Re: [rsyslog] Are we building an ERK stack?
https://github.com/rsyslog/rsyslog/pull/1099

2016-11-25 16:46 GMT+08:00 mosto...@gmail.com:

> Thanks!
>
> Is your mmdblookup open sourced?
>
> On 25/11/16 at 03:46, chenlin rao wrote:
>
>> re-upload an english version. The content was a little old though.
>>
>> 2016-11-23 22:39 GMT+08:00 mosto...@gmail.com:
>>
>>> http://www.slideshare.net/chenryn/elk-stack-at-weibocom
>>>
>>> I NEED the english version :P

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] omriemann Re: Are we building an ERK stack?
On Wed, Nov 23, 2016 at 1:32 PM, Bob Gregory wrote:

> I can easily enough knock together an omriemann - it's protobuf over TCP or
> UDP. TCP allows for message ack.
>
> There are a couple of C clients that are useful as prior art, and I've
> worked with a bunch of clients in python, haskell and golang.

That would be pretty great! We have been for a couple of years sending messages to Riemann by having omprog start up a Ruby script that basically looks like this:

```
def process_log_entries(io, )
  until io.eof?
    process_log_entry(io.gets.chomp, )
  end
end

require 'riemann/client'
riemann = Riemann::Client.new(host: 'localhost', port: , timeout: 5)
process_log_entries($stdin) do |event|
  riemann << event
end
```

```
action(type="omprog"
       binary="/usr/sbin/omriemann"
       template="omriemann-json"
       queue.type="linkedlist"
       queue.size="5"
       queue.dequeuebatchsize="100"
       queue.filename="riemannqueue"
       queue.highwatermark="4"
       queue.lowwatermark="2"
       queue.maxdiskspace="5g"
       queue.saveonshutdown="on")
```

My understanding is that omprog will create a few of these processes if necessary to keep queues happy. I have certainly seen times when there are a couple of omriemann.rb processes owned by rsyslog!

- Adam Williams
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
I may be confused about which part is on the sender and which part is on the receiver.

sender: a bunch of imfiles forwarded using RELP

receiver: receives a JSON with msg=plain/original message, normalize and extract fields (that should be added to JSON)

each "application" should define his own rules, and sometimes even transform the JSON after that (seems that the hard part)

# Is addMetadata="on" needed in order to use $!metadata!filename?

the easiest thing is to try it :-)

I'm going to create an issue for double checking...can't handle this while editing documentation!

adding fields you may be able to do with the ammend= capabilities in the ruleset

if you don't want a field to be reported, give it the name '-' in the ruleset.

unfortunately, you can't rename fields or copy fields in the ruleset.

So: each application having one .conf file copied to rsyslog.d/ with the required steps it's the only way? Perhaps something like:

*app1.conf*

```
if $!group == "group" and $!app == "app1" then {
    # and here's an example on when to use inline rules
    # https://github.com/rsyslog/rsyslog/issues/625
    # an inline rule here will make it possible to have
    # just 1 config file per app, instead of 2
    action(type="mmnormalize" rulebase=:/rule-for-app1.fb")
    if $parsesuccess then {
        # do additional steps, transforms and whatever you want
        # call foo
    }
    call index
    stop
}
```
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
On Fri, 25 Nov 2016, mosto...@gmail.com wrote:

string="<%pri%>%timestamp:::date-rfc3339% %hostname% logs/$!data!group/$!data!app: %$!data%")

to be fully correct

Done.

also watch out, the programname is limited to 32 characters, don't let your group and app names get too long.

Wasn't it possible to change that? IIRC we had some issues with hostnames/tags being too long and were able to handle longer. Anyway, we'll try to stay within boundaries.

since you changed the programname to be logs/group/app this would be field 3

Are you sure? *ruleset apps* is invoked for each input using TAG=group/app, and AFTER that ruleset relp uses template json, which prefix "logs/"

I may be confused about which part is on the sender and which part is on the receiver.

# Is addMetadata="on" needed in order to use $!metadata!filename?

I think so.

As I'm double checking everything while updating docs, I would love to have a more confident statement on this. Rainer?

the easiest thing is to try it :-)

correct, although mmjsonparse defaults to needing @cee: in front of the json, so the line below needs to be changed to:

module(load="mmjsonparse" cookie="")

I forgot! Nice catch (...I'll have to check if cookie goes in module or action...)

it should be action, sorry

# Once all operations have ended, it should be indexed
# Is there any way apps not only define rules, but additional transformations?
# I guess having a .conf file with if+ruleset could work...

no, the mmnormalize ruleset cannot apply any transformations. I would probably try to do that on the sending side if I could.

That's why I played with rulesets to make something like

a.conf
    normalize
    add some fields
b.conf
    normalize
c.conf
    normalize
    remove some fields

That would make the combination script behave differently

adding fields you may be able to do with the ammend= capabilities in the ruleset

if you don't want a field to be reported, give it the name '-' in the ruleset.

unfortunately, you can't rename fields or copy fields in the ruleset.

# It is possible to use $!index here? Workaround?

this is what dynsearchindex and dynparent are for.

so: dynSearchIndex="on" searchIndex="mytemplate" and template="$!index", right?

yep.

# How could EACH app specify his own index pattern?

they can't directly, but the template can be "%$.manual%" and you use rainerscript commands to set $.manual to whatever you want it to be (another good use for a lookup table if it's complex enough ;-)

I didn't understand this...but having each app.conf file could also work.

you can do

set ...
set ...
action()

but not

action(set)

set is a statement, action is a statement. Action takes parameters, but not statements inside the ()

David Lang
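The per-application index selection described in the message above (set statements placed before the action, `dynSearchIndex="on"`, and an index template that expands `$.manual`), written out as an added example that is not part of the original thread. The ruleset name `index` and the `json` template follow the thread; the template name `es-index`, the app name `app2` and the index prefixes are assumptions.

```rsyslog
# Added example, not from the original thread.
module(load="omelasticsearch")

# Document body: the whole JSON tree, as in the thread's "json" template.
template(name="json" type="string" string="%$!%")

# Index name: expands the local variable that the ruleset sets below.
# "es-index" is an assumed template name.
template(name="es-index" type="string" string="%$.manual%")

ruleset(name="index") {
    # Default: one index per day.
    # set is a statement, ends in ';' and goes before action(),
    # never inside its parentheses.
    set $.manual = "logs_" & $$year & "-" & $$month & "-" & $$day;

    # Per-app override (the app name is an assumption): one index per hour.
    # Both branches build the name from fixed prefixes and system date
    # properties, so text supplied by a sender never ends up in the index name.
    if $!app == "app2" then {
        set $.manual = "app2_" & $$year & "-" & $$month & "-" & $$day & "-" & $$hour;
    }

    # dynSearchIndex="on" makes searchIndex the name of a template
    # instead of a literal index name.
    action(
        type="omelasticsearch"
        template="json"
        dynSearchIndex="on"
        searchIndex="es-index"
    )
}
```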
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
string="<%pri%>%timestamp:::date-rfc3339% %hostname% logs/$!data!group/$!data!app: %$!data%")

to be fully correct

Done.

also watch out, the programname is limited to 32 characters, don't let your group and app names get too long.

Wasn't it possible to change that? IIRC we had some issues with hostnames/tags being too long and were able to handle longer. Anyway, we'll try to stay within boundaries.

since you changed the programname to be logs/group/app this would be field 3

Are you sure? *ruleset apps* is invoked for each input using TAG=group/app, and AFTER that ruleset relp uses template json, which prefix "logs/"

# Is addMetadata="on" needed in order to use $!metadata!filename?

I think so.

As I'm double checking everything while updating docs, I would love to have a more confident statement on this. Rainer?

it's probably a good idea to put stop here to make it clear that you don't intend for there to be any other processing of the log message. With the input bound to a ruleset, I don't think it makes a difference, but better to be explicit.

Done

correct, although mmjsonparse defaults to needing @cee: in front of the json, so the line below needs to be changed to:

module(load="mmjsonparse" cookie="")

I forgot! Nice catch (...I'll have to check if cookie goes in module or action...)

yes, the script can either populate the rules file with includes, or just combine them into one file (probably faster at startup to have them combined, but it may not be measurable)

I'll combine them (if able)

# Once all operations have ended, it should be indexed
# Is there any way apps not only define rules, but additional transformations?
# I guess having a .conf file with if+ruleset could work...

no, the mmnormalize ruleset cannot apply any transformations. I would probably try to do that on the sending side if I could.

That's why I played with rulesets to make something like

a.conf
    normalize
    add some fields
b.conf
    normalize
c.conf
    normalize
    remove some fields

That would make the combination script behave differently

# It is possible to use $!index here? Workaround?

this is what dynsearchindex and dynparent are for.

so: dynSearchIndex="on" searchIndex="mytemplate" and template="$!index", right?

# How could EACH app specify his own index pattern?

they can't directly, but the template can be "%$.manual%" and you use rainerscript commands to set $.manual to whatever you want it to be (another good use for a lookup table if it's complex enough ;-)

I didn't understand this...but having each app.conf file could also work.

The background idea is to combine this with "dynamic configuration reload" to be able to change "an application pipeline"

This is looking pretty good now. Thanks.

I think the same! Seems next pending issue is to solve "each application can do different things, like adding his own index pattern or additional transforms/steps" in his config file.
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
On Fri, 25 Nov 2016, mosto...@gmail.com wrote:

> Date: Fri, 25 Nov 2016 11:22:08 +0100
> From: "mosto...@gmail.com"
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: Re: [rsyslog] mmnormalize with mutiple input: conditionals?
>
> What about...?
>
> *remote.conf* (Please, notice there are commented questions)
>
> global(
>     MaxMessageSize="32k"
> )
> template(name="json" type="string"
>     string="%timestamp:::date-rfc3339% %hostname% logs/$!data!group/$!data!app %$!data%")

change this to:

string="<%pri%>%timestamp:::date-rfc3339% %hostname% logs/$!data!group/$!data!app: %$!data%")

to be fully correct

also watch out, the programname is limited to 32 characters, don't let your group and app names get too long.

> module(load="omrelp")
> ruleset(name="relp"){
>     action(
>         port="20514"
>         # It is possible to use $!server here? Workaround?
>         target="server"
>         template="json"
>         type="omrelp"
>     )
> }
> ruleset(name="apps") {
>     set $!data!app=field($programname,"/",2);

since you changed the programname to be logs/group/app this would be field 3

>     # Is addMetadata="on" needed in order to use $!metadata!filename?

I think so.

>     set $!data!file="$!metadata!filename";
>     set $!data!group=field($programname,"/",1);

as per above, field 2

>     set $!data!msg=$msg;
>     call relp

it's probably a good idea to put stop here to make it clear that you don't intend for there to be any other processing of the log message. With the input bound to a ruleset, I don't think it makes a difference, but better to be explicit.

> }
> input(type="imfile"
>     file="/logs/apps/app1/app1.log"
>     tag="mygroup/myapp1"
>     addMetadata="on"
>     ruleset="apps"
>     startmsg.regex="^[[:digit:]]{2} [[:alpha:]]{3} [[:digit:]]{4}"
>     readTimeout="5"
>     PersistStateInterval="1")
> ...
> input(type="imfile"
>     file="/logs/apps/anotherapp/file.log"
>     tag="anothergroup/anotherapp"
>     addMetadata="on"
>     ruleset="apps"
>     readTimeout="5"
>     PersistStateInterval="1")
>
> *rsyslog.conf* (Please, notice there are commented questions)
>
> global(
>     MaxMessageSize="32k"
>     parser.escapeControlCharactersOnReceive="off"
> )
> # Message is parsed as json on receive, to be able to use $!whatever field, right?

correct, although mmjsonparse defaults to needing @cee: in front of the json, so the line below needs to be changed to:

module(load="mmjsonparse" cookie="")

> module(load="mmjsonparse")
> ruleset(name="json"){
>     action(
>         type="mmjsonparse"
>     )
> }
> module(load="imrelp")
> input(
>     name="imrelp"
>     port="20514"
>     type="imrelp"
>     ruleset="json"
> )
> set $.line = $!group $!app + " " + $!msg;
> action(
>     type="mmnormalize"
>     variable="$.line"
>     # As I don't know the list of apps,
>     # the only way to combine all rules is an script
>     # isn't it?

yes, the script can either populate the rules file with includes, or just combine them into one file (probably faster at startup to have them combined, but it may not be measurable)

>     rulebase=:/path/to/combined/rules.fb"
> )
> # IIUC, messages will be processed by above rule
> # AFTER that, they will be processed by the following, right?

yes

> if message contains "ip" field then {
>     # TODO lookup_table
> }
> # Once all operations have ended, it should be indexed
> # Is there any way apps not only define rules, but additional transformations?
> # I guess having a .conf file with if+ruleset could work...

no, the mmnormalize ruleset cannot apply any transformations. I would probably try to do that on the sending side if I could.

> template(name="json" type="string" string="%$!%")
> module(load="omelasticsearch")
> action(
>     template="json"
>     type="omelasticsearch"
>     # It is possible to use $!index here? Workaround?

this is what dynsearchindex and dynparent are for.

>     # How could EACH app specify his own index pattern?

they can't directly, but the template can be "%$.manual%" and you use rainerscript commands to set $.manual to whatever you want it to be (another good use for a lookup table if it's complex enough ;-)

>     # set $!index="$!app2_$$year-$$month-$$day"
>     # set $!index="$!app2_$$year-$$month-$$day-$$hour"

set statements can't be inside an action() statement, they would go before it. also, set statements end in ';'

>     searchIndex="$!index"
> )
>
> The background idea is to combine this with "dynamic configuration reload" to be able to change "an application pipeline"

This is looking pretty good now.

> Thanks a lot for your help. I'll contribute as much as I can in exchange ;)

that's how I got into this.

David Lang
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
What about...?

*remote.conf* (Please, notice there are commented questions)

```
global(
    MaxMessageSize="32k"
)
template(name="json" type="string"
    string="%timestamp:::date-rfc3339% %hostname% logs/$!data!group/$!data!app %$!data%")
module(load="omrelp")
ruleset(name="relp"){
    action(
        port="20514"
        # It is possible to use $!server here? Workaround?
        target="server"
        template="json"
        type="omrelp"
    )
}
ruleset(name="apps") {
    set $!data!app=field($programname,"/",2);
    # Is addMetadata="on" needed in order to use $!metadata!filename?
    set $!data!file="$!metadata!filename";
    set $!data!group=field($programname,"/",1);
    set $!data!msg=$msg;
    call relp
}
input(type="imfile"
    file="/logs/apps/app1/app1.log"
    tag="mygroup/myapp1"
    addMetadata="on"
    ruleset="apps"
    startmsg.regex="^[[:digit:]]{2} [[:alpha:]]{3} [[:digit:]]{4}"
    readTimeout="5"
    PersistStateInterval="1")
...
input(type="imfile"
    file="/logs/apps/anotherapp/file.log"
    tag="anothergroup/anotherapp"
    addMetadata="on"
    ruleset="apps"
    readTimeout="5"
    PersistStateInterval="1")
```

*rsyslog.conf* (Please, notice there are commented questions)

```
global(
    MaxMessageSize="32k"
    parser.escapeControlCharactersOnReceive="off"
)
# Message is parsed as json on receive, to be able to use $!whatever field, right?
module(load="mmjsonparse")
ruleset(name="json"){
    action(
        type="mmjsonparse"
    )
}
module(load="imrelp")
input(
    name="imrelp"
    port="20514"
    type="imrelp"
    ruleset="json"
)
set $.line = $!group $!app + " " + $!msg;
action(
    type="mmnormalize"
    variable="$.line"
    # As I don't know the list of apps,
    # the only way to combine all rules is an script
    # isn't it?
    rulebase=:/path/to/combined/rules.fb"
)
# IIUC, messages will be processed by above rule
# AFTER that, they will be processed by the following, right?
if message contains "ip" field then {
    # TODO lookup_table
}
# Once all operations have ended, it should be indexed
# Is there any way apps not only define rules, but additional transformations?
# I guess having a .conf file with if+ruleset could work...
template(name="json" type="string" string="%$!%")
module(load="omelasticsearch")
action(
    template="json"
    type="omelasticsearch"
    # It is possible to use $!index here? Workaround?
    # How could EACH app specify his own index pattern?
    # set $!index="$!app2_$$year-$$month-$$day"
    # set $!index="$!app2_$$year-$$month-$$day-$$hour"
    searchIndex="$!index"
)
```

The background idea is to combine this with "dynamic configuration reload" to be able to change "an application pipeline"

Thanks a lot for your help. I'll contribute as much as I can in exchange ;)
Re: [rsyslog] rsyslog fails to start due to high queue
I will point out that no matter what software you run, you will eventually run into a case like this where the distro packages break for you, and you are faced with the need to run non-standard packages to work around a bug.

As Rainer points out, if you aren't willing to compile your own version, even if he were to find that the bug was not fixed in the latest version, and create a fix for it, you still wouldn't be able to use the fix.

David Lang

On Fri, 25 Nov 2016, Kosta Psimoulis wrote:

> Thank you very much guys for your support, right now I have a much better picture of what is going on.
>
> I am aware how to build from source but this would be something difficult to maintain, I would probably need to create a custom repo. I think I have enough information right now to reconsider and evaluate a business decision whether to use rsyslog or look for another solution.
>
> I have some queue files that I can recover and rebuild with the information you have given but I am still not sure of how they got corrupted and what happened to the ones that were in memory, was everything saved on the hard drive or was there information that was lost.
>
> Kind Regards,
> Kosta
>
> On Fri, Nov 25, 2016 at 3:42 AM, David Lang wrote:
>
>> On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
>>
>>>> TBH, it depends if you prefer building from source or instability
>>>> Kidding away, I know there are problems in older versions, they are
>>>
>>> Isn't adiscon repo valid?
>>
>> It looks like we don't have a repo for Jessie, at least it's not included in the scripts/config.sh for rsyslog-pkg-debian
>>
>> This probably also means we don't have a Travis test box running Jessie.
>>
>> Packages for Wheezy will probably work (the only thing I can think of that would be likely to break is gnutls related dependencies)
>>
>> David Lang
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
On Fri, 25 Nov 2016, David Lang wrote:

> On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
>
>> After sleeping on it, I'm still thinking about "defining a separate pipeline for each application".
>>
>> To sum up, each application could do his own thing and return the message to the queue, in order to be processed by other modules...until it's done, and indexed into ES
>>
>> Is there a way to put the already processed message into the input queue to be processed again by another *sibling* modules?
>>
>> input-> queue -> app <- -> geoip <- -> index
>
> that's exactly what a message modification module (mm*) does, it changes the messages in the queue so that things after them in the config see the modified version.

you can also simulate it by having separate rulesets all call one common ruleset, but that's really not merging the work back into one flow, it's just executing the same code in many different flows.

Also, rsyslog really isn't structured to support per-application pipelines the way you are thinking of them. While you could simulate them, they are a bad fit for how rsyslog actually works, and as a result, your performance and resource usage will be substantially sub-optimal.

David Lang
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
On Fri, 25 Nov 2016, mosto...@gmail.com wrote:

> After sleeping on it, I'm still thinking about "defining a separate pipeline for each application".
>
> To sum up, each application could do his own thing and return the message to the queue, in order to be processed by other modules...until it's done, and indexed into ES
>
> Is there a way to put the already processed message into the input queue to be processed again by another *sibling* modules?
>
> input-> queue -> app <- -> geoip <- -> index

that's exactly what a message modification module (mm*) does, it changes the messages in the queue so that things after them in the config see the modified version.

David Lang
Re: [rsyslog] rsyslog fails to start due to high queue
Against Rainer's advice, we are using adiscon repos and we're quite happy with them...

On 25/11/16 at 09:59, Kosta Psimoulis wrote:

> Thank you very much guys for your support, right now I have a much better picture of what is going on.
>
> I am aware how to build from source but this would be something difficult to maintain, I would probably need to create a custom repo. I think I have enough information right now to reconsider and evaluate a business decision whether to use rsyslog or look for another solution.
>
> I have some queue files that I can recover and rebuild with the information you have given but I am still not sure of how they got corrupted and what happened to the ones that were in memory, was everything saved on the hard drive or was there information that was lost.
>
> Kind Regards,
> Kosta
>
> On Fri, Nov 25, 2016 at 3:42 AM, David Lang wrote:
>
>> On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
>>
>>>> TBH, it depends if you prefer building from source or instability
>>>> Kidding away, I know there are problems in older versions, they are
>>>
>>> Isn't adiscon repo valid?
>>
>> It looks like we don't have a repo for Jessie, at least it's not included in the scripts/config.sh for rsyslog-pkg-debian
>>
>> This probably also means we don't have a Travis test box running Jessie.
>>
>> Packages for Wheezy will probably work (the only thing I can think of that would be likely to break is gnutls related dependencies)
>>
>> David Lang
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
After sleeping on it, I'm still thinking about "defining a separate pipeline for each application".

To sum up, each application could do his own thing and return the message to the queue, in order to be processed by other modules...until it's done, and indexed into ES

Is there a way to put the already processed message into the input queue to be processed again by another *sibling* modules?

input-> queue -> app <- -> geoip <- -> index

Regards
Re: [rsyslog] rsyslog fails to start due to high queue
Thank you very much guys for your support, right now I have a much better picture of what is going on.

I am aware how to build from source but this would be something difficult to maintain, I would probably need to create a custom repo. I think I have enough information right now to reconsider and evaluate a business decision whether to use rsyslog or look for another solution.

I have some queue files that I can recover and rebuild with the information you have given but I am still not sure of how they got corrupted and what happened to the ones that were in memory, was everything saved on the hard drive or was there information that was lost.

Kind Regards,
Kosta

On Fri, Nov 25, 2016 at 3:42 AM, David Lang wrote:

> On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
>
>>> TBH, it depends if you prefer building from source or instability
>>> Kidding away, I know there are problems in older versions, they are
>>
>> Isn't adiscon repo valid?
>
> It looks like we don't have a repo for Jessie, at least it's not included
> in the scripts/config.sh for rsyslog-pkg-debian
>
> This probably also means we don't have a Travis test box running Jessie.
>
> Packages for Wheezy will probably work (the only thing I can think of that
> would be likely to break is gnutls related dependencies)
>
> David Lang
Re: [rsyslog] Are we building an ERK stack?
Thanks!

Is your mmdblookup open sourced?

On 25/11/16 at 03:46, chenlin rao wrote:

> re-upload an english version. The content was a little old though.
>
> 2016-11-23 22:39 GMT+08:00 mosto...@gmail.com:
>
>> http://www.slideshare.net/chenryn/elk-stack-at-weibocom
>>
>> I NEED the english version :P
Re: [rsyslog] rsyslog fails to start due to high queue
On Fri, 25 Nov 2016, mosto...@gmail.com wrote:

>> TBH, it depends if you prefer building from source or instability
>> Kidding away, I know there are problems in older versions, they are
>
> Isn't adiscon repo valid?

It looks like we don't have a repo for Jessie, at least it's not included in the scripts/config.sh for rsyslog-pkg-debian

This probably also means we don't have a Travis test box running Jessie.

Packages for Wheezy will probably work (the only thing I can think of that would be likely to break is gnutls related dependencies)

David Lang
Re: [rsyslog] rsyslog fails to start due to high queue
2016-11-25 9:38 GMT+01:00 mosto...@gmail.com:
>
>> TBH, it depends if you prefer building from source or instability
>> Kidding away, I know there are problems in older versions, they are
>
> Isn't adiscon repo valid?

We don't have everything. Too few contributors :-(

Rainer
Re: [rsyslog] rsyslog fails to start due to high queue
> TBH, it depends if you prefer building from source or instability
> Kidding away, I know there are problems in older versions, they are

Isn't adiscon repo valid?
Re: [rsyslog] rsyslog fails to start due to high queue
On Fri, 25 Nov 2016, Kosta Psimoulis wrote:

> Hello Rainer,
>
> Thank you for your honest answer, so you are basically saying that the queue will be lost ? I thought that my current version of rsyslog was stable enough, I guess I was wrong, in that case I will try a different queue system. I am sending a little bit extra debugging information, please let me know if you see anything useful and if you believe that this issue was fixed in 8.23

we do believe that it is fixed in the current version. Unfortunately, you aren't running the current version. 8.4 is rather old, and even 8.16 is prior to some very substantial reliability fixes, including several that caused segfaults.

In the short term, move the queue files to another directory and see if rsyslog starts. If so, we can look at trying to fix the queue files (there is a command that will rebuild the .qi file from the raw queue files, that may solve your issues).

with the exception of encryption, the packages for wheezy should have no problems running on Jessie (although I agree that after a year we should be providing a Jessie repo, nobody called it to our attention, so we missed it)

Unfortunately, due to manpower limits, we (the community) can only support the most recent release of rsyslog, we can't do backports of fixes (although that is an option for people who get paid support). We tried to do that sort of thing and the project almost died under the load.

When you rely on the distro provided versions instead of the upstream releases, it's on the basis that the distro is providing support for them. If the distro isn't providing support for a bug that you are running into, you need to look at shifting to the upstream version. Sometimes this is going to require that you maintain your own version of the package, built from source (to apply a fix, or because you need a compile-time option that's not in the default packages, or to use a new feature)

The number of fixes since 8.16 (let alone 8.4) is huge, trying to backport them all, without backporting the other features added would probably result in a less reliable system than just running the latest 8.24 version.

IIRC, 8.16 was the last release before we started using libfastjson, and part of the reason why Debian hasn't picked up the newer versions, even into backports, is concerns over long-term maintenance of libfastjson. But it fixed so many errors that were killing people's systems that we really need to shift.

In theory, you should be able to clone the source git repos, and the rsyslog-pkg-debian repo and in the rsyslog-pkg-debian repo under scripts/config.sh add Jessie to the distro list and everything should work. We just haven't tested it yet (and yes, there is a bit more to getting this going, contact me off-list and I'll pass along the build scripts I put together for ubuntu, they should work almost the same on Debian)

David Lang
Re: [rsyslog] rsyslog fails to start due to high queue
2016-11-25 9:16 GMT+01:00 Kosta Psimoulis:
> Thank you for your honest answer, so you are basically saying that the
> queue will be lost ?

There is this little tool:

https://github.com/rsyslog/rsyslog/blob/master/tools/recover_qi.pl

It works for your version as well and, depending on what is wrong, it can fix the queue files. Worth a try.

> I thought that my current version of rsyslog was
> stable enough, I guess I was wrong, in that case I will try a different
> queue system.

Well, as always in life: things are deemed stable unless someone finds it isn't the case. Then those things are fixed and we go back to think "we are stable" unless... That's a large part of why new releases happen, and that's part of the frequent release philosophy in open source.

> I am sending a little bit extra debugging information, please
> let me know if you see anything useful and if you believe that this issue
> was fixed in 8.23

It's indeed interesting, as it may point into a bug that was fixed in librelp (I barely remember there was something). Unfortunately, I have made it my policy to NEVER AGAIN look at old versions for fixing bugs. I have done so in the past, and wasted months of my life, because in 95% of the cases it turned out I hunted for a bug that was long fixed. So I only do this if I am actually paid for the pain, via an Adiscon support contract.

I am NOT trying to get money out of you, and I understand that you do not like to upgrade or are even unable to do so. But again, time is very limited, I have a large TODO list and year-long experience has proven that hunting bugs in old code bases is fruitless. Even more so if after hours I discover it's already fixed AND you need to apply a code patch, what you don't want to do / are not permitted to do in the first place. Which means the effort was fruitless and wasteful for everyone involved (yes, this *is* *practical* *experience*, more than once).

So the first filter in open source development for me is: if the user (or his org) is unwilling to update to current, there is no point in looking at something that might even remotely be a bug.

I hope for your understanding.
Rainer
Re: [rsyslog] Are we building an ERK stack?
No, I don't detect them, just capture them with a special regexp because I only need to process PHP slowlog, in which the memory addr appears at the beginning: `\[0x\w+\]`...

The use case for slow functions stack without mem addrs can be found at the slide 25 (pie charts for nested sub terms aggs).

2016-11-25 15:39 GMT+08:00 Rainer Gerhards:
> 2016-11-25 8:26 GMT+01:00 chenlin rao :
> > - rewrite most of mmgrok into mmnormalize+rainerscript. Except PHP slowlog
> > only. We want to translate the memory address of each line into "x",
> > but seems can't be done in rsyslog, so a mmexternal here.
>
> focussed question: how exactly do you detect memory address? I ask
> because there is mmanon, which does something similar to IP
> addresses, and I *think* it could be extended to other objects if only
> we know precisely what to look for and how to transform it.
>
> Rainer
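The address masking described in the message above, as an added example that is not part of the original post or of rsyslog's own code. The function names, the constructed sample entries, and the one-message-per-line stdin loop with a JSON reply (modelled on the external message-modification interface) are assumptions; only the `\[0x\w+\]` pattern and the "x" replacement come from the thread.

```python
import json
import re
import sys

# Pattern quoted in the message above: the bracketed address that opens
# each stack line of a PHP slowlog entry.
ADDR_RE = re.compile(r"\[0x\w+\]")

# Constructed sample entries (not from the thread): the same slow call path
# logged twice, differing only in timestamp, pid and frame addresses.
SAMPLE_A = (
    "[25-Nov-2016 15:39:01]  [pool www] pid 1201\n"
    "script_filename = /var/www/app/index.php\n"
    "[0x00007fa3b2c14d58] curl_exec() /var/www/app/lib/http.php:42\n"
    "[0x00007fa3b2c14c30] fetch() /var/www/app/index.php:10\n"
)
SAMPLE_B = (
    "[25-Nov-2016 15:41:17]  [pool www] pid 1377\n"
    "script_filename = /var/www/app/index.php\n"
    "[0x00007f9c1c0141a8] curl_exec() /var/www/app/lib/http.php:42\n"
    "[0x00007f9c1c014088] fetch() /var/www/app/index.php:10\n"
)


def mask_addresses(text, placeholder="x"):
    """Replace every bracketed 0x... token with the placeholder."""
    return ADDR_RE.sub(placeholder, text)


def stack_frames(entry):
    """Return the address-free stack lines of one entry, top frame first.

    With the per-request addresses gone, identical call paths yield
    identical strings, which is what a terms aggregation needs.
    """
    frames = []
    for line in entry.splitlines():
        if ADDR_RE.match(line):  # only stack lines start with [0x...]
            frames.append(ADDR_RE.sub("", line, count=1).strip())
    return frames


def reply_for(msg):
    """Build the JSON reply for one message; {} means 'leave unchanged'.

    Assumption: the caller accepts a {"msg": ...} object as the new text.
    """
    masked = mask_addresses(msg)
    return json.dumps({"msg": masked} if masked != msg else {})


def main(stdin=sys.stdin, stdout=sys.stdout):
    # Assumption: one message per input line, one JSON reply per output line.
    for line in stdin:
        stdout.write(reply_for(line.rstrip("\n")) + "\n")
        stdout.flush()  # the caller waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```
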
Re: [rsyslog] rsyslog fails to start due to high queue
Hello Rainer,

Thank you for your honest answer, so you are basically saying that the queue will be lost ? I thought that my current version of rsyslog was stable enough, I guess I was wrong, in that case I will try a different queue system. I am sending a little bit extra debugging information, please let me know if you see anything useful and if you believe that this issue was fixed in 8.23

Kind Regards,
Kosta

1388.716086990:action 3 queue[DA]:Reg/w0: in destructor: sendbuf 0xada9030
1388.716159868:action 3 queue[DA]:Reg/w0: relp engine is dispatching frame with command 'rsp'
1388.716530324:action 3 queue[DA]:Reg/w0: relpSessWaitState returns 10019
1388.718355599:action 3 queue[DA]:Reg/w0: in destructor: sendbuf 0xada9570
1388.719729919:action 3 queue[DA]:Reg/w0: relp engine created new client 0xadae250
1388.719865043:action 3 queue[DA]:Reg/w0: omrelp: endTransaction
==16816== Thread 2 rs:action 3 queue[DA]:R:
==16816== Invalid read of size 8
==16816==    at 0x76FEE94: relpCltHintBurstEnd (in /usr/lib/x86_64-linux-gnu/librelp.so.0.1.0)
==16816==    by 0x74EFB7A: ??? (in /usr/lib/rsyslog/omrelp.so)
==16816==    by 0x4529ED: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x453517: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x448F8A: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x4457BD: wtiWorker (in /usr/sbin/rsyslogd)
==16816==    by 0x4447CB: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x50580A3: start_thread (pthread_create.c:309)
==16816==    by 0x5F7A62C: clone (clone.S:111)
==16816== Address 0x20 is not stack'd, malloc'd or (recently) free'd
==16816==
==16816==
==16816== Process terminating with default action of signal 11 (SIGSEGV)
==16816== Access not within mapped region at address 0x20
==16816==    at 0x76FEE94: relpCltHintBurstEnd (in /usr/lib/x86_64-linux-gnu/librelp.so.0.1.0)
==16816==    by 0x74EFB7A: ??? (in /usr/lib/rsyslog/omrelp.so)
==16816==    by 0x4529ED: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x453517: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x448F8A: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x4457BD: wtiWorker (in /usr/sbin/rsyslogd)
==16816==    by 0x4447CB: ??? (in /usr/sbin/rsyslogd)
==16816==    by 0x50580A3: start_thread (pthread_create.c:309)
==16816==    by 0x5F7A62C: clone (clone.S:111)
==16816== If you believe this happened as a result of a stack
==16816== overflow in your program's main thread (unlikely but
==16816== possible), you can try to increase the size of the
==16816== main thread stack using the --main-stacksize= flag.
==16816== The main thread stack size used in this run was 8388608.
==16816==
==16816== HEAP SUMMARY:
==16816== in use at exit: 1,136,880 bytes in 2,685 blocks
==16816== total heap usage: 15,434 allocs, 12,749 frees, 3,325,304 bytes allocated
==16816==
==16816== LEAK SUMMARY:
==16816==    definitely lost: 0 bytes in 0 blocks
==16816==    indirectly lost: 0 bytes in 0 blocks
==16816== possibly lost: 1,152 bytes in 4 blocks
==16816==    still reachable: 1,135,728 bytes in 2,681 blocks
==16816== suppressed: 0 bytes in 0 blocks
==16816== Rerun with --leak-check=full to see details of leaked memory
==16816==
==16816== For counts of detected and suppressed errors, rerun with: -v
==16816== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Killed
Re: [rsyslog] rsyslog fails to start due to high queue
2016-11-25 8:59 GMT+01:00 Kosta Psimoulis:
> Hello,
>
> Perhaps I wasn't clear on the first message but I am getting Segmentation
> fault.
>
> this error was on syslog:
> Nov 24 20:18:25 ip-172-16-1-152 systemd[1]: rsyslog.service: main process exited, code=killed, status=11/SEGV
>
> and when I run it debug mode (-dn), it is trying to process the queue and
> gives the following error:
> .
> 9771.929711621:action 3 queue[DA]:Reg/w0: relp engine is dispatching frame with command 'rsp'
> 9771.929715606:action 3 queue[DA]:Reg/w0: in rsp command handler, txnr 201, code 200, text 'OK'
> 9771.929723831:action 3 queue[DA]:Reg/w0: DEL sess 0x7f21a40023b0 unacked 1, sessState 6
> 9771.929727757:action 3 queue[DA]:Reg/w0: in destructor: sendbuf 0x7f21a401de00
> 9771.929733344:action 3 queue[DA]:Reg/w0: relp engine is dispatching frame with command 'rsp'
> 9771.929739980:action 3 queue[DA]:Reg/w0: relpSessWaitState returns 10019
> 9771.929754387:action 3 queue[DA]:Reg/w0: in destructor: sendbuf 0x7f21a4025730
> 9771.929771799:action 3 queue[DA]:Reg/w0: relp engine created new client 0x7f21a40023b0
> 9771.929780641:action 3 queue[DA]:Reg/w0: omrelp: endTransaction
> Segmentation fault
>
> 8.4.2 is the latest version available as a package on Debian Jessie 8.6 and
> 8.16 if I use the backports. There are no repositories for Debian Jessie,
> only for Wheezy, are you suggesting to install 8.23 from source on a
> production server ?

TBH, it depends if you prefer building from source or instability ;-)

Kidding away, I know there are problems in older versions, they are fixed, and so I do not know how *I* can help you without you making sure you run the fixes. If you don't like to apply them yourself (I can understand that), I think you should coordinate with the Debian folks (Michael who packages rsyslog for deb is also on the list) and ask them for update or to apply the relevant patches.

For the version you have, I think the solution is to remove the queue files, restart rsyslog and hope for the best. Might work.

Sorry I have no better answer,
Rainer
Re: [rsyslog] mmnormalize with mutiple input: conditionals?
2016-11-24 18:18 GMT+01:00 David Lang:
> On Thu, 24 Nov 2016, Rainer Gerhards wrote:
>
>> 2016-11-24 17:21 GMT+01:00 mosto...@gmail.com :
>>>> # I would consider adding a section here to look for parsing failures and log them to someplace for later investigation, probably in raw format
>>>
>>> That's mandatory. is there any easy way to catch norm failures?
>>
>> Have a look here:
>>
>> http://www.rsyslog.com/using-mongodb-with-rsyslog-and-loganalyzer/
>>
>> $parsesuccess is your friend... and looking at it, it doesn't seem
>> documented. Would you like to document it or add an rsyslog-doc issue
>> tracker?
>
> It was documented in the past, but when I tried to use it with mmnormalize,

Unfortunately the change of doc to RST lost quite some content (that's why I insist so much this doesn't happen again when restructuring). Should be documented anyhow.

> it didn't work, I had to fall back to looking for unparsed-data existing.

That's definitely a bug. I have coincidentally looked at the code yesterday, the status is set, so it *should* work. Bug Tracker?

Rainer