let me add: look into setting imudp to realtime priority. Doc: https://www.rsyslog.com/doc/master/configuration/modules/imudp.html
Rainer

On Tue, 15 Nov 2022 at 5:04, David Lang via rsyslog (<rsyslog@lists.adiscon.com>) wrote:

> Some additional comments on the config
>
> These action queue configs probably don't do what you intend them to do
>
> the first thing is that they only affect the next action, which is authpriv.* to
> /var/log/secure and you configure 2000 threads to write these logs out. That
> will create a HUGE amount of contention for the queue lock and under load you
> should see it maxing out quite quickly
>
> what is it that you are attempting to do here?
>
> > # Performance Tuning #
> > $ActionQueueWorkerThreads 2000
> > $ActionQueueWorkerThreadMinimumMessages 1000
> > $ActionQueueSize 1000000
> > $ActionQueueDiscardMark 800000
> > $ActionQueueHighWaterMark 600000
> >
> > #### RULES ####
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.* /dev/console
> >
> > # Log anything (except mail authpriv, cron)
> > # Don't log private authentication messages!
> > #*.*;mail.none;authpriv.none;cron.none ?RemoteIP
> >
> > # The authpriv file has restricted access.
> > authpriv.* /var/log/secure
>
> since the queue only applied to the next action with this config, everything
> below this is operating from the main queue again as if there was no action
> queue configuration
>
> > # Log all the mail messages in one place.
> > mail.* -/var/log/maillog
> >
> > # Log cron stuff
> > cron.* /var/log/cron
> >
> > # Everybody gets emergency messages
> > *.emerg :omusrmsg:*
> >
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit /var/log/spooler
> >
> > # Save boot messages also to boot.log
> > # local7.* /var/syslog/boot.log
>
> ereregex is a fairly expensive filter to apply, it's much better to figure out a
> non-regex approach to filtering these. Can you post some examples of what you
> are trying to filter? mmnormalize to parse the logs and then make decisions on
> the parsed results is probably much faster.
>
> > /etc/rsyslog.d/security-config-omsagent.conf
> > # [Firewall Log Filtering] #
> > :msg, ereregex, "(1.1.[0-9]+.[0-9]+)" stop
> > :msg, ereregex, "(1.2.[0-9]+.[0-9]+)" stop
> > :msg, ereregex, "(1.3.[0-9]+.[0-9]+)" stop
> > :msg, ereregex, "(1.4.[0-9]+.[0-9]+)" stop
> > :msg, ereregex, "(1.5.[0-9]+.[0-9]+)" stop
> > :msg, ereregex, "(1.6.1[6-9].[0-9]+)" stop
> > :msg, ereregex, "(1.7.2[0-3].[0-9]+)" stop
> > :msg, ereregex, "(1.8.68.[0-9]+)" stop
> > :msg, ereregex, "(1.9.69.[0-9]+)" stop
> > :msg, ereregex, "(1.10.82.[0-9]+)" stop
> > :msg, ereregex, "(IP multicast routing failed)" stop
> > :msg, ereregex, "(TCP_7680)" stop
>
> check the messages to see where CEF: and ASA- are in the message, can you filter
> on something smaller than rawmsg? (say syslogtag), and can you use 'startswith'
> instead of 'contains'?, again mmnormalize may be much faster
>
> > if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226
> > & stop
> > if $rawmsg contains "infobloxgridmstr" then @127.0.0.1:25224
> > & stop
>
> combining multiple filters into one action, or having the filters call a ruleset
> can be far more efficient than all of them writing things out independently.
>
> the if..then filter structure lets you easily combine filters
>
> > local0.info @127.0.0.1:25224
> > & stop
> > local1.info @127.0.0.1:25224
> > & stop
> > local2.info @127.0.0.1:25224
> > & stop
> > local3.info @127.0.0.1:25224
> > & stop
> > local4.info @127.0.0.1:25224
> > & stop
> > local5.info @127.0.0.1:25224
> > & stop
> > local6.info @127.0.0.1:25224
> > & stop
> > local7.info @127.0.0.1:25224
> > & stop
> > auth.* @127.0.0.1:25224
> > & stop
> > authpriv.* @127.0.0.1:25224
> > & stop
> > daemon.info @127.0.0.1:25224
> > & stop
> > syslog.* @127.0.0.1:25224
> > & stop
> > ftp.* @127.0.0.1:25224
> > & stop
> > user.* @127.0.0.1:25224
> > & stop
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog?
> Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
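One way to restructure the quoted configuration along the lines the thread suggests (ruleset-bound queue instead of a per-action queue, a few workers instead of 2000, substring tests on a small property instead of ereregex over $msg, one filter feeding one action instead of fourteen, and imudp with realtime scheduling). This is an added example, not the poster's config and not rsyslog project code. The 127.0.0.1:25224/25226 targets, the facility list and the filter strings come from the quoted config; the UDP listener port 514, the ruleset name, the scheduling priority, the queue sizes and the assumption that CEF and ASA messages carry those strings at the start of their syslogtag are mine and need checking against real traffic.

```rsyslog
# Added example (not the poster's config, not rsyslog project code):
# the quoted setup restructured along the lines David suggests.
# Assumed: UDP listener on 514, the ruleset name, the scheduling priority,
# the queue sizes, and that CEF/ASA messages carry those strings in syslogtag.

# Realtime scheduling for the UDP receiver thread (see the imudp doc Rainer
# links); the priority value is a placeholder to tune for the host.
module(load="imudp" schedulingPolicy="fifo" schedulingPriority="10")
input(type="imudp" port="514" ruleset="oms_forward")

# One queue for the whole ruleset. $ActionQueue* directives bind only to the
# action that follows them; a ruleset queue covers every action inside it.
# A handful of workers is enough, 2000 would only contend for the queue lock.
ruleset(name="oms_forward"
        queue.type="LinkedList"
        queue.size="1000000"
        queue.highWaterMark="600000"
        queue.discardMark="800000"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="250000") {

    # Firewall noise: plain substring tests replace ereregex, and both sit in
    # one filter so each message is evaluated once.
    if $msg contains "IP multicast routing failed" or $msg contains "TCP_7680" then stop

    # The address-range drops still need a regex, but one expression scanned
    # once beats ten separate ereregex filters. Dots are literal here ([.]);
    # the quoted patterns leave '.' unescaped, so in ERE they also match any
    # character in those positions.
    if re_match($msg, "(^|[^0-9])1[.]([1-5][.][0-9]+|6[.]1[6-9]|7[.]2[0-3]|8[.]68|9[.]69|10[.]82)[.][0-9]+") then stop

    # Routing by tag: startswith on the short syslogtag property instead of
    # contains over the whole rawmsg. Confirm with captured messages that the
    # tag really begins with these strings (assumption for this example).
    if $syslogtag startswith "CEF:" or $syslogtag startswith "%ASA-" then {
        action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp")
        stop
    }
    if $msg contains "infobloxgridmstr" then {
        action(type="omfwd" target="127.0.0.1" port="25224" protocol="udp")
        stop
    }

    # The fourteen "facility.level @127.0.0.1:25224 / & stop" pairs collapse
    # into one filter and one action. A ".info" selector means severity info
    # and more urgent, i.e. numeric severity <= 6; ".*" means any severity.
    if ($syslogfacility-text == ["local0","local1","local2","local3",
                                 "local4","local5","local6","local7","daemon"]
        and $syslogseverity <= 6)
       or $syslogfacility-text == ["auth","authpriv","syslog","ftp","user"] then {
        action(type="omfwd" target="127.0.0.1" port="25224" protocol="udp")
        stop
    }
}
```

Validate the file with `rsyslogd -N1 -f <file>` before deploying it; once it is live, impstats reports the queue fill level and discard counts, which is the only reliable way to tell whether the chosen water marks and worker count fit the actual message rate.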