I tested this on both rsyslog 3.12.1 and this morning's
3.12.2 release.
I ran a couple tests with existing log files. E.g., I have
an httpd access_log which is 1.3MB and about 5,000 lines --
nowhere near as large as my real existing log, which is
136MB and over 511,000 lines.
With the smaller file, as soon as I started rsyslog on the
client side, it correctly started to show up on the server
side in:
/var/log/client1/httpd_access_log
And the hostname shows up in the prefix for the message:
Mar 13 15:12:20 client1 tag_access_log:172.16.4.133[snip]
But after a few hundred lines, it suddenly starts logging to:
/var/log/httpd_access_log
And the hostname no longer shows up in the prefix:
Mar 13 15:12:20 tag_access_log:76.8.67.2[snip]
Then, thousands of lines later, it goes back to logging to:
/var/log/client1/httpd_access_log
The other thing is, it never actually finishes the entire
5000 lines. It does 4000-something and then stops.
My gut feeling is this is related to ActionQueue settings.
So I'm going to experiment with a few different parameters.
But the part that I don't get is why it's not all being
logged to the same %HOSTNAME% directory?
I don't know what's useful to send for diagnostics -- the
original files from the client side, the split files from
the server side, the client debug, the server debug. Etc.
But I'd be happy to run any requested tests.
Meanwhile, I'll tweak ActionQueue params.
johnn
3.12.2 release.
I ran a couple tests with existing log files. E.g., I have
an httpd access_log which is 1.3MB and about 5,000 lines --
nowhere near as large as my real existing log, which is
136MB and over 511,000 lines.
With the smaller file, as soon as I started rsyslog on the
client side, it correctly started to show up on the server
side in:
/var/log/client1/httpd_access_log
And the hostname shows up in the prefix for the message:
Mar 13 15:12:20 client1 tag_access_log:172.16.4.133[snip]
But after a few hundred lines, it suddenly starts logging to:
/var/log/httpd_access_log
And the hostname no longer shows up in the prefix:
Mar 13 15:12:20 tag_access_log:76.8.67.2[snip]
Then, thousands of lines later, it goes back to logging to:
/var/log/client1/httpd_access_log
The other thing is, it never actually finishes the entire
5000 lines. It does 4000-something and then stops.
My gut feeling is this is related to ActionQueue settings.
So I'm going to experiment with a few different parameters.
But the part that I don't get is why it's not all being
logged to the same %HOSTNAME% directory?
I don't know what's useful to send for diagnostics -- the
original files from the client side, the split files from
the server side, the client debug, the server debug. Etc.
But I'd be happy to run any requested tests.
Meanwhile, I'll tweak ActionQueue params.
johnn