Estou usando o servidor rsyslog para manter log de vários servidores. Recentemente eu adicionei 20 servidores em rsyslog, depois que rsyslog é freqüentemente trava o serviço (não receber log até a reinicialização do serviço). Eu observei o uso de memória e quando a memória atinge 456MB, ele trava.

Como posso me livrar desse problema? Servidor Rsyslog tem 16 GB de RAM, não usa mais de 2 GB.

Olá Thiago,

Obrigado pela sua resposta rápida, por favor encontre o seu log requerido.

sudo cat / var / log / messages | grep rsyslog

[root@rsyslog ~]# cat /var/log/messages | grep rsyslog
Sep  4 23:38:54 rsyslog rsyslogd: -- MARK --
Sep  5 11:25:08 rsyslog rsyslogd: -- MARK --
Sep  5 15:50:12 rsyslog kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep  5 15:50:12 rsyslog rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="10706" x-info="http://www.rsyslog.com"] start
Sep  5 15:50:12 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 15:50:12 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 3:"RSYSLOG_DEBUG="Debug NoStdOut""
Sep  5 15:50:12 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 15:50:12 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 15:50:12 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 4:"RSYSLOG_DEBUGLOG="/var/log/syslog-debug""
Sep  5 15:50:12 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 15:50:12 rsyslog rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
Sep  5 16:11:24 rsyslog kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep  5 16:11:24 rsyslog rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="10919" x-info="http://www.rsyslog.com"] start
Sep  5 16:11:24 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 16:11:24 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 3:"RSYSLOG_DEBUG="Debug NoStdOut""
Sep  5 16:11:24 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 16:11:24 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 16:11:24 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 4:"RSYSLOG_DEBUGLOG="/var/log/syslog-debug""
Sep  5 16:11:24 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 16:11:24 rsyslog rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
Sep  5 16:54:59 rsyslog kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep  5 16:54:59 rsyslog rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="11231" x-info="http://www.rsyslog.com"] start
Sep  5 16:54:59 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 16:54:59 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 3:"RSYSLOG_DEBUG="Debug NoStdOut""
Sep  5 16:54:59 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 16:54:59 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 16:54:59 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 4:"RSYSLOG_DEBUGLOG="/var/log/syslog-debug""
Sep  5 16:54:59 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 16:54:59 rsyslog rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
Sep  5 17:42:53 rsyslog kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep  5 17:42:53 rsyslog rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="11562" x-info="http://www.rsyslog.com"] start
Sep  5 17:42:53 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 17:42:53 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 3:"RSYSLOG_DEBUG="Debug NoStdOut""
Sep  5 17:42:53 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 17:42:53 rsyslog rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Sep  5 17:42:53 rsyslog rsyslogd: the last error occured in /etc/rsyslog.conf, line 4:"RSYSLOG_DEBUGLOG="/var/log/syslog-debug""
Sep  5 17:42:53 rsyslog rsyslogd: warning: selector line without actions will be discarded
Sep  5 17:42:53 rsyslog rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
Sep  5 17:59:16 rsyslog kernel: fuse init (API version 7.14)
Sep  5 17:59:16 rsyslog seahorse-daemon[11835]: DNS-SD initialization failed: Daemon not running
Sep  5 17:59:16 rsyslog seahorse-daemon[11835]: init gpgme version 1.1.8
Sep  5 17:59:18 rsyslog polkitd[12048]: started daemon version 0.96 using authority implementation 'local' version '0.96'
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] Unable to locate theme engine in module_path: "clearlooks",
Sep  5 17:59:19 rsyslog vmusr[11909]: [ warning] [Gtk] gtk_disable_setlocale() must be called before gtk_init()
Sep  5 18:00:28 rsyslog ntpd[6805]: ntpd exiting on signal 15
Sep  5 18:00:28 rsyslog ntpd[12245]: ntpd [email protected] Sat Nov 23 18:21:48 UTC 2013 (1)
Sep  5 18:00:28 rsyslog ntpd[12246]: proto: precision = 0.061 usec
Sep  5 18:00:28 rsyslog ntpd[12246]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Sep  5 18:00:28 rsyslog ntpd[12246]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Sep  5 18:00:28 rsyslog ntpd[12246]: Listen and drop on 1 v6wildcard :: UDP 123
Sep  5 18:00:28 rsyslog ntpd[12246]: Listen normally on 2 lo 127.0.0.1 UDP 123
Sep  5 18:00:28 rsyslog ntpd[12246]: Listen normally on 4 eth0 fe80::250:56ff:feba:de61 UDP 123
Sep  5 18:00:28 rsyslog ntpd[12246]: Listen normally on 5 lo ::1 UDP 123
Sep  5 18:00:28 rsyslog ntpd[12246]: peers refreshed
Sep  5 18:00:28 rsyslog ntpd[12246]: Listening on routing socket on fd #22 for interface updates
Sep  5 18:00:28 rsyslog ntpd[12246]: 0.0.0.0 c016 06 restart
Sep  5 18:00:28 rsyslog ntpd[12246]: 0.0.0.0 c012 02 freq_set kernel -39.564 PPM
Sep  5 18:02:44 rsyslog init: tty (/dev/tty1) main process ended, respawning
Sep  5 18:02:53 rsyslog rsyslogd: -- MARK --
Sep  5 18:03:42 rsyslog ntpd[12246]: 0.0.0.0 c615 05 clock_sync
Sep  5 18:22:53 rsyslog rsyslogd: -- MARK --
Sep  5 18:42:53 rsyslog rsyslogd: -- MARK --
Sep  5 19:02:53 rsyslog rsyslogd: -- MARK --
Sep  5 19:22:53 rsyslog rsyslogd: -- MARK --
Sep  6 12:30:35 rsyslog kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep  6 12:30:35 rsyslog rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="18673" x-info="http://www.rsyslog.com"] start
Sep  6 12:50:35 rsyslog rsyslogd: -- MARK --

