I have a client/server setup of rsyslog, however if the server becomes unreachable and the client's memory buffers fill up, everything that needs to log just hangs/blocks, such as ssh.
I have enabled disk queueing however it never seems to queue anything to disk.
What am I doing wrong?
---
----> Rsyslog version
---
[app-00-0001 ~]# rsyslogd -v
rsyslogd 3.16.1, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
Runtime Instrumentation (slow code): No
---
-----> Here is my rsyslog.conf from the offending box
---
[app-00-0001 ~]# cat /etc/rsyslog.conf
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
# Debug Template
$template MyDebug,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', fromhost-ip: '%fromhost-ip%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
$template Sys23Forward, "<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%"
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)
$ModLoad lmregexp.so
*.* /var/log/all
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/spool/rsyslog/ # where to place spool files
$ActionQueueType LinkedList # run asynchronously
$ActionQueueFileName remotelog # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@(z9)10.238.0.1;RSYSLOG_SyslogProtocol23Format
*.* @@10.238.0.1;Sys23Forward
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
# Note: as of now, you need to use the -t command line option to
# enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
# This will change in later v3 releases.
# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514
$UDPServerRun 513 # start a UDP syslog server at port 513
#$UDPServerAddress
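
An added example, not part of the original post: a small audit of a legacy-format rsyslog.conf that shows which forwarding action each `$ActionQueue*` block binds to, since those settings apply to the next action line only and then fall back to the default Direct (unqueued) mode. The function name `audit_forwarding` and the second forwarding line in the sample are constructed for illustration.

```python
import re

# Constructed sample: the remote-logging part of a legacy-format rsyslog.conf,
# plus a second forwarding action that has no queue directives of its own.
SAMPLE = """\
*.* /var/log/all
$WorkDirectory /var/spool/rsyslog/ # where to place spool files
$ActionQueueType LinkedList # run asynchronously
$ActionQueueFileName remotelog # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g
*.* @@10.238.0.1;Sys23Forward
authpriv.* @@10.238.0.2
"""

DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)")   # "$Name value [# comment]"
ACTION = re.compile(r"^(\S+)\s+(\S+)")        # "selector action"

def audit_forwarding(conf_text):
    """Return one dict per forwarding action (@ or @@) describing its queue."""
    workdir, pending, report = None, {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2)
            if name == "workdirectory":
                workdir = value                  # global, not per action
            elif name.startswith("actionqueue"):
                pending[name] = value            # held for the next action
            continue
        m = ACTION.match(line)
        if not m:
            continue                             # e.g. debris from a wrapped line
        target = m.group(2)
        if target.startswith("@"):
            qtype = pending.get("actionqueuetype", "Direct")
            fname = pending.get("actionqueuefilename")
            in_memory = qtype.lower() in ("linkedlist", "fixedarray")
            report.append({
                "target": target.split(";")[0],
                "queue_type": qtype,
                # an in-memory queue with a spool file name is disk-assisted
                "disk_assisted": in_memory and fname is not None,
                "spool_prefix": f"{workdir.rstrip('/')}/{fname}"
                                if workdir and fname else None,
            })
        pending = {}   # $ActionQueue* settings are consumed by this action
    return report
```

On the sample, the first forwarding action is reported as disk-assisted with spool prefix `/var/spool/rsyslog/remotelog`, while the second runs in Direct mode with no spool.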