syslog msgs not being written to disk in realtime

Postby Intelligent_Silicon » Fri May 26, 2017 5:30 pm

Got a configuration where the syslog messages are being written slowly to disk. Slowly can be from a few seconds to at most 10minutes seen so far before its written to disk.
If I sudo service rsyslog stop the messages get written during the forced shutdown.
This is seen on various raspberry pi's using latest raspbian as well as Ubuntu from 14.04 to 17.04 on gamer spec laptops with SSD drives so I'm happy its not a hardware spec issue.

Below is the rsyslog.conf file to use to reproduce the behaviour, I know its not how most people setup (r)syslog log files, but it was discovered when testing the performance and matching messages sent and then written to disk.

Looking through the debug output the syslog messages are being received and processed by rsyslog, but its not being written to disk in straight away, and in order to automate the monitoring of various systems ideally these files would be written to disk in realtime.

Is there something missed or misunderstood by using the below conf file?


swVersion 8.16.0

Code: Select all
$DebugFile /var/rsyslog/debug.log
$DebugLevel 2

$ModLoad imuxsock
$ModLoad imklog
$ModLoad immark

$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

$WorkDirectory /var/rsyslog/spool

$MaxMessageSize 64k

$MainMsgQueueSize 1000000
$MaxOpenFiles 5000
# on for RPi A & B's only
$OptimiseForUniProcessor off
# on for RPi A & B's only

$MainMsgQueueHighWaterMark 600000
$MainMsgQueueWorkerThreadMinimumMessages 100000
$MainMsgQueueDiscardMark 800000

$template syslogformat, "%msgid% %timereported:::date-rfc3339% %procid% %timegenerated:::date-rfc33339% %app-name% %HOSTNAME% %msg% %protocol-version%\n"
$ActionFileDefaultTemplate syslogformat

$template 0SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.0_emerg_panic"
$template 1SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.1_alert"
$template 2SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.2_crit"
$template 3SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.3_err_error"
$template 4SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.4_warn_warning"
$template 5SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.5_notice"
$template 6SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.6_info"
$template 7SeverityFile, "/var/rsyslog/%$YEAR%%$MONTH%%$DAY%/%timegenerated:::date-rfc3339%.7_debug"

*.=emerg; *.=panic -?0SeverityFile
*.=alert -?1SeverityFile
*.=crit -?2SeverityFile
*.=err; *.=error -?3SeverityFile
*.=warn; *.=warning -?4SeverityFile
*.=notice -?5SeverityFile
*.=info -?6SeverityFile
*.=debug -?7SeverityFile
Re: syslog msgs not being written to disk in realtime

Postby rgerhards » Mon May 29, 2017 7:58 am

8.16 is pretty old. Please update to 8.27. I think the problem will then be gone.
