Andre and all, in my experience, 90% of those cases simply go away when you upgrade to a *project-supported* version (remember: that is 7.4). I spent days debugging known issues and that's a big waste of time. If s/o needs to have an old version supported, there are support contracts. This is also a good test if a company is serious about there no-update policy. If it is, it will happily pay the fee.
In other words: I stongly suggest either upgrading to 7.4 or closing this case. Rainer On Wed, Aug 7, 2013 at 9:32 AM, Andre Lorbach <alorb...@adiscon.com> wrote: > A debuglog would properly give some insight. As this is an older RSyslog > Version, it could also be an already fixed bug. > Have you tried to setup two actions queues? > > Like this: > ---------------------- > RULES > $ActionQueueType LinkedList # run asynchronously > $ActionQueueFileName mgmtlocal # unique name prefix for spool files > $ActionQueueSaveOnShutdown on # save messages to disk on shutdown > $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as > possible) > > # Log anything except authpriv, cron, syslog, of level info or higher. > *.info;local0.none;authpriv.none;cron.none;syslog.none /var/log/messages > > # The authpriv file has restricted access. > authpriv.* /var/log/secure > > # Log cron stuff > cron.* /var/log/cron > > # Keep syslog separate > syslog.* /var/log/syslog > > # Keep mail separate > mail.* /var/log/maillog > > # Everybody gets emergency messages > *.emerg;local0.none * > > # Save news errors of level crit and higher in a special file. > uucp,news.crit /var/log/spooler > > # Save boot messages also to boot.log > local7.* /var/log/boot.log > > $ActionQueueType LinkedList # run asynchronously > $ActionQueueFileName mgmtfwd # unique name prefix for spool files > $ActionResumeRetryCount -1 # infinite retries if host is down > $ActionQueueSaveOnShutdown on # save messages to disk on shutdown > $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as > possible) > >>driver mode settings<< > *.info;local0.* @@SOME_IP:SOME_PORT > -------------------------------------- > > Best regards, > Andre Lorbach > > > -----Original Message----- > > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog- > > boun...@lists.adiscon.com] On Behalf Of Rodrian, Logan P (IS) > > Sent: Tuesday, August 06, 2013 11:18 PM > > To: rsyslog-users > > Subject: Re: [rsyslog] Local persistence issue when no TCP connection > > > > Yes. I will include my reply to David's message from last week, where I > > included the full ruleset. > > > > David- > > > > I do have an ActionQueue before my TCP destination, but do also have > > retries set to -1 as you pointed out. Here is a more complete set of > rules: > > > > ---------------------- > > RULES > > > > # Log anything except authpriv, cron, syslog, of level info or higher. > > *.info;local0.none;authpriv.none;cron.none;syslog.none > /var/log/messages > > > > # The authpriv file has restricted access. > > authpriv.* /var/log/secure > > > > # Log cron stuff > > cron.* /var/log/cron > > > > # Keep syslog separate > > syslog.* /var/log/syslog > > > > # Keep mail separate > > mail.* > /var/log/maillog > > > > # Everybody gets emergency messages > > *.emerg;local0.none * > > > > # Save news errors of level crit and higher in a special file. > > uucp,news.crit /var/log/spooler > > > > # Save boot messages also to boot.log > > local7.* > /var/log/boot.log > > > > $ActionQueueType LinkedList # run asynchronously > > $ActionQueueFileName mgmtfwd # unique name prefix for spool files > > $ActionResumeRetryCount -1 # infinite retries if host is down > > $ActionQueueSaveOnShutdown on # save messages to disk on shutdown > > $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as > possible) > > >>driver mode settings<< > > *.info;local0.* @@SOME_IP:SOME_PORT > > > > -------------------------------------- > > > > Hopefully a larger context of the rules may help. I DO see the startup > log > > printed to /var/log/syslog, as you mentioned, yet it seems all > subsequent > > logs don't get processed to their destinations. Any ideas? > > > > Along the lines of the ActionResumeRetryCount, I am under the impression > > that setting it to -1 means that the TCP socket will try infinitely to > send to the > > remote host, but will use the ActionQueueFileName to save the data if it > > cannot connect/send. Does it have other implications with regard to > writing > > to the ActionQueueFileName and not merely connecting/sending? > > > > > > > > Logan Rodrian > > > > > > -----Original Message----- > > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog- > > boun...