Mailing List Archive

If you had multiple messages in the queue, it would send one, then delay before
sending the next (batch actually, not individual messages), but if the queue has
been idle for several seconds it will send the message immediately.

Could you explain a bit more about the problem you are trying to solve? the
dequeueslowdown parameter is a poor mans rate limiting attempt, and almost never
used.

David Lang




On Sat, 14 Jan 2023, Prasad Koya via rsyslog wrote:

> Date: Sat, 14 Jan 2023 01:24:45 +0530
> From: Prasad Koya via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Prasad Koya <prasad@arista.com>
> Subject: [rsyslog] delaying dequeuing of syslogs
>
> Hi
>
> We are using rsyslog-8.2102 and we are trying to delay forwarding of
> syslogs messages to a remote host.
>
> ruleset ( name="ForwardToServer1" queue.size="1000"
> queue.dequeuebatchsize="1" queue.type="LinkedList"
> queue.dequeueslowdown="100000" ) {
>
> if $syslogfacility-text != 'authpriv' and $syslogfacility-text ==
> 'local4' then
> action( type="omfwd" Target="172.24.68.195" Port="514"
> Protocol="udp" template="OUTGOING_MESSAGE_FORMAT2" )
>
> }
>
> call ForwardToServer1
>
>
> Is there anything wrong with the above ruleset which is trying to add
> a delay of 100ms to dequeue a message? I am stracing rsyslogd and I
> see the message going at the next millisecond it was logged by a
> program. I'm generating one syslog every few seconds and it goes out
> in the same millisecond it was received by rsyslogd.
>
> Thank you
> Prasad
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Hi David

Thanks for replying. We have a requirement where we need to forward a
syslog about an ethernet interface going down and coming back up in a
few 10s of milliseconds. If the interface through which the message
gets forwarded itself goes down and comes back up, we'd like to delay
such a specific message and wait for those 50 or 100ms before rsyslog
attempts to forward.

I tried

ruleset ( name="ForwardToServer1" queue.size="1000"
queue.dequeuebatchsize="1" queue.type="FixedArray"
queue.dequeueslowdown="100000" ) {
if $syslogfacility-text == 'local7' then
action( type="omfwd" Target="10.242.248.9" Port="514"
Protocol="udp" template="Msg_ForwardFormat" )

}
call ForwardToServer1

If a burst of syslogs arrives, say 10s after the last message was
forwarded by rsyslogd, the first one is forwarded right away and the
subsequent ones are delayed 100ms as specified above. But we'd like
even the first one to be forwarded after the specified delay. How can
we achieve this with rsyslogd? We are using 8.2102.

Thank you.

On Sat, Jan 14, 2023 at 2:02 AM David Lang <david@lang.hm> wrote:
>
> If you had multiple messages in the queue, it would send one, then delay before
> sending the next (batch actually, not individual messages), but if the queue has
> been idle for several seconds it will send the message immediately.
>
> Could you explain a bit more about the problem you are trying to solve? the
> dequeueslowdown parameter is a poor mans rate limiting attempt, and almost never
> used.
>
> David Lang
>
>
>
>
> On Sat, 14 Jan 2023, Prasad Koya via rsyslog wrote:
>
> > Date: Sat, 14 Jan 2023 01:24:45 +0530
> > From: Prasad Koya via rsyslog <rsyslog@lists.adiscon.com>
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Prasad Koya <prasad@arista.com>
> > Subject: [rsyslog] delaying dequeuing of syslogs
> >
> > Hi
> >
> > We are using rsyslog-8.2102 and we are trying to delay forwarding of
> > syslogs messages to a remote host.
> >
> > ruleset ( name="ForwardToServer1" queue.size="1000"
> > queue.dequeuebatchsize="1" queue.type="LinkedList"
> > queue.dequeueslowdown="100000" ) {
> >
> > if $syslogfacility-text != 'authpriv' and $syslogfacility-text ==
> > 'local4' then
> > action( type="omfwd" Target="172.24.68.195" Port="514"
> > Protocol="udp" template="OUTGOING_MESSAGE_FORMAT2" )
> >
> > }
> >
> > call ForwardToServer1
> >
> >
> > Is there anything wrong with the above ruleset which is trying to add
> > a delay of 100ms to dequeue a message? I am stracing rsyslogd and I
> > see the message going at the next millisecond it was logged by a
> > program. I'm generating one syslog every few seconds and it goes out
> > in the same millisecond it was received by rsyslogd.
> >
> > Thank you
> > Prasad
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.