A piece of feedback against
https://www.rsyslog.com/doc/tutorials/random_sampling.html
I know it's obvious for some people but for some it might not be - it
will collect _about_ 20% of logs provided the overall number of events
is big enough. Since it's a random-based mechanism, it's... random.
Additionally, I had a similar thing implemented for load-balancing to
different "backends" and for some reason it didn't work uniformly (I
think I already wrote about this) - one of four backends was never
chosen. The thing is I was choosing not based directly on random(4) but
on (random(some_bigger_integer) % 4) which I thought would yield more
uniform randomness. It appears I was wrong.
MK
On 3.04.2024 08:51, Rainer Gerhards via rsyslog wrote:
This sounds a bit like you are looking for this:
https://www.rsyslog.com/doc/tutorials/log_sampling.html
HTH
Rainer
El mié, 3 abr 2024 a las 3:25, Prasad Koya via rsyslog
(<[email protected]>) escribió:
Hi
module( load="imuxsock" )
module( load="imklog" )
if ($syslogfacility-text == 'kern' and $msg contains "Out of memory") then {
action(type="omfile" queue.size="1000" queue.type="LinkedList"
queue.dequeueSlowDown="3600000000" file="/var/log/oom")
}
If we have a flurry of, for example, "Out of memory" messages from the
facility 'kern', we'd like to keep only, say, one per hour in a
separate file.
https://rsyslog.readthedocs.io/en/latest/rainerscript/queue_parameters.html
says do not set low value for queue.size.
Above page also says queue.dequeueslowdown can be used as
rate-limiting. Maybe that doesn't apply for "omfile" as I don't see
above rsyslog.conf working. high and low watermarks are not applicable
here as it's not a disk based queue. Appreciate any pointers.
Thank you.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
