On Mon, 17 Dec 2012, John Miller wrote:
Hello everyone,
I'm running into a strange problem with some new RHEL 6 servers I've built.
I can go for days without anything appearing to get logged (to any
file/remote server), but then when I restart rsyslog via the provided
initscripts, logs magically appear! Obviously there's some sort of buffering
happening, but where/how? If anyone is familiar with this, and could point
me to the relevant spot in the docs, I'd be grateful.
We're running a pretty bare-bones config (comments removed):
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.info;mail.none;authpriv.*;cron.none @@loghost.unet.brandeis.edu
The initscript calls rsyslog as:
/sbin/rsyslogd -i /var/run/syslogd.pid -c5
I'm running things in debug mode right now, and will post the debug logs once
I read through them a bit.
My guess is that something is interrupting the TCP connection and logs then stop
(possibly a firewall or NAT timeout), logs are then buffered until something
gets restarted and they start flowing again.
However, I don't see anything in your config that would spool to disk, so it
would have to be a HUP refresh on the sender, or a full restart on the reciever
that would get logs flowing again (a full stop on the sender would throw away
the logs that it has buffered)
Ryslog always buffers logs, but usually only does so for a very short time. The
internal structure of rsyslog is that it has one or more threads recieving new
messages and adding them to a queue (by default in-memory), and one or more
threads pulling messages out of the queue and delivering them (either directly,
ot to a secondary queue with yet another thread pulling from that queue for
delivery)
I notice that you have rsyslog set for TCP relaying of messages, you need to be
aware that if rsyslog is unable to deliver messages for long enough that it's
internal buffering fills up, it will stop accepting new messages, and this will
cause systems trying to log to syslog to stop. Rsyslog has config options to let
you tell it to throw away logs if it gets too full, or to spill logs out to
disk, but you don't appear to have any of these options configured.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
