Well, it depends.

For a busy system, the default timeout in the main queue is way too
long (I think I have shortened it recently, but still). This means
while the message ultimately gets deleted, the system can become
sluggish to a point where it looks totally unresponsive.

HOWEVER, you can change the default via config, and you can also set
the timeout to zero, which means "immediately". I suggest this for
many scenarios. Obviously, it causes loss of logs, but usually this is
preferred over loss of function.

Just be aware that attackers may use this approach to hide their traces.

HTH
Rainer

On Mon, 31 Jul 2023 at 15:13, David Lang via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> the inputs block, but eventually many inputs will drop messages (think network
> connections)
>
> you can configure how to drop messages (look at the watermark configs)
>
> In general, when the queue is full, anything attempting to put messages into the
> queue blocks, if that thing is reading messages from a source that can wait, the
> messages wait, if the source can't wait, the message gets dropped.
>
> David Lang
>
> On Mon, 31 Jul 2023, Raphaël Laguerre via rsyslog wrote:
>
> > Date: Mon, 31 Jul 2023 14:15:59 +0200
> > From: Raphaël Laguerre via rsyslog <rsyslog@lists.adiscon.com>
> > To: rsyslog@lists.adiscon.com
> > Cc: Raphaël Laguerre <rlague...@easter-eggs.com>
> > Subject: [rsyslog] What happens when the main message queue is full ?
> >
> > Hello,
> >
> > My system is a Debian 11 with rsyslog 8.2102.0-2+deb11u1.
> >
> > It is said in
> > https://www.rsyslog.com/doc/v8-stable/concepts/queues.html#filled-up-queues :
> >
> > "For example, throttling the local log socket too long would cause the 
> > system at whole come to a standstill. To prevent this, rsyslogd times out 
> > after a configured period (”$<object>QueueTimeoutEnqueue“, specified in 
> > milliseconds) if no space becomes available. As a last resort, it then 
> > discards the newly arrived message."
> >
> > And I read in the warning section of
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-working_with_queues_in_rsyslog :
> >
> > "If an output plug-in is unable to deliver a message, it is stored in the 
> > preceding message queue. If the queue fills, the inputs block until it is 
> > no longer full. This will prevent new messages from being logged via the 
> > blocked queue. In the absence of separate action queues this can have 
> > severe consequences, such as preventing SSH logging, which in turn can 
> > prevent SSH access. Therefore it is advised to use dedicated action queues 
> > for outputs which are forwarded over a network or to a database."
> >
> > I find these two statements contradictory because according to the first one,
> > when the main message queue is full, rsyslog will eventually drop newly
> > arrived messages when according to the second one "the inputs block until
> > it is no longer full".
> >
> > I would like to be sure that the processes logging to rsyslog via unix
> > socket won't be blocked in the case my main message queue is full.
> >
> > thanks,
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> > LIKE THAT.
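
The advice in this thread (timeout zero on the main queue, dedicated action queues with watermarks for network outputs, and keeping an eye on drops) put together in one rsyslog.conf fragment. This is an added example and is not configuration posted by anyone in the thread nor taken from the rsyslog documentation; the hostname, port, paths and queue sizes are illustrative assumptions, and the parameter names are the documented RainerScript queue and action parameters.

```rsyslog
# Added example, not from the thread or the rsyslog docs. Hostnames, ports,
# paths and sizes below are illustrative assumptions; tune them for your site.

# Disk-assisted action queues need a writable work directory.
global(workDirectory="/var/spool/rsyslog")

# Local processes log through the unix socket. This is the input that must
# never block for long, or the whole host stalls (sshd, sudo, cron, ...).
module(load="imuxsock")

# Main queue: do not wait for space. If the queue is full, the newly arrived
# message is dropped immediately (timeout zero). Loss of a few log lines is
# preferred to loss of function on the host.
main_queue(
    queue.type="FixedArray"
    queue.size="100000"
    queue.timeoutenqueue="0"
)

# Local file output is fast and reliable and can stay on the main queue.
*.* action(type="omfile" file="/var/log/all.log")

# Network forwarding: a remote collector can stall or disappear, so this
# action gets its own disk-assisted queue instead of backing up into the
# main queue (the situation the Red Hat warning describes).
*.* action(
    type="omfwd"
    target="collector.example.internal"      # assumed hostname
    port="6514"                              # assumed port
    protocol="tcp"
    queue.type="LinkedList"
    queue.filename="fwd_collector"           # a filename enables disk assistance
    queue.size="200000"
    queue.maxdiskspace="1g"
    queue.saveonshutdown="on"
    # Watermarks: above the high mark the queue spills to disk; once the
    # discard mark is reached, messages with numeric severity >= 6
    # (informational and debug) are thrown away rather than blocking the
    # producer. Warnings and above are still kept.
    queue.highwatermark="160000"
    queue.lowwatermark="40000"
    queue.discardmark="190000"
    queue.discardseverity="6"
    queue.timeoutenqueue="0"
    action.resumeRetryCount="-1"             # keep retrying the collector
)

# Drops are otherwise silent. impstats emits per-queue counters (for example
# "discarded.full" and "discarded.nf"), so a sudden rise in discards, which is
# what an attacker flooding the queue to hide traces would produce, is visible
# on the collector rather than lost with the messages.
module(load="impstats" interval="60" severity="7" log.syslog="on" resetCounters="off")
```

Check the syntax before restarting the daemon with `rsyslogd -N1 -f /etc/rsyslog.conf`; note that with `queue.timeoutenqueue="0"` on the main queue, the only evidence of dropped local messages is the impstats counter, so alert on it.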