=============================================== ====

arquivo rsyslog.conf

arquivo de configuração do rsyslog v5

RSYSLOG_DEBUG="Depurar NoStdOut"

RSYSLOG_DEBUGLOG="/ var / log / syslog-debug"

Para mais informações, consulte / usr / share / doc / rsyslog - * / rsyslog_conf.html

Se você tiver problemas, consulte o link

MÓDULOS

$ ModLoad imuxsock # fornece suporte para o registro do sistema local (por exemplo, por meio do comando logger) $ ModLoad imklog # fornece suporte ao registro do kernel (feito anteriormente pelo rklogd) $ ModLoad immark # fornece capacidade de mensagem --MARK-- $ ModLoad ommysql

Fornece recepção de syslog UDP

$ ModLoad imudp $ UDPServerRun 514

Fornece recepção de syslog TCP

$ ModLoad imtcp $ InputTCPServerRun 514

DIRETRIZES GLOBAIS

Usar o formato de data e hora padrão

$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

A capacidade de sincronização de arquivos está desativada por padrão. Esse recurso geralmente não é necessário,

não é útil e um hit de desempenho extremo

$ ActionFileEnableSync em

Inclua todos os arquivos de configuração em /etc/rsyslog.d /

$ IncludeConfig /etc/rsyslog.d / *. conf

REGRAS

Registre todas as mensagens do kernel no console.

Registrar muito mais desordena a tela.

kern. * / dev / console

kern. * / var / log / console

Registre qualquer coisa (exceto mail) de informações de nível ou superior.

Não registre mensagens de autenticação privadas!

*. info; mail.none; authpriv.none; cron.none / var / log / messages

O arquivo authpriv tem acesso restrito.

authpriv. * / var / log / secure

Registre todas as mensagens de e-mail em um só lugar.

mail. * - / var / log / maillog

Coisas do cron de registro

cron. * / var / log / cron

Todos recebem mensagens de emergência

*. emerg *

Salvar erros de notícias de nível crítico e superiores em um arquivo especial.

uucp, news.crit / var / log / spooler

Salvar mensagens de inicialização também no boot.log

local7. * /var/log/boot.log

$ AllowedSender TCP, 127.0.0.1, 192. **** $ AllowedSender UDP, 127.0.0.1, 192. ****

$ AllowedSender TCP, 127.0.0.1, 192. **** $ AllowedSender UDP, 127.0.0.1, 192. ****

. : ommysql: 127.0.0.1, rsyslogdb, rsyslog, mypassword

### regra de encaminhamento inicial

A declaração entre o começo ... end define um encaminhamento SINGLE

regra. Eles pertencem juntos, não os dividam. Se você criar vários

regras de encaminhamento, duplique o bloco inteiro!

Log remoto (usamos TCP para entrega confiável)

#

Uma fila no disco é criada para esta ação. Se o host remoto for

para baixo, as mensagens são colocadas em spool no disco e enviadas quando estão no ar novamente.

$ WorkDirectory / var / lib / rsyslog # onde colocar os arquivos em spool

$ ActionQueueFileName fwdRule1 # prefixo de nome exclusivo para arquivos de spool

$ ActionQueueMaxDiskSpace 1g # 1gb limite de espaço (use o máximo possível)

$ ActionQueueSaveOnShutdown em # salvar mensagens no disco durante o desligamento

$ ActionQueueType LinkedList # é executado de forma assíncrona

$ ActionResumeRetryCount -1 # tentativas infinitas se o host estiver inativo

host remoto é: nome / ip: porta, por exemplo 192.168.0.1:514, porta opcional

. @@ remote-host: 514

### fim da regra de encaminhamento

Um modelo para registros de data e hora de precisão mais altos + registro de gravidade

$ template SpiceTmpl, "% TIMESTAMP%.% TIMESTAMP ::: data-subseconds%% syslogtag%% syslogseverity-text%:% msg ::: sp-if-no-1st-sp %% msg ::: drop-last-lf% \ n "

: programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl