[rsyslog] Queue system Rsyslog

[noalex via rsyslog]

Hi,

I'm trying to set up a Rsyslog client which will store the log locally as well 
as forwarding them to a Rsyslog Collector.

To give you an overview, below is what I have so far:

#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### MODULES ####
module(load="imuxsock")
module(load="imjournal" StateFile="imjournal.state")

#### RULES ####
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# ### Forwarding rule ###
action(type="omfwd"
       queue.filename="fwdRule1"
       queue.size="10000"
       queue.highwatermark="9600"
       queue.lowwatermark="100"
       queue.maxdiskspace="100m"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="192.168.1.25"
       Port="514"
       Protocol="tcp")

What I would like to do is:
- Store all the logs locally following the above rules - I don't need a queue 
here but I need them to be store locally in case I need them
- Forward all the logs to the remote Rsyslog server. If the there is connection 
failure between rsyslog client and server, store in memory with a threshold of 
9600 messages and then store on disk until the disk storage reach 100mo. After 
that drop the messages (for the last action).
- When the connection is up again, forward the log to the Rsyslog Server if it 
didn't reach the threshold.

However, it's like the first rules (used to store locally) take the queue 
parameters used by the forwarding action. When the disk space is 100mo, they 
stop storing locally and store in memory ... I cannot make it work and be 
comfortable about the behaviour of Rsyslog.

Could you please advise what I am doing wrong or if I misunderstood anything?

System Used: Centos
Rsyslog version: 8.24.0

Cheers
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.