rsyslog

The rocket-fast system for log processing

Changing the settings

Before we can begin testing how rate limiting works, we should change the default settings. By default, rate limiting only takes effect if a process sends more than 200 messages in 5 seconds. To influence the rate limiting, we have basically two options:

$SystemLogRateLimitInterval [number]
$SystemLogRateLimitBurst [number]

SystemLogRateLimitInterval determines the length of the time window that is measured for rate limiting. By default this is set to 5 seconds. SystemLogRateLimitBurst defines the number of messages that have to occur within the SystemLogRateLimitInterval window to trigger rate limiting. Here, the default is 200 messages. To create a more effective test, we will alter the default values.

To change these settings, we open the rsyslog configuration. Open the configuration with vi (please note that we use the default configuration path):

vi /etc/rsyslog.conf

Now we need to find the right spot for the entries. Find the following:

$ModLoad imuxsock.so

This entry will load the imuxsock module.

Now insert two new lines under the ModLoad command and fill them as follows:

$SystemLogRateLimitInterval 2
$SystemLogRateLimitBurst 50

These are the options for the module with some values. In plain words, this means that rate limiting will take effect if more than 50 messages occur in 2 seconds.

To make sure that we will see all messages that are logged, we insert another entry into the configuration. Go to the section in the rsyslog.conf that holds the "Rules". Insert a new rule that looks like this:

*.* /var/log/everything.log

You can name the file as you want. Every log message will be written into this file for our review.

Save the configuration file and exit vi. Now we need to restart rsyslog. This is necessary because rsyslog only loads its configuration once, at startup.
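
To see what the two values mean for a noisy process, here is a simplified model of the rate limiting described above. It is an added example, not rsyslog's own code: the fixed-window counting, the function names and the sample traffic are assumptions made for illustration.

```python
import re

DEFAULTS = {"interval": 5, "burst": 200}  # defaults stated in the text above
DIRECTIVE = re.compile(r"^\s*\$SystemLogRateLimit(Interval|Burst)\s+(\d+)\s*$", re.I)

# Constructed sample: the configuration lines this page adds.
PAGE_CONF = """\
$ModLoad imuxsock.so
$SystemLogRateLimitInterval 2
$SystemLogRateLimitBurst 50
*.* /var/log/everything.log
"""

def parse_limits(conf_text):
    """Return the effective interval/burst, falling back to the defaults."""
    limits = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            limits[m.group(1).lower()] = int(m.group(2))
    return limits

def simulate(timestamps, interval, burst):
    """Count (accepted, dropped) messages for ONE sending process.

    Assumed model: a window opens with the first message, at most `burst`
    messages are accepted inside it, and a new window opens with the first
    message that arrives `interval` seconds or more after the window start.
    """
    accepted = dropped = count = 0
    window_start = None
    for t in timestamps:
        if window_start is None or t - window_start >= interval:
            window_start, count = t, 0
        count += 1
        if count > burst:
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped

# Constructed traffic: one process logging 100 messages per second for 6 s.
TRAFFIC = [i / 100 for i in range(600)]

if __name__ == "__main__":
    for name, conf in (("page settings", PAGE_CONF), ("defaults", "")):
        lim = parse_limits(conf)
        ok, lost = simulate(TRAFFIC, lim["interval"], lim["burst"])
        print(f"{name}: {lim} -> accepted={ok} dropped={lost}")
```

Under this model the sample process loses 450 of its 600 messages with the values from this page, and 300 of 600 with the defaults.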

7 thoughts on “Changing the settings”

  4. Hey just wanted to give you a quick heads up. The words in your post seem to be running off the screen in Safari. I’m not sure if this is a format issue or something to do with browser compatibility but I figured I’d post to let you know. The layout looks great though! Hope you get the problem fixed soon. Thanks

  5. Hi,

    we checked, but couldn’t find what you describe as error with Safari. Unfortunately, we could only test with Safari 5 on Windows. Perhaps this is only with newer versions, so we cannot check.

  6. I have an issue where two alternate lines repeat frantically


    Apr 13 03:48:27 afirewall kernel: sd 8:0:0:0: rejecting I/O to offline device
    Apr 13 03:48:27 afirewall kernel: metapage_read_end_io: I/O error
    Apr 13 03:48:27 afirewall kernel: sd 8:0:0:0: rejecting I/O to offline device
    Apr 13 03:48:27 afirewall kernel: metapage_read_end_io: I/O error
    ....

    For a total of 1754 lines per second.

    Does imuxsock.so handle this? Or does it only deal with syslog lines that refer to PIDs?

  7. I’m a little confused by your statement…

    "To make sure, that we will see all messages that are logged, we insert another entry into the configuration. Go to the section in the rsyslog.conf that holds the "Rules". Insert a new rule that looks like this:"

    Is this statement saying that a *.* rule bypasses rate limiting entirely or are you saying that this will show all messages including all rate-limiting messages? I have reason to need to disable the rate limiting and I was wondering if the suggested *.* rule does this or if I need to still adjust the two parameters to effectively disable it?

    $SystemLogRateLimitInterval 2
    $SystemLogRateLimitBurst 50

    Thanks.
