Information: Forum is in read-only mode
For details and other support options see https://www.adiscon.com/news/support-forum-set-to-read-only-mode/

state indicators in rsyslog 8.10

This is the place for developers to discuss bugs, new features and everything else about code changes.

Moderator: alorbach

Google Ads


state indicators in rsyslog 8.10

Postby qzrrbz » Wed Jul 29, 2015 8:54 pm

i am interested in how i can tell when events that i care about
have happened.

the scenario is:

i gather logs on one host. i use 'omfwd' via tcp to another host, no RELP
in play. pstats enabled/captured "out of band" (as in direct to file) on
both ends.

assume "steady state" is loglines are being generated on the sending host
and sent successfully to the receiving host.

how can i ascertain various "state" changes? examples include "rcv system
unreachable", "rcv system slow" causing logline backup, "sending system
exceeds DA space limits", etc.

what are the indicators i can look to here? any helpful hints would be
greatly appreciated!

thanks!
qzrrbz
New
 
Posts: 5
Joined: Tue Jul 14, 2015 5:15 pm

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Re: state indicators in rsyslog 8.10

Postby dlang » Wed Jul 29, 2015 10:32 pm

I think you asked the same question on the rsyslog mailing list on friday

> i am interested in how i can tell when events that i care about are or
> have happened.
>
> the scenario is:
>
> i gather logs on one host. i use 'omfwd' via tcp to another host, no RELP
> in play. pstats enabled/captured "out of band" (as in direct to file) on
> both ends.
>
> assume "steady state" is loglines are being generated on the sending host
> and sent successfully to the receiving host.
>
> how can i ascertain various "state" changes? examples include "rcv system
> unreachable", "rcv system slow" causing logline backup, "sending system
> exceeds DA space limits", etc.
>
> what are the indicators i can look to here? any helpful hints would be
> greatly appreciated!


I'll give you the same answer I gave you there

on the sending system, look for log messages from rsyslog about suspended outputs

in the pstats you will see suspended outputs when the remote system is not
available, and you will see the queue size climb if the receiving system can't
keep up.

there are log messages when you run out of DA space (assuming that the log
message can still be written locally) and the queue size in the pstats will hit
the max size allowed.


if you have more specific questions, please clarify what you are asking
dlang
Frequent Poster
 
Posts: 1002
Joined: Mon Sep 15, 2008 7:44 am

Re: state indicators in rsyslog 8.10

Postby qzrrbz » Wed Jul 29, 2015 10:39 pm

thanks for the reply, yes i had posted the same text (the wonders of c&p ;) ), but as i am batch mode and have not seen the batch containing your answer, i wasn't sure if it had been seen or dealt with. i do apologize for duping it!

at any rate, some documentation somewhere suggested the forums as a better place to ask questions, so i figured i'd go here from now on. i don't know if the audiences are mutually exclusive or not (your answering in both places kind of indicates that "folks who know about this" do indeed read both places!)

i am attempting to react to pstats counter transitions for deriving state information, as that's the file i can get at as an unpriv user in my world. that's where the other post in this forum came from, the fact that resumed=N is *not* useful, as it's never incremented in the current codebase.
qzrrbz
New
 
Posts: 5
Joined: Tue Jul 14, 2015 5:15 pm

Re: state indicators in rsyslog 8.10

Postby dlang » Wed Jul 29, 2015 10:44 pm

at any rate, some documentation somewhere suggested the forums as a better place to ask questions, so i figured i'd go here from now on.


that documentation is incorrect, the mailing list is the better place (and if you know where in the documentation that is, please let me know so we can get it changed :-)

if you can configure the pstats file to be readable, you can configure rsyslog to write it's logs (fromhost-ip == 127.0.0.1 programname startswith 'rsyslog') to a file you can read as well.

the queue size should always be pretty low, it it's any noticable size, something is wrong. If it's shrinking, you are in recovery, when it first starts to grow, you just had a problem happen

the only way you will see the queues fill is if you either know what their max size is when you look at their size in the pstats data, or you see the log messages from rsyslog
dlang
Frequent Poster
 
Posts: 1002
Joined: Mon Sep 15, 2008 7:44 am

Re: state indicators in rsyslog 8.10

Postby qzrrbz » Wed Jul 29, 2015 10:53 pm

one of my wishes is to be able to see any connect to the remote server fails, and judge their duration/frequency. i noted in one of the N conf builds that i've churned through that "suspended=N" could be caused to increment, as well as "suspended.duration", but i'm having trouble getting a direct causal stimulus-response kind of mental map of what the triggers are for this to change (hence the request for any state maps that can be known here!).

i have since lost the ability to make those counters change, so i'm at a loss as to how i even got them to change in the first place! :-)
qzrrbz
New
 
Posts: 5
Joined: Tue Jul 14, 2015 5:15 pm

Re: state indicators in rsyslog 8.10

Postby qzrrbz » Wed Jul 29, 2015 11:03 pm

fwiw, http://www.rsyslog.com/windows-agent/support/ has Support Forum as number one with a bullet method of support. so, by inference the forum would seem to be preferred. i think i saw something more explicit, but this is a start? :-)

way off in the lower right hand corner is mention of the mailinglist ... :-)
qzrrbz
New
 
Posts: 5
Joined: Tue Jul 14, 2015 5:15 pm

Google Ads



Return to Developer's Corner

Who is online

Users browsing this forum: No registered users and 1 guest

cron