Re: [rsyslog] rate limiting logs written to a file

Tue, 02 Apr 2024 18:29:10 -0700

rate limiting output will just cause things to back up, it doesn't throw away the messages. It would be better for you to detect these messages and feed them into an external event correlation engine (Simple Event Correltator for example), and have that engine then send you logs that you keep (which could be 'system X sent Y OOM messages in the last 5 min' or something like that) 

David Lang



 On Tue, 2 Apr 2024, Prasad Koya via rsyslog wrote:


Date: Tue, 2 Apr 2024 18:25:01 -0700
From: Prasad Koya via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Prasad Koya <pra...@arista.com>
Subject: [rsyslog] rate limiting logs written to a file

Hi


module( load="imuxsock" )
module( load="imklog" )

if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
     action(type="omfile" queue.size="1000" queue.type="LinkedList"
queue.dequeueSlowDown="3600000000" file="/var/log/oom")
}


If we have a flurry of, for example, "Out of memory" messages from the
facility 'kern', we'd like to keep only, say, one per hour in a
separate file.

https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
says do not set low value for queue.size.

Above page also says queue.dequeueslowdown can be used as
rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
above rsyslog.conf working. high and low watermarks are not applicable
here as it's not a disk based queue. Appreciate any pointers.

Thank you.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to