@lists.adiscon.com] On Behalf Of David Lang > > Sent: Tuesday, August 06, 2013 1:45 PM > > To: rsyslog-users > > Subject: EXT :Re: [rsyslog] Local persistence issue when no TCP > connection > > > > I am not seeing what's wrong, you do have an action queue defined, so > the > > TCP delivery blocking should not block local logging. > > > > Andre?? > > > > David Lang > > > > On Mon, 5 Aug 2013, Rodrian, Logan P (IS) wrote: > > > > > Date: Mon, 5 Aug 2013 14:36:38 +0000 > > > From: "Rodrian, Logan P (IS)" <logan.rodr...@ngc.com> > > > Reply-To: rsyslog-users <rsyslog@lists.adiscon.com> > > > To: rsyslog-users <rsyslog@lists.adiscon.com> > > > Subject: Re: [rsyslog] Local persistence issue when no TCP connection > > > > > > As an additional point of note, once the remote server comes up and a > > network connection is established, all logs produced during the down > time > > are then visible in /var/log/messages. The scary part is still that no > logs get > > written to the files when the network connection doesn't exist. Please > help. > > > > > > Logan Rodrian > > > > > > ________________________________________ > > > From: rsyslog-boun...@lists.adiscon.com > > > [rsyslog-boun...@lists.adiscon.com] on behalf of David Lang > > > [da...@lang.hm] > > > Sent: Friday, August 02, 2013 11:50 > > > To: rsyslog-users > > > Subject: EXT :Re: [rsyslog] Local persistence issue when no TCP > > > connection > > > > > > On Fri, 2 Aug 2013, Rodrian, Logan P (IS) wrote: > > > > > >> I am running RHEL 6.3 with included rsyslog-5.8.10-2 rpm. > > >> > > >> I am having an issue upon system boot, whereby logs are not being > > written to /var/log/messages when the (later) action to send to another > host > > via TCP cannot make a connection. > > >> > > >> A snippet from my rules are as follows: > > >> > > >> ... > > >> # Log anything except authpriv, cron, syslog, of level info or > higher. > > >> *.info;local0.none;authpriv.none;cron.none;syslog.none > > >> /var/log/messages > > >> > > >>>> more rules<< > > >> > > >>>> action and driver mode settings<< > > >> *.info;local0.* @@SOME_IP:SOME_PORT > > >> > > >> ... > > >> It does not matter if I put the remote rule before or after the one > > directing to /var/log/messages. > > >> > > >> After boot, I test using 'logger -p security.crit some message', > where I > > would expect the string 'some message' to appear in /var/log/messages, > but > > it is not there. > > >> > > >> Using wireshark, I see that the only network traffic upon boot are > ARP > > messages looking for SOME_IP. > > >> > > >> If I restart the rsyslog service, then I can re-execute the 'logger' > command > > and then I do see the expected string in /var/log/messages. Looking > again at > > wireshark, there are still only ARP messages looking for SOME_IP. > > >> > > >> Is there a bug in this version that causes hanging on boot, whereby > some > > dependent service/item isn't running yet that does exist/is ready when > > doing a service restart? The order of services starting are iptables, > network, > > rsyslog, ... > > >> > > >> Any ideas as to what is causing this/how to fix it? > > > > > > remember that when rsyslog starts up it logs a startup message. > > > > > > If that message is unable to be written to one of your destinations, > > > rsyslog will not process additional logs until and unless it decides > > > to stop writing any logs to that destination. > > > > > > one way to deal with this is to create an action queue for the remote > > > message, that way it won't halt processing of logs for other > destinations. > > > > > > If the destination remains unavailable, eventually the action queue > > > will fill up and you will be back in the same situation. > > > > > > The other thing you will need to look at is the retry/discard > > > settings, telling rsyslog how many times to retry sending the log to > > > an output before deciding that it's always going to fail, and what to > do in > > that situation. > > > > > > It's common for people to set retries = -1, which tells rsyslog to > > > never give up, but without seeing your entire config, this is just a > guess. > > > > > > David Lang > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites > > beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > > LIKE THAT. > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites > > beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > > LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites > beyond > > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites > beyond > > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
