Changelog for 7.4.7 (v7-stable)
Version 7.4.7 [v7.4-stable] 2013-12-10
- bugfix: limiting queue disk space did not work properly
- queue.maxdiskspace actually initializes queue.maxfilesize
- total size of queue files was not checked against queue.maxdiskspace for disk assisted queues.
Thanks to Karol Jurak for the patch.
- bugfix: linux kernel-like ratelimiter did not work properly with all inputs (for example, it did not work with imdup). The reason was that the PRI value was used, but that needed parsing of the message, which was done too late.
- bugfix: disk queues created files in wrong working directory if the $WorkDirectory was changed multiple times, all queues only used the last value set.
- bugfix: legacy directive $ActionQueueWorkerThreads was not honored
- bugfix: segfault on startup when certain script constructs are used
e.g. “if not $msg …” - bugfix: imuxsock: UseSysTimeStamp config parameter did not work correctly
Thanks to Tomas Heinrich for alerting us and provinding a solution suggestion. - bugfix: $SystemLogUseSysTimeStamp/$
SystemLogUsePIDFromSystem did not work
Thanks to Tomas Heinrich for the patch. - improved checking of queue config parameters on startup
- bugfix: call to ruleset with async queue did not use the queue
closes: http://bugzilla.adiscon.com/show_bug.cgi?id=443 - bugfix: if imtcp is loaded and no listeners are configured (which is uncommon), rsyslog crashes during shutdown.
Changelog for 8.1.3 (v8-devel)
Version 8.1.3 [devel] 2013-12-06
THIS VERSION CAN BE CONSIDERED A “NORMAL” DEVEL RELEASE. It’s no longer
highly experimental. This assertion is based on real-world feedback.
- changes to the strgen module interface
- new output module interface for transactional modules
- performance improvements
- reduced number of malloc/frees due to further changes to the output module interface
- reduced number of malloc/frees during string template processing
We now re-use once allocated string template memory for as long as the worker thread exists. This saves us from doing new memory allocs (and their free counterpart) when the next message is processed. The drawback is that the cache always is the size of the so-far largest message processed. This is not considered a problem, as in any case a single messages’ memory footprint should be far lower than that of a whole set of messages (especially on busy servers). - used variable qualifiers (const, __restrict__) to hopefully help the compiler generate somewhat faster code
- failed action detection more precisely for a number of actions
If an action uses string parameter passing but is non-transactional it can be executed immediately, giving a quicker indicatio of action failure. - bugfix: limiting queue disk space did not work properly
- queue.maxdiskspace actually initializes queue.maxfilesize
- total size of queue files was not checked against queue.maxdiskspace for disk assisted queues.
Thanks to Karol Jurak for the patch.
rsyslog 8.1.2 (v8-devel) released
We have just released 8.1.2 of the v8-devel branch. This is primarily a maintenance release, but offers some improvements. Thanks to Pavel Levshin, mmnormalize now offers higher performance and we have added the ability to link directly to jemalloc. Also, usability of queue settings has been improved by using better (and dynamic) defaults for a range of settings.
ChangeLog:
http://www.rsyslog.com/changelog-for-8-1-2-v8-devel/
Download:
http://www.rsyslog.com/rsyslog-8-1-2-v8-devel/
Feedback is *very much* appreciated.
Best regards,
Florian Riedl
Changelog for 8.1.2 (v8-devel)
Version 8.1.2 [devel] 2013-11-28
- support for liblognorm1 added – results in performance improvements
Thanks to Pavel Levshin for his work in this regard. - support for jemalloc added via –enable-jemalloc
Thanks to Pavel Levshin for suggesting jemalloc - queue defaults have changed
- high water mark is now dynamically 90% of queue size
- low water makr is now dynamically 70% of queue size
- queue.discardMark is now dynamically 98% of queue size
- queue.
workerThreadMinimumMessage set to queue.size / num workers
For queues with very low queue.maxSize (< 100), “emergency” defaults will be used.
Note that build system is experimental at this stage. - bugfix: disk queues created files in wrong working directory
if the $WorkDirectory was changed multiple times, all queues only used the last value set. - bugfix: legacy directive $ActionQueueWorkerThreads was not honored
- bugfix: mmrfc5424addhmac: “key” parameter was not properly processed
rsyslog 7.5.7 (v7-devel) released
This is primarily a bug-fixing release, but offers some improvements in worker thread handling (thanks to Pavel Levshin!) as well as usability improvements when working changing queue sizes.
