Log Analyzer / rsyslog queuing?

Everything which is related to the installation of phpLogCon.

Log Analyzer / rsyslog queuing?

Postby arrrghhh » Tue Aug 28, 2012 12:50 am

Hello,

I have recently migrated from logzilla to log analyzer. logzilla employed syslog-ng, and of course log analyzer uses rsyslog. Logzilla/syslog-ng worked great - Log Analyzer / rsyslog does not.

My question is, why would rsyslog or log analyzer not log everything that came into it, as it comes in? Every day I check my log analyzer interface, and it's 9am - but messages are coming in from 1am. I check around 4pm, and messages are coming in from 2:30am. So log analyzer / rsyslog is still taking in information, but it is severely delayed.

I find that if I restart the rsyslog server, the messages come in quickly again. However, after another overnight period, the server goes back to its 'usual' behavior of being way behind.

Is there some configuration that I have messed up? I didn't change the configuration much at all from either rsyslog or log analyzer. The only change I made to rsyslog was a DynaFile line, so it would break out log files by hostname. That is working.

So I am logging to mysql and local files. Perhaps this is the issue? I will post my configs for rsyslog shortly.
Last edited by arrrghhh on Tue Aug 28, 2012 1:00 am, edited 1 time in total.
arrrghhh
Advanced
 
Posts: 27
Joined: Thu Aug 16, 2012 7:03 pm

Re: Log Analyzer / rsyslog queuing?

Postby arrrghhh » Tue Aug 28, 2012 12:55 am

Here's the ls -la from /etc/rsyslog.d:
Code:
ls -la /etc/rsyslog.d/
total 24
drwxr-xr-x  2 root root 4096 Aug 16 11:49 .
drwxr-xr-x 98 root root 4096 Aug 23 09:04 ..
-rw-r--r--  1 root root  311 Mar 17 08:30 20-ufw.conf
-rw-r--r--  1 root root 1787 Aug 21 17:20 50-default.conf
-rw-------  1 root root  419 Aug 16 11:50 mysql.conf
-rw-r--r--  1 root root   42 Aug 16 11:49 relp.conf


Here are all my files:

/etc/rsyslog.conf
Code:
cat /etc/rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


# Custom files for everything
$template DynaFile,"/var/log/system/%HOSTNAME%/%$year%/%$month%/system-%HOSTNAME%.log"
*.* -?DynaFile

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging

# Rate Limiting
#$SystemLogRateLimitInterval 1
#$SystemLogRateLimitBurst 2000

$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


/etc/rsyslog.d/mysql.conf:
Code:
cat /etc/rsyslog.d/mysql.conf
### Configuration file for rsyslog-mysql
### Changes are preserved

$ModLoad ommysql
*.* :ommysql:localhost,Syslog,rsyslog,<password>

# Buffering stuff:
$WorkDirectory /var/rsyslog/work # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq    # set file name, also enables disk mode
$ActionResumeRetryCount -1  # infinite retries on insert failure


/etc/rsyslog.d/relp.conf:
Code:
cat /etc/rsyslog.d/relp.conf
$ModLoad imrelp
$InputRELPServerRun 20514


/etc/rsyslog.d/50-default.conf:
Code:
cat /etc/rsyslog.d/50-default.conf
#  Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf


# Custom stuff for routers
#$template DynaFile,"/var/log/system/%HOSTNAME%/%$year%/%$month%/system-%HOSTNAME%.log"
#*.* -?DynaFile
#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Logging for INN news system.
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole


/etc/rsyslog.d/20-ufw.conf:
Code:
cat /etc/rsyslog.d/20-ufw.conf
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& ~
arrrghhh
Advanced
 
Posts: 27
Joined: Thu Aug 16, 2012 7:03 pm
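
An added example, not part of the thread and not rsyslog project code: in legacy-format rsyslog configuration, `$ActionQueue*` and `$ActionResume*` directives configure only the next action line and are reset once that action is read, so their position relative to the `:ommysql:` line in mysql.conf decides whether the database action gets the queue. The Python check below reports which directives attach to which action; the function name `bind_directives`, the simplified line parsing and the reordered sample are assumptions made for illustration.

```python
import re

# Per-action legacy directives: they configure the NEXT action line only.
PER_ACTION = re.compile(r"^\$(ActionQueue\w+|ActionResume\w+)\b", re.IGNORECASE)

def bind_directives(conf_text):
    """Return (bound, dangling).

    bound:    list of (action_line, [directive names attached to it])
    dangling: directive names that no later action line picks up
    """
    bound, pending = [], []
    # Join backslash-continued selector lines before scanning.
    for raw in conf_text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PER_ACTION.match(line)
        if m:
            pending.append(m.group(1))
        elif not line.startswith("$"):
            # Assumption: any other non-directive line is a rule with one action.
            bound.append((line, pending))
            pending = []
    return bound, pending

# mysql.conf in the order posted above (inline comments dropped).
POSTED = """\
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,rsyslog,<password>
$WorkDirectory /var/rsyslog/work
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
"""

# Constructed variant: same lines, queue directives moved ahead of the action.
REORDERED = """\
$ModLoad ommysql
$WorkDirectory /var/rsyslog/work
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
*.* :ommysql:localhost,Syslog,rsyslog,<password>
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("reordered", REORDERED)):
        bound, dangling = bind_directives(conf)
        print(name, "bound:", bound, "dangling:", dangling)
```

With the posted ordering the three directives bind to no action, which leaves the ommysql action in rsyslog's default direct (synchronous) queue mode.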

Re: Log Analyzer / rsyslog queuing?

Postby alorbach » Tue Aug 28, 2012 9:21 am

Sounds like your logsource is too slow keeping up with the logdata RSyslog sends to it.
Perhaps you should look into performance problems related to Mysql (I guess you are using it).
Try to use the report modules in Loganalyzer, they will create useful indexes which can speed up things.

regards,
Andre
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: Log Analyzer / rsyslog queuing?

Postby arrrghhh » Tue Aug 28, 2012 10:19 pm

alorbach wrote: Sounds like your logsource is too slow keeping up with the logdata RSyslog sends to it.
Perhaps you should look into performance problems related to Mysql (I guess you are using it).
Try to use the report modules in Loganalyzer, they will create useful indexes which can speed up things.

regards,
Andre


Logzilla used Mysql, no issues.

Also, it seems like it has picked back up... I'm not sure what changed, but I came in today and it was keeping up to date...

So I guess I'll continue to monitor it. Is Mysql optional? I thought that would be required to search/use the web interface.
arrrghhh
Advanced
 
Posts: 27
Joined: Thu Aug 16, 2012 7:03 pm

Re: Log Analyzer / rsyslog queuing?

Postby arrrghhh » Wed Aug 29, 2012 12:05 am

I'm also trying to figure out if it's possible to have log traffic sent to BOTH locations.

I would like to be able to look at syslog info in the web interface, but I would also like the log files in traditional text files so I can easily distribute the files to vendors. I was going to utilize logrotate to help with that.

Is this possible? Can you tell me how to change my config to do this? I had it working, but logrotate wasn't rotating logs - so some of the text files were more than 300 megabytes. So I deleted all the files (the actual syslog .log files only) and restarted rsyslog - but it's not generating new text into the files anymore.
arrrghhh
Advanced
 
Posts: 27
Joined: Thu Aug 16, 2012 7:03 pm

Re: Log Analyzer / rsyslog queuing?

Postby alorbach » Wed Aug 29, 2012 11:01 am

Loganalyzer can perform on Syslog files, Mysql/PostGre and many other databases, and lately MongoDB.
I recommend you install the UserDB System (requires a mysql db), which will help you configure new logstream sources.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: Log Analyzer / rsyslog queuing?

Postby arrrghhh » Wed Aug 29, 2012 4:54 pm

alorbach wrote: Loganalyzer can perform on Syslog files, Mysql/PostGre and many other databases, and lately MongoDB.
I recommend you install the UserDB System (requires a mysql db), which will help you configure new logstream sources.

best regards,
Andre Lorbach


Hrm, perhaps I need to start over with my Log Analyzer config.

Originally I set it up to work with mysql. I guess it's easier to start with Log Analyzer pushing everything to individual files, then add the mysql database component afterwards?
arrrghhh
Advanced
 
Posts: 27
Joined: Thu Aug 16, 2012 7:03 pm

Re: Log Analyzer / rsyslog queuing?

Postby arrrghhh » Wed Aug 29, 2012 5:26 pm

arrrghhh wrote: Hrm, perhaps I need to start over with my Log Analyzer config.

Originally I set it up to work with mysql. I guess it's easier to start with Log Analyzer pushing everything to individual files, then add the mysql database component afterwards?


Couldn't find the 'edit' button, sorry.

So is there any way to convert Log Analyzer 'back' to a file-only system? I'd prefer to have both - I like the web interface, but I also like the idea of being able to easily distribute the syslog stuff in a file.

Thanks!
arrrghhh
Advanced
 
Posts: 27
Joined: Thu Aug 16, 2012 7:03 pm

Re: Log Analyzer / rsyslog queuing?

Postby alorbach » Wed Aug 29, 2012 9:58 pm

Sure you can switch back to config file based LogAnalyzer, kindly edit config.php and change "UserDBEnabled" to false.
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
