I see Alec is using imfile and omelasticsearch so I suppose he is tailing a log file. By any chance, are you using Cassandra to capture multiline logs (using the startmsg.regex setting)? That would explain why the last log line is not sent until restart.

Ciprian

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Sun, Dec 13, 2015 at 6:45 AM, David Lang <[email protected]> wrote:

> On Sat, 12 Dec 2015, Alec Swan wrote:
>
>> David, I don't have name= attribute in the action statement. However, there
>> are log messages from omelasticsearch module after rsyslog restart (see my
>> previous email).
>>
>> Cassandra does not generate a lot of logs and I noticed that the few that
>> get generated are not sent to elasticsearch until rsyslog is restarted. It
>> feels like logs are being buffered and then sent to ES on subsequent
>> startup.
>>
>> So, here is what I see happening:
>> 1. I start Rsyslog
>> 2. I start Cassandra and it generates several dozens of log lines
>> 3. No logs show up in ES (even if I restart Cassandra several times)
>> 4. I restart Rsyslog
>> 5. The logs generated in step 2 show up in ES
>
> This does not sound like rsyslog is buffering the logs, but that there is
> some other problem.
>
> how are the logs getting from Cassandra to rsyslog?
>
> can you enable impstats so that you can see how many logs are received,
> and how many are processed by the various actions?
>
> it would help to name new style actions so that it's easier to track them.
>
> in your debug log (the output of -dn), track a known message that
> Cassandra generates and see exactly what happens to it.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
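
The two diagnostics David suggests in the quoted reply (enable impstats, name the action), as an added configuration sketch that is not taken from the thread or from the rsyslog project. The file paths, tag, regex, index and action name are assumptions, and the imfile input with startmsg.regex is included only because Ciprian asks about it.

```conf
# Added example; paths, tag, regex, index and action name are hypothetical.

# Periodic counters for queues and actions, written to a local file
# instead of being injected into the normal syslog stream.
module(load="impstats"
       interval="60"
       severity="7"
       log.syslog="off"
       log.file="/var/log/rsyslog-stats.log")

module(load="imfile")
module(load="omelasticsearch")

# Tail the Cassandra log (path assumed). With startmsg.regex set, imfile
# holds the current message until a line matching the regex begins the
# next one, so the most recent message stays pending while the file is idle.
input(type="imfile"
      File="/var/log/cassandra/system.log"
      Tag="cassandra:"
      startmsg.regex="^(INFO|WARN|ERROR|DEBUG)")

# Naming the action gives it its own clearly labelled line in the
# impstats output, so its counters can be followed over time.
if $syslogtag == "cassandra:" then {
    action(name="es_cassandra"
           type="omelasticsearch"
           server="localhost"
           serverport="9200"
           searchIndex="cassandra-logs")
}
```

In the stats file, compare the main queue's enqueued count with the processed and failed counts reported for the es_cassandra action to see whether messages are arriving but not being delivered.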