More detailed information is available in the changelog.
ChangeLog:
http://www.rsyslog.com/changelog-for-7-5-7-v7-devel/
Download:
http://www.rsyslog.com/rsyslog-7-5-7-v7-devel/
As always, feedback is appreciated.
Best regards,
Tim Eifler
How to use impstats
This summary was contributed by David Caplinger through the mailing list.
First, enable the module with something like:
module(load="impstats" interval="660" severity="7")
This will start generating logs tagged with “rsyslogd-pstats” every 600 seconds. If you like, you can use that tag to filter them into their own file:
if $syslogtag contains 'rsyslogd-pstats' then {
action(type="omfile" queue.type="linkedlist" queue.discardmark="980"
name="pstats" file="/var/log/pstats")
stop
}You’ll wind up with several log lines at each interval, all showing current counters (since rsyslog restart). So to determine inter-interval deltas, you’d have to import these into a spreadsheet. (Newer rsyslog can emit just the deltas in the log lines, but that’s in v7.5.x I believe.)
For example, if you want to filter based on some property (such as source IP address) and send the matching logs to both a local file and on to a remote destination, you might use something like:
if $fromhost-ip ==
[ "1.1.1.1",
"2.2.2.2" ]
then {
action (type="omfwd" queue.type="linkedlist" queue.discardmark="980"
action.resumeretrycount="-1" name="NET.forward" target="10.10.10.10"
port="514" protocol="tcp")
action (type="omfile" queue.type="linkedlist" queue.discardmark="980"
name="NET.local" file="/var/log/messages")
stop
}Which is a log flow like:
source -> imudp -> main Q -> NET.local (to local files) & NET.forward (to remote)
Here’s an example of a batch of pstats output (re-ordered slightly) from the above config:
Nov 13 14:31:35 loghost rsyslogd-pstats: imudp(*:514): submitted=23035 Nov 13 14:31:35 loghost rsyslogd-pstats: main Q: size=15 enqueued=89624087 full=0 discarded.full=0 discarded.nf=0 maxqsize=444 Nov 13 14:31:35 loghost rsyslogd-pstats: NET.local: size=0 enqueued=11541 full=0 discarded.full=0 discarded.nf=0 maxqsize=7 Nov 13 14:31:35 loghost rsyslogd-pstats: NET.local: processed=11541 failed=0 Nov 13 14:31:35 loghost rsyslogd-pstats: NET.forward: size=0 enqueued=11541 full=0 discarded.full=0 discarded.nf=0 maxqsize=7 Nov 13 14:31:35 loghost rsyslogd-pstats: NET.forward: processed=11541 failed=0 Nov 13 14:31:35 loghost rsyslogd-pstats: pstats: size=0 enqueued=65508 full=0 discarded.full=0 discarded.nf=0 maxqsize=25 Nov 13 14:31:35 loghost rsyslogd-pstats: pstats: processed=65500 failed=0
In this case we have:
1) A UDP input (imudp)
This logs message counts “submitted” to rsyslog via UDP port 514.
2) A main queue (main Q)
This shows messages entering the queue (enqueued), as well as any dropped messages (discarded.full=0, discarded.nf=0). It also shows how many times the queue has become completely full (full=0) and it keeps a running total of the maximum size the queue has ever hit (maxqsize=444). (All these counters are since rsyslog startup.)
3) Two output/action queues (NET.local, NET.forward)
These logs queue stats like above, as well as successfully “processed” (via omfile and omfwd in this case), indicating successful delivery to their final destination (local file or remote TCP receiver, in this case).
4) Another queue to handle pstats output itself (as I described above)
This example doesn’t happen to include DA-mode, which adds another pstats log line for the DA portion of the associated action queue.
If you don’t give your action queues names, you’ll wind up with pstats logs referring to things like “action 2”, and have a hard time figuring out what is going on.
A well-behaved queue will have zero discarded.full and discarded.nf, and a low maxqsize, meaning that everything entering the queue is leaving promptly. In a backlog situation, you’ll see size and maxqsize for an action/output queue increase over time, until maxqsize hits your configured queue.size parameter. Then the main Q will start increasing in size (and maxqsize) until it approaches and exceeds full. Then the discarded.nf and discarded.full counters will start climbing.
action.execOnlyWhenPreviousIsSuspended preciseness
The “action.execOnlyWhenPreviousIsSuspended” parameter permits to conditionally execute an action only if the previous one is suspended. When an action actually gets suspended depends on the output module implementing the action, but the general rule is that an action suspends itself if there is a problem doing it’s job (e.g. a target server is down). This setting is generally used to implement failover destinations. So let’s call actions which have this attribute set “failover actions”.
