Linux/Rsyslog/Queues
Message Flow
- Flow:
- Msg received
Pre-Processor -> Main message queue
- Rule-processor deque, run parsing and filtering engine, according to /etc/ryslog.conf
- Each action has its own action queue, that receives messaged for action processors to work on.
- Several actions can run simultaneously on one msg.
- action queue can by by passed, direct queues.
- If action fails, action queue gets notified, and after some time will be attempted again by action.
![/!\](/moin_static1911/modern/img/alert.png "/!\")
Recommended to use dedicated action queues for outputs to network/db to allow these to q off main q, preventing blocked main queue.
Queue Types - Where type = MainMsg or action $<object>QueueType <type>
direct - Default for action queue, perfect for writing to local file. $ActionQueueType Direct
- linkedlist - in-memory, recommended
- fixedarray - in-memory, 10k
disk - Slow, reliable, 10Mb default, can set size and name-prefix $objectQueueMaxFileSize size
- Combine in-memory and disk with disk-assisted in-memory queue
- Add settings to normal in-memory queue
$objectQueueFileName
Set Watermark - number=# msg in queue, remember to replace <object> with MainMsg or Action
$objectQueueHighWatermark number ; $objectQueueLowWatermark number
- Add settings to normal in-memory queue
MainMsg Queue
- Default limit 10k
- Rsyslog log buffering
Location set by variable: $?WorkDirectory /var/lib/rsyslog
For forwarding to server e.g. example.com, with in-memory queue, and disk-assisted
$ActionQueueType LinkedList $ActionQueueFileName example_fwd $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on *.* @@example.com:6514
Or new style config prefered
*.* action(type="omfwd" queue.type="linkedlist" queue.filename="example_fwd" action.resumeRetryCount="-1" queue.saveOnShutdown="on" target="example.com" port="6514" protocol="tcp" )Msg's kept in memory, and when full disk queue /var/lib/ryslog/example_fd<number> used.