Thanks for your reply, sir.

1- There are about 13000 files of 1.1 MB, accumulated to 13 GB on disk. When I remove the low and high water marks on the main and action queues to make them in-memory-only queues, it still creates these files. Why is that?
2- How about if rsyslog receives at 30000 EPS but the main queue is about 500k and the action queue 100k?
3- What is meant by dequeuebatch size, and how can I add a delay to control speed?

Thanks

On Fri, Dec 18, 2015 at 1:09 AM, David Lang <[email protected]> wrote:

> the config you list has only one action, sending to localhost on TCP 5170
>
> there's nothing in this config that writes to anything else, did you
> forget to include something?
>
> the error messages that you show talk about '~', but it doesn't appear
> anywhere in the config you provided.
>
> does the user syslog have the rights to create files in the
> /var/spool/rsyslog directory?
>
> David Lang
>
> On Thu, 17 Dec 2015, Muhammad Asif wrote:
>
> Date: Thu, 17 Dec 2015 22:53:29 +0500
>> From: Muhammad Asif <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Every log written in syslog
>>
>>
>> Dear David,
>>
>> Please see my rsyslog configs below. Pastebin is not open here so I use
>> email page.
>>
>> # /etc/rsyslog.conf Configuration file for rsyslog.
>> #
>> # For more information see
>> # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
>> #
>> # Default logging rules can be found in /etc/rsyslog.d/50-default.conf
>>
>>
>> #################
>> #### MODULES ####
>> #################
>>
>> $ModLoad imuxsock # provides support for local system logging
>> $ModLoad imklog # provides kernel logging support (previously done by
>> rklogd)
>> #$ModLoad immark # provides --MARK-- message capability
>>
>> # provides UDP syslog reception
>> $ModLoad imudp
>> $UDPServerRun 514
>>
>> # provides TCP syslog reception
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>>
>> ###########################
>> #### GLOBAL DIRECTIVES ####
>> ###########################
>>
>> #
>> # Use traditional timestamp format.
>> # To enable high precision timestamps, comment out the following line.
>> #
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>
>> # Filter duplicated messages
>> $RepeatedMsgReduction on
>>
>> #
>> # Set the default permissions for all log files.
>> #
>> $FileOwner syslog
>> $FileGroup adm
>> $FileCreateMode 0640
>> $DirCreateMode 0755
>> $Umask 0022
>> $PrivDropToUser syslog
>> $PrivDropToGroup syslog
>>
>> #
>> # Where to place spool files
>> #
>> $WorkDirectory /var/spool/rsyslog
>> $template msg,"%msg%"
>> $template msgonly,"%rawmsg%\n"
>>
>>
>> main_queue(
>>   queue.filename="main_queue" # write to disk if needed
>>   queue.maxdiskspace="5g" # when to stop writing to disk
>>   queue.highwatermark="1500000" # start spilling to disk at this size
>>   queue.lowwatermark="500000" # stop spilling when it gets back to this size
>>   queue.saveonshutdown="on" # write queue contents to disk on shutdown
>>   queue.dequeueBatchSize="5000"
>>   queue.workerthreads="4"
>>   queue.size="2000000" # absolute max queue size
>> )
>>
>> action(type="omfwd" target="127.0.0.1" port="5170" protocol="tcp"
>>   template="msgonly"
>>   queue.filename="forwarding" queue.size="1000000"
>>   queue.maxdiskspace="5g" queue.highwatermark="900000"
>>   queue.lowwatermark="200000" queue.dequeuebatchsize="1000"
>>   queue.type="LinkedList"
>> )
>>
>>
>> if $fromhost-ip == '172.20.16.25' then stop
>>
>>
>> Please help in these tasks
>>
>> 1- I want to stop logs to be written in syslog file.
>> 2- I am also facing this problem.
>>
>> Dec 17 22:44:03 rdsaparser rsyslogd: [origin software="rsyslogd"
>> swVersion="8.14.0" x-pid="659" x-info="http://www.rsyslog.com"] start
>> Dec 17 22:44:04 rdsaparser rsyslogd-2040: fatal error on disk queue 'main
>> Q[DA]', emergency switch to direct mode [v8.14.0 try
>>
>> http://www.rsyslog.com/e/2040 ]
>> Dec 17 22:44:04 rdsaparser rsyslogd-2040: fatal error on disk queue
>> 'action
>> 4 queue[DA]', emergency switch to direct mode [v8.14.0 try
>>
>> http://www.rsyslog.com/e/2040 ]
>> Dec 17 22:44:03 rdsaparser rsyslogd-2307: warning: ~ action is deprecated,
>> consider using the 'stop' statement instead [v8.14.0 try
>>
>> http://www.rsyslog.com/e/2307 ]
>> Dec 17 22:44:03 rdsaparser rsyslogd-2307: warning: ~ action is deprecated,
>> consider using the 'stop' statement instead [v8.14.0 try
>>
>> http://www.rsyslog.com/e/2307 ]
>> Dec 17 22:44:03 rdsaparser rsyslogd: imklog: cannot open kernel log
>> (/proc/kmsg): Operation not permitted.
>> Dec 17 22:44:03 rdsaparser rsyslogd-2145: activation of module imklog
>> failed [v8.14.0 try http://www.rsyslog.com/e/2145 ]
>> Dec 17 22:44:03 rdsaparser rsyslogd: rsyslogd's groupid changed to 104
>> Dec 17 22:44:03 rdsaparser rsyslogd: rsyslogd's userid changed to 101
>>
>> 3- I want to emit logs 1000/sec
>> 4- I want impstat on TCP.
>>
>> Thanks
>>
>>
>> On Thu, Dec 17, 2015 at 9:41 PM, David Lang <[email protected]> wrote:
>>
>> On Thu, 17 Dec 2015, Muhammad Asif wrote:
>>>
>>> Hi Guys,
>>>
>>>>
>>>> I have a rsyslog server which is receiving logs from different sources
>>>> and then sending to fluentd. Problem is that our rsyslog sending logs to
>>>> fluentd and also writing all logs in syslog file which increases to
>>>> 20GB.
>>>> I don't want to write coming logs in syslog. How can I achieve my goal.
>>>>
>>>>
>>> short answer, change your config to not write to the file.
>>>
>>> long answer, we can't tell you exactly how to change your config without
>>> knowing more about it.
>>>
>>> either remove the lines that write to the file if you don't want anything
>>> there, or have a 'if..then' statement in your config that does a stop
>>> after the log is written to fluentd and before it's written to the file
>>> to only not write to the file sometimes.
>>>
>>> David Lang
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
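
The "forward, then stop before the file rules" arrangement suggested in the quoted reply, written out as an added example that is not from the thread or from the rsyslog project. The file name, the `$fromhost-ip` condition and the load order are assumptions; the queue carries no `queue.filename`, because that parameter is what makes an in-memory queue disk-assisted.

```conf
# Added example. Hypothetical file name: /etc/rsyslog.d/10-fluentd.conf
# Assumption: the rules that write the syslog file are loaded after this
# block (for instance from 50-default.conf, included in sort order).
# The "msgonly" template is the one defined in the rsyslog.conf posted above.

# Assumption: "incoming" logs are those not generated on this host.
if $fromhost-ip != "127.0.0.1" then {
    # Memory-only action queue. queue.filename is deliberately absent:
    # setting it turns a LinkedList queue into a disk-assisted one that
    # spools to $WorkDirectory, and the watermarks only decide when the
    # spooling starts and stops.
    action(type="omfwd" target="127.0.0.1" port="5170" protocol="tcp"
           template="msgonly"
           queue.type="LinkedList"
           queue.size="100000"
           queue.dequeuebatchsize="1000")

    # Rules that come after this statement never see the message, so it
    # is forwarded to fluentd but not written to the syslog file.
    stop
}
```

Without disk assistance, messages can be lost once the in-memory queue fills while the forwarding target is unreachable, so `queue.size` sets how long an outage the pipeline can absorb.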

