Re: [rsyslog] Does anybody have any experience using rsyslog to collect logs on kubernetes deployments?

2021-07-23 Thread Scot Kreienkamp via rsyslog
I'm using Tanzu, the version we're currently using does not support output to 
syslog.  I think we'll probably move to syslog after the next upgrade though, 
when it will be supported.


Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 
1-734-915-1444 | scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy

-Original Message-
From: rsyslog  On Behalf Of Peter Portante 
via rsyslog
Sent: Thursday, July 22, 2021 11:05 PM
To: rsyslog-users 
Cc: Peter Portante 
Subject: [rsyslog] Does anybody have any experience using rsyslog to collect 
logs on kubernetes deployments?

ATTENTION:   This email was sent to La-Z-Boy from an external source. Be 
vigilant when opening attachments or clicking links.

Hi Folks,

I am curious if anybody has a working recipe for collecting logs from a
kubernetes deployment in production, and what pitfalls or gotchas you ran
into.  And if you are capturing metadata from Kubernetes pods, containers,
namespaces, etc.

Thanks in advance,

-Peter
___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


This message is intended only for the individual or entity to which it is 
addressed. It may contain privileged, confidential information which is exempt 
from disclosure under applicable laws. If you are not the intended recipient, 
you are strictly prohibited from disseminating or distributing this information 
(other than to the intended recipient) or copying this information. If you have 
received this communication in error, please notify us immediately by e-mail or 
by telephone at the above number. Thank you. 


Re: [rsyslog] RedHat 8 builds timeline?

2019-10-03 Thread Scot Kreienkamp via rsyslog
Ah, got it… my bad.  I hadn’t visited that page in quite some time as I was 
just used to using the Adiscon repo.

Thanks!




From: Rainer Gerhards 
Sent: Thursday, October 3, 2019 3:15 PM
To: Scot Kreienkamp 
Cc: rsyslog-users 
Subject: Re: [rsyslog] RedHat 8 builds timeline?

https://www.rsyslog.com/downloads/download-other/

Scot Kreienkamp <scot.kreienk...@la-z-boy.com> wrote on Thu, Oct 3, 2019, 21:09:
Think you may have been the victim of autocorrect… I’m taking that to mean the 
EPEL repositories should have it?  If so I’m not seeing it, either on EPEL or 
rpms.adiscon.com.




From: Rainer Gerhards <rgerha...@hq.adiscon.com>
Sent: Wednesday, October 2, 2019 2:43 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
Subject: Re: [rsyslog] RedHat 8 builds timeline?

The obs repositories have it side today.

Rainer
Sent from phone, thus brief.

Scot Kreienkamp via rsyslog <rsyslog@lists.adiscon.com> wrote on Wed, Oct 2, 2019, 20:30:
Hi everyone,

I notice there are no builds for EPEL-8 on the yum repository.  Any idea when 
we'll start seeing those show up?  Working through getting RHEL8 supported in 
my environment.

Thanks!


Re: [rsyslog] RedHat 8 builds timeline?

2019-10-03 Thread Scot Kreienkamp via rsyslog
Think you may have been the victim of autocorrect… I’m taking that to mean the 
EPEL repositories should have it?  If so I’m not seeing it, either on EPEL or 
rpms.adiscon.com.




From: Rainer Gerhards 
Sent: Wednesday, October 2, 2019 2:43 PM
To: rsyslog-users 
Cc: Scot Kreienkamp 
Subject: Re: [rsyslog] RedHat 8 builds timeline?

The obs repositories have it side today.

Rainer
Sent from phone, thus brief.

Scot Kreienkamp via rsyslog <rsyslog@lists.adiscon.com> wrote on Wed, Oct 2, 2019, 20:30:
Hi everyone,

I notice there are no builds for EPEL-8 on the yum repository.  Any idea when 
we'll start seeing those show up?  Working through getting RHEL8 supported in 
my environment.

Thanks!


[rsyslog] RedHat 8 builds timeline?

2019-10-02 Thread Scot Kreienkamp via rsyslog
Hi everyone,

I notice there are no builds for EPEL-8 on the yum repository.  Any idea when 
we'll start seeing those show up?  Working through getting RHEL8 supported in 
my environment.

Thanks!



Re: [rsyslog] imtcp performance

2019-09-18 Thread Scot Kreienkamp via rsyslog
With +1100 established TCP connection we get ~100% CPU usage on imtcp
thread causing the TCP stack/connections being stalled/not possible to
establish.


My syslog server is receiving at a constant 20 megabits, surging to 70 
megabits, from around 400 hosts.  My CPU load is .28 and my processor usage is 
4% right now and maxes out at 20% on a 4 proc 12 gig memory VM.  I'm using 
imptcp though.  I also spent a few weeks tinkering with settings to get it this 
far.  At one point I was hitting 100% CPU usage and refusing messages.  Found 
out it was mostly too many threads causing my issue, but I also split things up 
into multiple queues to enable parallel processing.  



Re: [rsyslog] segfault on start rsyslog-8.1905

2019-06-03 Thread Scot Kreienkamp via rsyslog
FYI, I've found a second server where it will not start.  This is OEL6, the 
first one was RHEL7.  It does give an additional message when starting from 
init.d:  rsyslog startup failure: error reading "fork pipe": No such file or 
directory

Not sure if that's any help.




From: Scot Kreienkamp 
Sent: Monday, June 3, 2019 8:53 AM
To: rsyslog-users 
Subject: segfault on start rsyslog-8.1905

Hi,

Rsyslog will not start on one of my servers.  It segfaults immediately on 
start.  I've attached the output of a debug run if anyone wants it.


[rsyslog] Error in `rsyslogd': double free or corruption (out): 0x00007f9324002b10 ***

2019-04-02 Thread Scot Kreienkamp via rsyslog
Hi,

I was noticing rsyslog (rsyslog-8.1903.0-1.el7.x86_64) crashing on one of my 
servers with imjournal errors, so I commented out

$ModLoad imjournal

and replaced with:

module(load="imjournal" StateFile="imjournal.state" WorkAroundJournalBug="on")


Since then my rsyslogd crashes on start with errors.  Details below.  Just 
thought I'd report it to the list in case it's a bug.


To troubleshoot I ran rsyslog -n, and got:

[root@rh7update ~]# rsyslogd -n &>/root/out
*** Error in `rsyslogd': double free or corruption (out): 0x7f0268002ea0 ***
=== Backtrace: =
/usr/lib64/libc.so.6(+0x81489)[0x7f027eb51489]
/usr/lib64/rsyslog/imjournal.so(+0x3b7d)[0x7f027b9a2b7d]
rsyslogd(+0x675b6)[0x5617dca1e5b6]
/usr/lib64/libpthread.so.0(+0x7dd5)[0x7f027fd0bdd5]
/usr/lib64/libc.so.6(clone+0x6d)[0x7f027ebcdead]

Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-04-01 Thread Scot Kreienkamp via rsyslog
Hi,

Went on vacation last week for a few days, so apologize if I missed the reply 
somehow.  

> in the latest version or two there are options to truncate overly long
> messages

I'm assuming you're talking about trimLineOverBytes and discardTruncatedMsg?  I 
already have discardTruncatedMsg on.  Doesn't seem to do anything.  Any 
suggestions for a sane value for trimLineOverBytes for TCP transmission?  
 
> if you change the parsing stack to only use the new format (rfc5424) I think
> it will prevent this.

I'm not sure how to set to rfc5424, and whether that needs done on just the 
receiver or both the sender and receiver, but before I can do that I have to 
make sure the sender templates I have established are compliant, which I also 
don't know.  Any feedback on the below template would be appreciated.

Here's the templates I'm using:

template(name="RMS-ForwardTomcat" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    constant(value="SERVERNAMEHERE")
    constant(value=" ")
    constant(value="RMS-Tomcat:")
    property(name="msg" spifno1stsp="on")
    property(name="msg")
}


Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-26 Thread Scot Kreienkamp via rsyslog
I'm assuming you're talking about trimLineOverBytes and discardTruncatedMsg?  I 
already have discardTruncatedMsg on.  Doesn't seem to do anything.  Any 
suggestions for a value for trimLineOverBytes?  What's the max value for TCP 
and/or UDP?

I'm not sure how to set to rfc5424, and whether that needs done on the sender 
or receiver, but before I can do that I have to make sure the templates I have 
established are compliant, which I also don't know.

Here's the templates I'm using:

template(name="RMS-ForwardTomcat" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    constant(value="SERVERNAMEHERE")
    constant(value=" ")
    constant(value="RMS-Tomcat:")
    property(name="msg" spifno1stsp="on")
    property(name="msg")
}
#Forwarding template for external services
template(name="RMS-ForwardEx" type="list") {
    property(name="hostname")
    constant(value=" ")
    property(name="msg" spifno1stsp="off" droplastlf="on")
    constant(value="\n")
}




> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David
> Lang via rsyslog
> Sent: Tuesday, March 26, 2019 12:14 PM
> To: rsyslog-users 
> Cc: David Lang 
> Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> imfile long lines
>
> in the latest version or two there are options to truncate overly long messages
>
> imfile doesn't get the filename from the message, but when you send it over
> the network the fallback parser is the old format (rfc3164) which tries really
> hard to make _some_ sense out of even malformed logs, and so when it gets
> garbage (like from an overly long message) it will result in odd hostnames
>
> you need to either make sure the sender is not sending overly long lines
> (create a variable that has the message in it using exec_template() and then
> take the len() of that variable and log it, look for overly long lines on the
> sender)
>
> if you change the parsing stack to only use the new format (rfc5424) I think
> it will prevent this.
>
> but I think what you are wanting is to set it to truncate on overly long
> lines.
>
> David Lang

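Added example, not part of the thread and not rsyslog's parser: a strict RFC 5424 header check in Python, illustrating the two points raised above (whether a line in the shape the RMS-ForwardTomcat template emits is RFC 5424, and why an RFC 5424-only receiver refuses garbage instead of inventing a hostname). The sample lines are constructed, the function names and the `_unparsed` directory are hypothetical, and `/opt/syslog` is the base path from the receiver template quoted in this thread.

```python
import posixpath
import re

PRINT = r"[\x21-\x7e]"  # PRINTUSASCII: visible ASCII, no space ("-" is the nil value)
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?)"
    r" (?P<ts>\S+)"
    rf" (?P<host>{PRINT}{{1,255}})"
    rf" (?P<app>{PRINT}{{1,48}})"
    rf" (?P<procid>{PRINT}{{1,128}})"
    rf" (?P<msgid>{PRINT}{{1,32}})"
    r" (?P<rest>.*)",
    re.DOTALL,
)
TS_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})"
)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def _skip_structured_data(s):
    """Return the index just past STRUCTURED-DATA at the start of s, or -1."""
    if s.startswith("-"):
        return 1
    i = 0
    while i < len(s) and s[i] == "[":
        i += 1
        in_quotes = False
        while i < len(s):
            c = s[i]
            if in_quotes and c == "\\":   # escaped ", \ or ] inside a value
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                break
            i += 1
        else:
            return -1                      # ran off the end: unterminated element
        i += 1
    return i if i > 0 else -1


def parse_rfc5424(line):
    """Return the parsed header fields, or None if the line is not RFC 5424."""
    m = HEADER_RE.match(line)
    if not m or int(m["pri"]) > 191:
        return None
    if m["ts"] != "-" and not TS_RE.fullmatch(m["ts"]):
        return None
    rest = m["rest"]
    end = _skip_structured_data(rest)
    if end == -1 or (end < len(rest) and rest[end] != " "):
        return None
    return {"pri": int(m["pri"]), "hostname": m["host"],
            "app": m["app"], "msg": rest[end + 1:]}


def is_plain_hostname(name):
    """True only for names that are syntactically hostnames (letters, digits, '-', '.')."""
    return len(name) <= 253 and HOSTNAME_RE.fullmatch(name) is not None


def per_host_dir(line, base="/opt/syslog"):
    """Per-host directory for a line; anything unparseable goes to one fixed place."""
    parsed = parse_rfc5424(line)
    if parsed is None or not is_plain_hostname(parsed["hostname"]):
        return posixpath.join(base, "_unparsed")   # hypothetical quarantine directory
    return posixpath.join(base, parsed["hostname"])


# Constructed sample lines (not taken from the thread).
RFC5424_LINE = ("<134>1 2019-03-26T09:15:02.123456-04:00 app01.example.com "
                "RMS-Tomcat - - - request completed")
# Shape produced by a "<pri>timestamp host tag:msg" template: no VERSION field,
# no PROCID/MSGID/STRUCTURED-DATA, so it is not an RFC 5424 line.
TEMPLATE_STYLE_LINE = ("<134>2019-03-26T09:15:02.123456-04:00 SERVERNAMEHERE "
                       "RMS-Tomcat: request completed")
# Tail of an over-long line after it was cut: no header at all.
FRAGMENT = "at org.apache.catalina.core.ApplicationFilterChain.doFilter(...) more text"
# Valid header grammar, but the hostname field holds a token that is not a hostname.
ODD_HOST_LINE = "<134>1 2019-03-26T09:15:02Z (StandardWrapper.java:123) RMS-Tomcat - - - x"

if __name__ == "__main__":
    for sample in (RFC5424_LINE, TEMPLATE_STYLE_LINE, FRAGMENT, ODD_HOST_LINE):
        print(per_host_dir(sample), "<-", sample[:50])
```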


Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-26 Thread Scot Kreienkamp via rsyslog
I can but it's not something I can post to the list.  There's no sensitive data 
but we don't want it publicly available.  Do you want me to send directly to 
you via email?


> -Original Message-
> From: Rainer Gerhards [mailto:rgerha...@hq.adiscon.com]
> Sent: Tuesday, March 26, 2019 9:26 AM
> To: Scot Kreienkamp 
> Cc: rsyslog-users 
> Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> imfile long lines
>
> can you show a concrete sample log? Can you do a network capture and
> show what exactly is on the wire?
>
> Rainer
>
> On Tue, 26 Mar 2019 at 14:24, Scot Kreienkamp wrote:
> >
> > Bug, logic error, or just a case that nobody thought of?  I'm not a
> > programmer so I'm not sure I'll be much help.
> >
> > > -Original Message-
> > > From: Rainer Gerhards [mailto:rgerha...@hq.adiscon.com]
> > > Sent: Tuesday, March 26, 2019 9:15 AM
> > > To: rsyslog-users 
> > > Cc: Scot Kreienkamp 
> > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> > > imfile long lines
> > >
> > > looks bad  ATM :(
> > >
> > > Rainer
> > >
> > > On Tue, 26 Mar 2019 at 13:49, Scot Kreienkamp via rsyslog wrote:
> > > >
> > > > Hi Rainer, have you had a chance to look at this yet?
> > > >
> > > > > -Original Message-
> > > > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > Sent: Friday, March 22, 2019 9:59 AM
> > > > > To: rsyslog-users 
> > > > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> > > > > imfile long lines
> > > > >
> > > > > On Fri, 22 Mar 2019 at 14:40, Scot Kreienkamp wrote:
> > > > > >
> > > > > > Currently 8.40 (RPM), pending upgrade to 8.1901 within the week.
> > > > >
> > > > > I would go 8.1903.0, there have been some bug fixes.
> > > > >
> > > > > I thought it would be a much older version. So out of my head I have
> > > > > not real answer now. Need to look at code, but have no time today for
> > > > > this.
> > > > >
> > > > > Rainer
> > > > > >
> > > > > > > -Original Message-
> > > > > > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > Sent: Friday, March 22, 2019 9:34 AM
> > > > > > > To: rsyslog-users 
> > > > > > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on

Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-26 Thread Scot Kreienkamp via rsyslog
Bug, logic error, or just a case that nobody thought of?  I'm not a programmer 
so I'm not sure I'll be much help.


> -Original Message-
> From: Rainer Gerhards [mailto:rgerha...@hq.adiscon.com]
> Sent: Tuesday, March 26, 2019 9:15 AM
> To: rsyslog-users 
> Cc: Scot Kreienkamp 
> Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> imfile long lines
>
> looks bad  ATM :(
>
> Rainer
>
> On Tue, 26 Mar 2019 at 13:49, Scot Kreienkamp via rsyslog wrote:
> >
> > Hi Rainer, have you had a chance to look at this yet?
> >
> > > -Original Message-
> > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > Sent: Friday, March 22, 2019 9:59 AM
> > > To: rsyslog-users 
> > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> > > imfile long lines
> > >
> > > On Fri, 22 Mar 2019 at 14:40, Scot Kreienkamp wrote:
> > > >
> > > > Currently 8.40 (RPM), pending upgrade to 8.1901 within the week.
> > >
> > > I would go 8.1903.0, there have been some bug fixes.
> > >
> > > I thought it would be a much older version. So out of my head I have
> > > not real answer now. Need to look at code, but have no time today for
> > > this.
> > >
> > > Rainer
> > > >
> > > > > -Original Message-
> > > > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > Sent: Friday, March 22, 2019 9:34 AM
> > > > > To: rsyslog-users 
> > > > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> > > > > imfile long lines
> > > > >
> > > > > rsyslog version?
> > > > >
> > > > > Rainer
> > > > >
> > > > > On Fri, 22 Mar 2019 at 14:32, Scot Kreienkamp wrote:
> > > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > I'm using patterns like this for all of the incoming logs in my central syslog
> > > > > > receiver so that all the logs from each host wind up in a directory named after
> > > > > > the host that's sending the logs.
> > > > > >
> > > > > > template (name="DailyPerHostLogDMA" type="string"
> > > > > > string="/opt/syslog/%HOSTNAME%/tomcat/RMSDoormanAdapter-%$YEAR%-%$MONTH%-%$DAY%")
> > > > > > $MaxMessageSize 8192k
> > > > > > global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
> > > > > > maxMessageSize="8192k")
> > > > > >
> > > > > >
> > > > > > I think the basic problem is that I have a number of remote senders that are
> > > > > > using imfile to read logs that contain single lines that are pages

Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-26 Thread Scot Kreienkamp via rsyslog
Hi Rainer, have you had a chance to look at this yet?


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> Sent: Friday, March 22, 2019 9:59 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> imfile long lines
>
>
>
>
>
> On Fri, 22 Mar 2019 at 14:40, Scot Kreienkamp wrote:
> >
> > Currently 8.40 (RPM), pending upgrade to 8.1901 within the week.
>
> I would go 8.1903.0, there have been some bug fixes.
>
> I thought it would be a much older version. So out of my head I have
> not real answer now. Need to look at code, but have no time today for
> this.
>
> Rainer
> >
> >
> > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > -Original Message-
> > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Rainer
> > > Gerhards
> > > Sent: Friday, March 22, 2019 9:34 AM
> > > To: rsyslog-users 
> > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> > > imfile long lines
> > >
> > >
> > >
> > >
> > >
> > > rsyslog version?
> > >
> > > Rainer
> > >
> > > On Fri, 22 Mar 2019 at 14:32, Scot Kreienkamp wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > I'm using patterns like this for all of the incoming logs in my central 
> > > > syslog
> > > receiver so that all the logs from each host wind up in a directory named
> after
> > > the host that's sending the logs.
> > > >
> > > > template (name="DailyPerHostLogDMA" type="string"
> > > string="/opt/syslog/%HOSTNAME%/tomcat/RMSDoormanAdapter-
> %$YEAR%-
> > > %$MONTH%-%$DAY%")
> > > > $MaxMessageSize 8192k
> > > > global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
> > > maxMessageSize="8192k")
> > > >
> > > >
> > > > I think the basic problem is that I have a number of remote senders that
> are
> > > using imfile to read logs that contain single lines that are pages long, 
> > > I'm
> > > assuming they are too long to forward without splitting.  The end result 
> > > is
> that I
> > > have all kinds of directories created by rsyslog with logs in them that 
> > > are
> not
> > > named after servers.  Here's a sample:
> > > >
> > > > [root@monvsyslog syslog]# ll |egrep -iv -e lzb -e mdmza
> > > > total 1352
> > > > drwxr-xr-x 4 root root   44 Feb 28 12:55 b.hq
> > > > drwxr-xr-x 2 root root 4096 Mar 22 01:30 echo
> > > > drwxr-xr-x 2 root root 4096 Mar 22 01:23 GET
> > > > drwxr-xr-x 4 root root   44 Feb 28 15:50 hq
> > > > drwxr-xr-x 2 root root 4096 Mar 22 01:22 modv6029
> > > > drwxr-xr-x 4 root root   44 Feb 28 13:25 q
> > > > drwxr-xr-x 4 root root   44 Feb 28 16:15 zb.hq
> > > >
> > > > Again, I'm assuming that the receiver is splitting the message, but I 
> > > > guess
> it
> > > could be done on the sender as well.  I do get notices sometimes on the
> > > receiver that it's splitting messages but not often.  I've increased the
> > > MaxMessageSize on everything in the environment but it doesn't seem to
> make
> > > any difference.  Beyond that I'm not sure what to do to try and resolve 
> > > this.
> > > >
> > > > The sender config is inline below:
> > > >
> > > > #RMSDoormanAdapter forwarder template, so we can add servername
> and
> > > tag
> > > > template (name="DailyPerHostLogDMA" type="string"
> > > string="/var/log/tomcat6/RMSDoormanAdapter-%$Y

Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-22 Thread Scot Kreienkamp
I have to wait for each version to bubble up through the lower testing 
environments unless there's a compelling reason to pull it forward.  It takes 2 
months to make it to production normally.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> Sent: Friday, March 22, 2019 9:59 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> imfile long lines
>
>
>
>
>
> On Fri, 22 Mar 2019 at 14:40, Scot Kreienkamp wrote:
> >
> > Currently 8.40 (RPM), pending upgrade to 8.1901 within the week.
>
> I would go 8.1903.0, there have been some bug fixes.
>
> I thought it would be a much older version. So out of my head I have
> not real answer now. Need to look at code, but have no time today for
> this.
>
> Rainer
> >
> >
> > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > -Original Message-
> > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Rainer
> > > Gerhards
> > > Sent: Friday, March 22, 2019 9:34 AM
> > > To: rsyslog-users 
> > > Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> > > imfile long lines
> > >
> > >
> > >
> > >
> > >
> > > rsyslog version?
> > >
> > > Rainer
> > >
> > > On Fri, 22 Mar 2019 at 14:32, Scot Kreienkamp wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > I'm using patterns like this for all of the incoming logs in my central 
> > > > syslog
> > > receiver so that all the logs from each host wind up in a directory named
> after
> > > the host that's sending the logs.
> > > >
> > > > template (name="DailyPerHostLogDMA" type="string"
> > > string="/opt/syslog/%HOSTNAME%/tomcat/RMSDoormanAdapter-
> %$YEAR%-
> > > %$MONTH%-%$DAY%")
> > > > $MaxMessageSize 8192k
> > > > global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
> > > maxMessageSize="8192k")
> > > >
> > > >
> > > > I think the basic problem is that I have a number of remote senders that
> are
> > > using imfile to read logs that contain single lines that are pages long, 
> > > I'm
> > > assuming they are too long to forward without splitting.  The end result 
> > > is
> that I
> > > have all kinds of directories created by rsyslog with logs in them that 
> > > are
> not
> > > named after servers.  Here's a sample:
> > > >
> > > > [root@monvsyslog syslog]# ll |egrep -iv -e lzb -e mdmza
> > > > total 1352
> > > > drwxr-xr-x 4 root root   44 Feb 28 12:55 b.hq
> > > > drwxr-xr-x 2 root root 4096 Mar 22 01:30 echo
> > > > drwxr-xr-x 2 root root 4096 Mar 22 01:23 GET
> > > > drwxr-xr-x 4 root root   44 Feb 28 15:50 hq
> > > > drwxr-xr-x 2 root root 4096 Mar 22 01:22 modv6029
> > > > drwxr-xr-x 4 root root   44 Feb 28 13:25 q
> > > > drwxr-xr-x 4 root root   44 Feb 28 16:15 zb.hq
> > > >
> > > > Again, I'm assuming that the receiver is splitting the message, but I 
> > > > guess
> it
> > > could be done on the sender as well.  I do get notices sometimes on the
> > > receiver that it's splitting messages but not often.  I've increased the
> > > MaxMessageSize on everything in the environment but it doesn't seem to
> make
> > > any difference.  Beyond that I'm not sure what to do to try and resolve 
> > > this.
> > > >
> > > > The sender config is inline below:
> > > >
> > > > #RMSDoormanAdapter forwarder template, so we can add servername
> and
> >

Re: [rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-22 Thread Scot Kreienkamp
Currently 8.40 (RPM), pending upgrade to 8.1901 within the week.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> Sent: Friday, March 22, 2019 9:34 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] strange receiver directory names for FROMHOST on
> imfile long lines
>
>
>
>
>
> rsyslog version?
>
> Rainer
>
> On Fri, 22 Mar 2019 at 14:32, Scot Kreienkamp wrote:
> >
> > Hi everyone,
> >
> > I'm using patterns like this for all of the incoming logs in my central 
> > syslog
> receiver so that all the logs from each host wind up in a directory named 
> after
> the host that's sending the logs.
> >
> > template (name="DailyPerHostLogDMA" type="string"
> string="/opt/syslog/%HOSTNAME%/tomcat/RMSDoormanAdapter-%$YEAR%-
> %$MONTH%-%$DAY%")
> > $MaxMessageSize 8192k
> > global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
> maxMessageSize="8192k")
> >
> >
> > I think the basic problem is that I have a number of remote senders that are
> using imfile to read logs that contain single lines that are pages long, I'm
> assuming they are too long to forward without splitting.  The end result is 
> that I
> have all kinds of directories created by rsyslog with logs in them that are 
> not
> named after servers.  Here's a sample:
> >
> > [root@monvsyslog syslog]# ll |egrep -iv -e lzb -e mdmza
> > total 1352
> > drwxr-xr-x 4 root root   44 Feb 28 12:55 b.hq
> > drwxr-xr-x 2 root root 4096 Mar 22 01:30 echo
> > drwxr-xr-x 2 root root 4096 Mar 22 01:23 GET
> > drwxr-xr-x 4 root root   44 Feb 28 15:50 hq
> > drwxr-xr-x 2 root root 4096 Mar 22 01:22 modv6029
> > drwxr-xr-x 4 root root   44 Feb 28 13:25 q
> > drwxr-xr-x 4 root root   44 Feb 28 16:15 zb.hq
> >
> > Again, I'm assuming that the receiver is splitting the message, but I guess 
> > it
> could be done on the sender as well.  I do get notices sometimes on the
> receiver that it's splitting messages but not often.  I've increased the
> MaxMessageSize on everything in the environment but it doesn't seem to make
> any difference.  Beyond that I'm not sure what to do to try and resolve this.
> >
> > The sender config is inline below:
> >
> > #RMSDoormanAdapter forwarder template, so we can add servername and
> tag
> > template (name="DailyPerHostLogDMA" type="string"
> string="/var/log/tomcat6/RMSDoormanAdapter-%$YEAR%-%$MONTH%-
> %$DAY%")
> > template(name="RMS-ForwardDMA" type="list") {
> > constant(value="<")
> > property(name="pri")
> > constant(value=">")
> > property(name="timestamp" dateFormat="rfc3339")
> > constant(value=" ")
> > constant(value="retv6030.na.lzb.hq")
> > constant(value=" ")
> > constant(value="RMS-DMA:")
> > property(name="msg" spifno1stsp="on" )
> > property(name="msg")
> > }
> >
> >
> > #ruleset for local port listener for RMSDoorManAdapter
> > ruleset(name="RMS-DMA-1516-1531"
> > queue.filename="Net-1516-1531"
> > queue.dequeuebatchsize="1024"
> > queue.discardmark="45000"
> > queue.DiscardSeverity="0"
> > queue.maxDiskSpace="1g"
> > queue.saveOnShutdown="on"
> > queue.size="5"
> > queue.spoolDirectory="/var/spool/rsyslog"
> > queue.type="LinkedList"
> > ){
> > action(
> > name="omfile-RMS-ForwardDMA"
> > type="omfile"
> > dynafilecachesize="5"
> > DynaFile="DailyPerHostLogDMA"
> > template="msgonly-no1sp"
> > ioBufferSize="64k"
> > flushOnTXEnd="off"
> > asyncWriting="on"
> > dirCreateMode="0755"
> > 

[rsyslog] strange receiver directory names for FROMHOST on imfile long lines

2019-03-22 Thread Scot Kreienkamp
Hi everyone,

I'm using patterns like this for all of the incoming logs in my central syslog 
receiver so that all the logs from each host wind up in a directory named after 
the host that's sending the logs.

template (name="DailyPerHostLogDMA" type="string" 
string="/opt/syslog/%HOSTNAME%/tomcat/RMSDoormanAdapter-%$YEAR%-%$MONTH%-%$DAY%")
$MaxMessageSize 8192k
global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" 
maxMessageSize="8192k")


I think the basic problem is that I have a number of remote senders that are 
using imfile to read logs that contain single lines that are pages long, I'm 
assuming they are too long to forward without splitting.  The end result is 
that I have all kinds of directories created by rsyslog with logs in them that 
are not named after servers.  Here's a sample:

[root@monvsyslog syslog]# ll |egrep -iv -e lzb -e mdmza
total 1352
drwxr-xr-x 4 root root   44 Feb 28 12:55 b.hq
drwxr-xr-x 2 root root 4096 Mar 22 01:30 echo
drwxr-xr-x 2 root root 4096 Mar 22 01:23 GET
drwxr-xr-x 4 root root   44 Feb 28 15:50 hq
drwxr-xr-x 2 root root 4096 Mar 22 01:22 modv6029
drwxr-xr-x 4 root root   44 Feb 28 13:25 q
drwxr-xr-x 4 root root   44 Feb 28 16:15 zb.hq

Again, I'm assuming that the receiver is splitting the message, but I guess it 
could be done on the sender as well.  I do get notices sometimes on the 
receiver that it's splitting messages but not often.  I've increased the 
MaxMessageSize on everything in the environment but it doesn't seem to make any 
difference.  Beyond that I'm not sure what to do to try and resolve this.

The sender config is inline below:

#RMSDoormanAdapter forwarder template, so we can add servername and tag
template (name="DailyPerHostLogDMA" type="string"
    string="/var/log/tomcat6/RMSDoormanAdapter-%$YEAR%-%$MONTH%-%$DAY%")
template(name="RMS-ForwardDMA" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    constant(value="retv6030.na.lzb.hq")
    constant(value=" ")
    constant(value="RMS-DMA:")
    property(name="msg" spifno1stsp="on" )
    property(name="msg")
}


#ruleset for local port listener for RMSDoorManAdapter
ruleset(name="RMS-DMA-1516-1531"
    queue.filename="Net-1516-1531"
    queue.dequeuebatchsize="1024"
    queue.discardmark="45000"
    queue.DiscardSeverity="0"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    queue.size="5"
    queue.spoolDirectory="/var/spool/rsyslog"
    queue.type="LinkedList"
){
    action(
        name="omfile-RMS-ForwardDMA"
        type="omfile"
        dynafilecachesize="5"
        DynaFile="DailyPerHostLogDMA"
        template="msgonly-no1sp"
        ioBufferSize="64k"
        flushOnTXEnd="off"
        asyncWriting="on"
        dirCreateMode="0755"
    )
    action(
        name="fwd-monvsyslog-1531-RMS-DMA"
        queue.dequeuebatchsize="1024"
        queue.discardmark="45000"
        queue.DiscardSeverity="0"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on"
        queue.size="5"
        queue.spoolDirectory="/var/spool/rsyslog"
        queue.type="LinkedList"
        queue.filename="fwd-monvsyslog-1531-RMS-DMA"
        type="omfwd"
        TCP_Framing="octet-counted"
        protocol="tcp"
        Target="monvsyslog.na.lzb.hq"
        Port="1531"
        template="RMS-ForwardDMA"
    )
    stop
}


I've been banging my head against the wall with this problem for some time and 
haven't made any progress.  I don't know if I can limit the imfile per line 
size or trim imfile input in any way?  Or trim the line on the sender to less 
than maxmessagesize?  Or anything else I can do?  Any suggestions would be 
appreciated.

Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/

Re: [rsyslog] Long line, can't understand forward truncation reason

2018-12-05 Thread Scot Kreienkamp
We're running 8.38 currently, waiting for the next patch cycle for 8.39.  Not 
seeing any kind of truncation messages.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> Sent: Wednesday, December 5, 2018 2:51 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] Long line, can't understand forward truncation reason
>
> Is this an old version? Current ones should report oversize messages and do
> not break but truncate (except if you Vogue differently iirc).
>
> Rainer
>
> Sent from phone, thus brief.
>
> On Wed, 5 Dec 2018, 01:10, David Lang wrote:
>
> > On Tue, 4 Dec 2018, Scot Kreienkamp wrote:
> >
> > > Hi everyone,
> > >
> > > I have a program that is sending long lines into the logs they are
> > > arriving at the local server and into the logs correctly but are being
> > > truncated when being received on a remote server, and I can't understand
> > why.
> >
> > what is your maxmessagesize on the two systems? that sounds like the cause
> > of
> > your problem.
> >
> > when you exceed maxmessagesize, that starts the next message, and since
> > there
> > isn't the syslog header at that point, it parses incorrectly, causing the
> > type
> > of problem that you are having.
> >
> > David Lang



Re: [rsyslog] Long line, can't understand forward truncation reason

2018-12-05 Thread Scot Kreienkamp
>
> > Hi everyone,
> >
> > I have a program that is sending long lines into the logs they are
> > arriving at the local server and into the logs correctly but are being
> > truncated when being received on a remote server, and I can't understand
> why.
>
> what is your maxmessagesize on the two systems? that sounds like the cause of
> your problem.
>
> when you exceed maxmessagesize, that starts the next message, and since
> there
> isn't the syslog header at that point, it parses incorrectly, causing the type
> of problem that you are having.
>
I had thought the same, but I have:


$MaxMessageSize 8192k
global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" 
maxMessageSize="8192k")

at the top of my receiver config, and the sender has

$MaxMessageSize 7168k
global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" 
maxMessageSize="7168k")


But what gets me is the small amount of message that's received... that seems 
smaller than even the default.

Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
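
David Lang's explanation quoted above (an oversize message is cut, and the remainder starts a new message that has no syslog header) can be reproduced with a small model, which also yields the kind of directory names reported in the 2019 thread. This is an added example, not code from the thread or from rsyslog: the header parser is a deliberately simplified assumption, the 64-byte limit and the sample frame are constructed, and `per_host_directory`, `KNOWN_SENDERS` and `_unparsed` are hypothetical names showing one way to keep misparsed host names out of a `%HOSTNAME%`-based path.

```python
import re

# Simplified header model (an assumption for illustration, not rsyslog's parser):
# optional <PRI>, optional RFC 3339 timestamp, then the next token is HOSTNAME.
HEADER = re.compile(
    r"(?:<\d{1,3}>)?"                  # <PRI>
    r"(?:\d{4}-\d{2}-\d{2}T\S+\s+)?"   # RFC 3339 timestamp
    r"(?P<host>\S+)"                   # whatever comes next is taken as the host
)

FALLBACK_DIR = "_unparsed"               # hypothetical quarantine directory
KNOWN_SENDERS = {"retv6030.na.lzb.hq"}   # constructed inventory; host name from the thread


def split_oversize(frame, max_size):
    """Cut one frame into max_size pieces; each piece becomes its own message."""
    return [frame[i:i + max_size] for i in range(0, len(frame), max_size)]


def parse_hostname(message):
    """Return the token the simplified parser would treat as HOSTNAME."""
    m = HEADER.match(message.lstrip())
    return m.group("host") if m else ""


def per_host_directory(hostname, known_senders=KNOWN_SENDERS):
    """Only an exact, known sender name may become a directory name."""
    name = hostname.strip().lower().rstrip(".")
    return name if name in known_senders else FALLBACK_DIR


def _fill(prefix, suffix, width):
    """Pad with 'x' so prefix + padding + suffix is exactly width characters."""
    return prefix + "x" * (width - len(prefix) - len(suffix)) + suffix


# Constructed sample: one long line shaped like the RMS-ForwardDMA template
# (<pri>timestamp host tag:msg), padded so the cuts fall at known offsets.
DEMO_MAX = 64
SAMPLE_FRAME = (
    _fill("<134>2019-03-22T01:23:45-04:00 retv6030.na.lzb.hq RMS-DMA: ", " ", DEMO_MAX)
    + _fill("GET /status ", " host=retv6030.na.l", DEMO_MAX)
    + _fill("zb.hq responded ", " ", DEMO_MAX)
    + "echo done"
)


def route(frame, max_size):
    """Return (parsed hostname, directory chosen by the guard) for each piece."""
    pieces = split_oversize(frame, max_size)
    return [(h, per_host_directory(h)) for h in map(parse_hostname, pieces)]


if __name__ == "__main__":
    for host, directory in route(SAMPLE_FRAME, DEMO_MAX):
        print(f"HOSTNAME={host!r:24} naive dir={host!r:24} guarded dir={directory!r}")
```

Only the first piece carries the real header; the later pieces yield `GET`, `zb.hq` and `echo` as host names, which the guard routes to the fallback directory instead of creating a directory per fragment.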



[rsyslog] Long line, can't understand forward truncation reason

2018-12-04 Thread Scot Kreienkamp
Hi everyone,

I have a program that is sending long lines into the logs; they are arriving 
at the local server and into the logs correctly but are being truncated when 
being received on a remote server, and I can't understand why.

In crontab I have a program being run like so:
*/5 * * * * java  foo |& nc  -w 240 localhost 1516

Basically it's running the java program and redirecting all IO to netcat, which 
is sending it to port 1516 on localhost via the default TCP.  That is working 
fine, and the local logfile has all the content in it.  The problem comes when 
I'm trying to forward to a remote host.  The local file has a line that goes on 
for pages, however the remote end writes the line into the file but truncates 
that line after approximately 950 characters and then does really weird things 
with the rest of that incoming line.  Sometimes it shows up under other servers 
(the destination separates by hostname and tag), sometimes it creates new 
folders with partial names of servers, etc.


Here's my rule that encompasses the local file write and the forward:

template(name="RMS-ForwardDMA" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    constant(value="retv6030.na.lzb.hq")
    constant(value=" ")
    constant(value="RMS-DMA:")
    property(name="msg" spifno1stsp="on" )
    property(name="msg")
}
ruleset(name="RMS-DMA-1516-1531"
    queue.filename="Net-1516-1531"
    queue.dequeuebatchsize="1024"
    queue.discardmark="45000"
    queue.DiscardSeverity="0"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    queue.size="5"
    queue.spoolDirectory="/var/spool/rsyslog"
    queue.type="LinkedList"
){
    action(
        name="omfile-RMS-ForwardDMA"
        type="omfile"
        dynafilecachesize="5"
        DynaFile="DailyPerHostLogDMA"
        template="msgonly-no1sp"
        ioBufferSize="64k"
        flushOnTXEnd="off"
        asyncWriting="on"
        dirCreateMode="0755"
    )
    action(
        name="fwd-monvsyslog-1531-RMS-DMA"
        queue.dequeuebatchsize="1024"
        queue.discardmark="45000"
        queue.DiscardSeverity="0"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on"
        queue.size="5"
        queue.spoolDirectory="/var/spool/rsyslog"
        queue.type="LinkedList"
        queue.filename="fwd-monvsyslog-1531-RMS-DMA"
        type="omfwd"
        TCP_Framing="octet-counted"
        protocol="tcp"
        Target="monvsyslog.na.lzb.hq"
        Port="1531"
        template="RMS-ForwardDMA"
    )
    stop
}
#setup local port listeners for ecomm
input(type="imudp" port="1516" address="127.0.0.1" ruleset="RMS-DMA-1516-1531")
input(type="imptcp" port="1516" address="127.0.0.1" ruleset="RMS-DMA-1516-1531")



And here's my receiving line:

if $syslogtag startswith "RMS-DMA:"  then {
action(name="Net-1531-DMA" type="omfile" dynafilecachesize="50" 
DynaFile="DailyPerHostLogDMA" ioBufferSize="128k" flushOnTXEnd="off" 
asyncWriting="on" dirCreateMode="0755" template="msgonly")
stop
}


Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy


Re: [rsyslog] imfile read looping

2018-11-19 Thread Scot Kreienkamp
That would likely explain it, and the randomness of it.  I did note that when I 
had problems the only way to resolve it was to rotate the source logfile.  With 
Tomcat and most java apps the only way to rotate the logs is to use 
copytruncate.  Otherwise it quits writing the log.

I can live with it until the next release now that I'm aware of it.  Thanks for 
the info.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David
> Lang
> Sent: Monday, November 19, 2018 2:23 PM
> To: rsyslog-users 
> Subject: Re: [rsyslog] imfile read looping
>
> There is a known problem in the current release with a large file size (4G 
> IIRC,
> but it could be 2G) and truncation detection turned on.
>
> If there is any way to avoid using truncation detection by rotating the log
> instead of truncating it, that is a far better option.
>
> I believe that the fix is in the daily build and will be in the next release.
>
> David Lang



[rsyslog] imfile read looping

2018-11-19 Thread Scot Kreienkamp
Hi everyone,

I've found an issue where I'm reading a file with imfile (catalina.out) and 
I've seen it get into a loop where it keeps rereading the file in a loop, and 
keeps transferring the content repeatedly until I stop rsyslog.  I haven't been 
able to recreate the issue, but I have run into it a few times now.  It's 
looped so many times it takes a file that is originally a few hundred megs and 
makes it 700+ gigs on the destination server.  The other thing I'm noticing is 
the state files on the imfile keep piling up.  I thought those were supposed to 
be reused, but it looks like it's writing new files constantly.

My imfile and ruleset are below.  Any help/comments/suggestions would be 
appreciated.

ruleset(name="Rule-catalina"){
    action(
        Target="monvsyslog.na.lzb.hq"
        port="1531"
        queue.filename="FWD-catalina-monvsyslog.na.lzb.hq-1531"
        name="fwd-catalina-monvsyslog.na.lzb.hq-1531"
        protocol="tcp"
        type="omfwd"
        TCP_Framing="octet-counted"
        queue.size="25000"
        queue.discardmark="2"
        queue.dequeuebatchsize="1024"
        queue.type="LinkedList"
        queue.spoolDirectory="/var/spool/rsyslog-imfile"
        queue.saveOnShutdown="on"
        queue.maxDiskSpace="1g"
    )
    stop
}

input(type="imfile"
    file="/var/log/tomcat6/catalina.out"
    tag="catalina:"
    facility="local6"
    PersistStateInterval="100"
    ruleset="Rule-catalina"
    reopenOnTruncate="on"
    discardTruncatedMsg="on"
)

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy


Re: [rsyslog] Internet drop followed by a restart - queue

2018-11-15 Thread Scot Kreienkamp
> One problem with TCP logging is that rsyslog has no visibility after it 
> submits
> the log to the OS, so what is happening here is that your "no connection"
> message is going to rsyslog, it still thinks there is a connection open, so it
> submits it to the OS and considers it sent.
>
> also see
> https://rainer.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html
>
> This is exactly the use case that RELP is designed for.
>


I tried implementing RELP one time... it seems to be quite a bit more expensive 
on CPU time than standard TCP.  I saw my CPU spike between 25-50% over plain 
TCP when I tried it on a high volume receiver.  I would advise caution before 
implementing it on anything with high volume.

In my environment I don't need the guaranteed lossless so I've stuck with TCP.  
YMMV.

Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com



Re: [rsyslog] %HOSTNAME% corruption

2018-11-06 Thread Scot Kreienkamp
Hi Emmanuel,

Look into tcp_framing on omfwd.  That's my best guess as I was seeing the same 
thing in the past.

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html



Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Emmanuel Seyman
> Sent: Tuesday, November 6, 2018 10:27 AM
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] %HOSTNAME% corruption
>
>
> I'm using rsyslog as a central syslog server and storing messages from
> each syslog client in its own directory (using logs/rsyslog/%HOSTNAME%
> in a template). Messages are sent to a rsyslog relay before then being
> sent to the central server.
>
> I'm now seeing directories that cannot possibly be hostnames being created:
>
> * logs/rsyslog/mysqlhotcopy
> * logs/rsyslog/VERSION
> * logs/rsyslog/GET
> * logs/rsyslog/OPTIONS
> * logs/rsyslog/r
>
> and so on and so on...
>
> These look like the syslog message is being corrupted during the transfer
> with part of the message taking the place of the hostname but virtually all
> of the syslog transfers are done via TCP, which I thought would prevent this.
>
> Is this a known problem? Did I misconfigure rsyslog somehow?
>
> Thanks for any help you can give.
>
> Emmanuel


Re: [rsyslog] Queue file not created

2018-10-25 Thread Scot Kreienkamp
> > But when I restart rsyslog, I get the following error in the logs:
> >
> > Oct 25 10:34:01 hostname rsyslogd: file
> > '/var/spool/rsyslog/graylog_queue.qi': open error: No such file or
> > directory [v8.38.0 try http://www.rsyslog.com/e/2040 ]
> >
> > The directory exists, but no file is created.
> >
> > Any hints would be appreciated.


I get this all the time as well.  Every time I stop/start Rsyslog.  Seems to be 
a recent development.

Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com



Re: [rsyslog] Rsyslog crashing repeatedly

2018-09-21 Thread Scot Kreienkamp
No message suppression, I have $RepeatedMsgReduction off in my configs.  I'll 
try and capture it with debug, it's been happening a few times per hour and the 
server it's on is not a large volume source so it may be possible.  It hasn't 
happened since 1am today though which is unusual.




Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> Sent: Friday, September 21, 2018 9:55 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] Rsyslog crashing repeatedly
>
> sry, pls bear with me a little - been sidestepped by some other
> projects. I think we would need to build new packages with debug
> symbols.
>
> Well, one piece of info that may help me if I get to it over the
> weekend: do you use repeated message suppression or some other
> ratelimiting method?
>
> If it occurs quickly, could you try to gather a debug log? That would
> probably show more precise when it aborts. Interesting are most
> probably just the last 1000 lines or so (you can mail me privately if
> you like).
>
> Rainer
> El vie., 21 sept. 2018 a las 15:43, Scot Kreienkamp
> () escribió:
> >
> > Hi Rainer,
> >
> > Any more info I can provide to help track down the problem?  It's hitting
> > us on several servers and driving some of our admins nuts.
> >
> >
> > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > -Original Message-
> > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Rainer
> > > Gerhards
> > > Sent: Wednesday, September 19, 2018 2:47 PM
> > > To: rsyslog-users 
> > > Subject: Re: [rsyslog] Rsyslog crashing repeatedly
> > >
> > > Yes, could be. Let me go back to computer tomorrow morning to write more
> > > detail. Valgrind looks promising. Too bad no symbols. Need to check with
> > > our packaging guys. Config would be useful.
> > >
> > > Possible to create a debug log? Last 1000 lines or so probably 
> > > interesting.
> > >
> > > Rainer
> > >
> > > Sent from phone, thus brief.
> > >
> > > Scot Kreienkamp  schrieb am Mi., 19. Sep.
> > > 2018, 19:42:
> > >
> > > > To my (admittedly non-programmer's eyes) this does look like it might be
> > > > related.  Hopefully Rainer will weigh in.
> > > >
> > > >
> > > > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > > > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> > > > Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > > > -Original Message-
> > > > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> > > > Peter
> > > > > Cullen
> > > > > Sent: Wednesday, September 19, 2018 1:32 PM
> > > > > To: rsyslog-users 
> > > > > Subject: Re: [rsyslog] Rsyslog crashing repeatedly
> > > > >
> > > > > I wonder, could this be the same or related to
> > > > > https://github.com/rsyslog/rsyslog/issues/3021 ?
> > > > >
> > > > > On Wed, Sep 19, 2018 at 1:03 PM, Scot Kreienkamp <
> > > > > scot.kreienk...@la-z-boy.com> wrote:
> > > > >
> > > > > > I'm not using anything like that in my config.  I have a bunch of if
> > > > > > statements that compare values, nothing very complicated.   It seems
> > > > to be
> > > > > > mostly complaining about imfile.
> > > > > >
> > > > > >
> > > > > > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > > > > > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403
> |  |
> > > > > > Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > > > > > -Original Message-
> > > > > > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf
> > > > Of
> > > > > > John
> > > > > > > Chivian
> > > > > > > Sent: Wednesday, September 19, 2018 12:58 PM
> > > > > > > To: rsyslog@lists.adiscon.com
> > 

Re: [rsyslog] Rsyslog crashing repeatedly

2018-09-21 Thread Scot Kreienkamp
Hi Rainer,

Any more info I can provide to help track down the problem?  It's hitting us on 
several servers and driving some of our admins nuts.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer
> Gerhards
> Sent: Wednesday, September 19, 2018 2:47 PM
> To: rsyslog-users 
> Subject: Re: [rsyslog] Rsyslog crashing repeatedly
>
> Yes, could be. Let me go back to computer tomorrow morning to write more
> detail. Valgrind looks promising. Too bad no symbols. Need to check with
> our packaging guys. Config would be useful.
>
> Possible to create a debug log? Last 1000 lines or so probably interesting.
>
> Rainer
>
> Sent from phone, thus brief.
>
> Scot Kreienkamp  schrieb am Mi., 19. Sep.
> 2018, 19:42:
>
> > To my (admittedly non-programmer's eyes) this does look like it might be
> > related.  Hopefully Rainer will weigh in.
> >
> >
> > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> > Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > -Original Message-
> > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> > Peter
> > > Cullen
> > > Sent: Wednesday, September 19, 2018 1:32 PM
> > > To: rsyslog-users 
> > > Subject: Re: [rsyslog] Rsyslog crashing repeatedly
> > >
> > > I wonder, could this be the same or related to
> > > https://github.com/rsyslog/rsyslog/issues/3021 ?
> > >
> > > On Wed, Sep 19, 2018 at 1:03 PM, Scot Kreienkamp <
> > > scot.kreienk...@la-z-boy.com> wrote:
> > >
> > > > I'm not using anything like that in my config.  I have a bunch of if
> > > > statements that compare values, nothing very complicated.   It seems
> > to be
> > > > mostly complaining about imfile.
> > > >
> > > >
> > > > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > > > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> > > > Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > > > -Original Message-
> > > > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf
> > Of
> > > > John
> > > > > Chivian
> > > > > Sent: Wednesday, September 19, 2018 12:58 PM
> > > > > To: rsyslog@lists.adiscon.com
> > > > > Subject: Re: [rsyslog] Rsyslog crashing repeatedly
> > > > >
> > > > > I do not know if it is relevant to this issue, but I have experienced an
> > > > > rsyslog crash that I was able to attribute to...
> > > > >
> > > > > set $.mlen = strlen($msg) - 3;
> > > > > set $.pmsg = substring($msg,2,$.mlen);
> > > > >
> > > > > ...when $msg wasn't long enough to support being stripped in that
> > > manner.
> > > > >
> > > > > I would think this should not work, but not crash the application.
> > > > >
> > > > >
> > > > > On 9/19/18 10:52 AM, Scot Kreienkamp wrote:
> > > > > > OK, ran it under valgrind until it crashed, here's the logfile
> > output
> > > > from
> > > > > valgrind:
> > > > > >
> > > > > >
> > > > > > ==32102== Memcheck, a memory error detector
> > > > > > ==32102== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward
> > > et
> > > > al.
> > > > > > ==32102== Using Valgrind-3.8.1 and LibVEX; rerun with -h for
> > copyright
> > > > info
> > > > > > ==32102== Command: /sbin/rsyslogd -f /etc/rsyslog.conf
> > > > > > ==32102== Parent PID: 3883
> > > > > > ==32102==
> > > > > > ==32107== Warning: invalid file descriptor 65536 in syscall close()
> > > > > > ==32102==
> > > > > > ==32102== HEAP SUMMARY:
> > > > > > ==32102== in use at exit: 199,617 bytes in 2,693 blocks
> > > > > > ==32102==   total heap usage: 5,889 allocs, 3,196 frees, 479,531
> > bytes
> > > > > allocated
> > > > > > ==32102==
> > > > > > ==32102== LEAK SUMMARY:
> > > > >

Re: [rsyslog] multi-line data

2018-09-20 Thread Scot Kreienkamp


> that's why we have the option. Be aware that various other things are going
> to make assumptions on newlines (mmnormalize for example). I don't have a
> list of everything, just be aware if you run into issues, this may be a cause


Thanks for the warning, but I don't think I'll run into many issues.  Rsyslog 
is strictly used as a transport mechanism for logs in my environment.  We don't 
do any processing or manipulation of any kind (right now, anyway).  I process 
800k or so messages on average per minute, spiking up to 2x that.  Other than 
volume my usage of rsyslog is very simple.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com



Re: [rsyslog] multi-line data

2018-09-20 Thread Scot Kreienkamp
I have java output among other things that do multi-line, so leaving it as 
original to preserve the readability would be their preference if it's 
workable.  I only have rsyslog in my environment so it doesn't have to play 
nice with anyone else.

I'm using TCP for all my connections and it looks like it's defaulted to on in 
imptcp, so I just need to enable it on the sender.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David
> Lang
> Sent: Wednesday, September 19, 2018 4:10 PM
> To: rsyslog-users 
> Subject: Re: [rsyslog] multi-line data
>
> you need to either escape the newlines, or use octet mode when
> transferring the message (the syslog RFCs for network communications
> specify that newline is the end of a message, the octet mode is a rsyslog
> modification to the protocol to support this)
>
> I would suggest escaping control characters so that it becomes a single line.
>
> David Lang
> ___
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
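
The framing difference discussed in this message, and the effect reported in the %HOSTNAME% corruption thread above, shown as an added example (not code from the list or from rsyslog). The header parser is a simplified stand-in for a lenient syslog parser; the sample messages, the host name `app01` and the `_unparsed` directory are constructed for illustration.

```python
import re

# Constructed sample: ONE syslog message from host "app01" whose text spans
# three lines (a Java stack trace). Not taken from the thread.
MULTILINE_MSG = (
    "<134>Sep 19 16:10:00 app01 java[4242]: Request failed\n"
    "GET /api/orders HTTP/1.1 caused java.lang.IllegalStateException\n"
    "\tat com.example.Orders.load(Orders.java:42)"
)
SECOND_MSG = "<134>Sep 19 16:10:01 app01 java[4242]: Retry succeeded"


def frame_newline(msg: str) -> bytes:
    """Traditional framing: a line feed marks the end of the message."""
    return msg.encode("utf-8") + b"\n"


def frame_octet_counted(msg: str) -> bytes:
    """Octet-counted framing: '<byte length> <message>', no terminator."""
    data = msg.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


def deframe_newline(stream: bytes) -> list:
    """Receiver side for traditional framing: every LF starts a new message."""
    return [part.decode("utf-8") for part in stream.split(b"\n") if part]


def deframe_octet_counted(stream: bytes) -> list:
    """Receiver side for octet-counted framing, rejecting malformed counts."""
    frames, pos = [], 0
    while pos < len(stream):
        space = stream.find(b" ", pos, pos + 10)  # count is a short decimal
        count = stream[pos:space] if space != -1 else b""
        if not count.isdigit():
            raise ValueError(f"bad octet count at offset {pos}")
        start, end = space + 1, space + 1 + int(count)
        if end > len(stream):
            raise ValueError("frame is longer than the data received")
        frames.append(stream[start:end].decode("utf-8"))
        pos = end
    return frames


# Simplified RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def naive_hostname(frame: str) -> str:
    """Stand-in for a lenient parser (an assumption, not rsyslog's code):
    with no valid header, the first word of the text lands in the hostname slot."""
    match = HEADER.match(frame)
    if match:
        return match.group(1)
    words = frame.split()
    return words[0] if words else ""


def log_dir(hostname: str, known_hosts: set) -> str:
    """Create per-host directories only for expected senders. A syntax check
    is not enough here: 'GET' is a syntactically valid hostname."""
    if hostname in known_hosts:
        return f"logs/rsyslog/{hostname}"
    return "logs/rsyslog/_unparsed"  # hypothetical catch-all directory


def directories(frames: list, known_hosts: set) -> list:
    """Directory each received frame would be written to."""
    return [log_dir(naive_hostname(f), known_hosts) for f in frames]


if __name__ == "__main__":
    codecs = (
        ("newline", frame_newline, deframe_newline),
        ("octet-counted", frame_octet_counted, deframe_octet_counted),
    )
    for name, encode, decode in codecs:
        frames = decode(encode(MULTILINE_MSG) + encode(SECOND_MSG))
        print(name, len(frames), [naive_hostname(f) for f in frames])
```

With newline framing the two messages arrive as four, and the continuation lines yield `GET` and `at` in the hostname position; with octet-counted framing both messages survive intact.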



[rsyslog] multi-line data

2018-09-19 Thread Scot Kreienkamp
Hi everyone,

I'm having a problem with multi-line data being forwarded to a central syslog 
collector server.  Looks like the lines are not being treated as parts of the 
same message when being transferred over the network even though they show up 
as all one single message in /var/log/messages at the source.  I'm aware of the 
multi-line regex but I'm not sure that's the best fit.  Can't really find much 
else yet.  Is there anything else in the docs for dealing with multi-line 
messages other than the regex?

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 |
scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy




Re: [rsyslog] Rsyslog crashing repeatedly

2018-09-19 Thread Scot Kreienkamp
To my (admittedly non-programmer's eyes) this does look like it might be 
related.  Hopefully Rainer will weigh in.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Peter
> Cullen
> Sent: Wednesday, September 19, 2018 1:32 PM
> To: rsyslog-users 
> Subject: Re: [rsyslog] Rsyslog crashing repeatedly
>
> I wonder, could this be the same or related to
> https://github.com/rsyslog/rsyslog/issues/3021 ?
>
> On Wed, Sep 19, 2018 at 1:03 PM, Scot Kreienkamp <
> scot.kreienk...@la-z-boy.com> wrote:
>
> > I'm not using anything like that in my config.  I have a bunch of if
> > statements that compare values, nothing very complicated.   It seems to be
> > mostly complaining about imfile.
> >
> >
> > Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
> > One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |
> > Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> > > -Original Message-
> > > From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> > John
> > > Chivian
> > > Sent: Wednesday, September 19, 2018 12:58 PM
> > > To: rsyslog@lists.adiscon.com
> > > Subject: Re: [rsyslog] Rsyslog crashing repeatedly
> > >
> > > I do not know if it is relevant to this issue, but I have experienced an
> > > rsyslog crash that I was able to attribute to...
> > >
> > > set $.mlen = strlen($msg) - 3;
> > > set $.pmsg = substring($msg,2,$.mlen);
> > >
> > > ...when $msg wasn't long enough to support being stripped in that
> manner.
> > >
> > > I would think this should not work, but not crash the application.
> > >
> > >
> > > On 9/19/18 10:52 AM, Scot Kreienkamp wrote:
> > > > OK, ran it under valgrind until it crashed, here's the logfile output
> > from
> > > valgrind:
> > > >
> > > >
> > > > ==32102== Memcheck, a memory error detector
> > > > ==32102== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward
> et
> > al.
> > > > ==32102== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright
> > info
> > > > ==32102== Command: /sbin/rsyslogd -f /etc/rsyslog.conf
> > > > ==32102== Parent PID: 3883
> > > > ==32102==
> > > > ==32107== Warning: invalid file descriptor 65536 in syscall close()
> > > > ==32102==
> > > > ==32102== HEAP SUMMARY:
> > > > ==32102== in use at exit: 199,617 bytes in 2,693 blocks
> > > > ==32102==   total heap usage: 5,889 allocs, 3,196 frees, 479,531 bytes
> > > allocated
> > > > ==32102==
> > > > ==32102== LEAK SUMMARY:
> > > > ==32102==definitely lost: 0 bytes in 0 blocks
> > > > ==32102==indirectly lost: 0 bytes in 0 blocks
> > > > ==32102==  possibly lost: 0 bytes in 0 blocks
> > > > ==32102==still reachable: 199,617 bytes in 2,693 blocks
> > > > ==32102== suppressed: 0 bytes in 0 blocks
> > > > ==32102== Rerun with --leak-check=full to see details of leaked
> memory
> > > > ==32102==
> > > > ==32102== For counts of detected and suppressed errors, rerun with: -
> v
> > > > ==32102== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 40
> > > from 9)
> > > > ==32107== Thread 4:
> > > > ==32107== Invalid read of size 2
> > > > ==32107==at 0x168982: ratelimitMsg (in /sbin/rsyslogd)
> > > > ==32107==by 0x168DFA: ratelimitAddMsg (in /sbin/rsyslogd)
> > > > ==32107==by 0x6C3B4A5: ??? (in /lib64/rsyslog/imfile.so)
> > > > ==32107==by 0x6C3C65B: ??? (in /lib64/rsyslog/imfile.so)
> > > > ==32107==by 0x6C3CB18: ??? (in /lib64/rsyslog/imfile.so)
> > > > ==32107==by 0x6C3857C: ??? (in /lib64/rsyslog/imfile.so)
> > > > ==32107==by 0x6C3C10F: ??? (in /lib64/rsyslog/imfile.so)
> > > > ==32107==by 0x6C3C54E: ??? (in /lib64/rsyslog/imfile.so)
> > > > ==32107==by 0x170C36: ??? (in /sbin/rsyslogd)
> > > > ==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
> > > > ==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
> > > > ==32107==  Address 0x64af2d8 is 8 bytes inside a block of size 104
> > free'd
> > > > ==32107==at 0x4A06

Re: [rsyslog] Rsyslog crashing repeatedly

2018-09-19 Thread Scot Kreienkamp
I'm not using anything like that in my config.  I have a bunch of if statements 
that compare values, nothing very complicated.   It seems to be mostly 
complaining about imfile.


Scot Kreienkamp |Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive| Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of John
> Chivian
> Sent: Wednesday, September 19, 2018 12:58 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Rsyslog crashing repeatedly
>
> I do not know if it is relevant to this issue, but I have experienced an
> rsyslog crash that I was able to attribute to...
>
> set $.mlen = strlen($msg) - 3;
> set $.pmsg = substring($msg,2,$.mlen);
>
> ...when $msg wasn't long enough to support being stripped in that manner.
>
> I would think this should not work, but not crash the application.
>
>
> On 9/19/18 10:52 AM, Scot Kreienkamp wrote:
> > OK, ran it under valgrind until it crashed, here's the logfile output from
> valgrind:
> >
> >
> > ==32102== Memcheck, a memory error detector
> > ==32102== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
> > ==32102== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
> > ==32102== Command: /sbin/rsyslogd -f /etc/rsyslog.conf
> > ==32102== Parent PID: 3883
> > ==32102==
> > ==32107== Warning: invalid file descriptor 65536 in syscall close()
> > ==32102==
> > ==32102== HEAP SUMMARY:
> > ==32102== in use at exit: 199,617 bytes in 2,693 blocks
> > ==32102==   total heap usage: 5,889 allocs, 3,196 frees, 479,531 bytes
> allocated
> > ==32102==
> > ==32102== LEAK SUMMARY:
> > ==32102==definitely lost: 0 bytes in 0 blocks
> > ==32102==indirectly lost: 0 bytes in 0 blocks
> > ==32102==  possibly lost: 0 bytes in 0 blocks
> > ==32102==still reachable: 199,617 bytes in 2,693 blocks
> > ==32102== suppressed: 0 bytes in 0 blocks
> > ==32102== Rerun with --leak-check=full to see details of leaked memory
> > ==32102==
> > ==32102== For counts of detected and suppressed errors, rerun with: -v
> > ==32102== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 40
> from 9)
> > ==32107== Thread 4:
> > ==32107== Invalid read of size 2
> > ==32107==at 0x168982: ratelimitMsg (in /sbin/rsyslogd)
> > ==32107==by 0x168DFA: ratelimitAddMsg (in /sbin/rsyslogd)
> > ==32107==by 0x6C3B4A5: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C65B: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3CB18: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3857C: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C10F: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C54E: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x170C36: ??? (in /sbin/rsyslogd)
> > ==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
> > ==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
> > ==32107==  Address 0x64af2d8 is 8 bytes inside a block of size 104 free'd
> > ==32107==at 0x4A06430: free (vg_replace_malloc.c:446)
> > ==32107==by 0x6C3C641: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3CB18: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3857C: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C10F: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C54E: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x170C36: ??? (in /sbin/rsyslogd)
> > ==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
> > ==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
> > ==32107==
> > ==32107== Invalid read of size 4
> > ==32107==at 0x168989: ratelimitMsg (in /sbin/rsyslogd)
> > ==32107==by 0x168DFA: ratelimitAddMsg (in /sbin/rsyslogd)
> > ==32107==by 0x6C3B4A5: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C65B: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3CB18: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3857C: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C10F: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x6C3C54E: ??? (in /lib64/rsyslog/imfile.so)
> > ==32107==by 0x170C36: ??? (in /sbin/rsyslogd)
> > ==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
> > ==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
> > ==32107==  Address 0x64af2f8 is 40 bytes inside a block of size 104 free'd
> > ==32

Re: [rsyslog] Rsyslog crashing repeatedly

2018-09-19 Thread Scot Kreienkamp
==at 0x148010: getTimeReported (in /sbin/rsyslogd)
==32107==by 0x12CBC5: ??? (in /sbin/rsyslogd)
==32107==by 0x17700B: tplToString (in /sbin/rsyslogd)
==32107==by 0x16EB51: ??? (in /sbin/rsyslogd)
==32107==by 0x16F2AA: ??? (in /sbin/rsyslogd)
==32107==by 0x163793: ??? (in /sbin/rsyslogd)
==32107==by 0x15FEE4: wtiWorker (in /sbin/rsyslogd)
==32107==by 0x15FB11: ??? (in /sbin/rsyslogd)
==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
==32107==  Address 0x14ecceb8 is not stack'd, malloc'd or (recently) free'd
==32107==
==32107== Invalid write of size 8
==32107==at 0x148374: getTimeReported (in /sbin/rsyslogd)
==32107==by 0x12CBC5: ??? (in /sbin/rsyslogd)
==32107==by 0x17700B: tplToString (in /sbin/rsyslogd)
==32107==by 0x16EB51: ??? (in /sbin/rsyslogd)
==32107==by 0x16F2AA: ??? (in /sbin/rsyslogd)
==32107==by 0x163793: ??? (in /sbin/rsyslogd)
==32107==by 0x15FEE4: wtiWorker (in /sbin/rsyslogd)
==32107==by 0x15FB11: ??? (in /sbin/rsyslogd)
==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
==32107==  Address 0x14ecceb8 is not stack'd, malloc'd or (recently) free'd
==32107==
==32107== Invalid read of size 1
==32107==at 0x14F510: ??? (in /sbin/rsyslogd)
==32107==by 0x148383: getTimeReported (in /sbin/rsyslogd)
==32107==by 0x12CBC5: ??? (in /sbin/rsyslogd)
==32107==by 0x17700B: tplToString (in /sbin/rsyslogd)
==32107==by 0x16EB51: ??? (in /sbin/rsyslogd)
==32107==by 0x16F2AA: ??? (in /sbin/rsyslogd)
==32107==by 0x163793: ??? (in /sbin/rsyslogd)
==32107==by 0x15FEE4: wtiWorker (in /sbin/rsyslogd)
==32107==by 0x15FB11: ??? (in /sbin/rsyslogd)
==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
==32107==  Address 0x14eccf3d is not stack'd, malloc'd or (recently) free'd
==32107==
==32107== Invalid read of size 1
==32107==at 0x14F545: ??? (in /sbin/rsyslogd)
==32107==by 0x148383: getTimeReported (in /sbin/rsyslogd)
==32107==by 0x12CBC5: ??? (in /sbin/rsyslogd)
==32107==by 0x17700B: tplToString (in /sbin/rsyslogd)
==32107==by 0x16EB51: ??? (in /sbin/rsyslogd)
==32107==by 0x16F2AA: ??? (in /sbin/rsyslogd)
==32107==by 0x163793: ??? (in /sbin/rsyslogd)
==32107==by 0x15FEE4: wtiWorker (in /sbin/rsyslogd)
==32107==by 0x15FB11: ??? (in /sbin/rsyslogd)
==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
==32107==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==32107==
==32107==
==32107== Process terminating with default action of signal 11 (SIGSEGV)
==32107==  Access not within mapped region at address 0x5
==32107==at 0x14F545: ??? (in /sbin/rsyslogd)
==32107==by 0x148383: getTimeReported (in /sbin/rsyslogd)
==32107==by 0x12CBC5: ??? (in /sbin/rsyslogd)
==32107==by 0x17700B: tplToString (in /sbin/rsyslogd)
==32107==by 0x16EB51: ??? (in /sbin/rsyslogd)
==32107==by 0x16F2AA: ??? (in /sbin/rsyslogd)
==32107==by 0x163793: ??? (in /sbin/rsyslogd)
==32107==by 0x15FEE4: wtiWorker (in /sbin/rsyslogd)
==32107==by 0x15FB11: ??? (in /sbin/rsyslogd)
==32107==by 0x4E3BAA0: start_thread (in /lib64/libpthread-2.12.so)
==32107==by 0x5F72C4C: clone (in /lib64/libc-2.12.so)
==32107==  If you believe this happened as a result of a stack
==32107==  overflow in your program's main thread (unlikely but
==32107==  possible), you can try to increase the size of the
==32107==  main thread stack using the --main-stacksize= flag.
==32107==  The main thread stack size used in this run was 10485760.
==32107==
==32107== HEAP SUMMARY:
==32107== in use at exit: 17,220,952 bytes in 26,819 blocks
==32107==   total heap usage: 19,871,535 allocs, 19,844,716 frees, 3,105,437,638 bytes allocated
==32107==
==32107== LEAK SUMMARY:
==32107==definitely lost: 666 bytes in 3 blocks
==32107==indirectly lost: 908 bytes in 7 blocks
==32107==  possibly lost: 8,404,737 bytes in 29 blocks
==32107==still reachable: 8,814,641 bytes in 26,780 blocks
==32107== suppressed: 0 bytes in 0 blocks
==32107== Rerun with --leak-check=full to see details of leaked memory
==32107==
==32107== For counts of detected and suppressed errors, rerun with: -v
==32107== ERROR SUMMARY: 17502 errors from 12 contexts (suppressed: 43 from 9)



> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Rainer Gerhards
> Sent: Wednesday, September 19, 2018 9:53 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] Rsyslog crashing repeated

Re: [rsyslog] Rsyslog crashing repeatedly

2018-09-19 Thread Scot Kreienkamp
It's rsyslog-8.37.0-1.el6.x86_64  on RHEL6, installed from the Adiscon repo at 
http://rpms.adiscon.com/v8-stable/epel-6/x86_64.  This is a production server 
so I have to be cautious but I should be able to.  Any particular switches to 
valgrind you want me to use?  I've never used it before.



> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> Rainer Gerhards
> Sent: Wednesday, September 19, 2018 9:53 AM
> To: rsyslog-users 
> Subject: Re: [rsyslog] Rsyslog crashing repeatedly
>
> Interesting! Version? Installed from? Distro? Can you run it under valgrind?
>
> Rainer
>
> Sent from phone, thus brief.
>
> Scot Kreienkamp wrote on Wed, 19 Sep 2018, 15:47:
>
> > Hi everyone,
> >
> > I'm getting the following errors from dmesg on one of my servers where
> > rsyslog is crashing several times per day at random.  I have no idea how to
> > go about troubleshooting them though.  I can't re-create the segfaults on
> > demand and it's not a config problem.  I did try cleaning everything out of
> > the spool directory thinking it might be a corrupted file but it's still
> > crashing.  Any help in understanding what's going on would be appreciated.
> >
> > traps: in:imfile[17113] general protection ip:7f44fbc01f57 sp:7f44f8758278
> > error:0 in rsyslogd[7f44fbbc5000+9e000]
> > rs:main Q:Reg[4788]: segfault at 7f780008 ip 7f78700b3837 sp
> > 7f785f7fdc48 error 4 in rsyslogd[7f787005b000+9e000]
> > rs:main Q:Reg[29904]: segfault at 7fb2000a ip 7fb2a0744837 sp
> > 7fb28fffec48 error 4 in rsyslogd[7fb2a06ec000+9e000]
> > rs:main Q:Reg[25467]: segfault at 7fed000a ip 7fed90c43837 sp
> > 7fed7fffec48 error 4 in rsyslogd[7fed90beb000+9e000]
> > rs:main Q:Reg[20758]: segfault at 7f54000a ip 7f5502081837 sp
> > 7f54fdbbdc48 error 4 in rsyslogd[7f5502029000+9e000]
> > traps: in:imfile[2193] general protection ip:7f368f71df57 sp:7f368c274278
> > error:0 in rsyslogd[7f368f6e1000+9e000]
> > rs:main Q:Reg[2712]: segfault at 7f02000a ip 7f02a5346837 sp
> > 7f02a0e82c48 error 4 in rsyslogd[7f02a52ee000+9e000]
> > rs:main Q:Reg[20098]: segfault at 7fe70008 ip 7fe77af9b837 sp
> > 7fe776ad7c48 error 4 in rsyslogd[7fe77af43000+9e000]
> > traps: in:imfile[1617] general protection ip:7f756db6ff57 sp:7f756a6c6278
> > error:0 in rsyslogd[7f756db33000+9e000]
> > rs:main Q:Reg[26659]: segfault at 7fec000a ip 7fece4c40837 sp
> > 7fecd3ffec48 error 4 in rsyslogd[7fece4be8000+9e000]
> > rs:main Q:Reg[29470]: segfault at 7fe40008 ip 7fe4659c7837 sp
> > 7fe461503c48 error 4 in rsyslogd[7fe46596f000+9e000]
> > rs:main Q:Reg[18733]: segfault at 7f720008 ip 7f72253f5837 sp
> > 7f7220f31c48 error 4 in rsyslogd[7f722539d000+9e000]
> > traps: in:imfile[9437] general protection ip:7f56b1a2cf57 sp:7f56ae583278
> > error:0 in rsyslogd[7f56b19f+9e000]
> > traps: in:imfile[19045] general protection ip:7fd3bd5bdf57 sp:7fd3ba114278
> > error:0 in rsyslogd[7fd3bd581000+9e000]
> > rs:fwd-rslog_so[27949]: segfault at 180ca6d8 ip 7f6a2925dc7f sp
> > 7f6a0f5fdb10 error 4 in rsyslogd[7f6a29239000+9e000]
> > traps: in:imfile[12569] general protection ip:7f8f0ff85f57 sp:7f8f04adc278
> > error:0 in rsyslogd[7f8f0ff49000+9e000]
> > traps: in:imfile[434] general protection ip:7f19f75daf57 sp:7f19efffa278
> > error:0 in rsyslogd[7f19f759e000+9e000]
> > rs:main Q:Reg[32395]: segfault at 7fd6000a ip 7fd6d0970837 sp
> > 7fd6bfffec48 error 4 in rsyslogd[7fd6d0918000+9e000]
> > rs:main Q:Reg[30511]: segfault at 7fd2000a ip 7fd293518837 sp
> > 7fd28b3fcc48 error 4 in rsyslogd[7fd2934c+9e000]
> > traps: in:imfile[22900] general protection ip:7fd17fe5af57 sp:7fd17c9b1278
> > error:0 in rsyslogd[7fd17fe1e000+9e000]
> > rs:main Q:Reg[28304]: segfault at 7f3f000a ip 7f3fc093d837 sp
> > 7f3fb7ffec48 error 4 in rsyslogd[7f3fc08e5000+9e000]
> > rs:main Q:Reg[2030]: segfault at 7fab000a ip 7fabb1054837 sp
> > 7fabacb90c48 error 4 in rsyslogd[7fabb0ffc000+9e000]
> > rs:main Q:Reg[24618]: segfault at 7fce0008 ip 7fce40c8f837 sp
> > 7fce2fffec48 error 4 in rsyslogd[7fce40c37000+9e000]
> > rs:main Q:Reg[16219]: segfault at 7fa5000a ip 7fa5d36ca837 sp
> > 7fa5cf206c48 error 4 in rsyslogd[7fa5d3672000+9e000]
> > rs:main Q:Reg[7879]: segfault at 7fe80008 ip 7fe824958837 sp

[rsyslog] Rsyslog crashing repeatedly

2018-09-19 Thread Scot Kreienkamp
[7f60c4d36000+9e000]
rs:main Q:Reg[26912]: segfault at 7fa50008 ip 7fa54ad92837 sp 
7fa5468cec48 error 4 in rsyslogd[7fa54ad3a000+9e000]
rs:main Q:Reg[23958]: segfault at 7f830008 ip 7f8383c6f837 sp 
7f837bbfdc48 error 4 in rsyslogd[7f8383c17000+9e000]
rs:main Q:Reg[17899]: segfault at 7f2d0002 ip 7f2e0ded2e84 sp 
7f2e09a0ebb0 error 4 in rsyslogd[7f2e0de7a000+9e000]
traps: in:imfile[1482] general protection ip:7ff28d47ef57 sp:7ff289fd5278 
error:0 in rsyslogd[7ff28d442000+9e000]
rs:main Q:Reg[25618]: segfault at 7f74000a ip 7f74e8d95837 sp 
7f74e48d1c48 error 4 in rsyslogd[7f74e8d3d000+9e000]
traps: in:imfile[16407] trap stack segment ip:7f47c31b52fb sp:7f47bfd08de0 
error:0 in rsyslogd[7f47c3176000+9e000]
rs:main Q:Reg[29778]: segfault at 7f61000a ip 7f61f2ba0837 sp 
7f61ee6dcc48 error 4 in rsyslogd[7f61f2b48000+9e000]
rs:main Q:Reg[6398]: segfault at 7f520002 ip 7f52d2731e84 sp 
7f52ce26dbb0 error 4 in rsyslogd[7f52d26d9000+9e000]


Re: [rsyslog] Line order integrity - is it possible?

2018-07-17 Thread Scot Kreienkamp
Thanks for the in-depth response David. It illustrates very well the problems 
faced in that challenge.  I was hoping there was a way but it sounds like I 
either accept the fact that it could be arriving out of order or I find a 
different way.


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, July 16, 2018 7:33 PM
To: rsyslog-users 
Subject: Re: [rsyslog] Line order integrity - is it possible?

On Mon, 16 Jul 2018, Scot Kreienkamp wrote:

> The logs will be output from a program that will be sent to syslog, most
> likely by piping them into logger, and not written to disk on the client at
> all.  Logger will send them to rsyslog on the local server.  I need to
> transfer them to my central syslog receiver and have them written in the same
> order as the original rsyslog received them on the client.  Is there any way
> to guarantee line order integrity while using queues?  I know the obvious
> answer is not to use queueing, but that seems like a bad idea since I don't
> want to lose any logs also.

rsyslog does not have any mechanism to guarantee in-order delivery, there are
just too many possible things that can re-order logs (from UDP packets 'passing'
each other on networks with redundancy to multi-threaded operation where two
threads are sending different chunks of messages at the same time, to network
outages causing messages to be queued to disk and sent later...)

Given the large number of ways that messages could get mis-ordered, rsyslog has
opted to not make keeping the order a requirement, and has a lot of performance
based features that could cause logs to be re-ordered.

If you had no queues (or disk-only queues), and used relp as your delivery
method, ensured that you never had more than one thread in operation, don't have
redundant delivery paths, set your batch size to 1, and forced a fsync for the
file and directory after each method, you would approach reliable in-order
delivery.

you would also slow down your throughput by a factor of 1000x or more, and since
you are generating the messages by streaming them to logger, you would still
have failure modes that could lose you messages

For in-order delivery you need to tag each message with a monotonically
incrementing number (which is itself something that's hard to do without a lot
of failure modes) and then have something on the receiving end check the numbers
and re-order, de-dup, and detect gaps.

David Lang
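
The receiving-end check David Lang describes (re-order, de-dup and detect gaps on a per-message sequence number), as an added Python example that is not part of the thread and not rsyslog code. The `seq=<n> <payload>` line format, the `Resequencer` class and its `window` setting are assumptions made for the illustration, and it assumes a single sender whose counter never restarts.

```python
import heapq
import re

# Constructed wire format for this example: "seq=<n> <payload>"
TAGGED = re.compile(r"^seq=(\d+) (.*)$")


class Resequencer:
    """Release payloads in sequence order, drop duplicates, record gaps."""

    def __init__(self, first_seq=1, window=4):
        self.next_seq = first_seq   # next sequence number we may write out
        self.window = window        # max messages held back behind a hole
        self._heap = []             # (seq, payload) waiting for earlier numbers
        self._held = set()          # sequence numbers currently in the heap
        self.gaps = []              # (first_missing, last_missing) ranges
        self.duplicates = 0         # repeats of a number already seen
        self.late = []              # arrived after being declared missing

    def push(self, seq, payload):
        """Accept one message; return the payloads that are now safe to write."""
        if seq < self.next_seq:
            if any(lo <= seq <= hi for lo, hi in self.gaps):
                self.late.append(seq)       # too late, the gap is already logged
            else:
                self.duplicates += 1        # already written once
            return []
        if seq in self._held:
            self.duplicates += 1
            return []
        heapq.heappush(self._heap, (seq, payload))
        self._held.add(seq)
        released = self._drain()
        # Too much is waiting behind a hole: declare the hole a gap and move on.
        while len(self._heap) > self.window:
            self._skip_to(self._heap[0][0])
            released += self._drain()
        return released

    def flush(self):
        """End of stream: release everything held, recording remaining gaps."""
        released = []
        while self._heap:
            if self._heap[0][0] != self.next_seq:
                self._skip_to(self._heap[0][0])
            released += self._drain()
        return released

    def _skip_to(self, seq):
        self.gaps.append((self.next_seq, seq - 1))
        self.next_seq = seq

    def _drain(self):
        out = []
        while self._heap and self._heap[0][0] == self.next_seq:
            seq, payload = heapq.heappop(self._heap)
            self._held.discard(seq)
            out.append(payload)
            self.next_seq += 1
        return out


def resequence(lines, window=4):
    """Run tagged lines through a Resequencer; return (ordered payloads, state)."""
    rs = Resequencer(window=window)
    ordered = []
    for line in lines:
        m = TAGGED.match(line)
        if m is None:
            continue                # untagged line: cannot be ordered, skip it
        ordered += rs.push(int(m.group(1)), m.group(2))
    ordered += rs.flush()
    return ordered, rs


# Constructed arrival order: 3 and 4 swapped, 3 delivered twice,
# 6 delayed past the window, 12 never delivered.
ARRIVALS = ["seq=%d step %d" % (n, n)
            for n in (1, 2, 4, 3, 3, 5, 7, 8, 9, 10, 11, 6, 13)]

if __name__ == "__main__":
    ordered, state = resequence(ARRIVALS)
    print("\n".join(ordered))
    print("gaps:", state.gaps, "duplicates:", state.duplicates, "late:", state.late)
```

The window trades latency for tolerance: a larger value waits longer for a delayed message before a gap is recorded and later lines are written.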


[rsyslog] Line order integrity - is it possible?

2018-07-16 Thread Scot Kreienkamp
Hi everyone,

I know with rsyslog queues the logfiles produced can end up with lines in the 
wrong order due to the incoming lines being processed before the lines in the 
queue.   Shortly I'll be working on something where the line ordering is 
important, and it needs to stay in the same order on my central receiver as it 
is on the client that's sending it.

The logs will be output from a program that will be sent to syslog, most likely 
by piping them into logger, and not written to disk on the client at all.  
Logger will send them to rsyslog on the local server.  I need to transfer them 
to my central syslog receiver and have them written in the same order as the 
original rsyslog received them on the client.  Is there any way to guarantee 
line order integrity while using queues?  I know the obvious answer is not to 
use queueing, but that seems like a bad idea since I don't want to lose any 
logs also.

Thanks!


Re: [rsyslog] rsyslog 8.36.0 (v8-stable) released

2018-06-26 Thread Scot Kreienkamp
Just FYI, the changelog link still shows 8.35, last updated May 14th.


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Florian 
Riedl
Sent: Tuesday, June 26, 2018 10:38 AM
To: rsyslog-users 
Subject: [rsyslog] rsyslog 8.36.0 (v8-stable) released

Hi all,

today, we release rsyslog 8.36.0.

The biggest enhancement is that rsyslog now provides support for openssl
for encryption in addition to the existing gnutls driver. For the packages
there will be an additional package called rsyslog-openssl, while
self-building users can enable this by running the configure with
--enable-openssl. Openssl support is currently still experimental, but will
become the preferred TLS driver. Feedback about this is especially
appreciated.

Some time in the future, we will also retire support for liblogging-stdlog,
as we suspected it is never used in practice. The plan is to disable use of
liblogging-stdlog by default during configure. So users (and distros!) can
still opt-in to have it enabled if they desire. A couple of releases later,
we want to completely remove the functionality, except if desire has
been shown in the meantime which justifies keeping liblogging-stdlog.

There were also a lot of bugfixes added to this release, so please make
sure to read the changelog.
ChangeLog:

https://github.com/rsyslog/rsyslog/blob/v8-stable/ChangeLog

Download:

http://www.rsyslog.com/downloads/download-v8-stable/

As always, feedback is appreciated.

Best regards,
Florian Riedl


Re: [rsyslog] Queue stops writing to disk

2018-05-07 Thread Scot Kreienkamp
I have SELinux disabled on this server.  Too many problems with it and there's 
no security requirement where it sits in our network.

I'll check the number of messages later, have to wait for it to occur again.


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, May 7, 2018 2:23 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Queue stops writing to disk

On Mon, 7 May 2018, Scot Kreienkamp wrote:

> The only action I see in that config that isn't named is the email one, and
> that shouldn't be hitting any more.  I'm going through the config this morning
> and trying to put names on anything missing in any file.

that helps

> Would the stuck action be in that ruleset or could it be in another ruleset?

We are seeing messages going into this ruleset, which has its own queue. So if
that queue is building up, there needs to be something inside this ruleset that
is blocking or not keeping up.

IIRC, it is showing no messages being processed by any of the actions inside
this ruleset. The difficulty is figuring out why. Is there any chance that
permissions (including SELinux permissions) have gotten broken on any of the
files?

can you check the queue stats, make sure that the size is increasing by the
number of enqueued messages, not by some smaller amount that would indicate that
messages are being processed, just slowly.

you have retries=2, which should make everything keep working (just slowing down
and losing logs)

David Lang

> There's about 19 different config files with 200-300 actions in them.  It's
> our central syslog repository.
>
>
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
> Lang
> Sent: Friday, May 4, 2018 5:20 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Queue stops writing to disk
>
> Ok, that helps.
>
> the one thing I notice is that your e-mail action at the top doesn't have a
> queue on it, so if your mail server can't keep up, you can fall behind and
> start queuing.
>
> It's also one of the few actions that doesn't have a name on it, so it's hard
> to find in the logs. (it looks like it and action 283 are part of what you
> stripped out of the log, they don't show up after 10:30)
>
>
>  On Fri, 4 May 2018, Scot Kreienkamp wrote:
>
>> Date: Fri, 4 May 2018 18:42:12 +
>> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] Queue stops writing to disk
>>
>> Thought that part of my config would help too...
>>
>> https://pastebin.com/smQnxpDZ
>>
>>
>>
>>
>> -Original Message-
>> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
>> Lang
>> Sent: Thursday, May 3, 2018 5:41 PM
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] Queue stops writing to disk
>>
>> it's good that you have impstats running, it will let us track this down
>>
>> what you need to look for is to find which of the 13 if statements inside the
>> ruleset are getting blocked and preventing the ruleset from progressing. If
>> those are action() statements you can name them to make them easy to find in
>> the pstats output, otherwise they will just be Action number.
>>
>> David Lang
>>
>>
>>  On Thu, 3 May 2018, Scot
>> Kreienkamp wrote:
>>
>>> Date: Thu, 3 May 2018 16:52:36 +
>>> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
>>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>>> Subject: [rsyslog] Queue stops writing to disk
>>>
>>> Hi everyone,
>>>
>>> I keep running into a situation where a queue will just stop processing 
>>> until rsyslog is restarted, and I can't figure out why.  Any help would be 
>>> a
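
The queue-stats check suggested in this thread (does `size` grow by the full `enqueued` count, or by a smaller amount?), as an added Python example that is not part of the thread and not an rsyslog tool. It assumes impstats reports per-interval counters (pass `cumulative=True` otherwise); the host name, queue name and numbers in the sample lines are constructed, in the format of the pstats lines posted in this thread.

```python
import re

# Matches the core.queue lines that impstats writes via syslog.
PSTATS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\srsyslogd-pstats:\s"
    r"(?P<name>.+?):\sorigin=core\.queue\s(?P<kv>.+)$"
)


def parse_queue_stats(line):
    """Return (timestamp, queue name, {counter: int}) or None for other lines."""
    m = PSTATS_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        fields[key] = int(value)
    return m.group("ts"), m.group("name"), fields


def classify_intervals(lines, cumulative=False):
    """Compare consecutive samples of each queue.

    dequeued = messages enqueued in the interval - growth of the queue size.
      stalled: a backlog exists and nothing left the queue in the interval
      slow:    messages are leaving, but fewer than arrive (backlog grows)
      ok:      the queue is keeping up or draining
    Returns a list of (timestamp, queue, status, dequeued).
    """
    previous = {}
    findings = []
    for line in lines:
        parsed = parse_queue_stats(line)
        if parsed is None:
            continue
        ts, name, cur = parsed
        prev = previous.get(name)
        previous[name] = cur
        if prev is None:
            continue                      # first sample is only a baseline
        growth = cur["size"] - prev["size"]
        enqueued = cur["enqueued"]
        if cumulative:
            enqueued -= prev["enqueued"]
            if enqueued < 0:
                continue                  # counter reset (restart): no comparison
        dequeued = enqueued - growth
        if cur["size"] > 0 and dequeued <= 0:
            status = "stalled"
        elif growth > 0:
            status = "slow"
        else:
            status = "ok"
        findings.append((ts, name, status, dequeued))
    return findings


# Constructed sample (host and queue names are placeholders).
TAIL = "full=0 discarded.full=0 discarded.nf=0"
SAMPLE = [
    "May  3 10:20:07 loghost.example rsyslogd-pstats: AppQ[DA]: origin=core.queue size=0 enqueued=0 %s maxqsize=0" % TAIL,
    "May  3 10:20:07 loghost.example rsyslogd-pstats: AppQ: origin=core.queue size=0 enqueued=5000 %s maxqsize=3695" % TAIL,
    "May  3 10:30:08 loghost.example rsyslogd-pstats: AppQ[DA]: origin=core.queue size=0 enqueued=0 %s maxqsize=0" % TAIL,
    "May  3 10:30:08 loghost.example rsyslogd-pstats: AppQ: origin=core.queue size=4000 enqueued=6000 %s maxqsize=4000" % TAIL,
    "May  3 10:40:08 loghost.example rsyslogd-pstats: AppQ: origin=core.queue size=4600 enqueued=600 %s maxqsize=4600" % TAIL,
    "May  3 10:50:08 loghost.example rsyslogd-pstats: AppQ: origin=core.queue size=5200 enqueued=600 %s maxqsize=5200" % TAIL,
]

if __name__ == "__main__":
    for ts, name, status, dequeued in classify_intervals(SAMPLE):
        print("%s  %-10s %-8s dequeued=%d" % (ts, name, status, dequeued))
```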

Re: [rsyslog] Queue stops writing to disk

2018-05-07 Thread Scot Kreienkamp
The only action I see in that config that isn't named is the email one, and 
that shouldn't be hitting any more.  I'm going through the config this morning 
and trying to put names on anything missing in any file.

Would the stuck action be in that ruleset or could it be in another ruleset?  
There's about 19 different config files with 200-300 actions in them.  It's our 
central syslog repository.


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Friday, May 4, 2018 5:20 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Queue stops writing to disk

Ok, that helps.

the one thing I notice is that your e-mail action at the top doesn't have a
queue on it, so if your mail server can't keep up, you can fall behind and start
queuing.

It's also one of the few actions that doesn't have a name on it, so it's hard to
find in the logs. (it looks like it and action 283 are part of what you stripped
out of the log, they don't show up after 10:30)


  On Fri, 4 May 2018, Scot Kreienkamp wrote:

> Date: Fri, 4 May 2018 18:42:12 +
> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Queue stops writing to disk
>
> Thought that part of my config would help too...
>
> https://pastebin.com/smQnxpDZ
>
>
>
>
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
> Lang
> Sent: Thursday, May 3, 2018 5:41 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Queue stops writing to disk
>
> it's good that you have impstats running, it will let us track this down
>
> what you need to look for is to find which of the 13 if statements inside the
> ruleset are getting blocked and preventing the ruleset from progressing. If
> those are action() statements you can name them to make them easy to find in
> the pstats output, otherwise they will just be Action number.
>
> David Lang
>
>
>  On Thu, 3 May 2018, Scot
> Kreienkamp wrote:
>
>> Date: Thu, 3 May 2018 16:52:36 +
>> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: [rsyslog] Queue stops writing to disk
>>
>> Hi everyone,
>>
>> I keep running into a situation where a queue will just stop processing 
>> until rsyslog is restarted, and I can't figure out why.  Any help would be 
>> appreciated.
>>
>> I've moved some of my incoming messages to its own queue so it doesn't 
>> affect everything in the main queue, but occasionally this queue will just 
>> go into queueing mode and quit writing to disk until rsyslog is restarted.  
>> It happens at seemingly random times, as much as a month apart or as close 
>> as two hours later.  I've run the pstats through the analyzer and it found 
>> nothing.  Here's the pstats of that queue from an occurrence this morning 
>> when it quit writing to disk:
>>
>> May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
>> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
>> maxqsize=0
>> May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
>> origin=core.queue size=0 enqueued=2067518 full=0 discarded.full=0 
>> discarded.nf=0 maxqsize=3695
>> May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
>> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
>> maxqsize=0
>> May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
>> origin=core.queue size=0 enqueued=2337424 full=0 discarded.full=0 
>> discarded.nf=0 maxqsize=3695
>> May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
>> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
>> maxqsize=0
>> May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
>> origin=core.queue size=0 enqueued=2457977 full=0 discarded.full=0 
>> discarded.nf=0 maxqsize=3695
>> May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
>> origin=core.queue size=0 enqueued=0 fu

Re: [rsyslog] Queue stops writing to disk

2018-05-04 Thread Scot Kreienkamp
Thought that part of my config would help too...

https://pastebin.com/smQnxpDZ




-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, May 3, 2018 5:41 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Queue stops writing to disk

it's good that you have impstats running, it will let us track this down

what you need to look for is to find which of the 13 if statements inside the
ruleset are getting blocked and preventing the ruleset from progressing. If
those are action() statements you can name them to make them easy to find in the
pstats output, otherwise they will just be Action number.

David Lang


  On Thu, 3 May 2018, Scot
Kreienkamp wrote:

> Date: Thu, 3 May 2018 16:52:36 +
> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: [rsyslog] Queue stops writing to disk
>
> Hi everyone,
>
> I keep running into a situation where a queue will just stop processing until 
> rsyslog is restarted, and I can't figure out why.  Any help would be 
> appreciated.
>
> I've moved some of my incoming messages to its own queue so it doesn't affect 
> everything in the main queue, but occasionally this queue will just go into 
> queueing mode and quit writing to disk until rsyslog is restarted.  It 
> happens at seemingly random times, as much as a month apart or as close as 
> two hours later.  I've run the pstats through the analyzer and it found 
> nothing.  Here's the pstats of that queue from an occurrence this morning 
> when it quit writing to disk:
>
> May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=2067518 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=2337424 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=2457977 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=1333045 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=175505 enqueued=194024 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=175505
> May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=176105 enqueued=600 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=176105
> May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=176705 enqueued=600 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=176705
> May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=177305 enqueued=600 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=177305
> May  3 11:10:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 11:10:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-15

Re: [rsyslog] Queue stops writing to disk

2018-05-04 Thread Scot Kreienkamp
I put the full impstats output up on https://pastebin.com/Yr2vvLck, hopefully 
you can spot something I'm missing.  I filtered out the noise (all the lines 
where everything equals zero), otherwise it's all there.  The problem was first 
noticed at 10:30am so I posted the 10am to 11am impstats output.


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, May 3, 2018 5:41 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Queue stops writing to disk

it's good that you have impstats running, it will let us track this down

what you need to look for is to find which of the 13 if statements inside the
ruleset are getting blocked and preventing the ruleset from progressing. If
those are action() statements you can name them to make them easy to find in the
pstats output, otherwise they will just be Action number.

David Lang


On Thu, 3 May 2018, Scot Kreienkamp wrote:

> Date: Thu, 3 May 2018 16:52:36 +
> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: [rsyslog] Queue stops writing to disk
>
> Hi everyone,
>
> I keep running into a situation where a queue will just stop processing until 
> rsyslog is restarted, and I can't figure out why.  Any help would be 
> appreciated.
>
> I've moved some of my incoming messages to its own queue so it doesn't affect 
> everything in the main queue, but occasionally this queue will just go into 
> queueing mode and quit writing to disk until rsyslog is restarted.  It 
> happens at seemingly random times, as much as a month apart or as close as 
> two hours later.  I've run the pstats through the analyzer and it found 
> nothing.  Here's the pstats of that queue from an occurrence this morning 
> when it quit writing to disk:
>
> May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=2067518 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=2337424 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=2457977 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=0 enqueued=1333045 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=3695
> May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=175505 enqueued=194024 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=175505
> May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=176105 enqueued=600 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=176105
> May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=176705 enqueued=600 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=176705
> May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
> origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
> maxqsize=0
> May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
> origin=core.queue size=177305 enqueued=600 full=0 discarded.full=0 
> discarded.nf=0 maxqsize=177305
> May  3 11:10:08

[rsyslog] Queue stops writing to disk

2018-05-03 Thread Scot Kreienkamp
Hi everyone,

I keep running into a situation where a queue will just stop processing until 
rsyslog is restarted, and I can't figure out why.  Any help would be 
appreciated.

I've moved some of my incoming messages to its own queue so it doesn't affect 
everything in the main queue, but occasionally this queue will just go into 
queueing mode and quit writing to disk until rsyslog is restarted.  It happens 
at seemingly random times, as much as a month apart or as close as two hours 
later.  I've run the pstats through the analyzer and it found nothing.  Here's 
the pstats of that queue from an occurrence this morning when it quit writing 
to disk:

May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 09:50:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=0 enqueued=2067518 full=0 discarded.full=0 
discarded.nf=0 maxqsize=3695
May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 10:00:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=0 enqueued=2337424 full=0 discarded.full=0 
discarded.nf=0 maxqsize=3695
May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 10:10:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=0 enqueued=2457977 full=0 discarded.full=0 
discarded.nf=0 maxqsize=3695
May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=0 enqueued=1333045 full=0 discarded.full=0 
discarded.nf=0 maxqsize=3695
May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=175505 enqueued=194024 full=0 discarded.full=0 
discarded.nf=0 maxqsize=175505
May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=176105 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=176105
May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=176705 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=176705
May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=177305 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=177305
May  3 11:10:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 11:10:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=177905 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=177905
May  3 11:20:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 11:20:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=178505 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=178505
May  3 11:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 11:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=179105 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=179105
May  3 11:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]: 
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0 
maxqsize=0
May  3 11:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531: 
origin=core.queue size=179705 enqueued=600 full=0 discarded.full=0 
discarded.nf=0 maxqsize=179705


The truncated config for the queue is:

ruleset(name="Net-1531"
queue.type="LinkedList"
queue.size="25"
queue.discardmark="20"
queue.dequeueBatchSize="2048"
queue.workerThreads="1"
queue.workerThreadMinimumMessages="5"
queue.filename="Net-1531"
){

13 if statements that determine where to log the info to

}
input(type="imudp" port="
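
A way to read the pstats records in this thread mechanically, as an added example that is not part of any post: it recomputes how many messages each queue dequeued per interval (enqueued minus the change in size) and reports queues that have stopped draining. It assumes the impstats counters are reset every interval, which the falling `enqueued` values in the post suggest; `unwrap`, `parse` and `find_stalls` are names chosen here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the post: Net-1531 records as the mail archive wraps them,
# one of them with reply quoting, plus the cut-off last record.
SAMPLE = """\
May  3 10:20:07 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531:
origin=core.queue size=0 enqueued=1333045 full=0 discarded.full=0
discarded.nf=0 maxqsize=3695
May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531[DA]:
origin=core.queue size=0 enqueued=0 full=0 discarded.full=0 discarded.nf=0
maxqsize=0
May  3 10:30:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531:
origin=core.queue size=175505 enqueued=194024 full=0 discarded.full=0
discarded.nf=0 maxqsize=175505
> May  3 10:40:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531:
> origin=core.queue size=176105 enqueued=600 full=0 discarded.full=0
> discarded.nf=0 maxqsize=176105
May  3 10:50:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531:
origin=core.queue size=176705 enqueued=600 full=0 discarded.full=0
discarded.nf=0 maxqsize=176705
May  3 11:00:08 monvsyslog.na.lzb.hq rsyslogd-pstats: Net-1531:
origin=core.queue size=177305 enqueued=600 full=0 discarded.full=0
discarded.nf=0 maxqsize=177305
May  3 11:10:08
"""

START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\s|$)")
RECORD = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ rsyslogd-pstats: "
                    r"(.+?): origin=core\.queue (.*)$")


@dataclass
class Sample:
    ts: str
    name: str
    size: int
    enqueued: int


@dataclass
class Stall:
    name: str
    since: str      # timestamp of the first interval with nothing dequeued
    intervals: int  # consecutive stalled intervals up to the end of the data
    backlog: int    # queue size in the last sample


def unwrap(text):
    """Strip '>' quoting and join mail-wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()
        if not line:
            continue
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(records):
    """Turn core.queue records into Samples; skip anything else or cut off."""
    samples = []
    for rec in records:
        m = RECORD.match(rec)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
        if kv.get("size", "").isdigit() and kv.get("enqueued", "").isdigit():
            samples.append(Sample(m.group(1), m.group(2),
                                  int(kv["size"]), int(kv["enqueued"])))
    return samples


def find_stalls(samples, counters_reset=True):
    """Report queues that hold a backlog and dequeued nothing at the end."""
    by_queue = defaultdict(list)
    for s in samples:
        by_queue[s.name].append(s)
    stalls = []
    for name, series in by_queue.items():
        run = []
        for prev, cur in zip(series, series[1:]):
            enq = cur.enqueued if counters_reset else cur.enqueued - prev.enqueued
            dequeued = enq - (cur.size - prev.size)
            run = run + [cur] if cur.size > 0 and dequeued <= 0 else []
        if run:
            stalls.append(Stall(name, run[0].ts, len(run), run[-1].size))
    return stalls


if __name__ == "__main__":
    for stall in find_stalls(parse(unwrap(SAMPLE))):
        print(stall)
```

On these records the 10:30 interval still dequeued 18519 messages, so the queue stopped draining during that interval and every later interval shows the backlog growing by exactly the 600 messages enqueued.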

Re: [rsyslog] Can a single logfile be part of multiple imfile configs?

2018-01-26 Thread Scot Kreienkamp


> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of
> deoren
> Sent: Friday, January 26, 2018 4:36 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Can a single logfile be part of multiple imfile 
> configs?
>
> On 1/26/2018 3:29 PM, Scot Kreienkamp wrote:
> > Hi everyone,
> >
> > My basic question: Can the same logfile be used in two imfile inputs?
>
>
> There may be other ways of doing this, but this comes to mind:



There are other ways of doing it, and I know another way that would work 
better.  This config is driven through puppet and that's the current structure. 
 Right now I'm just trying to understand why it's not working so I know how to 
refactor the puppet module.  I don't want to make any wrong assumptions, quite 
possibly like I already did.



[rsyslog] Can a single logfile be part of multiple imfile configs?

2018-01-26 Thread Scot Kreienkamp
Hi everyone,

My basic question: Can the same logfile be used in two imfile inputs?

I have a single logfile that I need to send to two distinct destinations.  
The config is stored in a single file, so I just duplicated that file and 
changed the naming of the rules and stuff in it so there would be no collision. 
 This resulted in two paragraphs like so (for brevity, I removed the actual 
ruleset being called):


input(type="imfile"
file="/opt/oracle/domains/py/soa_domain/mserver/soa_domain/servers/vm_bam_server1/logs/vm_bam_server1.out"
tag="rslog_soapy1_bam1out:"
facility="local6"
PersistStateInterval="100"
ruleset="Rule-splunk_soapy1_bam1out"
reopenOnTruncate="on"
)

input(type="imfile"
file="/opt/oracle/domains/py/soa_domain/mserver/soa_domain/servers/vm_bam_server1/logs/vm_bam_server1.out"
tag="rslog_soapy1_bam1out:"
facility="local6"
PersistStateInterval="100"
ruleset="Rule-rslog_soapy1_bam1out"
reopenOnTruncate="on"
)


What I'm seeing is that the content is not being sent to the second 
destination.  So does this mean that a logfile can only be used in a single 
imfile input?


Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread Scot Kreienkamp
Yep, Rainer confirmed that I can go into the megabytes in size; I had mine set 
to 128k as I had read somewhere in the mail archive that was the max.  Or maybe 
it was the max for RELP, not sure as that was at least a year ago.  Either way, 
I don't use RELP so I'm at 4 megs now and it shouldn't be a problem anymore.

Thanks!


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, November 9, 2017 3:20 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] preserving metadata on message split

increase the max message size so that the messages don't get split?

what is the source of the messages? (TCP, UDP, imfile, etc)

David Lang

On Thu, 9 Nov 2017, Scot Kreienkamp wrote:

> Hi David,
>
> Any ideas on any way to get around this if there's no way to preserve the 
> metadata on an oversized message?
>
>
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
> Lang
> Sent: Monday, November 6, 2017 4:49 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] preserving metadata on message split
>
> No, because when the message hits the max size, the processing of the next
> message (which is a fragment) is completely independent of the first message.
>
> now, if this is a message where the metadata should be available in processing
> the second fragment, I agree that it should be available.
>
> can you give an example of a message where the metadata is lost?
>
> David Lang
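
The failure mode this thread describes, as an added example (a simplified model written for this page, not rsyslog's parser): a message longer than the size limit is cut, the remainder is handled as an independent message, and its first token ends up as %HOSTNAME% in the dynafile path. The header regex, the first-token fallback and all function names are assumptions of the model; the listing is a subset of the `ls -l` output posted in the thread and the oversized message is constructed.

```python
import re

# Subset of the `ls -l /opt/syslog` output posted in the thread.
LISTING = """\
drwxr-xr-x 2 root root   32 Nov  6 12:00 15099876135432
drwxr-xr-x 2 root root   40 Nov  6 12:01 15099876755432
drwxr-xr-x 2 root root 4096 Nov  6 00:55 dayaglpd01.na.lzb.hq
drwxr-xr-x 3 root root 4096 Nov  6 00:55 corpvely.na.lzb.hq
drwxr-xr-x 2 root root   32 Oct 31 09:01 sax
"""

# Constructed oversized message: a normal header, a long body, and a tail that
# starts with a number like the directory names seen in the listing.
HEAD = "<134>Nov  6 12:00:16 dayaglpd01.na.lzb.hq oracle: " + "x" * 200
TAIL = "15099876135432 remainder of the record"
RAW = HEAD + TAIL

# "<PRI>Mmm dd hh:mm:ss HOST rest" (model of a traditional syslog header)
HEADER = re.compile(r"<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) .*",
                    re.S)


def split_at_limit(raw, max_message_size):
    """Cut one message into pieces no longer than the configured limit."""
    return [raw[i:i + max_message_size]
            for i in range(0, len(raw), max_message_size)]


def hostname_of(piece):
    """HOSTNAME as the model sees it; each piece is parsed on its own."""
    m = HEADER.fullmatch(piece)
    if m:
        return m.group(1)
    # Model assumption: without a header the first token is taken as HOSTNAME.
    return piece.split(" ", 1)[0]


def dynafile(hostname, date):
    """Template from the thread: /opt/syslog/%HOSTNAME%/messages-YYYY-MM-DD."""
    return f"/opt/syslog/{hostname}/messages-{date}"


def files_written(raw, max_message_size, date):
    """Paths one received message ends up in for a given size limit."""
    return [dynafile(hostname_of(piece), date)
            for piece in split_at_limit(raw, max_message_size)]


def dir_names(listing):
    """Directory names from `ls -l` output (last column of 'd' entries)."""
    return [line.split()[-1] for line in listing.splitlines()
            if line.startswith("d")]


def suspect_dirs(names, suffix=".na.lzb.hq"):
    """Directories not under the site's host suffix, i.e. likely fragments."""
    return [name for name in names if not name.endswith(suffix)]


if __name__ == "__main__":
    print(files_written(RAW, len(HEAD), "2017-11-06"))         # limit too small
    print(files_written(RAW, 4 * 1024 * 1024, "2017-11-06"))   # 4 MiB limit
    print(suspect_dirs(dir_names(LISTING)))
```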


Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread Scot Kreienkamp
I have no plans to use RELP so I'll try setting it to 2 meg then.  That should 
give it plenty of overhead, more than enough to resolve it for now.  I have no 
control over the message size, it's whatever Oracle spits out.

The limits for rsyslog and relp would be good info to add to the docu.

Thanks!


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer 
Gerhards
Sent: Thursday, November 9, 2017 11:27 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] preserving metadata on message split

larger than 128k currently seems to be a problem when RELP is used.
Otherwise, we have configs which actually have set it to a couple of
MB (and occasionally use it).

Rainer

2017-11-09 17:25 GMT+01:00 deoren
<rsyslog-users-lists.adiscon@whyaskwhy.org>:
> On 11/9/2017 10:24 AM, Scot Kreienkamp wrote:
>>
>> I have it set at 128k now... I thought I read in the list archives that
>> was the maximum value?
>
>
> https://github.com/rsyslog/rsyslog/issues/1741
>
> Looks like it (for now).
>
>


Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread Scot Kreienkamp
I have it set at 128k now... I thought I read in the list archives that was the 
maximum value?


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer 
Gerhards
Sent: Thursday, November 9, 2017 10:00 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] preserving metadata on message split

2017-11-09 14:46 GMT+01:00 Scot Kreienkamp <scot.kreienk...@la-z-boy.com>:
> Hi David,
>
> Any ideas on any way to get around this if there's no way to preserve the 
> metadata on an oversized message?

You need to increase the message size. It's a simple config parameter
[global(maxmessagesize="xx")] I mean.

Rainer
>
>
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
> Lang
> Sent: Monday, November 6, 2017 4:49 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] preserving metadata on message split
>
> No, because when the message hits the max size, the processing of the next
> message (which is a fragment) is completely independent of the first message.
>
> now, if this is a message where the metadata should be available in processing
> the second fragment, I agree that it should be available.
>
> can you give an example of a message where the metadata is lost?
>
> David Lang


Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread Scot Kreienkamp
Nope, just using TCP as the transport, nothing additional like RELP.


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of deoren
Sent: Thursday, November 9, 2017 10:07 AM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] preserving metadata on message split

On 11/9/2017 9:00 AM, Rainer Gerhards wrote:
> 2017-11-09 14:46 GMT+01:00 Scot Kreienkamp <scot.kreienk...@la-z-boy.com>:
>> Hi David,
>>
>> Any ideas on any way to get around this if there's no way to preserve the 
>> metadata on an oversized message?
>
> You need to increase the message size. It's a simple config parameter
> [global(maxmessagesize="xx")] I mean.
>
> Rainer

Scot,

I didn't see in your previous posts whether you're using RELP for
sending/receiving messages, but just in case you are, please be aware
that there appears to be a bug where imrelp does not use the
maxmessagesize value. Instead, you will have to set imrelp's MaxDataSize
parameter value (in my case equal to maxmessagesize).

More info:

https://github.com/rsyslog/rsyslog/issues/1782#issuecomment-339124192



Re: [rsyslog] preserving metadata on message split

2017-11-09 Thread Scot Kreienkamp
Hi David,

Any ideas on any way to get around this if there's no way to preserve the 
metadata on an oversized message?


-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, November 6, 2017 4:49 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] preserving metadata on message split

No, because when the message hits the max size, the processing of the next
message (which is a fragment) is completely independent of the first message.

now, if this is a message where the metadata should be available in processing
the second fragment, I agree that it should be available.

can you give an example of a message where the metadata is lost?

David Lang


Re: [rsyslog] preserving metadata on message split

2017-11-06 Thread Scot Kreienkamp
I have lots of them on my system but I can't give the individual message, just 
the results of the metadata not being present.

Here's my template example again:

template (name="messages" type="string" 
string="/opt/syslog/%HOSTNAME%/messages-%$YEAR%-%$MONTH%-%$DAY%")

Following the template, this is an ls -l in /opt/syslog:

drwxr-xr-x 2 root root   32 Nov  6 10:00 15099804145432
drwxr-xr-x 2 root root   32 Nov  6 11:00 15099840135432
drwxr-xr-x 2 root root   32 Nov  6 12:00 15099876035432
drwxr-xr-x 2 root root   32 Nov  6 12:00 15099876135432
drwxr-xr-x 2 root root   40 Nov  6 12:01 15099876755432
drwxr-xr-x 2 root root   40 Nov  6 13:00 15099912135432
drwxr-xr-x 2 root root   40 Nov  6 14:00 15099948155432
drwxr-xr-x 2 root root   40 Nov  6 15:00 15099984135432
drwxr-xr-x 2 root root   32 Nov  6 16:00 15100020135432
drwxr-xr-x 2 root root   40 Nov  6 17:00 15100056185432
drwxr-xr-x 3 root root 4096 Nov  6 00:55 corpvely.na.lzb.hq
drwxr-xr-x 2 root root 4096 Nov  6 00:55 corpvskreienfs1.na.lzb.hq
drwxr-xr-x 2 root root 4096 Nov  6 00:55 corpvskreienfs2.na.lzb.hq
drwxr-xr-x 3 root root 4096 Nov  6 00:55 corpvskreienl.na.lzb.hq
drwxr-xr-x 2 root root 4096 Nov  6 00:55 dayaglecpd.na.lzb.hq
drwxr-xr-x 2 root root 4096 Nov  6 00:55 dayaglpd01.na.lzb.hq
drwxr-xr-x 2 root root 4096 Nov  6 00:55 dayaglpd02.na.lzb.hq
drwxr-xr-x 2 root root   32 Oct 31 09:01 sax
drwxr-xr-x 2 root root   40 Oct 31 09:02 schema

And the contents of one directory:
[skreien@monvsyslog 15099876135432]$ cat messages-2017-11-06
Nov  6 12:00:16 15099876135432

Anything that ends in .na.lzb.hq is correct, anything that isn't is picking up 
the value from a split message.  I know this because I get messages in my 
system logs about messages being split.  Underneath all the incorrect folder 
names is a messages file following the template correctly, but because the 
HOSTNAME metadata is not available it tries to pick it up from the fragment 
that's left since it's processing it as a separate message, so of course it's 
wrong.



Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, November 6, 2017 4:49 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] preserving metadata on message split

No, because when the message hits the max size, the processing of the next
message (which is a fragment) is completely independent of the first message.

now, if this is a message where the metadata should be available in processing
the second fragment, I agree that it should be available.

can you give an example of a message where the metadata is lost?

David Lang


[rsyslog] preserving metadata on message split

2017-11-06 Thread Scot Kreienkamp
Hey all,

When messages are split due to size the metadata seems to go with the first 
part of the message.  I'm doing hostname based logging, so when a message is 
split the metadata it needs to log the rest of the message to the correct file 
is gone.  Is there any way to preserve that metadata, so the rest of the 
message is appended to the same logfile as the first part?

Here's my file template:
template (name="DailyPerHostDebugAll" type="string" 
string="/opt/syslog/%HOSTNAME%/debug-%$YEAR%-%$MONTH%-%$DAY%")

Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | 
scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy


Re: [rsyslog] Split messages options

2017-07-10 Thread Scot Kreienkamp
From my config text, I'm not writing a disk queue so that won't be a problem, 
and my network queues I'm assuming are single threaded by default so that 
shouldn't be a problem either.

ruleset(name="RMS-Ecomm-1514-1531"){
action(
name="omfile-Ecomm.log"
type="omfile"
dynafilecachesize="5"
DynaFile="DailyPerHostLogEcomm"
template="msgonly-no1sp"
ioBufferSize="64k"
flushOnTXEnd="off"
asyncWriting="on"
dirCreateMode="0755"
)
action(
name="fwd-monvsyslog-1531"
type="omfwd"
Target="monvsyslog.na.lzb.hq"
Port="1531"
Protocol="tcp"
template="RMS-ForwardEcomm"
)
stop
}

input(type="imudp" port="1514" address="127.0.0.1" 
ruleset="RMS-Ecomm-1514-1531")
input(type="imptcp" port="1514" address="127.0.0.1" 
ruleset="RMS-Ecomm-1514-1531")





Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, July 10, 2017 5:12 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Split messages options

If you have multiple threads working to process messages, thread 1 will grab
messages 1-10 and start processing them, thread 2 will grab messages 11-20 and
start processing them in parallel, so ordering will be lost.

avoid using multiple threads when processing them, and you avoid that problem.

If logs get written to a disk queue, when new messages arrive they are processed
first, and messages from the queue get read and processed interspersed with the
new messages. The only way to avoid this problem is to not use a disk queue.

David Lang

On Mon, 10 Jul 2017, Scot Kreienkamp wrote:

> Yep, understood on the ordering.  Log4j is sending to rsyslog@localhost via 
> UDP, rsyslog is relaying via TCP.  For my usage, vast majority of the time is 
> just fine.
>
> I would have assumed that rsyslog would attempt processing of messages from 
> any queue in the order received though...  No?
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
> Lang
> Sent: Monday, July 10, 2017 4:56 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Split messages options
>
> note that there is some potential for messages to get out of order (over the
> network with UDP, and inside rsyslog if you use disk queues or multiple 
> threads)
>
> UDP messages can be dropped if the network is busy as well (by any
> router/firewall or receiving host)
>
> but the vast majority of the time, everything will be in order.
>
> David Lang
>
> On Mon, 10 Jul 2017, Scot Kreienkamp wrote:
>
>> Date: Mon, 10 Jul 2017 20:49:42 +
>> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] Split messages options
>>
>> That makes sense, I wasn't aware of the limitation in log4j.  And yes, it is 
>> a very old implementation and getting them to update would likely take 
>> years.  :-)
>>
>> In my case I'm transporting the logfile from the prod servers to a common 
>> collector server internally that the devs can have access to; all I need to 
>> do is reconstitute the file exactly as is on the other side.  I'll change 
>> syslogappender to a non-default port and use a custom template to forward it 
>> on so I can force the correct tag on all forwarded messages, that way the 
>> splitting won't matter and the logfile will be written on the destination 
>> exactly as the source.  That will solve my problem for now.
>>
>> Thanks for the bit about log4j.  I'll have to do some more research there.
>>
>>
>> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
>> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
>> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com

Re: [rsyslog] Split messages options

2017-07-10 Thread Scot Kreienkamp
Yep, understood on the ordering.  Log4j is sending to rsyslog@localhost via 
UDP, rsyslog is relaying via TCP.  For my usage, vast majority of the time is 
just fine.

I would have assumed that rsyslog would attempt processing of messages from any 
queue in the order received though...  No?


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, July 10, 2017 4:56 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Split messages options

note that there is some potential for messages to get out of order (over the
network with UDP, and inside rsyslog if you use disk queues or multiple threads)

UDP messages can be dropped if the network is busy as well (by any
router/firewall or receiving host)

but the vast majority of the time, everything will be in order.

David Lang

On Mon, 10 Jul 2017, Scot Kreienkamp wrote:

> Date: Mon, 10 Jul 2017 20:49:42 +
> From: Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Split messages options
>
> That makes sense, I wasn't aware of the limitation in log4j.  And yes, it is 
> a very old implementation and getting them to update would likely take years. 
>  :-)
>
> In my case I'm transporting the logfile from the prod servers to a common 
> collector server internally that the devs can have access to; all I need to 
> do is reconstitute the file exactly as is on the other side.  I'll change 
> syslogappender to a non-default port and use a custom template to forward it 
> on so I can force the correct tag on all forwarded messages, that way the 
> splitting won't matter and the logfile will be written on the destination 
> exactly as the source.  That will solve my problem for now.
>
> Thanks for the bit about log4j.  I'll have to do some more research there.
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David 
> Lang
> Sent: Monday, July 10, 2017 4:38 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Split messages options
>
> ahh, if this is a very old log4j, it will refuse to send UDP messages >1K in
> size, so it splits things before they get to rsyslog, and your maxmessagesize
> isn't going to help.
>
> normally I am not in favor of writing to disk and then reading them, but if 
> you
> are stuck with an old log4j, that may be your best option.
>
> older log4j implementations are UDP only with a 1000 byte max size
>
> slightly newer implementations support TCP with larger message sizes (but I've
> seen some that still limit you to 2k)
>
> current implementations are far more flexible.
>
> David Lang
>
>> I'm not bringing them in with imfile, log4j  is using the builtin syslog 
>> appender to submit it directly to syslog over UDP 514, the default UDP 
>> listener port.  I was assuming rsyslog is doing the splitting of the 
>> messages due to size.

Re: [rsyslog] Split messages options

2017-07-10 Thread Scot Kreienkamp
That makes sense, I wasn't aware of the limitation in log4j.  And yes, it is a 
very old implementation and getting them to update would likely take years.  :-)

In my case I'm transporting the logfile from the prod servers to a common 
collector server internally that the devs can have access to; all I need to do 
is reconstitute the file exactly as is on the other side.  I'll change 
syslogappender to a non-default port and use a custom template to forward it on 
so I can force the correct tag on all forwarded messages, that way the 
splitting won't matter and the logfile will be written on the destination 
exactly as the source.  That will solve my problem for now.

Thanks for the bit about log4j.  I'll have to do some more research there.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, July 10, 2017 4:38 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Split messages options

ahh, if this is a very old log4j, it will refuse to send UDP messages >1K in
size, so it splits things before they get to rsyslog, and your maxmessagesize
isn't going to help.

normally I am not in favor of writing to disk and then reading them, but if you
are stuck with an old log4j, that may be your best option.

older log4j implementations are UDP only with a 1000 byte max size

slightly newer implementations support TCP with larger message sizes (but I've
seen some that still limit you to 2k)

current implementations are far more flexible.

David Lang

> I'm not bringing them in with imfile, log4j  is using the builtin syslog 
> appender to submit it directly to syslog over UDP 514, the default UDP 
> listener port.  I was assuming rsyslog is doing the splitting of the messages 
> due to size.


Re: [rsyslog] Split messages options

2017-07-10 Thread Scot Kreienkamp
Hi David,

I'm not bringing them in with imfile, log4j  is using the builtin syslog 
appender to submit it directly to syslog over UDP 514, the default UDP listener 
port.  I was assuming rsyslog is doing the splitting of the messages due to 
size.



Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, July 10, 2017 3:59 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Split messages options

you don't show us your imfile config, check to see if the java program is
outputting multi-line messages (and if so, are you handling them correctly)

with current rsyslog versions, I have set the maxmessagesize larger than 64k

unfortunately, rsyslog processes each message it sees independently, so there's
no good way to reference the prior 'message' when messages get split. You need
to work to avoid having them split before rsyslog processes them.

David Lang


[rsyslog] Split messages options

2017-07-10 Thread Scot Kreienkamp
Hi everyone,

I have a java program that is using log4j to write into rsyslog.  The messages 
are so large they are getting split, which causes the sorting rule (if 
$syslogtag == 'RMS-Tomcat:' then) to write the first part to the correct file, 
but the second part goes into messages because it has no header info.  I'm at a 
loss as to the best way to deal with this.  The log4j implementation is fairly 
old and doesn't seem to have any controls that we can use to help with this 
problem, and getting them to update it is a year-long chore at best.  I already 
have $MaxMessageSize 64k set before the module load lines in my config, so I'm 
fairly certain that the entries I'm receiving are larger than 64k.  Not certain 
if I could go larger, old mail messages seemed to indicate 64k was the ceiling 
and higher values would be ignored.  Is raising that value the best way to deal 
with this problem, and do I need the old directive with the global directive 
present?


Thanks for any help.



Relevant snippets of config:

$umask 
$FileCreateMode 0644
$DirCreateMode 0755
$RepeatedMsgReduction off
$EscapeControlCharactersOnReceive off
$MaxMessageSize 64k
$RepeatedMsgReduction off
$WorkDirectory /var/spool/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$MaxOpenFiles 4096
module(load="imfile") #needs to be done just once
module(load="imudp") # needs to be done just once for listener only
module(load="imptcp") # needs to be done just once for listener only

global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" 
maxMessageSize="64k")

main_queue(
    queue.size="5"   # or this many messages
    queue.discardmark="4"
    queue.DiscardSeverity="0"
    queue.dequeueBatchSize="1024"
    queue.spoolDirectory="/var/spool/rsyslog"  # where to write on disk
    queue.fileName="rsyslogmainqueue"
    queue.maxDiskSpace="1g"  # it will stop at this much disk space
    queue.saveOnShutdown="on"  # save memory queue contents to disk when rsyslog is exiting
    queue.type="LinkedList"
)


#Dynafile template for Ecomm logs
template (name="DailyPerHostLogEcomm" type="string" 
string="/var/log/tomcat6/Ecomm-%$YEAR%-%$MONTH%-%$DAY%")

#activate listener on localhost address
input(type="imudp" port="514" address="127.0.0.1")
input(type="imptcp" port="514" address="127.0.0.1")

if $syslogtag == 'RMS-Ecomm:' then {
    action(
        name="omfile-Ecomm.log"
        type="omfile"
        dynafilecachesize="5"
        DynaFile="DailyPerHostLogEcomm"
        template="msgonly-no1sp"
        ioBufferSize="64k"
        flushOnTXEnd="off"
        asyncWriting="on"
        dirCreateMode="0755"
    )
    stop
}

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | 
scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy


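The misrouting described in this thread, and in the "preserving metadata on message split" thread above, as an added example (not code from any poster or from the rsyslog project): a simplified Python model of a receiver that parses every datagram on its own, showing how a headerless fragment ends up with a bogus HOSTNAME and an empty tag, and a guard that falls back to the sender's name. The parsing rules, the function names, the sample datagrams and the sender value are assumptions constructed for illustration; the 1000-byte limit, the template path, the tag and the .na.lzb.hq suffix come from the posts.

```python
import re

# Simplified model of a legacy (RFC 3164 style) receiver, assumed for
# illustration; it is not rsyslog's parser. Each datagram is parsed on its
# own and nothing is carried over from the datagram before it.
PRI_RE = re.compile(r"<\d{1,3}>")
TS_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
HOST_RE = re.compile(r"[A-Za-z0-9._-]+")
TAG_RE = re.compile(r"([^\s:\[]{1,32}(?:\[\d+\])?:) ?")
FQDN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

TRUSTED_SUFFIX = ".na.lzb.hq"      # suffix the post gives for correct names
SENDER = "dayaglpd01.na.lzb.hq"    # constructed: peer name seen by the receiver
HEADER = "<14>Nov  6 12:00:16 dayaglpd01.na.lzb.hq RMS-Tomcat: "  # constructed
BODY = "q" * (1000 - len(HEADER)) + "15099876135432"              # constructed


def split_datagrams(payload, limit=1000):
    """Cut a payload as the thread describes: the first chunk keeps the
    header, later chunks are bare continuations with no header."""
    return [payload[i:i + limit] for i in range(0, len(payload), limit)]


def parse_datagram(data, sender):
    """Split one datagram into hostname, tag and msg.

    sender is the peer name as resolved by the receiver (the value rsyslog
    exposes as the fromhost property); it is used when no hostname is found.
    """
    rest = data
    m = PRI_RE.match(rest)
    if m:
        rest = rest[m.end():]
    m = TS_RE.match(rest)
    if m:
        rest = rest[m.end():]
    hostname = sender
    m = HOST_RE.match(rest)
    # A leading word followed by a space (or by nothing at all) is taken as
    # the hostname, whether or not a real header preceded it.
    if m and (m.end() == len(rest) or rest[m.end()] == " "):
        hostname = m.group(0)
        rest = rest[m.end():].lstrip(" ")
    tag = ""
    m = TAG_RE.match(rest)
    if m:
        tag = m.group(1)
        rest = rest[m.end():]
    return {"hostname": hostname, "tag": tag, "msg": rest, "sender": sender}


def dynafile_path(parsed, day="2017-11-06"):
    """Path built by the template /opt/syslog/%HOSTNAME%/messages-<date>."""
    return "/opt/syslog/%s/messages-%s" % (parsed["hostname"], day)


def guarded_path(parsed, day="2017-11-06", suffix=TRUSTED_SUFFIX):
    """Same template, but the parsed hostname is used only when it is a
    dotted name with the expected suffix; otherwise the sender name is used,
    so a fragment cannot pick the directory."""
    host = parsed["hostname"]
    if not (FQDN_RE.fullmatch(host) and host.endswith(suffix)):
        host = parsed["sender"]
    return "/opt/syslog/%s/messages-%s" % (host, day)


def tag_route(parsed, tag="RMS-Tomcat:"):
    """The sorting rule from the thread: a matching $syslogtag goes to the
    application file, everything else lands in messages."""
    return "app" if parsed["tag"] == tag else "messages"


def suspect_dirs(names, suffix=TRUSTED_SUFFIX):
    """Triage an existing tree: names without the suffix came from fragments."""
    return [n for n in names if not n.endswith(suffix)]


def demo():
    """Run the constructed sample through both routings."""
    rows = []
    for chunk in split_datagrams(HEADER + BODY):
        p = parse_datagram(chunk, SENDER)
        rows.append((p["hostname"], tag_route(p), dynafile_path(p), guarded_path(p)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In rsyslog terms the fallback corresponds to building the path from the fromhost or fromhost-ip property when the parsed HOSTNAME fails the check. On relayed traffic that property names the last hop, not the original source.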
Re: [rsyslog] rsyslog-8.27.0-3 requires libksi.so.7

2017-05-31 Thread Scot Kreienkamp
No problem.  Thanks for the fast response.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Florian 
Riedl
Sent: Wednesday, May 31, 2017 11:26 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] rsyslog-8.27.0-3 requires libksi.so.7

Hi,

sorry for the inconvenience. There snuck an error into the newest
package build. The libksi requirement should not be needed for the
rsyslog base RPM.

We reverted the online library back to the previous version, so the
latest version is 8.27.0-2. This will not have the unnecessary libksi
requirement.

Please note, for yum to properly register the correct RPM, you might
need to clean the yum cache first before installing/updating rsyslog.

Again, sorry for the inconvenience.

Best regards,

Florian Riedl
Adiscon

2017-05-31 17:06 GMT+02:00 Scot Kreienkamp <scot.kreienk...@la-z-boy.com>:
> Hi everyone,
>
> My systems are trying to install the rsyslog-8.27.0-3.el6 RPM from Adiscon's 
> RPM repo and it's giving me an unresolvable requirement of libksi.so.7.  
> Anyone know where I can get this library?  This seems to be a new requirement.
>
> Thanks!
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | 
> scot.kreienk...@la-z-boy.com
> www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy
>


[rsyslog] rsyslog-8.27.0-3 requires libksi.so.7

2017-05-31 Thread Scot Kreienkamp
Hi everyone,

My systems are trying to install the rsyslog-8.27.0-3.el6 RPM from Adiscon's RPM 
repo and it's giving me an unresolvable requirement of libksi.so.7.  Anyone 
know where I can get this library?  This seems to be a new requirement.

Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | 
scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy


Re: [rsyslog] Creating a mirror of the rsyslog apt/yum repos

2017-02-21 Thread Scot Kreienkamp
Can't speak to apt, but yum is easy.  Install the yum-utils package and use the 
reposync command.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of James A. 
Peltier
Sent: Tuesday, February 21, 2017 7:15 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Creating a mirror of the rsyslog apt/yum repos

Ping.  Is there any way to perform an rsync from these repositories?

- On 15 Feb, 2017, at 16:42, James A. Peltier jpelt...@sfu.ca wrote:

| We run a number of clusters and would like to look into mirroring the rsyslog
| yum and apt repositories.  I can't seem to find any details on the web site as
| to how to go about doing this.  Can anyone help?
|
| --
| James A. Peltier
| IT Services - Research Computing Group
| Simon Fraser University - Burnaby Campus
| Phone   : 604-365-6432
| Fax : 778-782-3045
| E-Mail  : jpelt...@sfu.ca
| Website : http://www.sfu.ca/itservices
| Twitter : @sfu_rcg
| Powering Engagement Through Technology

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 604-365-6432
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology


Re: [rsyslog] Error during config processing: STOP is followed by unreachable statements

2016-11-02 Thread Scot Kreienkamp
He wasn't trying to give you syntax, he was trying to help you understand what 
you had written by rewriting it so it was easier to understand.


This was what you had written:
:msg, startswith, "Failed to reset devices.list" stop
 & stop


You already have a stop after your msg line, then on the next line you tell it 
to stop again after the previous line (the ampersand appends whatever is on 
that line to the previous line).  That's why rsyslog is complaining, because 
the second stop can never be reached because you already have a stop on the 
previous line.  You're telling it to stop twice on the same line by using the 
ampersand after a line that already has stop in it.  So this is basically what 
you wrote:

:msg, startswith, "Failed to reset devices.list" stop stop

The second stop is unnecessary, so rsyslog complains about it.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Saint Germain
Sent: Wednesday, November 2, 2016 7:47 AM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Error during config processing: STOP is followed by 
unreachable statements

Hello again,

Sorry to bother the mailing-list again, but I really don't understand
what I should put as filter rules.
The syntax provided by David Lang doesn't work unfortunately.

Thanks

On Thu, 27 Oct 2016 20:44:25 +0200, Saint Germain <saint...@gmail.com>
wrote :

> Hum when I enter exactly that, I got again:
> rsyslogd-2207: error during config processing: STOP is followed by
> unreachable statements!  [v8.16.0 try http://www.rsyslog.com/e/2207 ]
>
> On Thu, 27 Oct 2016 11:35:27 -0700 (PDT), David Lang <da...@lang.hm>
> wrote :
>
> > looking at your original, another way of viewing it is:
> >
> > :msg, startswith, "Starting Cleanup" stop
> > :msg, startswith, "Started Cleanup" stop
> > :msg, startswith, "Failed to reset devices.list" {
> >     stop
> >     stop
> > }
> >
> > it was the last stop that it was complaining about.
> >
> > David Lang
> >
> > On Thu, 27 Oct 2016, Saint Germain wrote:
> >
> > > I have removed all the stop except the one on the last line and it
> > > seems to work.
> > >
> > > Thanks a lot !
> > >
> > > On Thu, 27 Oct 2016 13:27:06 +0200, Rainer Gerhards
> > > <rgerha...@hq.adiscon.com> wrote :
> > >
> > >> You have stop twice.
> > >>
> > >> Sent from phone, thus brief.
> > >>
> > > >> On 27.10.2016 1:24 PM, "Saint Germain"
> > > >> <saint...@gmail.com> wrote:
> > > >>
> > > >>> Hello,
> > > >>>
> > > >>> Perhaps my previous message has gone into the spam folders?
> > > >>> Can someone give me some hints on how to solve the problem
> > > >>> described below?
> > > >>>
> > > >>> Thanks in advance!
> > >>>
> > >>> On Thu, 22 Sep 2016 11:17:52 +0200, Saint Germain
> > >>> <saint...@gmail.com> wrote :
> > >>>
> > >>>> Hello,
> > >>>>
> > >>>> I am using rsyslog 8.16 on Debian Jessie (package is coming
> > >>>> from backports) and I have trouble filtering my logs.
> > >>>>
> > > >>>> I wanted to filter out the following logs in /var/log/syslog:
> > > >>>> systemd[1]: Starting Cleanup of Temporary Directories...
> > > >>>> systemd[1]: Failed to reset devices.list on /system.slice/systemd-tmpfiles-clean.service: No such file or directory
> > > >>>> systemd[1]: Started Cleanup of Temporary Directories.
> > > >>>>
> > > >>>> I have created a file with the following content in /etc/rsyslog.d:
> > > >>>> :msg, startswith, "Starting Cleanup" stop
> > > >>>> :msg, startswith, "Started Cleanup" stop
> > > >>>> :msg, startswith, "Failed to reset devices.list" stop
> > > >>>> & stop
> > >>>>
> > >>>> But each time I start rsyslog I got the following message:
> > >>>> rsyslogd-2207: error during config processing: STOP is followed
> > >>>> by unreachable statements!  [v8.16.0 try
> > >>>> http://www.rsyslog.com/e/2207 ]
> > >>>>

Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread Scot Kreienkamp
Almost forgot, I also implemented async and IO buffering on dynafile, which 
lowered my CPU usage and disk churn greatly.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up.  It
> normally runs 20-30 meg (combined in and out) during the day, bursting as high
> as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some
> checking sending hostname, times, etc.  To eliminate some processing time I
> changed the higher traffic apps to come in on their own dedicated ports so I
> could bind a much smaller ruleset to the inputs, and everything else comes in
> on the default port.  So now the largest number of if statements in a ruleset
> is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that
doesn't seem like an excessive amount of traffic, we should be able to handle it
on a single port. I've run servers handling many GB of logs per day with rather
complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b'
etc.

Can you use dynafiles (especially in combination with the above capabilities) to
set variables that are then used in filenames to output the files in fewer
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
   if ... then {}
   if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions,
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules,
so if you have some very common logs, process them first and then have a stop
action once you know that they aren't going to match anything else in the
config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back  :-)
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can
> split the logs on that at the central system rather easily, why split it on
> the sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender
> is just going to mean you have a lot of queues filling up, the order that
> they then drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work?  I wasn't sure a config file variable could 
>> be used in the action context.
>>
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>     queue.type="LinkedList"
>>     queue.size="5"
>>     queue.maxDiskSpace="1g"
>>     queue.discardmark="45000"
>>     queue.dequeueBatchSize="1024"
>>     queue.filename="fwd-monvsyslog-514"
>>     queue.spoolDirectory="/var/spool/rsyslog"
>>     queue.saveOnShutdown="on"
>> ) {
>>     action(
>>         name="fwd-syslog-collector"
>>         type="omfwd"
>>         Target="monvsyslog "
>>         Port="$!remoteport"
>>         Protocol="tcp"
>>     )
>> }
>>
&

Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-27 Thread Scot Kreienkamp
That's why I included the line I was using to test, so that anyone reading my 
message had the means to produce whatever output they needed if they chose to 
look into it further.  I don't have a RH6 machine to try this with anymore.  My 
solution was to upgrade to RH7 where it was no longer an issue.

logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test  $(date)"

That logger line, executed on RH7 and delivered to a RH6 host, was not 
processed properly.  I was filtering it based on syslogtag.

Rsyslog rules I was using:

template (name="NetworkPerIP" type="string"
          string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
template (name="FirewallChangeLog" type="string"
          string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514"){
    action(name="Net-1514-omfile" type="omfile" dynafilecachesize="50"
           DynaFile="NetworkPerIP" template="RSYSLOG_TraditionalFileFormat"
           ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
           dirCreateMode="0750" FileCreateMode="0640"
           dirGroup="networksecured" fileGroup="networksecured")
    if $syslogtag contains "ASA-5-111010" then {
        action(name="Net-1514-FWCH" type="omfile" dynafilecachesize="50"
               DynaFile="FirewallChangeLog" template="RSYSLOG_TraditionalFileFormat"
               ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
               dirCreateMode="0750" FileCreateMode="0640"
               dirGroup="networksecured" fileGroup="networksecured")
    }
    stop
}


input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")

Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:24 PM
To: rsyslog-users
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I was able to reproduce the problem using the logger command from a RH7 
> workstation to an rsyslog server running under RH6 so I am fairly certain the 
> problem wasn't on the Cisco side.

samples of the raw logs that are being mis-processed would be a huge help.

David Lang

>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
>> repo running in production here.  It's a very busy server, but from
>> what I can tell I am not dropping any messages.  The queues are
>> usually less than 100 and return to 0 within 60 seconds.  I have had
>> the config in place on my server for 1 month now and it had been
>> working flawlessly until the end of last month.  I have included the
>> relevant part of my config inline below, any comments on tuning or
>> help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP.  About 20
>> other hosts are also sending logs hitting this rule.  Up through 23:59
>> 9-30-2016 all messages that had a tag that contained "ASA-5-111010"
>> were also written to another dynafile, FirewallChangeLog.  That's what
>> I wanted to happen, and as I said, it was working flawlessly until the
>> end of last month.  Since the calendar flipped over to Oct 1 the logs
>> have not been written to the FirewallChangeLog.  In testing, I
>> simulated a log message from my workstation to this rule like so:
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
>> log; it's only wri

Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread Scot Kreienkamp
Thanks for the hints, I have already done most of them and at the present time 
I am able to keep up with the traffic easily.  I like the solution of 
separating out the major senders by port so there's no possible cross 
contamination if tags are reused across different applications.  All my if 
statements have stop after them so they don't do any further processing, and 
they are ordered with the rules that get hit the most at the very top.

What would simplify my config the most was if there was a way to do a case on 
the syslogtag instead of multiple if statements.  But I haven't found any way 
to do that.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:23 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I have one centralized collector, and it was having trouble keeping up.  It
> normally runs 20-30 meg (combined in and out) during the day, bursting as high
> as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some
> checking sending hostname, times, etc.  To eliminate some processing time I
> changed the higher traffic apps to come in on their own dedicated ports so I
> could bind a much smaller ruleset to the inputs, and everything else comes in
> on the default port.  So now the largest number of if statements in a ruleset
> is 49 with many being 15 or less.

Ok, I would be interested in looking to simplify the receiving config, that
doesn't seem like an excessive amount of traffic, we should be able to handle it
on a single port. I've run servers handling many GB of logs per day with rather
complex rulesets.

a couple hints to start with.

can you use arrays in if statements?

if $syslogtag == ['foo', 'bar', 'baz'] then {}

if you have a large enough ruleset, and lots of sets of tags being handled the
same way, you can use lookup tables that will map foo, bar to 'a' baz to 'b'
etc.

Can you use dynafiles (especially in combination with the above capabilities) to
set variables that are then used in filenames to output the files in fewer
statements?

nest if statements instead of having a lot of complex filters

if $syslogtag == 'foo' then {
   if ... then {}
   if ... then {}
}

(note: doing this may let you use rulesets for some of the inner conditions,
greatly simplifying your config)

And finally (and most simply), rsyslog is sensitive to the order of the rules,
so if you have some very common logs, process them first and then have a stop
action once you know that they aren't going to match anything else in the
config.

David Lang

> My original intent behind the question was not because I was using a large
> amount of ports, but so I could group everything outbound from the clients
> into one outbound queue and have something reusable by selecting a new port
> instead of writing a new ruleset, actions, and queues for every outbound port.
>
> Welcome back  :-)
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> no, you cannot use a variable for a port.
>
> catching up on this, I'm trying to understand why you are using so many
> different ports. Each message has the original hostname in it, and you can
> split the logs on that at the central system rather easily, why split it on
> the sending side to different ports?
>
> If the receiver can't keep up, having lots of different queues on the sender
> is just going to mean you have a lot of queues filling up, the order that
> they then drain is rather unpredictable.
>
> David Lang
>
> On Fri, 21 Oct 2016, Scot Kreienkamp wrote:
>
>> Would something like this work?  I wasn't sure a config file variable could 
>> be used in the action context.
>>
>>
>> ruleset(name="fwd-centralsyslog-customport"
>>     queue.type="LinkedList"
>>     queue.size="5"
>>     queue.maxDiskSpace="1g"
>>     queue.discardmark="45000"
>>     queue.dequeueBatchSize="1024"
>>     queue.filename="fwd-m
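
One way to get the "case on the syslogtag" asked for in the message above, using the lookup tables that David Lang's reply mentions. This is an added example, not config from either poster; the table name, both file paths, the class names, port 514 and the `noisy-app:` tag are assumptions, while `Ecomm:`, `foo`, `bar` and `baz` are borrowed from the thread.

```conf
# Added example. Contents of /etc/rsyslog.d/tagclass.json (hypothetical path):
#
# { "version": 1,
#   "nomatch": "unclassified",
#   "type": "string",
#   "table": [
#     { "index": "Ecomm:",     "value": "ecomm"      },
#     { "index": "foo:",       "value": "appgroup-a" },
#     { "index": "bar:",       "value": "appgroup-a" },
#     { "index": "baz:",       "value": "appgroup-b" },
#     { "index": "noisy-app:", "value": "drop"       }
#   ]
# }
#
# A "string" table is an exact match, so every index must equal the whole
# tag including the trailing colon (as in the thread's
# $syslogtag == 'Ecomm:'); a tag carrying a PID such as app[123]: will not
# match an "app:" entry.

module(load="imptcp")

lookup_table(name="tagclass" file="/etc/rsyslog.d/tagclass.json" reloadOnHUP="on")

# The directory name is taken from the table value, never from the message.
template(name="PerClassFile" type="string"
         string="/var/log/remote/%$.class%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="classify-by-tag") {
    # One lookup replaces a chain of "if $syslogtag == ..." tests.
    set $.class = lookup("tagclass", $syslogtag);

    # Tags mapped to "drop" are discarded before any file is written.
    if $.class == "drop" then stop

    # Everything else, including unknown tags (class "unclassified"),
    # is written to the directory of its class.
    action(name="per-class-omfile" type="omfile" dynaFile="PerClassFile"
           template="RSYSLOG_TraditionalFileFormat"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

input(type="imptcp" port="514" ruleset="classify-by-tag")
```

Because the path component comes from the table's values rather than from message content, a sender cannot steer where its messages are written, and adding a tag becomes an edit to the JSON file followed by a HUP instead of a new `if` block.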

Re: [rsyslog] help with high CPU usage

2016-10-27 Thread Scot Kreienkamp
After much experimentation I found out that having multiple threads on the 
network input modules was causing my problems, probably as you said by causing 
locking issues with the queues.  After changing to this:

module(load="imudp" threads="1" timeRequery="8" batchSize="128")
module(load="imptcp" threads="1")


My load is back down to somewhere between .1 and .2.



Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:06 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] help with high CPU usage

 On Mon, 10 Oct 2016 15:23:22 +, Scot Kreienkamp wrote:
> Hi everyone,
>
> I am troubleshooting a few problems on my rsyslog server, the first
> of which is high CPU usage.  Top -H is showing 100% CPU usage for the
> imptcp module, and I can't figure out why.  It doesn't start out that
> way when rsyslog is restarted, but after a few minutes it goes right
> to the top of the list.  Can anyone help direct me as to why the CPU
> usage is so high for IMPTCP?
>
> Top output showing threads:
>   PID USER  PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
> 32670 root  20   0 6161012 204032   2908 R 99.9  1.7  31:57.75 in:imptcp
> 32673 root  20   0 6161012 204032   2908 R 79.4  1.7  21:43.37 in:imptcp
>
>
> My config is not that complicated, mostly just filtering things to
> specific logs by tag.  I've included the main queue incoming config
> below, I can post the rest if needed but it's fairly long so I'll
> defer that unless necessary.  I don't seem to have any problems
> receiving messages, none are being discarded that I'm aware of.  Just
> seems to be high CPU usage.
>
> $umask 
> $FileCreateMode 0644
> $DirCreateMode 0755
> $RepeatedMsgReduction off
> $EscapeControlCharactersOnReceive off
> $MaxMessageSize 64k
> $RepeatedMsgReduction off
> $WorkDirectory /var/spool/rsyslog
>
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

> $ActionQueueType LinkedList
> $ActionQueueWorkerThreads 2

 try removing these two lines, it's counter-intuitive, but having too
 many threads decreases performance because the extra threads end up
 fighting for locks on the queue.

 Also, these queue parameters only apply to the next action, so they are
 almost certainly not what you want.

>
> global(workDirectory="/var/spool/rsyslog" preserveFQDN="on"
> maxMessageSize="64k")
>
>
> # Provides UDP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imudp.html
> module(load="imudp" threads="1" timeRequery="8" batchSize="128") # needs to be done just once
> #input(type="imudp" port="514")
>
> # Provides TCP syslog reception
> # for parameters see http://www.rsyslog.com/doc/imtcp.html
> module(load="imptcp" threads="1") # needs to be done just once
> #input(type="imptcp" port="514")
>
> module(load="impstats"
> interval="60"
> log.syslog="on"
> resetCounters="on"
> /* need to turn log stream logging off! */
> /* log.file="/var/log/rsyslogd.stats" */
> )
>
>
>
> main_queue(
>   queue.workerThreadMinimumMessages="5000"
>   queue.discardmark="45000"

>   queue.workerThreads="2"

 this will actually function, but after you remove the lines above, try
 removing this line

>   queue.dequeueBatchSize="2048"
>   queue.spoolDirectory="/var/spool/rsyslog"  # where to write on disk
>   queue.fileName="rsyslogmainqueue"
>   queue.maxDiskSpace="5g"    # it will stop at this much disk space
>   queue.size="5"   # or this many messages
>   queue.saveOnShutdown="on"  # save memory queue contents to disk when rsyslog is exiting
> )

 David Lang

Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-27 Thread Scot Kreienkamp
I was able to reproduce the problem using the logger command from a RH7 
workstation to an rsyslog server running under RH6 so I am fairly certain the 
problem wasn't on the Cisco side.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:12 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

 On Tue, 4 Oct 2016 18:02:39 +, Scot Kreienkamp wrote:
> Hi Everyone,
>
> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
> repo running in production here.  It's a very busy server, but from
> what I can tell I am not dropping any messages.  The queues are
> usually less than 100 and return to 0 within 60 seconds.  I have had
> the config in place on my server for 1 month now and it had been
> working flawlessly until the end of last month.  I have included the
> relevant part of my config inline below, any comments on tuning or
> help with my problem would be appreciated.
>
> Here's my problem:
>
> Basically, this section of my config is receiving syslogs from an ASA
> firewall and writing them all to dynafile NetworkPerIP.  About 20
> other hosts are also sending logs hitting this rule.  Up through 23:59
> 9-30-2016 all messages that had a tag that contained "ASA-5-111010"
> were also written to another dynafile, FirewallChangeLog.  That's what
> I wanted to happen, and as I said, it was working flawlessly until the
> end of last month.  Since the calendar flipped over to Oct 1 the logs
> have not been written to the FirewallChangeLog.  In testing, I
> simulated a log message from my workstation to this rule like so:
> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
> log; it's only written to the NetworkPerIP log if I don't tag it with
> the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
> the code somewhere.  If I copy this config to a test box running RHEL7
> with the same version of rsyslog and same config it seems to work OK.
> I haven't tried on another RHEL6.  I am not hitting the limit of
> number of open files, it's set to 15,000 and I'm only at 5,000 last I
> checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I went
> ahead and did the upgrade to RHEL7 since it was on my list to upgrade
> anyway and the problem has disappeared.
>
>

 When I see this sort of thing, I suspect that there is a problem with
 the date format being sent by the ASA, can you send samples of a raw
 message (either output with $rawmsg or use the RSYSLOG_DebugFormat)

 I would guess that instead of Oct  1 it's doing Oct 1 or something odd
 like that. You may want to play around with the pmcisco* modules to try
 and fix up the cisco specific oddities that we know about.

 David Lang


Re: [rsyslog] Problem with queues configuration

2016-10-27 Thread Scot Kreienkamp
I have one centralized collector, and it was having trouble keeping up.  It 
normally runs 20-30 meg (combined in and out) during the day, bursting as high 
as 90 meg.  It has 228 if statements, mostly checking syslogtag, but some 
checking sending hostname, times, etc.  To eliminate some processing time I 
changed the higher traffic apps to come in on their own dedicated ports so I 
could bind a much smaller ruleset to the inputs, and everything else comes in 
on the default port.  So now the largest number of if statements in a ruleset 
is 49 with many being 15 or less.

My original intent behind the question was not because I was using a large 
amount of ports, but so I could group everything outbound from the clients into 
one outbound queue and have something reusable by selecting a new port instead 
of writing a new ruleset, actions, and queues for every outbound port.

Welcome back  :-)


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 2:49 PM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

no, you cannot use a variable for a port.

catching up on this, I'm trying to understand why you are using so many
different ports. Each message has the original hostname in it, and you can split
the logs on that at the central system rather easily, why split it on the
sending side to different ports?

If the receiver can't keep up, having lots of different queues on the sender is
just going to mean you have a lot of queues filling up, the order that they then
drain is rather unpredictable.

David Lang

On Fri, 21 Oct 2016, Scot Kreienkamp wrote:

> Would something like this work?  I wasn't sure a config file variable could 
> be used in the action context.
>
>
> ruleset(name="fwd-centralsyslog-customport"
>     queue.type="LinkedList"
>     queue.size="5"
>     queue.maxDiskSpace="1g"
>     queue.discardmark="45000"
>     queue.dequeueBatchSize="1024"
>     queue.filename="fwd-monvsyslog-514"
>     queue.spoolDirectory="/var/spool/rsyslog"
>     queue.saveOnShutdown="on"
> ) {
>     action(
>         name="fwd-syslog-collector"
>         type="omfwd"
>         Target="monvsyslog "
>         Port="$!remoteport"
>         Protocol="tcp"
>     )
> }
>
>
>
> if $syslogtag == 'Ecomm:' then {
>     set $!remoteport = "1531";
>     call fwd-centralsyslog-customport
>     stop
> }
>
>
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 13, 2016 8:52 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> sorry, hit wrong key. Here comes the complete message ;)
>
> 2016-10-13 14:49 GMT+02:00 Rainer Gerhards <rgerha...@hq.adiscon.com>:
>> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo <ama...@um.es>:
>>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>>
>>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>>
>>>>> Can you check if the problem persists with the currently supported 8.22.0
>>>>> version? V7 is very, very old.
>>>>>
>>>> I have to make deeper tests, but it seems to work with 8.22.
>>>>
>>> I can confirm that is working fine with 8.22.0.
>>>
>>> One more question... I have a lot of this rule sending to a remote
>>> syslog depending on different conditions. Is there any way to share the
>>> queue between all these rules?
>>
> The way to do this is to use a ruleset. Instead of doing
>
> action(name="action1" type="omfwd" queue. ...)
> action(name="action2" type="omfwd" queue. ...)
> action(name="action3" type="omfwd" queue. ...)
>
> do
>
> ruleset(name="fwdtodest" queue. ...) {
>   action(name="action" type="omfwd" ...) # NO queue params
> }
>
> and replac

Re: [rsyslog] config check omission

2016-10-26 Thread Scot Kreienkamp
Done.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of mostolog
Sent: Wednesday, October 26, 2016 3:54 AM
To: rsyslog-users
Subject: Re: [rsyslog] config check omission

Hi

Would you mind opening an issue at rsyslog github?
https://github.com/rsyslog/rsyslog

Thanks


On Tuesday, October 25, 2016, Scot Kreienkamp <scot.kreienk...@la-z-boy.com>
wrote:

> Hi,
>
> Just wanted to point out an omission in the config checker in rsyslogd.
> When parsing the config it does not check to see if the templates
> specified in the config exist or not, at least when it's an omfwd
> template.  Found that out the hard way.
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | scot.kreienk...@la-z-boy.com
> www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy


[rsyslog] config check omission

2016-10-25 Thread Scot Kreienkamp
Hi,

Just wanted to point out an omission in the config checker in rsyslogd.  When 
parsing the config it does not check to see if the templates specified in the 
config exist or not, at least when it's an omfwd template.  Found that out the 
hard way.


Re: [rsyslog] Problem with queues configuration

2016-10-21 Thread Scot Kreienkamp
Would something like this work?  I wasn't sure a config file variable could be 
used in the action context.


ruleset(name="fwd-centralsyslog-customport"
queue.type="LinkedList"
queue.size="5"
queue.maxDiskSpace="1g"
queue.discardmark="45000"
queue.dequeueBatchSize="1024"
queue.filename="fwd-monvsyslog-514"
queue.spoolDirectory="/var/spool/rsyslog"
queue.saveOnShutdown="on"
){
action(
name="fwd-syslog-collector"
type="omfwd"
Target="monvsyslog "
Port="$!remoteport"
Protocol="tcp"
)
}



if $syslogtag == 'Ecomm:' then {
set $!remoteport = "1531";
call fwd-centralsyslog-customport
stop
}




Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, October 13, 2016 8:52 AM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

sorry, hit wrong key. Here comes the complete message ;)

2016-10-13 14:49 GMT+02:00 Rainer Gerhards <rgerha...@hq.adiscon.com>:
> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo <ama...@um.es>:
>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>
>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>
>>>> Can you check if the problem persists with the currently supported 8.22.0
>>>> version? V7 is very, very old.
>>>>
>>> I have to make deeper tests, but it seems to work with 8.22.
>>>
>> I can confirm that is working fine with 8.22.0.
>>
>> One more question... I have a lot of this rule sending to a remote
>> syslog depending on different conditions. Is there any way to share the
>> queue between all these rules?
>
The way to do this is to use a ruleset. Instead of doing

action(name="action1" type="omfwd" queue. ...)
action(name="action2" type="omfwd" queue. ...)
action(name="action3" type="omfwd" queue. ...)

do

ruleset(name="fwdtodest" queue. ...) {
   action(name="action" type="omfwd" ...) # NO queue params
}

and replace the action calls with

call fwdtodest

This will make all actions use the single ruleset queue. Note that you
now have a single connection to the destination and thus possibly
different timing. But that's probably what you also wanted.

HTH
Rainer
>>
>>
>> --
>> Angel L. Mateo Martínez
>> Sección de Telemática
>> Área de Tecnologías de la Información
>> y las Comunicaciones Aplicadas (ATICA)
>> http://www.um.es/atica
>> Tfo: 868889150
>> Fax: 86337

Re: [rsyslog] how to change syslogtag

2016-10-20 Thread Scot Kreienkamp
That could work, but I was trying to figure out how to alter it in the message 
itself.  I thought there was a way to do it with the property replacer.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 20, 2016 4:53 AM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] how to change syslogtag
>
> you can hardcode a specific tag inside a template...
>
> Rainer
>
> 2016-10-19 21:38 GMT+02:00 Scot Kreienkamp <Scot.Kreienkamp@la-z-
> boy.com>:
> > Hi everyone,
> >
> > Can anyone give me a hint on how to change the syslogtag of a message in
> rsyslog?  Specifically, I'm trying to use imuxsock for some logging from 
> log4j.
> Log4j doesn't support syslogtag, so I'm wondering if I can use imuxsock to get
> the logs sent to rsyslog and statically set a syslogtag on that input somehow.
> I have the socket open and can send messages to it from logger successfully,
> but I can't figure out how to specify the syslogtag property from the rsyslogd
> configuration.
> >
> > Thanks!
> >


[rsyslog] how to change syslogtag

2016-10-19 Thread Scot Kreienkamp
Hi everyone,

Can anyone give me a hint on how to change the syslogtag of a message in 
rsyslog?  Specifically, I'm trying to use imuxsock for some logging from log4j. 
 Log4j doesn't support syslogtag, so I'm wondering if I can use imuxsock to get 
the logs sent to rsyslog and statically set a syslogtag on that input somehow.  
I have the socket open and can send messages to it from logger successfully, 
but I can't figure out how to specify the syslogtag property from the rsyslogd 
configuration.

Thanks!


Re: [rsyslog] Problem with queues configuration

2016-10-13 Thread Scot Kreienkamp
Thanks for the insight.  Those sound more complex than I wanted to go to so 
I'll stick to the queue per port.

Thanks!!


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, October 13, 2016 11:42 AM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

2016-10-13 16:24 GMT+02:00 Scot Kreienkamp <scot.kreienk...@la-z-boy.com>:
> Ideally I'm trying to group on each sending host by the destination of the 
> data.  The main queue will be for local disk write and a secondary queue for 
> network forwarding so there's no chance it can block the local disk writes.
>
> As I have it written in my example the best I can come up with is a queue for 
> each remote port (which is still an improvement over what I have now, so 
> thanks for that).  I am trying to figure out if there's a way to collapse 
> that further into one network forwarding queue instead of a separate queue 
> for each remote port, so I end with two queues total.  I can't see any way to 
> do that while still maintaining the multiple destination ports.

I see two ways:

1. (not sure if all modules support this): use a dedicated queue for
local logging (ruleset="" param for local input module required) and
use the regular main queue for the rest

2. put all forwarding actions into a SINGLE rule set and have some
logic inside it to select which action (aka port) you need to call for
a given message

>
> As a secondary concern, I am pushing this config out to a few hundred servers 
> via puppet.  If I go with the example configuration I will be creating 12 
> queues times 250 rsyslog senders, so I'm concerned about the possibility of 
> eating up resources for queues that may never be used on a host.  Does 
> rsyslog consume any resources for a queue that's never called on a linux host?

Not noticeable, except when using "fixedArray" for the in memory queue.
But even then the overhead is very low.

HTH
Rainer
>
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 13, 2016 9:40 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem with queues configuration
>
> 2016-10-13 15:35 GMT+02:00 Scot Kreienkamp <scot.kreienk...@la-z-boy.com>:
>> Hi Rainer,
>>
>> Thanks for your response.  I'm still trying to figure out if there's a way 
>> to simplify my configuration a little more, or if I should leave it as is...
>>
>> Right now I have different applications forwarding to one of about a dozen 
>> separate incoming ports on my central rsyslog server.  Right now they each 
>> have individual queues because I didn't want them blocking the main queue, 
>> which has happened in my environment.  If I were to do this, I would have to 
>> create a ruleset for each port as the actions each ruleset contains would 
>> have a different destination port.  So on each host I would still have about 
>> a dozen queues.  Down from 50 or so on some hosts so it's still better, but 
>> is there any way to collapse it further into one queue?  Does rsyslog use 
>> any additional resources for a queue that's not called on a linux host?  If 
>> not, I might be better off to leave each port as its own queue like this.
>
>
> I don't really understand what you would prefer. Where would you like
> to have dedicated queues for, and which objects should use shared
> queues?
>
> Rainer
>>
>> Example of my rulesets that I created from your earlier email.
>>
>> ruleset(name="fwd-monvsyslog-514"
>> queue.type="LinkedList"
>> queue.size="5"
>> queue.maxDiskSpace="5g"
>> queue.discardmark="45000"
>> queue.dequeueBatchSize="1024"
>> queue.filename="fwd-monvsyslog-514"
>> queue.spoolDirectory="/var/spool/rsyslog"
>> queue.saveOnShutdown="on"
>>
>> ){
>> action(
>> name="fwd-monvsyslog-514"
>> type="omfwd"
>> Target="
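
The second approach Rainer describes in this message (all forwarding actions in a single ruleset, with logic inside it selecting the port per message), written out as an added example; it is not a config from the thread or from the rsyslog project. The `Ecomm:` tag and ports 514, 515 and 1531 appear in the thread; the target `central.example.net`, the `AppB:` tag, the ruleset and action names, the local file path and the queue sizes are assumptions.

```rsyslog
# Added example: one disk-assisted queue shared by every forwarding action.
# Host name, names and sizes below are assumptions for illustration.
ruleset(name="fwd-central"
        queue.type="LinkedList"
        queue.size="50000"
        queue.filename="fwd-central"
        queue.spoolDirectory="/var/spool/rsyslog"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on"
) {
    # The port is chosen inside the ruleset, so every message is enqueued
    # once in the shared queue and then handed to an action whose port is
    # a fixed string.
    if $syslogtag == 'Ecomm:' then {
        action(name="fwd-central-1531" type="omfwd"
               target="central.example.net" port="1531" protocol="tcp"
               # retry forever so messages wait in the ruleset queue
               # while the collector is unreachable
               action.resumeRetryCount="-1")
    } else if $syslogtag == 'AppB:' then {
        action(name="fwd-central-515" type="omfwd"
               target="central.example.net" port="515" protocol="tcp"
               action.resumeRetryCount="-1")
    } else {
        action(name="fwd-central-514" type="omfwd"
               target="central.example.net" port="514" protocol="tcp"
               action.resumeRetryCount="-1")
    }
}

# Default ruleset: the local write runs off the main queue, forwarding runs
# off the ruleset queue above, giving two queues in total on each sender.
action(name="local-messages" type="omfile" file="/var/log/messages")
call fwd-central
```

Because the three actions share one queue and one set of workers, a destination port that stops accepting connections delays delivery to the other two as well.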

Re: [rsyslog] Problem with queues configuration

2016-10-13 Thread Scot Kreienkamp
Ideally I'm trying to group on each sending host by the destination of the 
data.  The main queue will be for local disk write and a secondary queue for 
network forwarding so there's no chance it can block the local disk writes.

As I have it written in my example the best I can come up with is a queue for 
each remote port (which is still an improvement over what I have now, so thanks 
for that).  I am trying to figure out if there's a way to collapse that further 
into one network forwarding queue instead of a separate queue for each remote 
port, so I end with two queues total.  I can't see any way to do that while 
still maintaining the multiple destination ports.

As a secondary concern, I am pushing this config out to a few hundred servers 
via puppet.  If I go with the example configuration I will be creating 12 
queues times 250 rsyslog senders, so I'm concerned about the possibility of 
eating up resources for queues that may never be used on a host.  Does rsyslog 
consume any resources for a queue that's never called on a linux host?



Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, October 13, 2016 9:40 AM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

2016-10-13 15:35 GMT+02:00 Scot Kreienkamp <scot.kreienk...@la-z-boy.com>:
> Hi Rainer,
>
> Thanks for your response.  I'm still trying to figure out if there's a way to 
> simplify my configuration a little more, or if I should leave it as is...
>
> Right now I have different applications forwarding to one of about a dozen 
> separate incoming ports on my central rsyslog server.  Right now they each 
> have individual queues because I didn't want them blocking the main queue, 
> which has happened in my environment.  If I were to do this, I would have to 
> create a ruleset for each port as the actions each ruleset contains would 
> have a different destination port.  So on each host I would still have about 
> a dozen queues.  Down from 50 or so on some hosts so it's still better, but 
> is there any way to collapse it further into one queue?  Does rsyslog use any 
> additional resources for a queue that's not called on a linux host?  If not, 
> I might be better off to leave each port as its own queue like this.


I don't really understand what you would prefer. Where would you like
to have dedicated queues for, and which objects should use shared
queues?

Rainer
>
> Example of my rulesets that I created from your earlier email.
>
> ruleset(name="fwd-monvsyslog-514"
> queue.type="LinkedList"
> queue.size="5"
> queue.maxDiskSpace="5g"
> queue.discardmark="45000"
> queue.dequeueBatchSize="1024"
> queue.filename="fwd-monvsyslog-514"
> queue.spoolDirectory="/var/spool/rsyslog"
> queue.saveOnShutdown="on"
>
> ){
> action(
> name="fwd-monvsyslog-514"
> type="omfwd"
> Target="monvsyslog.na.lzb.hq"
> Port="514"
> Protocol="tcp"
> )
> }
>
> ruleset(name="fwd-monvsyslog-515"
> queue.type="LinkedList"
> queue.size="5"
> queue.maxDiskSpace="5g"
> queue.discardmark="45000"
> queue.dequeueBatchSize="1024"
> queue.filename="fwd-monvsyslog-515"
>     queue.spoolDirectory="/var/spool/rsyslog"
> queue.saveOnShutdown="on"
>
> ){
> action(
> name="fwd-monvsyslog-514"
> type="omfwd"
> Target="monvsyslog.na.lzb.hq"
> Port="515"
> Protocol="tcp"
> )
> }
>
>
>
> Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
> Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com 
> [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, October 13, 2016 8:52 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Proble

Re: [rsyslog] Problem with queues configuration

2016-10-13 Thread Scot Kreienkamp
Hi Rainer,

Thanks for your response.  I'm still trying to figure out if there's a way to 
simplify my configuration a little more, or if I should leave it as is...

Right now I have different applications forwarding to one of about a dozen 
separate incoming ports on my central rsyslog server.  Right now they each have 
individual queues because I didn't want them blocking the main queue, which has 
happened in my environment.  If I were to do this, I would have to create a 
ruleset for each port as the actions each ruleset contains would have a 
different destination port.  So on each host I would still have about a dozen 
queues.  Down from 50 or so on some hosts so it's still better, but is there 
any way to collapse it further into one queue?  Does rsyslog use any additional 
resources for a queue that's not called on a linux host?  If not, I might be 
better off to leave each port as its own queue like this.

Example of my rulesets that I created from your earlier email.

ruleset(name="fwd-monvsyslog-514"
queue.type="LinkedList"
queue.size="5"
queue.maxDiskSpace="5g"
queue.discardmark="45000"
queue.dequeueBatchSize="1024"
queue.filename="fwd-monvsyslog-514"
queue.spoolDirectory="/var/spool/rsyslog"
queue.saveOnShutdown="on"

){
action(
name="fwd-monvsyslog-514"
type="omfwd"
Target="monvsyslog.na.lzb.hq"
Port="514"
Protocol="tcp"
)
}

ruleset(name="fwd-monvsyslog-515"
queue.type="LinkedList"
queue.size="5"
queue.maxDiskSpace="5g"
queue.discardmark="45000"
queue.dequeueBatchSize="1024"
queue.filename="fwd-monvsyslog-515"
queue.spoolDirectory="/var/spool/rsyslog"
queue.saveOnShutdown="on"

    ){
action(
name="fwd-monvsyslog-514"
type="omfwd"
Target="monvsyslog.na.lzb.hq"
Port="515"
Protocol="tcp"
)
}



Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Thursday, October 13, 2016 8:52 AM
To: rsyslog-users
Subject: Re: [rsyslog] Problem with queues configuration

sorry, hit wrong key. Here comes the complete message ;)

2016-10-13 14:49 GMT+02:00 Rainer Gerhards <rgerha...@hq.adiscon.com>:
> 2016-10-13 13:45 GMT+02:00 Angel L. Mateo <ama...@um.es>:
>> On 11/10/16 at 15:17, Angel L. Mateo wrote:
>>>
>>> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>>>>
>>>> Can you check if the problem persists with the currently supported 8.22.0
>>>> version? V7 is very, very old.
>>>>
>>> I have to make deeper tests, but it seems to work with 8.22.
>>>
>> I can confirm that is working fine with 8.22.0.
>>
>> One more question... I have a lot of this rule sending to a remote
>> syslog depending on different conditions. Is there any way to share the
>> queue between all these rules?
>
The way to do this is to use a ruleset. Instead of doing

action(name="action1" type="omfwd" queue. ...)
action(name="action2" type="omfwd" queue. ...)
action(name="action3" type="omfwd" queue. ...)

do

ruleset(name="fwdtodest" queue. ...) {
   action(name="action" type="omfwd" ...) # NO queue params
}

and replace the action calls with

call fwdtodest

This will make all actions use the single ruleset queue. Note that you
now have a single connection to the destination and thus possibly
different timing. But that's probably what you also wanted.

HTH
Rainer
>>
>>
>> --
>> Angel L. Mateo Martínez
>> Sección de Telemática
>> Área de Tecnologías de la Información
>> y las Comunicaciones Aplicadas (ATICA)
>> http://www.um.es/atica
>> Tfo: 868889150
>> Fax: 86337

Re: [rsyslog] Problem with queues configuration

2016-10-13 Thread Scot Kreienkamp
That is something I have been trying to figure out as well.  If that is 
possible, if someone could provide a working example config it would be much 
appreciated.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Angel L. Mateo
Sent: Thursday, October 13, 2016 7:45 AM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Problem with queues configuration

On 11/10/16 at 15:17, Angel L. Mateo wrote:
> On 11/10/16 at 15:01, Rainer Gerhards wrote:
>> Can you check if the problem persists with the currently supported 8.22.0
>> version? V7 is very, very old.
>>
> I have to make deeper tests, but it seems to work with 8.22.
>
I can confirm that is working fine with 8.22.0.

One more question... I have a lot of this rule sending to a remote
syslog depending on different conditions. Is there any way to share the
queue between all these rules?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337

[rsyslog] help with high CPU usage

2016-10-10 Thread Scot Kreienkamp
Hi everyone,

I am troubleshooting a few problems on my rsyslog server, the first of which is 
high CPU usage.  Top -H is showing 100% CPU usage for the imptcp module, and I 
can't figure out why.  It doesn't start out that way when rsyslog is restarted, 
but after a few minutes it goes right to the top of the list.  Can anyone help 
direct me as to why the CPU usage is so high for IMPTCP?

Top output showing threads:
  PID USER  PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
32670 root  20   0 6161012 204032   2908 R 99.9  1.7  31:57.75 in:imptcp
32673 root  20   0 6161012 204032   2908 R 79.4  1.7  21:43.37 in:imptcp


My config is not that complicated, mostly just filtering things to specific 
logs by tag.  I've included the main queue incoming config below, I can post 
the rest if needed but it's fairly long so I'll defer that unless necessary.  I 
don't seem to have any problems receiving messages, none are being discarded 
that I'm aware of.  Just seems to be high CPU usage.

$umask 
$FileCreateMode 0644
$DirCreateMode 0755
$RepeatedMsgReduction off
$EscapeControlCharactersOnReceive off
$MaxMessageSize 64k
$RepeatedMsgReduction off
$WorkDirectory /var/spool/rsyslog


$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionQueueType LinkedList
$ActionQueueWorkerThreads 2

global(workDirectory="/var/spool/rsyslog" preserveFQDN="on" 
maxMessageSize="64k")


# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp" threads="1" timeRequery="8" batchSize="128") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imptcp" threads="1") # needs to be done just once
#input(type="imptcp" port="514")

module(load="impstats"
interval="60"
log.syslog="on"
resetCounters="on"
/* need to turn log stream logging off! */
/* log.file="/var/log/rsyslogd.stats" */
)



main_queue(
  queue.workerThreadMinimumMessages="5000"
  queue.discardmark="45000"
  queue.workerThreads="2"
  queue.dequeueBatchSize="2048"
  queue.spoolDirectory="/var/spool/rsyslog"  # where to write on disk
  queue.fileName="rsyslogmainqueue"
  queue.maxDiskSpace="5g"  # it will stop at this much disk space
  queue.size="5"   # or this many messages
  queue.saveOnShutdown="on"  # save memory queue contents to disk when rsyslog is exiting
)


[rsyslog] Possible date handling bug in dynafile on RHEL6?

2016-10-04 Thread Scot Kreienkamp
Hi Everyone,

I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo 
running in production here.  It's a very busy server, but from what I can tell 
I am not dropping any messages.  The queues are usually less than 100 and 
return to 0 within 60 seconds.  I have had the config in place on my server for 
1 month now and it had been working flawlessly until the end of last month.  I 
have included the relevant part of my config inline below, any comments on 
tuning or help with my problem would be appreciated.

Here's my problem:

Basically, this section of my config is receiving syslogs from an ASA firewall 
and writing them all to dynafile NetworkPerIP.  About 20 other hosts are also 
sending logs hitting this rule.  Up through 23:59 9-30-2016 all messages that 
had a tag that contained "ASA-5-111010" were also written to another dynafile, 
FirewallChangeLog.  That's what I wanted to happen, and as I said, it was 
working flawlessly until the end of last month.  Since the calendar flipped 
over to Oct 1 the logs have not been written to the FirewallChangeLog.  In 
testing, I simulated a log message from my workstation to this rule like so:  
logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".  It was 
written to the FirewallChangeLog but NOT to the NetworkPerIP log; it's only 
written to the NetworkPerIP log if I don't tag it with the "ASA-5-111010".  
That's what makes me think I'm hitting a bug in the code somewhere.  If I copy 
this config to a test box running RHEL7 with the same version of rsyslog and 
same config it seems to work OK.  I haven't tried on another RHEL6.  I am not 
hitting the limit of number of open files, it's set to 15,000 and I'm only at 
5,000 last I checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I 
went ahead and did the upgrade to RHEL7 since it was on my list to upgrade 
anyway and the problem has disappeared.


Config snippet:

template (name="NetworkPerIP" type="string"
          string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
template (name="FirewallChangeLog" type="string"
          string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514"
        queue.type="LinkedList"
        queue.size="25000"
        queue.dequeueBatchSize="1024"
        queue.workerThreads="3"
        queue.workerThreadMinimumMessages="1000"
        queue.discardmark="2") {
    action(type="omfile" dynafilecachesize="50" DynaFile="NetworkPerIP"
           template="RSYSLOG_TraditionalFileFormat" ioBufferSize="128k"
           flushOnTXEnd="off" asyncWriting="on" dirCreateMode="0750"
           FileCreateMode="0640" dirGroup="networksecured"
           fileGroup="networksecured")
    if $syslogtag contains "ASA-5-111010" then {
        action(type="omfile" dynafilecachesize="50" DynaFile="FirewallChangeLog"
               template="RSYSLOG_TraditionalFileFormat" ioBufferSize="128k"
               flushOnTXEnd="off" asyncWriting="on" dirCreateMode="0750"
               FileCreateMode="0640" dirGroup="networksecured"
               fileGroup="networksecured")
    }
    stop
}


input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")



Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | 734-384-6403 | 7349151444 | scot.kreienk...@la-z-boy.com
www.la-z-boy.com | facebook.com/lazboy | twitter.com/lazboy | youtube.com/lazboy
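
Both symptoms described in the message above (tagged lines absent from FirewallChange after the month rollover, and the logger test line absent from the per-IP file) can be caught by reconciling the two dynafile trees against each other. This is an added example, not part of the original post: only the paths and the tag come from the posted config, while the hosts, addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

TAG = "ASA-5-111010"  # tag the posted ruleset filters on
PER_IP = re.compile(r"^/opt/network/(?P<ip>[\d.]+)/(?P<day>\d{4}-\d{2}-\d{2})\.log$")
CHANGE = re.compile(r"^/opt/network/FirewallChange/(?P<day>\d{4}-\d{2}-\d{2})\.log$")

def reconcile(files):
    """files maps dynafile path -> list of lines; returns the routing gaps.

    The ruleset writes every message to the per-IP file and tagged messages
    to the change log as well, so per day the tagged lines must be identical."""
    per_ip, change = defaultdict(Counter), defaultdict(Counter)
    for path, lines in files.items():
        m_ip, m_ch = PER_IP.match(path), CHANGE.match(path)
        for line in lines:
            if m_ip and TAG in line:
                per_ip[m_ip["day"]][line] += 1
            elif m_ch:
                change[m_ch["day"]][line] += 1
    gaps = []
    for day in sorted(set(per_ip) | set(change)):
        for line in sorted((per_ip[day] - change[day]).elements()):
            gaps.append((day, "missing from FirewallChange", line))
        for line in sorted((change[day] - per_ip[day]).elements()):
            gaps.append((day, "missing from per-IP log", line))
    return gaps

# Constructed sample: paths follow the two posted templates, content is made up.
SAMPLE = {
    "/opt/network/192.0.2.1/2016-09-30.log": [
        "Sep 30 23:58:12 fw1 %ASA-5-111010: constructed change event A",
        "Sep 30 23:58:40 fw1 %ASA-6-302013: constructed connection event",
    ],
    "/opt/network/FirewallChange/2016-09-30.log": [
        "Sep 30 23:58:12 fw1 %ASA-5-111010: constructed change event A",
    ],
    "/opt/network/192.0.2.1/2016-10-01.log": [
        "Oct  1 08:15:03 fw1 %ASA-5-111010: constructed change event B",
    ],
    "/opt/network/192.0.2.9/2016-10-03.log": [],
    "/opt/network/FirewallChange/2016-10-03.log": [
        "Oct  3 10:02:44 ws42 %ASA-5-111010: test (constructed logger line)",
    ],
}

if __name__ == "__main__":
    for gap in reconcile(SAMPLE):
        print(*gap, sep=" | ")
```

Run daily against the real trees, a non-empty result flags a change-audit file that has silently stopped receiving events.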
