Mailing List Archive

Ubuntu 22.04LTS
Rsyslog 8.2112.0

This server is setup to receive Syslog data from up to 13 sources, mostly networking like Cisco and Meraki. Recently had been troubleshooting an issue where the Rsyslog daemon will quit after 4-5 days. Have not been able to determine an actual cause.. but when looking at the server I began to tail the rsyslog_stat.log file. Today over the course of ~7 hours the enqueued value for the `firewall` log for example, rose from 0 to 3.8M. There were no signs of it ever emptying. The same goes with Meraki and VSCA.

So I found the document here: https://www.rsyslog.com/doc/master/examples/high_performance.html Made some changes to what I think might help but so far it?s been ~4 hours and the stats log is exhibiting the same things as before.

Is this a valid way to determining the performance of Rsyslog? If not, is there a better way?
Am I understanding queues correctly in that they should not just increase in count forever?

Yesterday at around 3pm EST I restarted rsyslog, checking this morning the `enequeue` values for meraki is 37.5M, vcsa 7.4M and firewalls 3.4M. I feel like I?m doing something wrong here..

Below are the related conf files:

Rsyslog.conf:
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability

module(load="imudp" threads="2" timeRequery="8" batchSize="128")
input(type="imudp" port=["514","20514","20515","20516","20517","20518","20519","20520","20525","20526","20527","20528","20529","20530"]
name="" name.appendPort="on")

module(load="impstats" interval="10" log.file="/var/log/rsyslog_stats.log" log.syslog="off")
module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")

/etc/rsyslog.d/05-remote-syslog.conf:

ruleset(name="switches20514" queue.type="linkedlist" queue.workerThreads="4" queue.workerThreadMinimumMessages="3000"){
action(type="omfile" file="/var/log/remote-syslog/switches.log")
}
ruleset(name="routers20515" queue.type="linkedlist" queue.workerThreads="2" queue.workerThreadMinimumMessages="3000"){
action(type="omfile" file="/var/log/remote-syslog/routers.log")
}

ruleset(name="wlan20516" queue.type="linkedlist" queue.workerThreads="1" queue.workerThreadMinimumMessages="5000"){
action(type="omfile" file="/var/log/remote-syslog/wlan.log")
}

ruleset(name="firewalls20517" queue.type="fixedArray" queue.size="250000" queue.dequeueBatchSize="4096" queue.workerThreads="6" queue.workerThreadMinimumMessages="60000"){
action(type="omfile" file="/var/log/remote-syslog/firewalls.log" ioBufferSize="64K" flushOnTXEnd="off")
}

ruleset(name="stealth20518" queue.type="linkedlist" queue.workerThreads="2" queue.workerThreadMinimumMessages="5000"){
action(type="omfile" file="/var/log/remote-syslog/stealth.log")
}

ruleset(name="nexus20519" queue.type="linkedlist" queue.workerThreads="2" queue.workerThreadMinimumMessages="5000"){
action(type="omfile" file="/var/log/remote-syslog/nexus.log")
}

ruleset(name="lomsmx20521" queue.type="linkedlist" queue.workerThreads="1" queue.workerThreadMinimumMessages="6000"){
action(type="omfile" file="/var/log/remote-syslog/lom_smx11.log")
}

ruleset(name="vcsa20525" queue.type="linkedlist" queue.workerThreads="4" queue.workerThreadMinimumMessages="3000"){
action(type="omfile" file="/var/log/remote-syslog/vcsa.log")
}

ruleset(name="ciscoasa20526" queue.type="linkedlist" queue.workerThreads="2" queue.workerThreadMinimumMessages="3000"){
action(type="omfile" file="/var/log/remote-syslog/asa.log")
}

ruleset(name="pwrapc20527" queue.type="linkedlist" queue.workerThreads="1" queue.workerThreadMinimumMessages="3000"){
action(type="omfile" file="/var/log/remote-syslog/power_apc.log")
}

ruleset(name="pwrraritan20528" queue.type="linkedlist" queue.workerThreads="4" queue.workerThreadMinimumMessages="6000"){
action(type="omfile" file="/var/log/remote-syslog/power_raritan.log")
}
ruleset(name="ise20529" queue.type="linkedlist" queue.workerThreads="4" queue.workerThreadMinimumMessages="5000"){
action(type="omfile" file="/var/log/remote-syslog/ise.log")
}

ruleset(name="meraki20530" queue.type="fixedArray" queue.size="250000" queue.dequeueBatchSize="4096" queue.workerThreads="4" queue.workerThreadMinimumMessages="60000"){
action(type="omfile" file="/var/log/remote-syslog/meraki.log" ioBufferSize="64K" flushOnTXEnd="off")
}

input(type="imudp" port="20514" ruleset="switches20514")
input(type="imudp" port="20515" ruleset="routers20515")
input(type="imudp" port="20516" ruleset="wlan20516")
input(type="imudp" port="20517" ruleset="firewalls20517")
input(type="imudp" port="20518" ruleset="stealth20518")
input(type="imudp" port="20519" ruleset="nexus20519")
input(type="imudp" port="20521" ruleset="lomsmx20521")
input(type="imudp" port="20525" ruleset="vcsa20525")
input(type="imudp" port="20526" ruleset="ciscoasa20526")
input(type="imudp" port="20527" ruleset="pwrapc20527")
input(type="imudp" port="20528" ruleset="pwrraritan20528")
input(type="imudp" port="20529" ruleset="ise20529")
input(type="imudp" port="20530" ruleset="meraki20530")






[Jamf]


Ben Hart
IT Systems Administrator II
100 Washington Ave S, Minneapolis, MN 55401
[Phone]
+00 1 989 424 0187
[Email]
ben.hart@jamf.com
[Web]
www.jamf.com<https://www.jamf.com>
[Facebook] [Twitter] [LinkedIn] [YouTube]