do any of your local selectors throw away messages? (i.e. the ~
destination)

if you put a *.* /var/log/testfile before any of the local selectors does
it also show no messages?

the immark module is an input module, as such it only produces a mark
message if there is no input of any kind for the time period.

If there are any input messages, even if they are thrown away before your
forwarding selector, they will prevent the immark module from creating
mark messages.

note that immark is not used very frequently, so it's very possible that
there is a bug in it.

I actually wouldn't suggest using immark. Instead I would create a process
that sends useful information out every minute, something like

    nohup vmstat 60 | logger -t vmstat >/dev/null 2>&1 &

this runs vmstat every minute, spitting its output into the log. it means
you will have something every minute, and as a bonus, if something goes
wrong on the box you have the vmstat output to see what was happening.

I do the same thing with iostat -x, but that's substantially more verbose.
vmstat outputs one line per minute, plus a header line every half hour
or so. iostat -x outputs 5 lines plus one line per mounted partition every
minute. I find the iostat info useful enough when troubleshooting to do
it, but you may not.

David Lang

On Tue, 30 Aug 2011, Andreas Piesk wrote:

On 30.08.2011 21:57, [email protected] wrote:

were there really _no_ messages of any sort during those 20 minutes? not even a
debug level message from CRON when it runs?

remember that MARK will only fire if there are no messages at all.

yes i know but there were absolutely no messages, checked with wireshark:

    16:36:48.231520 10.2.122.90 -> 10.2.146.7 RSH <30>2011-08-30T16:36:48+02:00 server1 ntpd[4975]: synchronized to 10.1.0.200, stratum 2\n
    16:36:48.231842 10.2.146.7 -> 10.2.122.90 TCP 514 > 47156 [ACK] Seq=1 Ack=860 Win=71 Len=0 TSV=3458217482 TSER=82188663
    16:46:48.230337 10.2.146.7 -> 10.2.122.90 TCP [TCP Keep-Alive] 514 > 47156 [ACK] Seq=0 Ack=860 Win=71 Len=0 TSV=3458817482 TSER=82188663
    16:46:48.230347 10.2.122.90 -> 10.2.146.7 TCP [TCP Keep-Alive ACK] 47156 > 514 [ACK] Seq=860 Ack=1 Win=46 Len=0 TSV=82788669 TSER=3458217482
    16:56:48.228824 10.2.146.7 -> 10.2.122.90 TCP [TCP Keep-Alive] 514 > 47156 [ACK] Seq=0 Ack=860 Win=71 Len=0 TSV=3459417482 TSER=82788669
    16:56:48.228835 10.2.122.90 -> 10.2.146.7 TCP [TCP Keep-Alive ACK] 47156 > 514 [ACK] Seq=860 Ack=1 Win=46 Len=0 TSV=83388674 TSER=3458217482
    16:59:29.231075 10.2.122.90 -> 10.2.146.7 RSH <30>2011-08-30T16:59:29+02:00 server1 ntpd[4975]: synchronized to 10.2.0.200, stratum 2\n
    16:59:29.231414 10.2.146.7 -> 10.2.122.90 TCP 514 > 47156 [ACK] Seq=1 Ack=950 Win=71 Len=0 TSV=3459578485 TSER=83549678

you see, 16:36 - 16:59 no messages, just some TCP keep-alive packets. i
decreased MarkMessagePeriod down to 5mins and reran the test, no MARK
messages, not a single one.

regards,
-ap
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
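
Added example, not part of the thread and not rsyslog code: a receiver-side check that flags any host whose forwarded stream goes quiet for longer than the expected heartbeat interval, which is the condition the capture above shows for server1. It assumes the receiver stores lines in the `<PRI>timestamp host ...` layout seen in the capture; the names `parse` and `find_gaps` are hypothetical, and the server2 lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# "<PRI>RFC3339-timestamp host rest", the layout visible in the capture above.
LINE_RE = re.compile(r"^<(\d{1,3})>(\S+) (\S+) ")

def parse(line):
    """Return (timestamp, host), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return datetime.fromisoformat(m.group(2)), m.group(3)
    except ValueError:
        return None

def find_gaps(lines, max_silence, end=None):
    """List (host, last_seen, next_seen, gap) for each silence > max_silence.

    Lines are taken in arrival order. With `end` set, a host that is still
    silent at that time is reported with next_seen=None.
    """
    last, gaps = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        when, host = rec
        prev = last.get(host)
        if prev is not None and when - prev > max_silence:
            gaps.append((host, prev, when, when - prev))
        last[host] = when
    if end is not None:
        for host, prev in sorted(last.items()):
            if end - prev > max_silence:
                gaps.append((host, prev, None, end - prev))
    return gaps

# The two server1 lines are the ntpd messages from the capture in this thread.
# The server2 lines are constructed: a once-a-minute vmstat heartbeat.
SAMPLE = [
    "<30>2011-08-30T16:36:48+02:00 server1 ntpd[4975]: synchronized to 10.1.0.200, stratum 2",
    *[f"<13>2011-08-30T16:{m:02d}:00+02:00 server2 vmstat: constructed" for m in range(37, 60)],
    "<30>2011-08-30T16:59:29+02:00 server1 ntpd[4975]: synchronized to 10.2.0.200, stratum 2",
]

if __name__ == "__main__":
    for host, seen, nxt, gap in find_gaps(SAMPLE, timedelta(minutes=5)):
        print(f"{host}: silent for {gap} after {seen.isoformat()}")
```

Passing `end` (for example the current time) matters in practice, because a host that has stopped sending never produces the "next" message that would close the gap.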