rsyslog 5.7.0 (v5-devel) released
Hi all,
We have just released rsyslog 5.7.0, the new v5-devel. This is a feature-enhancement release. It now supports a module to periodically output statistics about
Periodic statistics on rsyslog counters
Since rsyslog 5.7.0 (V5-Devel) there is a new module called impstats.
This module provides periodic output of rsyslog internal counters. Note that the whole statistics system is currently under development, so the availability and format of counters are not yet stable and may change (be prepared to change your trending scripts when you upgrade to a newer rsyslog version).
The set of available counters will be output as a set of syslog messages. This output is periodic, with the interval being configurable (default is 5 minutes). Be sure that your configuration records the counter messages (default is syslog.info).
Note that loading this module has impact on rsyslog performance. Depending on settings, this impact may be severe (for high-load environments).
Below are some simple steps that show how to use the module.
First, the module has to be enabled when running configure. The configure call should look like this (the other parameters may differ from yours; the important one is --enable-impstats; this example is for Fedora 13):
./configure --enable-impstats --sbindir=/sbin --libdir=/lib
The next steps are make and make install
make
make install
Furthermore, we have to add the module to the rsyslog config. Below you will find a short excerpt of a sample config.
#### Modules ####
$ModLoad imuxsock
$ModLoad imklog
#$ModLoad immark
$ModLoad impstats
$PStatsInterval 600
$PStatsSeverity 7
syslog.debug /var/log/rsyslog-stats
$ModLoad impstats – tells rsyslog to load the module impstats
$PStatsInterval 600 – is a configuration directive of impstats
$PStatsSeverity 7 – is also a configuration directive of impstats
Here you will find all information about the impstats module and its configuration directives.
If we have a look at the output file rsyslog-stats mentioned above, we can see the results of the statistics module.
The content of that file should look like this:
Sep 17 11:43:49 localhost rsyslogd-pstats: umxsock: submitted=16
Sep 17 11:43:49 localhost rsyslogd-pstats: main Q: size=1 enqueued=2403 full=0 maxqsize=2
Currently, all objects are shown in the results. Every object has its own counters, for example
umxsock: (= object) submitted=16 (= counter; 16 logs received by the object umxsock). The main queue of rsyslog is also shown as main Q, with the parameters size (messages in the queue), enqueued (all received messages), full (how often the queue was full) and maxqsize (the maximum number of messages in the queue).
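A trending script for this output could look like the following. This is an added example, not code from the rsyslog project: it parses the rsyslogd-pstats lines shown above, computes the change of each counter between two reports and flags intervals in which the main queue's full counter grew. The second report and the unrelated line in the sample are constructed, and the counters are assumed to be cumulative.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown above (first report taken from the page).
SAMPLE = """\
Sep 17 11:43:49 localhost rsyslogd-pstats: umxsock: submitted=16
Sep 17 11:43:49 localhost rsyslogd-pstats: main Q: size=1 enqueued=2403 full=0 maxqsize=2
Sep 17 11:53:49 localhost rsyslogd-pstats: umxsock: submitted=41
Sep 17 11:53:49 localhost rsyslogd-pstats: main Q: size=9 enqueued=5120 full=3 maxqsize=10
Sep 17 11:53:50 localhost sshd[411]: unrelated line
"""

# "<timestamp> <host> rsyslogd-pstats: <object>: name=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\srsyslogd-pstats:\s"
    r"(?P<obj>.+?):\s(?P<counters>(?:\w+=\d+\s*)+)$"
)

def parse_line(line):
    """Return (timestamp, object, {counter: int}) or None for non-pstats lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    counters = {k: int(v) for k, v in
                (pair.split("=", 1) for pair in m["counters"].split())}
    return m["ts"], m["obj"], counters

def deltas(text):
    """Per object, the change of each counter between consecutive reports."""
    last, out = {}, defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, obj, cur = parsed
        if obj in last:
            # Only counters present in both reports are compared, since the
            # set of counters may change between rsyslog versions.
            out[obj].append((ts, {k: cur[k] - last[obj][k] for k in cur if k in last[obj]}))
        last[obj] = cur
    return dict(out)

def queue_full_alerts(text, obj="main Q"):
    """Timestamps of intervals in which the 'full' counter increased."""
    return [ts for ts, d in deltas(text).get(obj, []) if d.get("full", 0) > 0]

if __name__ == "__main__":
    for obj, rows in deltas(SAMPLE).items():
        print(obj, rows)
    print("queue full during:", queue_full_alerts(SAMPLE))
```

Note that size is a current value rather than a running total, so its delta only shows whether the queue grew or shrank between two reports.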
Please note that the features and options of this module will be developed further soon.
All information about the periodic statistics module you will find in the documentation. There is also a list of rsyslog impstats counters available on the web site.
Changelog for 3.2.2 (v3-stable)
Version 3.22.2 [v3-stable] (rgerhards), 2010-08-05
- bugfix: comment char (‘#’) in literal terminated script parsing and thus could not be used.
bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=119
- enhance: imrelp now also provides remote peer’s IP address [if librelp != 1.0.0 is used]
- bugfix: sending syslog messages with zip compression did not work
- bugfix: potential hang condition on queue shutdown
- bugfix: segfault on startup when -q or -Q option was given
bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=157
Thanks to Jonas Nogueira for reporting this bug.
- clarified use of $ActionsSendStreamDriver[AuthMode/PermittedPeers] in doc set (require TLS drivers)
- bugfix: $CreateDirs variable not properly initialized, default thus was random (but most often “on”)
- bugfix: potential segfault when -p command line option was used
thanks to varmojfekoj for pointing me at this bug
- bugfix: programname filter in ! configuration can not be reset
Thanks to Kiss Gabor for the patch.
rsyslog 5.5.5 (devel) released
Hi all,
We have just released rsyslog 5.5.5, a member of the devel branch. This is a bug-fixing release which contains a single fix that solves a potential hang condition on system shutdown when infinite action retries are configured for an asynchronous action using a queue in disk-assisted mode and the action was suspended. This is probably not a very common case, but a configuration recommended by our doc samples. If you do not use such a configuration, there is no need to update at this time. See Changelog for more details.
ChangeLog:
http://www.rsyslog.com/article461/
Download:
http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-204.phtml
As always, feedback is appreciated.
Best regards,
Tom Bergfeld
Changelog for 4.7.0 (v4-devel)
Version 4.7.0 [v4-devel] (rgerhards), 2010-04-14
- new: support for Solaris added (but not yet the Solaris door API)
- added function getenv() to RainerScript
- added new config option $InputUnixListenSocketCreatePath to permit the auto-creation of paths to additional log sockets. This turns out to be useful if they reside on temporary file systems and rsyslogd starts up before the daemons that create these sockets (rsyslogd always creates the socket itself if it does not exist).
- added $LogRSyslogStatusMessages configuration directive permitting to turn off rsyslog start/stop/HUP messages.
See Debian ticket http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463793
- added new config directive $omfileForceChown to (try to) fix some broken system configs.
See ticket for details: http://bugzilla.adiscon.com/show_bug.cgi?id=150
- added $EscapeControlCharacterTab config directive
Thanks to Jonathan Bond-Caron for the patch.
- added option to use unlimited-size select() calls
Thanks to varmojfekoj for the patch
- debugondemand mode caused backgrounding to fail – close to a bug, but I’d consider the ability to background in this mode a new feature…
- bugfix (kind of): check if TCP connection is still alive if using TLS
Thanks to Jonathan Bond-Caron for the patch.
- imported changes from 4.5.7 and below
- bugfix: potential segfault when -p command line option was used
Thanks to varmojfekoj for pointing me at this bug.
- bugfix: potential segfaults during queue shutdown (bugs require certain non-standard settings to appear)
Thanks to varmojfekoj for the patch [imported from 4.5.8]
Sending Messages to a Remote Syslog Server
In this recipe, we forward messages from one system to another one. Typical use cases are:
- the local system does not store any messages (e.g. it does not have sufficient space to do so)
- there is a (e.g. legal) requirement to consolidate all logs on a single system
- the server may run some advanced alerting rules, and needs to have a full picture of network activity to work well
- you want to get the logs to a different system in a different security domain (to prevent attackers from hiding their tracks)
- and many more …
In our case, we forward all messages to the remote system. Note that by applying different filters, you may only forward select entries to the remote system. Also note that you can include as many forwarding actions as you like. For example, if you need to have a backup central server, you can simply forward to both of them, using two different forwarding actions.
To learn how to configure the remote server, see recipe Receiving Messages from a Remote System.
Config Statements
# this is the simplest forwarding action:
*.* action(type="omfwd" target="192.0.2.1" port="10514" protocol="tcp")
# it is equivalent to the following obsolete legacy format line:
*.* @@192.0.2.1:10514 # do NOT use this any longer!
# Note: if the remote system is unreachable, processing will
# block here and discard messages after a while
# so a better use is
*.* action(type="omfwd" target="192.0.2.2" port="10514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
# this will de-couple the sending from the other logging actions,
# and prevent delays when the remote system is not reachable. Also,
# it will try to connect 100 times before it discards messages as
# undeliverable.
# the rest below is more or less a plain vanilla rsyslog.conf as
# many distros ship it - it's more for your reference...
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Things to think about
You need to select the protocol best suited to your use case. If in doubt, TCP is a decent choice. This recipe uses TCP for that reason.
TCP forwarding is a built-in capability and always present. As such, no plugin needs to be loaded. The target can be specified by DNS name or IP address. Use IP addresses for the most robust operation. If you use a DNS name and name resolution fails, forwarding may be disabled for some time. DNS resolution typically fails on the DNS server itself during system startup.
In this example, we forward to port 10514. We could as well remove the port="…" parameter from the configuration, which would result in the default port being used. However, you need to specify the port address on the server in any case. So it is strongly advised to use an explicit port number to make sure that client and server configuration match each other (if they used different ports, the message transfer would not work).
ChangeLog for 4.5.8 (v4-beta)
Version 4.5.8 [v4-beta] (rgerhards), 2010-02-10
- enhanced doc for using PostgreSQL
Thanks to Marc Schiffbauer for the new/updated doc
- bugfix: property replacer returned invalid parameters under some (unusual) conditions. In extreme cases, this could lead to garbled logs and/or a system failure.
- bugfix: invalid length returned (often) when using regular expressions inside the property replacer
- bugfix: submatch regex in property replacer did not honor “return 0 on no match” config case
- bugfix: imuxsock incorrectly stated inputname “imudp”
Thanks to Ryan Lynch for reporting this.
- (slightly) enhanced support for FreeBSD by setting _PATH_MODDIR to the correct value on FreeBSD.
Thanks to Cristiano for the patch.
- bugfix: -d did not enable display of debug messages; regression from introduction of “debug on demand” mode
Thanks to Michael Biebl for reporting this bug
- bugfix: blanks inside file names did not terminate file name parsing.
This could result in the whole rest of a line (including comments) being treated as file name in “write to file” actions.
Thanks to Jack for reporting this issue.
- bugfix: rsyslog hang when writing to a named pipe which nobody was reading. Thanks to Michael Biebl for reporting this bug.
- bugfix: memory leak when sending messages in zip-compressed format
Thanks to Naoya Nakazawa for analyzing this issue and providing a patch.
- bugfix: potential segfaults during queue shutdown (bugs require certain non-standard settings to appear)
Thanks to varmojfekoj for the patch
ChangeLog for 5.5.2 (devel)
Version 5.5.2 [DEVEL] (rgerhards), 2010-02-05
- applied patches that make rsyslog compile under Apple OS X.
Thanks to trey for providing these.
- replaced data type “bool” by “sbool” because this created some portability issues.
- added $Escape8BitCharactersOnReceive directive
Thanks to David Lang for suggesting it.
- worked around an issue where omfile failed to compile on 32 bit platforms under some circumstances (this smells like a gcc problem, but a simple solution was available). Thanks to Kenneth Marshall for some advice.
- extended testbench
- bugfix: queues in direct mode could cause a segfault, especially if an action failed for action queues. The issue was an invalid increment of a stack-based pointer which led to destruction of the stack frame and thus a segfault on function return.
Thanks to Michael Biebl for alerting us on this problem.
- bugfix: hostname accidentally set to IP address for some message sources, for example imudp. Thanks to Anton for reporting this bug. [imported v4]
- bugfix: ompgsql had problems with transaction support, what actually rendered it unusable. Thanks to forum user “horhe” for alerting me on this bug and helping to debug/fix it! [imported from 5.3.6]
- bugfix: $CreateDirs variable not properly initialized, default thus was random (but most often “on”) [imported from v3]
ChangeLog for 5.3.7 (v5-beta)
Version 5.3.7 [BETA] (rgerhards), 2010-01-27
- bugfix: queues in direct mode could cause a segfault, especially if an action failed for action queues. The issue was an invalid increment of a stack-based pointer which led to destruction of the stack frame and thus a segfault on function return.
Thanks to Michael Biebl for alerting us on this problem. [backport from 5.5.2]
- bugfix: wrong memory assignment for a config variable (probably without causing any harm) [backport from 5.2.2]
- bugfix: rsyslog hangs when writing to a named pipe which nobody was reading. Thanks to Michael Biebl for reporting this bug.
Bugzilla entry: http://bugzilla.adiscon.com/show_bug.cgi?id=169 [imported from 4.5.8]
ChangeLog for 4.5.6 (v4-beta)
Version 4.5.6 [v4-beta] (rgerhards), 2009-11-05
- bugfix: named pipes did no longer work (they always got an open error); this was a regression from the omfile rewrite in 4.5.0
- bugfix(minor): diag function returned wrong queue member count for the main queue if an active DA queue existed. This had no relevance to real deployments (assuming they are not running the debug/diagnostic module…), but sometimes caused grief and false alerts in the testbench.
- included some important fixes from v4-stable:
- bugfix: invalid handling of zero-sized messages
- bugfix: zero-sized UDP messages are no longer processed
- bugfix: random data could be appended to message
- bugfix: reverse lookup reduction logic in imudp did DNS queries too often
- bugfix(testbench): testcase did not properly wait for rsyslogd shutdown, thus some unpredictable behavior and a false negative test result could occur. [BACKPORTED from v5]
- bugfix(testbench): sequence check was not always performed correctly, that could result in tests reporting success when they actually failed
