Hello,
My system is a Debian 11 with rsyslog 8.2102.0-2+deb11u1.
It is said in https://www.rsyslog.com/doc/v8-stable/concepts/queues.html#filled-up-queues :
"For example, throttling the local log socket too long would cause the system at whole come to a standstill. To prevent this, rsyslogd times out after a configured period (”$<object>QueueTimeoutEnqueue“, specified in milliseconds) if no space becomes available. As a last resort, it then discards the newly arrived message."
And I read in the warning section of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-working_with_queues_in_rsyslog :
"If an output plug-in is unable to deliver a message, it is stored in the preceding message queue. If the queue fills, the inputs block until it is no longer full. This will prevent new messages from being logged via the blocked queue. In the absence of separate action queues this can have severe consequences, such as preventing SSH logging, which in turn can prevent SSH access. Therefore it is advised to use dedicated action queues for outputs which are forwarded over a network or to a database."
I find these two statements contradictory because according the first one, when the main message queue is full, rsyslog will enventually drop newly arrived messages when according to the second one "the inputs block until it is no longer full".
I would like to be sure that the processes loging to rsyslog via unix socket won't be blocked in the cas my main message queue is full.
thanks,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
My system is a Debian 11 with rsyslog 8.2102.0-2+deb11u1.
It is said in https://www.rsyslog.com/doc/v8-stable/concepts/queues.html#filled-up-queues :
"For example, throttling the local log socket too long would cause the system at whole come to a standstill. To prevent this, rsyslogd times out after a configured period (”$<object>QueueTimeoutEnqueue“, specified in milliseconds) if no space becomes available. As a last resort, it then discards the newly arrived message."
And I read in the warning section of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-working_with_queues_in_rsyslog :
"If an output plug-in is unable to deliver a message, it is stored in the preceding message queue. If the queue fills, the inputs block until it is no longer full. This will prevent new messages from being logged via the blocked queue. In the absence of separate action queues this can have severe consequences, such as preventing SSH logging, which in turn can prevent SSH access. Therefore it is advised to use dedicated action queues for outputs which are forwarded over a network or to a database."
I find these two statements contradictory because according the first one, when the main message queue is full, rsyslog will enventually drop newly arrived messages when according to the second one "the inputs block until it is no longer full".
I would like to be sure that the processes loging to rsyslog via unix socket won't be blocked in the cas my main message queue is full.
thanks,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.