Note that many action implement transactions to improve performance. If so, usually the success or error state of the action is only available after the transaction has been comitted. At this point, the messages have already been submitted to the action and the action could not set suspension state — simply because at that point everything looked fine. So when the failover action was about to be executed, the suspended flag was not set and the action not executed. Depending on system configuration, this can lead to loss of some messages during the failover process. If this seems totally unacceptable to you, you need to make sure that the transaction is committed after each message — this permits the output to obtain the actual success state (note that with some technologies, even this is not totally possible – a prime example is plain TCP syslog protocol).
To ensure commit of each message, the queue’s maximum batch size needs to be reduced to one. This can be done via the “queue.dequeuebatchsize” parameter. Note that reducing the batch size can have severe performance impact. Unfortunately, it is impossible to to have both high performance and precise failover actions. The simple reason is that for precise failover actions we need to know the result of the commit operation, which makes it necessary to do immediate commits.
impstats delayed or lost? – cause and cure
Some users report that they do not receive all impstats log records or that these log records are delayed. The common thing about these questions is that those user tend to have very large main message queues.
By default, impstats is run in-band, which means that it’s messages are submitted to the main message queue just like any other messages are. So if the main queue takes very long to processs, impstats messages get delayed as well. They may be discarded, too, based on queue settings and queue full status. In this scenarios, impstats obviously has problems reporting what is going on.
A simple solution is to run impstats off-band. This is done by simply instructing it to directly write to file. In that mode, the rsyslog engine is not used at all, and output will always be available and happen right on the interval. There is a drawback, though: as the rsyslog core engine is not involved, things like dynafiles, different templates or forwarding to another host are not possible.
Note that impstats can submit messages both to a file and the regular message stream. This may be an interesting alternative if the main queue causes trouble but usually logs shall be gathered at some central place.
Example for writing to a local file:
module(load="impstats" interval="600" severity="7" log.file="/var/log/impstats")
rsyslog 7.5.4 (v7-devel) released
This release offers some interesting features. It provides a new module called mmpstrucdata to parse RFC5424 structured data into json message properties. Also the default queue.size values have been altered to more suitable values. Omfwd and omfile received new parameters and we changed a bigger portion of the documentation to improve usability by linking relevant web ressources to quickly find additional information. Finally, there have been a few other changes and bugfixes.
More detailed information is available in the changelog.
ChangeLog:
http://www.rsyslog.com/changelog-for-7-5-4-v7-devel/
Download:
http://www.rsyslog.com/rsyslog-7-5-4-v7-devel/
As always, feedback is appreciated.
Best regards,
Florian Riedl
Changelog for 7.5.4 (v7-devel)
Version 7.5.4 [devel] 2013-10-07
- mmpstrucdata: new module to parse RFC5424 structured data into json message properties
- change main/ruleset queue defaults to be more enterprise-like
new defaults are queue.size 100,000 max workers 2, worker activation after 40,000 msgs are queued, batch size 256. These settings are much more useful for enterprises and will not hurt low-end systems that much. This is part of our re-focus on enterprise needs. - omfwd: new action parameter “maxErrorMessages” added
- omfile: new module parameters to set action defaults added
* dirCreateMode
* fileCreateMode - mmutf8fix: new module to fix invalid UTF-8 sequences
- imuxsock: handle unlimited number of additional listen sockets
- doc: improve usability by linking to relevant web ressources
The idea is to enable users to quickly find additional information, samples, HOWTOs and the like on the main site. At the same time, (very) slightly remove memory footprint when few listeners are monitored. - bugfix: omfwd parameter streamdrivermmode was not properly handled
It was always overwritten by whatever value was set via the legacy directive $ActionSendStreamDriverMode - imtcp: add streamdriver.name module parameter
permits overriding the system default stream driver (gtls, ptcp) - bugfix: build system: libgcrypt.h needed even if libgrcypt was disabled
Thanks to Jonny Törnbom for reporting this problem - imported bugfixes from 7.4.4