Only one configuration there.

I have all my messages going to directories by host so your method doesn't
seem to be working.

I did a tcpdump only on port 514 for a few seconds and I had like 2000
messages.

:Luke Marrott



On Fri, Nov 9, 2012 at 2:48 PM, David Lang <da...@lang.hm> wrote:

> are these two different configs (the sender and the receiver)?
>
> a simple way to see the message rate is to do a
>
>     cut -f 1 -d ' ' logfiles | sort | uniq -c
>
> to look at the timestamps and see how many timestamps you have in a second.
>
> David Lang
>
>
> On Fri, 9 Nov 2012, Luke Marrott wrote:
>
>> Date: Fri, 9 Nov 2012 13:07:02 -0700
>> From: Luke Marrott <luke.marr...@gmail.com>
>> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>>
>> Subject: Re: [rsyslog] rsyslog dropping logs
>>
>> Full configuration:
>> [root@hostname]# cat /etc/rsyslog.conf
>> # if you experience problems, check
>> # http://www.rsyslog.com/troubleshoot for assistance
>>
>> # rsyslog v3: load input modules
>> # If you do not load inputs, nothing happens!
>> # You may need to set the module load path if modules are not found.
>>
>> $ModLoad immark   # provides --MARK-- message capability
>> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
>> $ModLoad imklog   # kernel logging (formerly provided by rklogd)
>>
>> # Log all kernel messages to the console.
>> # Logging much else clutters up the screen.
>> #kern.*                                                 /dev/console
>>
>> # Log anything (except mail) of level info or higher.
>> # Don't log private authentication messages!
>> #*.error;mail.none;authpriv.none;cron.none              /var/log/messages
>>
>> # The authpriv file has restricted access.
>> authpriv.*                                              /var/log/secure
>>
>> # Log all the mail messages in one place.
>> mail.*                                                  -/var/log/maillog
>>
>>
>> # Log cron stuff
>> cron.*                                                  -/var/log/cron
>>
>> # Everybody gets emergency messages
>> *.emerg                                                 *
>>
>> # Save news errors of level crit and higher in a special file.
>> uucp,news.crit                                          -/var/log/spooler
>>
>> # Save boot messages also to boot.log
>> local7.*                                                /var/log/boot.log
>>
>> # Remote Logging (we use TCP for reliable delivery)
>> # An on-disk queue is created for this action. If the remote host is
>> # down, messages are spooled to disk and sent when it is up again.
>> #$WorkDirectory /rsyslog/spool # where to place spool files
>> #$ActionQueueFileName uniqName # unique name prefix for spool files
>> #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
>> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
>> #$ActionQueueType LinkedList   # run asynchronously
>> #$ActionResumeRetryCount -1    # infinite retries if host is down
>> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
>> #*.* @@remote-host:514
>>
>>
>> # ######### Receiving Messages from Remote Hosts ##########
>> # TCP Syslog Server:
>> # provides TCP syslog reception and GSS-API (if compiled to support it)
>> $ModLoad imtcp.so  # load module
>> $InputTCPServerRun 514 # start up TCP listener at port 514
>>
>> # UDP Syslog Server:
>> $ModLoad imudp.so  # provides UDP syslog reception
>> $UDPServerRun 514 # start a UDP syslog server at standard port 514
>>
>>
>> $template Default,"/data/syslog/%HOSTNAME%/%HOSTNAME%.log"
>> *.* ?Default
>>
>>
>> [root@hostname]#
>>
>>
>> What's a good way to look at message rate?
>>
>>
>> :Luke Marrott
>>
>>
>>
>> On Fri, Nov 9, 2012 at 1:03 PM, David Lang <da...@lang.hm> wrote:
>>
>>> On Fri, 9 Nov 2012, Luke Marrott wrote:
>>>
>>>> Sorry. I wasn't real clear. The server runs on a big VM in another
>>>> location completely. No issues with the server during this time. This
>>>> has been an ongoing thing. I'm running Splunk on the same box and if I
>>>> turn off rsyslog and turn splunk on the same port it gets all the
>>>> messages that don't seem to get picked up by rsyslog.
>>>>
>>>> Doesn't appear to be any rate limiting configuration.
>>>>
>>>
>>> Ok, that is a different situation. In my experience, rsyslog is
>>> significantly better than Splunk at receiving messages. I've tested
>>> rsyslog up to 380K messages/sec (gige wire speed) and others have tested
>>> rsyslog up to 1M messages/sec, so it's unlikely to be something
>>> fundamental to rsyslog, but it could easily be some resource constraint
>>> you are running into.
>>>
>>> can you post your full configuration?
>>>
>>> what message rate are you seeing?
>>>
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
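Added example (not part of the original thread, and not code from either poster): a per-second message counter in the spirit of the cut/sort/uniq pipeline quoted above. It goes beyond that one-liner by keying on the whole second for both RFC 3339 and traditional "Mon DD HH:MM:SS" timestamps and by reporting the peak rate; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count syslog messages per second from log files or stdin.

# Emit one "second" key per message, then count identical keys.
msgs_per_second() {
    awk '
    # RFC 3339 stamp in field 1: keep YYYY-MM-DDTHH:MM:SS, drop fraction/zone
    $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ {
        print substr($1, 1, 19); next
    }
    # Traditional stamp "Nov  9 13:07:02": month, day and time are fields 1-3
    $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        print $1, $2, $3
    }
    ' "$@" | sort | uniq -c
}

# Highest per-second count seen (0 if no line carried a timestamp).
peak_rate() {
    msgs_per_second "$@" | sort -rn |
        awk 'NR == 1 { n = $1 } END { print n + 0 }'
}

# Constructed sample input, not taken from the thread.
sample_log() {
    cat <<'EOF'
Nov  9 13:07:02 web01 sshd[311]: constructed sample line
Nov  9 13:07:02 web01 sshd[311]: constructed sample line
Nov  9 13:07:03 db01 cron[42]: constructed sample line
2012-11-09T13:07:02.123456-07:00 fw01 kernel: constructed sample line
2012-11-09T13:07:02.654321-07:00 fw01 kernel: constructed sample line
2012-11-09T13:07:02.999999-07:00 fw01 kernel: constructed sample line
EOF
}

sample_log | msgs_per_second
echo "peak: $(sample_log | peak_rate) msgs/sec"
```

With the template posted in this thread, `msgs_per_second /data/syslog/*/*.log` reads every per-host file in one pass, so the counts are per second across all senders rather than per host.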