>>> I wanted to filter out the following logs in /var/log/syslog:
>>>> systemd[1]: Starting Cleanup of Temporary Directories...
>>>> systemd[1]: Failed to reset devices.list on /system.slice/systemd-tmpfiles-clean.service: No such file or directory
>>>> systemd[1]: Started Cleanup of Temporary Directories.
>>>>
>>>> I have created a file with the following content in /etc/rsyslog.d:
>>>> :msg, startswith, "Starting Cleanup" stop
>>>> :msg, startswith, "Started Cleanup" stop
>>>> :msg, startswith, "Failed to reset devices.list" stop
>>>> & stop
>>>>
>>>> But each time I start rsyslog I get the following message:
>>>> rsyslogd-2207: error during config processing: STOP is followed by
>>>> unreachable statements! [v8.16.0 try http://www.rsyslog.com/e/2207 ]
>>>>
>>>> I don't understand what I am doing wrong.
>>>>
>>>> Perhaps someone can point me to the mistake?
>>>>
>>>> Thanks
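The cause David spells out is the legacy "&" selector: it applies a further action to the messages matched by the previous filter line, so a filter ending in stop followed by "& stop" is two stops in a row, and rsyslog rejects the second as unreachable. The fragment below is an added example, not configuration posted in the thread or shipped by the rsyslog project; it shows the broken form next to two working forms. The RainerScript version additionally restricts the match to messages from systemd, which the thread does not do; that restriction and the file name in the usage note are assumptions.

```rsyslog
# Added example (not from the thread): filtering the systemd tmpfiles
# noise without tripping rsyslog error 2207.

# Broken: "&" continues the previous filter, so this is "stop" twice and
# the second stop can never run.
#:msg, startswith, "Failed to reset devices.list" stop
#& stop

# Corrected legacy syntax: exactly one stop per filter line.
:msg, startswith, "Starting Cleanup" stop
:msg, startswith, "Started Cleanup" stop
:msg, startswith, "Failed to reset devices.list" stop

# Equivalent RainerScript form. The $programname check is an addition so
# that a message from another program beginning with the same words is not
# discarded. "contains" is used rather than "startswith" because $msg keeps
# the space that follows the "systemd[1]:" tag as its first character.
if $programname == "systemd" and (
     $msg contains "Cleanup of Temporary Directories" or
     $msg contains "Failed to reset devices.list"
   ) then stop
```

Before restarting the daemon, run `rsyslogd -N1`: it parses the full configuration without starting rsyslog and reports error 2207 if any stop is still followed by an unreachable statement, which is a cheaper check than restarting and reading the journal.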
Re: [rsyslog] I'm back
I'm back on my feet, but don't have a new job yet, so I'm getting there.

David Lang

On Thu, 27 Oct 2016, Rainer Gerhards wrote:

> Hi David,
>
> welcome back, you have been missed :-) I hope you are doing well again
> and everything has worked out to your favor!
>
> Rainer
>
> 2016-10-27 11:10 GMT+02:00 David Lang:
>
>> I left my job and broke my ankle the next day and just dropped out of
>> everything for a while.
>>
>> The volume of traffic related to rsyslog has been quite significant, which
>> is a good thing, but kept being an "am I really ready to dive back into
>> that" barrier :-)
>>
>> It's great to see so many people talking on the list and new active
>> contributors.
>>
>> So I'm catching up on things from the last couple of months.
>>
>> David Lang
Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements
I have removed all the stops except the one on the last line and it seems to work.

Thanks a lot!

On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards wrote:

> You have stop twice.
>
> Sent from phone, thus brief.
>
> On 27.10.2016 1:24 PM, "Saint Germain" wrote:
>
>> Hello,
>>
>> Perhaps my previous message went to the spam folders?
>> Can someone give me some hints on how to solve the problem described
>> below?
>>
>> Thanks in advance!
>>
>> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain wrote:
>>
>>> Hello,
>>>
>>> I am using rsyslog 8.16 on Debian Jessie (package is coming from
>>> backports) and I have trouble filtering my logs.
>>>
>>> I wanted to filter out the following logs in /var/log/syslog:
>>> systemd[1]: Starting Cleanup of Temporary Directories...
>>> systemd[1]: Failed to reset devices.list on /system.slice/systemd-tmpfiles-clean.service: No such file or directory
>>> systemd[1]: Started Cleanup of Temporary Directories.
>>>
>>> I have created a file with the following content in /etc/rsyslog.d:
>>> :msg, startswith, "Starting Cleanup" stop
>>> :msg, startswith, "Started Cleanup" stop
>>> :msg, startswith, "Failed to reset devices.list" stop
>>> & stop
>>>
>>> But each time I start rsyslog I get the following message:
>>> rsyslogd-2207: error during config processing: STOP is followed by
>>> unreachable statements! [v8.16.0 try http://www.rsyslog.com/e/2207 ]
>>>
>>> I don't understand what I am doing wrong.
>>>
>>> Perhaps someone can point me to the mistake?
>>>
>>> Thanks
Re: [rsyslog] I'm back
Welcome back David!

R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
"Give instruction to a wise man, and he will be yet wiser : teach a just man, and he will increase in learning." - Proverbs 9:9

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 5:11 AM
To: rsyslog-users
Subject: [rsyslog] I'm back

I left my job and broke my ankle the next day and just dropped out of everything for a while.

The volume of traffic related to rsyslog has been quite significant, which is a good thing, but kept being an "am I really ready to dive back into that" barrier :-)

It's great to see so many people talking on the list and new active contributors.

So I'm catching up on things from the last couple of months.

David Lang
Re: [rsyslog] I'm back
Welcome back! Where are you working now?

Cheers,
JB

Original Message
From: rgerha...@hq.adiscon.com
Sent: October 27, 2016 6:51 AM
To: rsyslog@lists.adiscon.com
Reply-to: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] I'm back

Hi David,

welcome back, you have been missed :-) I hope you are doing well again and everything has worked out to your favor!

Rainer

2016-10-27 11:10 GMT+02:00 David Lang:

> I left my job and broke my ankle the next day and just dropped out of
> everything for a while.
>
> The volume of traffic related to rsyslog has been quite significant, which
> is a good thing, but kept being an "am I really ready to dive back into
> that" barrier :-)
>
> It's great to see so many people talking on the list and new active
> contributors.
>
> So I'm catching up on things from the last couple of months.
>
> David Lang
Re: [rsyslog] I'm back
Hi David,

welcome back, you have been missed :-) I hope you are doing well again and everything has worked out to your favor!

Rainer

2016-10-27 11:10 GMT+02:00 David Lang:

> I left my job and broke my ankle the next day and just dropped out of
> everything for a while.
>
> The volume of traffic related to rsyslog has been quite significant, which
> is a good thing, but kept being an "am I really ready to dive back into
> that" barrier :-)
>
> It's great to see so many people talking on the list and new active
> contributors.
>
> So I'm catching up on things from the last couple of months.
>
> David Lang
Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements
You have stop twice.

Sent from phone, thus brief.

On 27.10.2016 1:24 PM, "Saint Germain" wrote:

> Hello,
>
> Perhaps my previous message went to the spam folders?
> Can someone give me some hints on how to solve the problem described
> below?
>
> Thanks in advance!
>
> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain wrote:
>
>> Hello,
>>
>> I am using rsyslog 8.16 on Debian Jessie (package is coming from
>> backports) and I have trouble filtering my logs.
>>
>> I wanted to filter out the following logs in /var/log/syslog:
>> systemd[1]: Starting Cleanup of Temporary Directories...
>> systemd[1]: Failed to reset devices.list on /system.slice/systemd-tmpfiles-clean.service: No such file or directory
>> systemd[1]: Started Cleanup of Temporary Directories.
>>
>> I have created a file with the following content in /etc/rsyslog.d:
>> :msg, startswith, "Starting Cleanup" stop
>> :msg, startswith, "Started Cleanup" stop
>> :msg, startswith, "Failed to reset devices.list" stop
>> & stop
>>
>> But each time I start rsyslog I get the following message:
>> rsyslogd-2207: error during config processing: STOP is followed by
>> unreachable statements! [v8.16.0 try http://www.rsyslog.com/e/2207 ]
>>
>> I don't understand what I am doing wrong.
>>
>> Perhaps someone can point me to the mistake?
>>
>> Thanks
Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements
Hello,

Perhaps my previous message went to the spam folders?
Can someone give me some hints on how to solve the problem described below?

Thanks in advance!

On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain wrote:

> Hello,
>
> I am using rsyslog 8.16 on Debian Jessie (package is coming from
> backports) and I have trouble filtering my logs.
>
> I wanted to filter out the following logs in /var/log/syslog:
> systemd[1]: Starting Cleanup of Temporary Directories...
> systemd[1]: Failed to reset devices.list on /system.slice/systemd-tmpfiles-clean.service: No such file or directory
> systemd[1]: Started Cleanup of Temporary Directories.
>
> I have created a file with the following content in /etc/rsyslog.d:
> :msg, startswith, "Starting Cleanup" stop
> :msg, startswith, "Started Cleanup" stop
> :msg, startswith, "Failed to reset devices.list" stop
> & stop
>
> But each time I start rsyslog I get the following message:
> rsyslogd-2207: error during config processing: STOP is followed by
> unreachable statements! [v8.16.0 try http://www.rsyslog.com/e/2207 ]
>
> I don't understand what I am doing wrong.
>
> Perhaps someone can point me to the mistake?
>
> Thanks
Re: [rsyslog] I'm back
Welcome back, David. I'm relieved to hear that... :p

*Best regards,*
*chika.tambun*
*"Winning loves preparation"*

On Thu, Oct 27, 2016 at 4:10 PM, David Lang wrote:

> I left my job and broke my ankle the next day and just dropped out of
> everything for a while.
>
> The volume of traffic related to rsyslog has been quite significant, which
> is a good thing, but kept being an "am I really ready to dive back into
> that" barrier :-)
>
> It's great to see so many people talking on the list and new active
> contributors.
>
> So I'm catching up on things from the last couple of months.
>
> David Lang
[rsyslog] I'm back
I left my job and broke my ankle the next day and just dropped out of everything for a while.

The volume of traffic related to rsyslog has been quite significant, which is a good thing, but kept being an "am I really ready to dive back into that" barrier :-)

It's great to see so many people talking on the list and new active contributors.

So I'm catching up on things from the last couple of months.

David Lang