On Mon, 8 Apr 2024, Prasad Koya wrote:
Yes, we get a lot of flexibility with omprog.
However, changing a syslog's facility/priority isn't possible right?
Please see below.
if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then {
action(type="omfile"
action.execOnlyOnceEveryInterval="3600"
not easily within rsyslog, with an event correlation engine, you have a lot more
capability (which is why I keep pushing you that way :-) )
you can create a template to use when outputting a log, and that log can say
anything (it can be arbitrary text unrelated to the log you received), but
Thank you. "action.execOnlyOnceEveryInterval" is very useful.
We intend to keep all unfiltered syslogs in a local file, say file1,
but log a rate limited message to file2 and forward that message to a
syslog collector.
Is it possible to change the facility, severity or message for the next
you would need to do the filtering with omprog on the sending machines.
I would suggest that rather than throwing them away, you generate a log every
rate-limiting period along the lines of "X number of messages happened in the
last period"
This is really a job for an event correlation
This sounds like you are looking for
action.execOnlyOnceEveryInterval="3600"
for the action in question.
Doc:
https://www.rsyslog.com/doc/configuration/actions.html
Sample use in ommail doc:
https://www.rsyslog.com/doc/configuration/modules/ommail.html
HTH
Rainer
On Mon, 8 Apr 2024 at
Thanks for the replies.
My requirement is that I have a daemon that may generate a burst of
syslogs, say, every minute (when a certain subsystem is overloaded).
We do not want to write all these syslogs to /var/log/messages. We
also do not want to forward so many of those syslogs to a remote
A piece of feedback against
https://www.rsyslog.com/doc/tutorials/random_sampling.html
I know it's obvious for some people but for some it might not be - it
will collect _about_ 20% of logs provided the overall number of events
is big enough. Since it's a random-based mechanism, it's...
This sounds a bit like you are looking for this:
https://www.rsyslog.com/doc/tutorials/log_sampling.html
HTH
Rainer
On Wed, 3 Apr 2024 at 3:25, Prasad Koya via rsyslog wrote:
>
> Hi
>
>
> module( load="imuxsock" )
> module( load="imklog" )
>
> if ($syslogfacility-text == 'kern' and
(which could be
'system X sent Y OOM messages in the last 5 min' or something like that)
David Lang
On Tue, 2 Apr 2024, Prasad Koya via rsyslog wrote:
Date: Tue, 2 Apr 2024 18:25:01 -0700
From: Prasad Koya via rsyslog
To: rsyslog-users
Cc: Prasad Koya
Subject: [rsyslog] rate limiting logs
Hi
module( load="imuxsock" )
module( load="imklog" )
if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
action(type="omfile" queue.size="1000" queue.type="LinkedList"
queue.dequeueSlowDown="36" file="/var/log/oom")
}
If we have a flurry of, for example,
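
Added example, not part of the thread and not rsyslog code: a sketch of the "X number of messages happened in the last period" idea from the replies, written as a program that an omprog action could feed on stdin. The class name, the summary wording and the one-message-per-line input are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: per-period burst summary for a program fed by omprog.
import sys
import time


class BurstSummarizer:
    """Pass the first matching line of each period, count the rest."""

    def __init__(self, period=3600, needle="Out of memory"):
        self.period = period          # seconds, same idea as the 3600 above
        self.needle = needle          # substring that marks a burst message
        self.window_start = None      # time of the line that opened the window
        self.suppressed = 0           # matches swallowed in this window

    def flush(self):
        """Close the window; return a summary line if anything was dropped."""
        out = []
        if self.suppressed:
            out.append("%d more messages containing '%s' in the last %d s"
                       % (self.suppressed, self.needle, self.period))
        self.window_start, self.suppressed = None, 0
        return out

    def feed(self, line, now):
        """Return the lines to emit for one input line received at `now`."""
        out = []
        if self.window_start is not None and now - self.window_start >= self.period:
            out = self.flush()
        if self.needle in line:
            if self.window_start is None:
                self.window_start = now
                out.append(line)      # first of a burst goes through unchanged
            else:
                self.suppressed += 1  # later ones are only counted
        return out


def main():
    s = BurstSummarizer()
    for raw in sys.stdin:             # assumed: one message per input line
        for line in s.feed(raw.rstrip("\n"), time.monotonic()):
            print(line, flush=True)
    for line in s.flush():            # stdin closed: report what is pending
        print(line, flush=True)


if __name__ == "__main__":
    main()
```

The summary for a period is only written when the next line arrives after the period has ended or when stdin closes, so a quiet system reports its last burst late.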