Add: $ModLoad impstats
to the top of your rsyslog.conf and restart. Then look for lines like: Nov 9 14:58:29 scribe1 [syslog.info<46>] rsyslogd-pstats:main Q: size=3771664 enqueued=2498832464 full=22295 maxqsize=8000000 every 5 minutes. Subtract the smaller enqueued value from the larger, divide by 300, and that's your rate per second. ----- Original Message ----- > From: "Luke Marrott" <luke.marr...@gmail.com> > To: "rsyslog-users" <rsyslog@lists.adiscon.com> > Sent: Friday, November 9, 2012 3:07:02 PM > Subject: Re: [rsyslog] rsyslog dropping logs > > Full configuration: > [root@hostname]# cat /etc/rsyslog.conf > # if you experience problems, check > # http://www.rsyslog.com/troubleshoot for assistance > > # rsyslog v3: load input modules > # If you do not load inputs, nothing happens! > # You may need to set the module load path if modules are not found. > > $ModLoad immark # provides --MARK-- message capability > $ModLoad imuxsock # provides support for local system logging (e.g. > via > logger command) > $ModLoad imklog # kernel logging (formerly provided by rklogd) > > # Log all kernel messages to the console. > # Logging much else clutters up the screen. > #kern.* /dev/console > > # Log anything (except mail) of level info or higher. > # Don't log private authentication messages! > #*.error;mail.none;authpriv.none;cron.none > /var/log/messages > > # The authpriv file has restricted access. > authpriv.* > /var/log/secure > > # Log all the mail messages in one place. > mail.* > -/var/log/maillog > > > # Log cron stuff > cron.* > -/var/log/cron > > # Everybody gets emergency messages > *.emerg * > > # Save news errors of level crit and higher in a special file. > uucp,news.crit > -/var/log/spooler > > # Save boot messages also to boot.log > local7.* > /var/log/boot.log > > # Remote Logging (we use TCP for reliable delivery) > # An on-disk queue is created for this action. If the remote host is > # down, messages are spooled to disk and sent when it is up again. > #$WorkDirectory /rsyslog/spool # where to place spool files > #$ActionQueueFileName uniqName # unique name prefix for spool files > #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as > possible) > #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown > #$ActionQueueType LinkedList # run asynchronously > #$ActionResumeRetryCount -1 # infinite retries if host is down > # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional > #*.* @@remote-host:514 > > > # ######### Receiving Messages from Remote Hosts ########## > # TCP Syslog Server: > # provides TCP syslog reception and GSS-API (if compiled to support > it) > $ModLoad imtcp.so # load module > $InputTCPServerRun 514 # start up TCP listener at port 514 > > # UDP Syslog Server: > $ModLoad imudp.so # provides UDP syslog reception > $UDPServerRun 514 # start a UDP syslog server at standard port 514 > > > $template Default,"/data/syslog/%HOSTNAME%/%HOSTNAME%.log" > *.* ?Default > > > [root@hostname]# > > > What's a good way to look at message ratE? > > > :Luke Marrott > > > > On Fri, Nov 9, 2012 at 1:03 PM, David Lang <da...@lang.hm> wrote: > > > On Fri, 9 Nov 2012, Luke Marrott wrote: > > > > Sorry. I wasn't real clear. The server runs on a big VM in another > >> location > >> completely. No issues with the server during this time. This has > >> been an > >> ongoing thing. I'm running Splunk on the same box and if I turn > >> off > >> rsyslog > >> and turn splunk on the same port it gets all the messages that > >> don't seem > >> to get picked up by rsyslog. > >> > >> Doesn't appear to be any rate limiting configuration. > >> > > > > Ok, that is a different situation. In my experience, rsyslog is > > signicantly better than Splunk at receiving messages. I've testing > > rsyslog > > up to 380K messages/sec (gige wire speed) and others have tested > > rsyslog up > > to 1M messages/sec, so it's unlikely to be something fundamental to > > rsyslog, but it could easily be some resource contraint you are > > running > > into. > > > > can you post your full configuration? > > > > what message rate are you seeing? > > > > > > David Lang > > ______________________________**_________________ > > rsyslog mailing list > > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> > > http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > > you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT > POST if you DON'T LIKE THAT. > -- Rick Brown Office of Information Technology Georgia Institute of Technology 258 4th Street N.W. Atlanta, GA 30332-0715 email: r...@gatech.edu ph: (404) 894-6175 Calendar: https://mail.gatech.edu/home/r...@mail.gatech.edu?fmt=freebusy _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.