On 16.06.2022 17:28, Mariusz Kruk via rsyslog wrote:
On 16.06.2022 16:21, vijay kumar via rsyslog wrote:
Hi Team,
My rsyslog service is getting restarted very frequently and we understand it is due to a race between the various threads, which causes one thread to free a message field while another tries to read/write it.
[cut]
would be to have multiple rsyslog instances, which is possible if the traffic is split between ports. If yes, could you please suggest how to configure it?
Multiple instances are multiple processes so there is no way for the threads from two different processes to interact with each other. That's what we have process-separation at OS-level for ;-)

The question is - what is your rsyslog version (and whether you're hitting some well-known and already fixed bug). And what is your config?
OK. From the config you posted I see that you do _not_ have multiple rsyslog instances. You have multiple inputs defined within a single instance. There's nothing unusual with that. I have several setups with rsyslog listening on multiple ports or multiple IPs and nothing bad happens.

You didn't post the global /etc/rsyslogd.conf but I assume it's pretty typical package-supplied config with the include directive at the end so all the logic happens in those files you posted.
Anyway, what I can advise from experience, since you have many inputs, many outputs and a bit of magic routing those inputs to outputs - since you're separating the inputs by port, it's more convenient (and allows you to set up separate queues to process each such pipeline) to bind each output with a specific ruleset processing just this type of events. At the moment you're putting all events into main processing queue and then you're calling various filters to match specific event types to specific actions. That's a bit ineffective. And separating events into dedicated queues gives you better accounting.

So instead of defining all inputs as "generic" ones and then calling your filters like this:
## Input-to-Output Flows
#
# Process incoming events from UDP 514
if (re_match($inputname, "udp514")) then {
    call syslog.qradar
    call qradar.local
    stop
}
You can simply do
ruleset(name="process_qradar" [... queue parameters ...]) {
    call syslog.qradar
    call qradar.local
    stop
}
input(type="imudp" port="514" name="udp514" ruleset="process_qradar")
You could also do single input and dynamically assign ruleset based on the source IP but that's a completely different story.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
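To make the advice above concrete, here is a complete, constructed rsyslog configuration (added as an example, not code from the thread or from the rsyslog project) that binds each listening port to its own ruleset with a dedicated disk-assisted queue, so that a slow or unreachable destination on one pipeline cannot back up the others and queued events survive a daemon restart. The ruleset names syslog.qradar and qradar.local are taken from the original post; their contents, the target host qradar.example.internal, the second firewall pipeline on TCP 1514, the file paths and all queue sizes are assumptions chosen for illustration.

```rsyslog
# /etc/rsyslog.d/50-pipelines.conf  (constructed example, not from the thread)
module(load="imudp")
module(load="imtcp")

# --- Output rulesets (names from the post; the actions inside are assumed) ---
ruleset(name="syslog.qradar") {
    # Forward to the SIEM over TCP. The action gets its own disk-assisted queue
    # and retries forever, so a SIEM outage never stalls the calling pipeline.
    action(type="omfwd"
           target="qradar.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList" queue.size="100000"
           queue.filename="q_act_qradar" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

ruleset(name="qradar.local") {
    # Keep a local copy of everything sent to the SIEM.
    action(type="omfile" file="/var/log/remote/qradar.log")
}

# --- Pipeline 1: events arriving on UDP 514 -------------------------------
# The ruleset-level queue replaces the shared main queue for this input only.
ruleset(name="process_qradar"
        queue.type="LinkedList"
        queue.size="50000"
        queue.workerThreads="2"
        queue.filename="q_process_qradar"
        queue.saveOnShutdown="on") {
    call syslog.qradar
    call qradar.local
    stop
}
input(type="imudp" port="514" name="udp514" ruleset="process_qradar")

# --- Pipeline 2: firewall logs on TCP 1514 (assumed second input) ---------
ruleset(name="process_firewall"
        queue.type="LinkedList"
        queue.size="50000"
        queue.filename="q_process_fw"
        queue.saveOnShutdown="on") {
    action(type="omfile" file="/var/log/remote/firewall.log")
    stop
}
input(type="imtcp" port="1514" name="tcp1514" ruleset="process_firewall")
```

Because each input names its ruleset directly, no $inputname filter runs in the main queue and an event only ever traverses the queue of its own pipeline. Before restarting the daemon, run `rsyslogd -N1` to have rsyslog parse the configuration and report syntax errors without starting; the disk queue files land in the directory set by the global workDirectory parameter, which must be writable by the rsyslog user for saveOnShutdown to work.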