Re: [rsyslog] Input from udp/514 - output appears in logfile with delay
Upgrade at least to the latest 5.8 version, better a supported one. 99% sure this will fix your issue. Sent from phone, thus brief. Ursprüngliche Nachricht Von: ulrich.her...@t-systems.com Datum: 04.04.2013 13:44 (GMT+01:00) An: rsyslog@lists.adiscon.com Betreff: [rsyslog] Input from udp/514 - output appears in logfile with delay Hi, We have a rsyslog 5.8.1: Input comes on UDP/514 (from a cisco device), output is directed to a logfile - but there it appears with a delay from about 60 seconds. This is a low-throughput input, so maybe, our file buffer just fills to slow. Can I configure that somewhere so that this is written with short delay to my logfile ? I've found: $OMFileFlushInterval But the documentation for this parameter is not useful at all (Defines a template to be used for the output.) for me. I've tried setting this to 1 - but the delay is just about 1 minute (ok, maybe the 1 does mean minutes, not seconds) Any Ideas ? Uli ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Input from udp/514 - output appears in logfile with delay
Try starting rsyslog with the -x option to disable DNS lookups. If that solves your problem, check that you have reverse DNS working well. Rsyslog will try to lookup the IP address of the system sending the logs to it. David Lang On Thu, 4 Apr 2013, ulrich.her...@t-systems.com wrote: Some additional information: We see the data coming on UDP with tcpdump in time on the rsyslog server, so we know, that the cisco device logs everything in time. Just the log data in the log file is with delay. Uli -Ursprüngliche Nachricht- Von: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] Im Auftrag von Herbst, Ulrich Gesendet: Donnerstag, 4. April 2013 13:44 An: rsyslog@lists.adiscon.com Betreff: [rsyslog] Input from udp/514 - output appears in logfile with delay Hi, We have a rsyslog 5.8.1: Input comes on UDP/514 (from a cisco device), output is directed to a logfile - but there it appears with a delay from about 60 seconds. This is a low-throughput input, so maybe, our file buffer just fills to slow. Can I configure that somewhere so that this is written with short delay to my logfile ? I've found: $OMFileFlushInterval But the documentation for this parameter is not useful at all (Defines a template to be used for the output.) for me. I've tried setting this to 1 - but the delay is just about 1 minute (ok, maybe the 1 does mean minutes, not seconds) Any Ideas ? Uli ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Input from udp/514 - output appears in logfile with delay
If you are upgrading anyway, you should see how far you can upgrade. The current version is 7.2 (with 7.4 due shortly based off the current 7.3) There are a lot of cleanups and a new config language that can significantly clarify more complex configurations in the new versions. David Lang On Thu, 4 Apr 2013, ulrich.her...@t-systems.com wrote: Date: Thu, 4 Apr 2013 15:02:24 +0200 From: ulrich.her...@t-systems.com Reply-To: rsyslog-users rsyslog@lists.adiscon.com To: rsyslog@lists.adiscon.com Subject: Re: [rsyslog] Input from udp/514 - output appears in logfile with delay Great. That was exactly my problem. But nevertheless - I will upgrade as suggested by Gerhard. Uli -Urspr?ngliche Nachricht- Von: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] Im Auftrag von David Lang Gesendet: Donnerstag, 4. April 2013 14:24 An: rsyslog-users Betreff: Re: [rsyslog] Input from udp/514 - output appears in logfile with delay Try starting rsyslog with the -x option to disable DNS lookups. If that solves your problem, check that you have reverse DNS working well. Rsyslog will try to lookup the IP address of the system sending the logs to it. David Lang On Thu, 4 Apr 2013, ulrich.her...@t-systems.com wrote: Some additional information: We see the data coming on UDP with tcpdump in time on the rsyslog server, so we know, that the cisco device logs everything in time. Just the log data in the log file is with delay. Uli -Urspr?ngliche Nachricht- Von: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] Im Auftrag von Herbst, Ulrich Gesendet: Donnerstag, 4. April 2013 13:44 An: rsyslog@lists.adiscon.com Betreff: [rsyslog] Input from udp/514 - output appears in logfile with delay Hi, We have a rsyslog 5.8.1: Input comes on UDP/514 (from a cisco device), output is directed to a logfile - but there it appears with a delay from about 60 seconds. This is a low-throughput input, so maybe, our file buffer just fills to slow. Can I configure that somewhere so that this is written with short delay to my logfile ? I've found: $OMFileFlushInterval But the documentation for this parameter is not useful at all (Defines a template to be used for the output.) for me. I've tried setting this to 1 - but the delay is just about 1 minute (ok, maybe the 1 does mean minutes, not seconds) Any Ideas ? Uli ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.