It's important to realize how Rsyslog processes the config files.
It does not care what you have in what file.
If you start rsyslog with -o /path/to/file, then the file will have the config as
rsyslog sees it.
When rsyslog starts, it goes through the file and finds all the module and input
commands (and a few others) and processes them. Then it sits and waits for log
events to happen. When a log event happens, it then processes all the actions
in the combined files for the ruleset that the log event happens in (unless you
bind a ruleset to an input as Mariusz describes, they are all in the default
ruleset).
So you may have put an input in a file along with the actions that you want to
take for that input, but that's not what rsyslog sees. The different files are
purely for administrative convenience; rsyslog doesn't care if every line in
the config is in a separate file or if they are all in one file, it will do
exactly the same thing.
David Lang
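A worked configuration showing both layouts discussed in this thread (a generic input whose events are filtered out of the main queue, beside an input bound to its own ruleset with a dedicated queue), added here as an example and not taken from the thread or from the rsyslog project. The target host, file paths, port 1514, action names and queue sizes are assumed values.

```rsyslog
# Added example: main-queue filtering vs. ruleset binding (assumed values).
# Validate before deploying with:  rsyslogd -N1 -f /path/to/this.conf
# Dump the merged config as rsyslog sees it with:  rsyslogd -o /tmp/merged.conf

global(workDirectory="/var/spool/rsyslog")
module(load="imudp")

# --- Layout A: generic input, filtered in the main queue ---
# Every event from every input goes through the main queue and is evaluated
# against this filter (and every other rule in every included file).
input(type="imudp" port="514" name="udp514")
if ($inputname == "udp514") then {
    action(type="omfwd" target="qradar.example.internal" port="514" protocol="tcp")
    action(type="omfile" file="/var/log/qradar-local.log")
    stop
}

# --- Layout B: input bound to a ruleset with its own queue ---
# Only events from the bound input enter this ruleset; rules in the default
# ruleset (including those in other included files) never see them.
# The queue can be sized, spooled to disk and monitored independently of
# the main queue, so a slow QRadar target does not back up other inputs.
ruleset(name="process_qradar"
        queue.type="LinkedList"
        queue.size="100000"
        queue.workerThreads="2"
        queue.filename="q_process_qradar"
        queue.saveOnShutdown="on") {
    action(type="omfwd" target="qradar.example.internal" port="514" protocol="tcp")
    action(type="omfile" file="/var/log/qradar-local.log")
    stop
}
input(type="imudp" port="1514" name="udp1514" ruleset="process_qradar")
```

In practice you would keep only one of the two layouts per input; both are shown side by side here so the difference is visible in one file.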
On Thu, 16 Jun 2022, Mariusz Kruk via rsyslog wrote:
Date: Thu, 16 Jun 2022 17:51:35 +0200
From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Mariusz Kruk <k...@epsilon.eu.org>
Subject: Re: [rsyslog] multiple rsyslog instances
On 16.06.2022 17:28, Mariusz Kruk via rsyslog wrote:
On 16.06.2022 16:21, vijay kumar via rsyslog wrote:
Hi Team,
My rsyslog service is getting restarted very frequently and we understand
it is due to a race between the various threads, which causes one thread to
free a message field while another tries to read/write it.
[cut]
would be to have multiple rsyslog instances, which is possible if the
traffic is split between ports. If yes, could you please suggest how to
configure?
Multiple instances are multiple processes so there is no way for the
threads from two different processes to interact with each other.
That's what we have process-separation at OS-level for ;-)
The question is - what is your rsyslog version (and whether you're
hitting some well-known and already fixed bug). And what is your config.
OK. From the config you posted I see that you do _not_ have multiple
rsyslog instances. You have multiple inputs defined within a single
instance. There's nothing unusual with that. I have several setups with
rsyslog listening on multiple ports or multiple IPs and nothing bad happens.
You didn't post the global /etc/rsyslogd.conf but I assume it's pretty
typical package-supplied config with the include directive at the end so
all the logic happens in those files you posted.
Anyway, what I can advise from experience, since you have many inputs,
many outputs and a bit of magic routing those inputs to outputs - since
you're separating the inputs by port, it's more convenient (and allows
you to set up separate queues to process each such pipeline) to bind
each output with a specific ruleset processing just this type of events.
At the moment you're putting all events into main processing queue and
then you're calling various filters to match specific event types to
specific actions. That's a bit ineffective. And separating events into
dedicated queues gives you better accounting.
So instead of defining all inputs as "generic" ones and then calling
your filters like this:
## Input-to-Output Flows
#
# Process incoming events from UDP 514
if (re_match($inputname, "udp514"))
then {
call syslog.qradar
call qradar.local
stop
}
You can simply do
ruleset(name="process_qradar" [... queue parameters ...]) {
call syslog.qradar
call qradar.local
stop
}
input(type="imudp" port="514" name="udp514" ruleset="process_qradar")
You could also do single input and dynamically assign ruleset based on
the source IP but that's a completely different story.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.