Hi, David! Here are the full configs:
Slightly modified Debian's default rsyslog.conf: http://pastebin.com/wUnLEQF3 Plus files from the /etc/rsyslog.d/: http://pastebin.com/8UpKHH8C - file monitor for some non-syslog log files http://pastebin.com/JC5xRMJj - remote sysloging. Please note, that @@ from the original(failing) config was replaced with @ to make system responsive. Also, there are traces of an attempt to use a separate rule for remote logging, but version 5.8.11 didn't want to work with them for me... That's all. With best regards, Timur Bakeyev. On Thu, Nov 8, 2012 at 9:14 AM, David Lang <[email protected]> wrote: > On Thu, 8 Nov 2012, Rainer Gerhards wrote: > > -----Original Message----- >>>>> From: >>>>> [email protected].**com<[email protected]>[mailto: >>>>> rsyslog- >>>>> [email protected]] On Behalf Of Timur I. Bakeyev >>>>> Sent: Wednesday, November 07, 2012 2:27 PM >>>>> Hi, Rainer! >>>>> >>>>> Of course you know internals of rsyslog better, so can't argue with >>>>> >>>> you >>> >>>> here. But as for the end user such behavior for me looks undesired. >>>>> What >>>>> I'd expect: >>>>> >>>>> 1. All local(imuxsock) go to the local log files. >>>>> 2. All remote messages would be spooled in an $ActionQueueFileName >>>>> file. >>>>> 3. Nothing would block >>>>> >>>> >>>> Yup - so why not configure it that way? >>>> >>> >>> Rainer, >>> >>> looking through his partial config, it looks like he does have a >>> separate >>> action queue with disk assist configured for the sending to the remote >>> host. >>> I'm not that familiar with the disk queues, so I may be missing what >>> he's done >>> wrong here, but shouldn't this queue the logs to disk and not block >>> unless the >>> disk is full? >>> >> >> Autsch - you really got me. This seemd to be the standard "just uncomment >> and be happy" part that is shipped by many distros. That contains a size >> limitation to 1 or 2 gig for the disk subsystem. But... that statement is >> not present! So it looks like I screwed up once more. >> > > it could be, I'm not that familiar with the distro default configs (I > always put everything in /var/log/messages or send it to a remote system > with my own config :-) > > > In that case, a debug log of a failure case would probably be useful (or >> at least of a startup, just to see if the size limitation is still set and >> just not present in the pasted config). >> > > this seems to be a partial config (based on the comment about local files) > > > another possible issue: > > what happens when you hit the rate limit? does it drop messages or block > them? > > David Lang > > > Rainer >> >>> >>> David Lang >>> >>> And configuration: >>>>>>> >>>>>>> $MaxMessageSize 8k >>>>>>> $ModLoad imuxsock # provides support for local system logging >>>>>>> $ModLoad imklog # provides kernel logging support >>>>>>> >>>>>>> # Store PID of the process in the log >>>>>>> $SystemLogUsePIDFromSystem on >>>>>>> # Rate limit for imuxsock >>>>>>> $SystemLogRateLimitInterval 1 >>>>>>> $SystemLogRateLimitBurst 500 >>>>>>> >>>>>>> $WorkDirectory /var/spool/rsyslog >>>>>>> >>>>>>> $ModLoad imfile >>>>>>> $InputFilePollInterval 5 >>>>>>> >>>>>>> $InputFileName /var/log/nginx/access.log >>>>>>> $InputFilePersistStateInterval 100 >>>>>>> $InputFileTag nginx/access: >>>>>>> $InputFileStateFile nginx_access_log_state >>>>>>> $InputFileFacility local7 >>>>>>> $InputFileSeverity notice >>>>>>> $InputRunFileMonitor >>>>>>> >>>>>>> $ActionQueueType LinkedList # enable a >>>>>>> separate queue for this action >>>>>>> $ActionQueueFileName remote # set file >>>>>>> >>>>>> name, >>> >>>> also enables disk mode >>>>>>> $ActionResumeRetryCount -1 # infinite >>>>>>> retries on insert failure >>>>>>> $ActionQueueSaveOnShutdown on >>>>>>> *.* @@10.0.0.200 >>>>>>> >>>>>> ______________________________**_________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>> >>> >>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >>> >>> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> >>> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST >>> if you DON'T LIKE THAT. >>> >> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >> >> >> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >> >> >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> >> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> >> ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> > > > http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
