Just wanted to make sure there is awareness of that option. Agree that it is not often needed.
Rainer

On Tue, 15 Nov 2022 at 10:02, David Lang (<da...@lang.hm>) wrote:
>
> I haven't needed to do that to handle 300k messages/sec on UDP input (usually I
> run into bottlenecks in processing the messages long before I have problems
> accepting them)
>
> David Lang
>
> On Tue, 15 Nov 2022, Rainer Gerhards wrote:
>
> > let me add: look into setting imudp to realtime priority. Doc:
> >
> > https://www.rsyslog.com/doc/master/configuration/modules/imudp.html
> >
> > Rainer
> >
> > On Tue, 15 Nov 2022 at 5:04, David Lang via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> >>
> >> Some additional comments on the config
> >>
> >> These action queue configs probably don't do what you intend them to do
> >>
> >> the first thing is that they only affect the next action, which is authpriv.* to
> >> /var/log/secure and you configure 2000 threads to write these logs out. That
> >> will create a HUGE amount of contention for the queue lock and under load you
> >> should see it maxing out quite quickly
> >>
> >> what is it that you are attempting to do here?
> >>
> >> # Performance Tuning #
> >> $ActionQueueWorkerThreads 2000
> >> $ActionQueueWorkerThreadMinimumMessages 1000
> >> $ActionQueueSize 1000000
> >> $ActionQueueDiscardMark 800000
> >> $ActionQueueHighWaterMark 600000
> >>
> >> #### RULES ####
> >> # Log all kernel messages to the console.
> >> # Logging much else clutters up the screen.
> >> #kern.* /dev/console
> >>
> >> # Log anything (except mail authpriv, cron)
> >> # Dont log private authentication messages!
> >> #*.*;mail.none;authpriv.none;cron.none ?RemoteIP
> >>
> >> # The authpriv file has restricted access.
> >> authpriv.* /var/log/secure
> >>
> >> since the queue only applied to the next action with this config, everything
> >> below this is operating from the main queue again as if there was no action
> >> queue configuration
> >>
> >> # Log all the mail messages in one place.
> >> mail.* -/var/log/maillog
> >>
> >> # Log cron stuff
> >> cron.* /var/log/cron
> >>
> >> # Everybody gets emergency messages
> >> *.emerg :omusrmsg:*
> >>
> >> # Save news errors of level crit and higher in a special file.
> >> uucp,news.crit /var/log/spooler
> >>
> >> # Save boot messages also to boot.log
> >> # local7.*
> >> /var/syslog/boot.log
> >>
> >> ereregex is a fairly expensive filter to apply, it's much better to figure out a
> >> non-regex approach to filtering these. Can you post some examples of what you
> >> are trying to filter? mmnormalize to parse the logs and then make decisions on
> >> the parsed results is probably much faster.
> >>
> >> /etc/rsyslog.d/security-config-omsagent.conf
> >> # [Firewall Log Filtering] #
> >> :msg, ereregex, "(1.1.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.2.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.3.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.4.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.5.[0-9]+.[0-9]+)" stop
> >> :msg, ereregex, "(1.6.1[6-9].[0-9]+)" stop
> >> :msg, ereregex, "(1.7.2[0-3].[0-9]+)" stop
> >> :msg, ereregex, "(1.8.68.[0-9]+)" stop
> >> :msg, ereregex, "(1.9.69.[0-9]+)" stop
> >> :msg, ereregex, "(1.10.82.[0-9]+)" stop
> >> :msg, ereregex, "(IP multicast routing failed)" stop
> >> :msg, ereregex, "(TCP_7680)" stop
> >>
> >> check the messages to see where CEF: and ASA- are in the message, can you filter
> >> on something smaller than rawmsg? (say syslogtag), and can you use 'startswith'
> >> instead of 'contains'?, again mmnormalize may be much faster
> >>
> >> if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226
> >> & stop
> >> if $rawmsg contains "infobloxgridmstr" then @127.0.0.1:25224
> >> & stop
> >>
> >> combining multiple filters into one action, or having the filters call a ruleset
> >> can be far more efficient than all of them writing things out independently.
> >>
> >> the if..then filter structure lets you easily combine filters
> >>
> >> local0.info @127.0.0.1:25224
> >> & stop
> >> local1.info @127.0.0.1:25224
> >> & stop
> >> local2.info @127.0.0.1:25224
> >> & stop
> >> local3.info @127.0.0.1:25224
> >> & stop
> >> local4.info @127.0.0.1:25224
> >> & stop
> >> local5.info @127.0.0.1:25224
> >> & stop
> >> local6.info @127.0.0.1:25224
> >> & stop
> >> local7.info @127.0.0.1:25224
> >> & stop
> >> auth.* @127.0.0.1:25224
> >> & stop
> >> authpriv.* @127.0.0.1:25224
> >> & stop
> >> daemon.info @127.0.0.1:25224
> >> & stop
> >> syslog.* @127.0.0.1:25224
> >> & stop
> >> ftp.* @127.0.0.1:25224
> >> & stop
> >> user.* @127.0.0.1:25224
> >> & stop
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
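An added example, not the poster's config and not from the rsyslog project, of the consolidation David Lang describes in the quoted reply: the fourteen facility-based forwards collapsed into one RainerScript test that calls a ruleset, the queue parameters attached to the one action they are meant for, and the rawmsg tests narrowed to smaller properties. The ports come from the thread; the queue sizes, the worker count and the assumption that ASA messages carry "ASA-" in syslogtag are illustrative and should be checked against real messages first.

```rsyslog
# Added example (not the poster's config). Forwarding target 127.0.0.1:25224
# and the CEF/ASA target 127.0.0.1:25226 are taken from the thread.

# One ruleset holds the forwarding action, and the queue is bound to that
# action only. The legacy $ActionQueue* directives applied to the single next
# action (authpriv.* -> /var/log/secure) and were then reset; here the queue
# sits in front of the omfwd action that every matching rule calls.
ruleset(name="fwd_omsagent") {
    action(type="omfwd" target="127.0.0.1" port="25224" protocol="udp"
           queue.type="LinkedList"
           queue.size="1000000"
           queue.discardMark="800000"
           queue.highWaterMark="600000"
           queue.workerThreads="4"      # a few workers, not 2000: they contend on the queue lock
           queue.workerThreadMinimumMessages="1000")
}

# CEF / ASA traffic: test syslogtag (small) and $msg instead of $rawmsg.
# Assumption for this example: the ASA tag begins with "ASA-".
if ($syslogtag startswith "ASA-") or ($msg contains "CEF:") then {
    action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp")
    stop
}

if $msg contains "infobloxgridmstr" then {
    call fwd_omsagent
    stop
}

# The "facility.level @127.0.0.1:25224 / & stop" pairs become one test.
# local0..local7 and daemon keep the original .info threshold (severity
# numbers 0..6, i.e. info and more urgent); the rest match all severities.
if ($syslogfacility-text == ["local0", "local1", "local2", "local3",
                             "local4", "local5", "local6", "local7", "daemon"]
    and $syslogseverity <= 6)
   or $syslogfacility-text == ["auth", "authpriv", "syslog", "ftp", "user"] then {
    call fwd_omsagent
    stop
}
```

The queue could equally be declared on the ruleset itself (ruleset(name=... queue.type=...)) rather than on the action; either way it applies to one place, which is the point the thread makes about the legacy directives.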