When using control structures to create some case filtering, there are some things to consider when formatting this. In general, a control structure can be as simple as this: if $msg contains “word” then action() else action() While this is correct and will work as expected, it is generally better style to encase expressions and […]
action.execOnlyWhenPreviousIsSuspended preciseness
The “action.execOnlyWhenPreviousIsSuspended” parameter permits to conditionally execute an action only if the previous one is suspended. When an action actually gets suspended depends on the output module implementing the action, but the general rule is that an action suspends itself if there is a problem doing it’s job (e.g. a target server is down). This […]
Lower Bound for Queue Sizes
The queue.size parameter permits to specify the maximum queue size in number of messages. While not technically enforced, there is a lower limit on this parameter. Setting it to very low values (roughly below 100 messages) is not supported and can lead to unpredictable results. Also, future version my automatically adjust to a safe lower […]
Why does the rsyslog testbench sometimes fail?
Rsyslog contains a set of automatted tests, the so-called “testbench”. It is invoked via the standard method of “make check” and “make distcheck”. Since its introduction in version 3, the testbench has been continously enhanced and extended. It now contains around 150 individual tests, which sum up to around 80 tests from the autoconf point […]
How to use rate limiting in rsyslog?
This article is tested with rsyslog 5.7.1 on Fedora 13. It will not work with version of rsyslog prior to 5.7.1. In rsyslog 5.7.1 we introduced rate limiting. This is a option for the Unix Socket Input module called imuxsock. In short, this option limits the amount of messages written into logfiles by a process, […]
Second try to test rate limiting
Go back to How to build test-tools? After building the test tool syslog caller, we can give the testing another try. The syslog caller tool will be one process that creates the designated amount of messages. Since it has a very large output, we need it to produce a lot of messages to see the […]
How to build the testing tools?
This article has been tested with rsyslog 5.7.1 on Fedora 13. It is part of the article “How to use rate limiting?” Go back to First try to test rate limiting (fail) When building a configuration for rsyslog, you will sometimes stumble upon the question, if your setup really works. To prove this in your […]
Periodic statistics on rsyslog counters
Since rsyslog 5.7.0 (V5-Devel) there is a new module called impstats. This module provides periodic output of rsyslog internal counters. Note that the whole statistics system is currently under development. So availabilty and format of counters may change and is not yet stable (so be prepared to change your trending scripts when you upgrade to […]
Preserving syslog sender over NAT
Question: I have a number of syslog clients behind a NAT device. The receiver receives syslog messages that travelled over the NAT device. This leads the receiver to believe that all messages originated from the same IP address. With stock syslogd, I can not differentiate between the senders. Is there any way to record the […]
Does rsyslog support RFC3195/COOKED?
Rsyslog support RFC3195 RAW and COOKED. The COOKED profile does not support PATH elements, but there is also currently no sender known to use them.