rsyslog omfwd-tcp在一段时间后停止发送

时间:2018-10-30 15:33:34

标签: rsyslog

我有一个rsyslog应该只转发消息。它具有常规的514-UDP端口打开并接收消息。转发到omfwd-tcp可以工作一段时间,然后停止。

 if $syslogfacility != 1 then {
  action(Name="syslog-fwd" Type="omfwd" Target="127.0.0.1" Port="10514" >template="JSONDefaultstr" Action.ResumeInterval="5" Protocol="tcp")
stop
}

在日志中,我可以看到以下内容:

2093.110977082:syslog-fwd queue:Reg/w0: wti 0x55e240948920: wti.c: worker awoke from idle processing
2093.110980024:syslog-fwd queue:Reg/w0: queue.c: DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
2093.110982399:syslog-fwd queue:Reg/w0: queue.c: doDeleteBatch: delete batch from store, new sizes: log 1, phys 1
2093.110984879:syslog-fwd queue:Reg/w0: syslog-fwd queue: queue.c: dequeued 1 consumable elements, szlog 0 sz phys 1
2093.110991750:syslog-fwd queue:Reg/w0: ../action.c: action 'syslog-fwd': is transactional - executing in commit phase
2093.110994557:syslog-fwd queue:Reg/w0: omfwd.c: omfwd: beginTransaction
2093.110997258:syslog-fwd queue:Reg/w0: omfwd.c: omfwd: doTryResume 127.0.0.1 iRet 0
2093.110999651:syslog-fwd queue:Reg/w0: ../action.c: action[syslog-fwd] transitioned to state: itx
2093.111002109:syslog-fwd queue:Reg/w0: ../action.c: processBatchMain: i 0, processMsgMain iRet -2121
2093.111004393:syslog-fwd queue:Reg/w0: ../action.c: processBatchMain: i 0, COMM state set
2093.111006850:syslog-fwd queue:Reg/w0: ../action.c: actionCommit[syslog-fwd]: enter, 1 msgs
2093.111009128:syslog-fwd queue:Reg/w0: ../action.c: actionCommit[syslog-fwd]: processing...
2093.111011368:syslog-fwd queue:Reg/w0: ../action.c: actionTryCommit[syslog-fwd] enter
2093.111013724:syslog-fwd queue:Reg/w0: ../action.c: doTransaction: have commitTransaction IF, using that, pWrkrInfo 0x55e2409489f0
2093.111016211:syslog-fwd queue:Reg/w0: ../action.c: entering actionCallCommitTransaction[syslog-fwd], state: itx, nMsgs 1
2093.111018502:syslog-fwd queue:Reg/w0: omfwd.c: omfwd: doTryResume 127.0.0.1 iRet 0
2093.111020942:syslog-fwd queue:Reg/w0: omfwd.c:  127.0.0.1:10514/tcp
2093.111024094:syslog-fwd queue:Reg/w0: omfwd.c: omfwd: add 227 bytes to send buffer (curr offs 0)
2093.111047664:syslog-fwd queue:Reg/w0: omfwd.c: omfwd: TCP sent 227 bytes, requested 227
2093.111051182:syslog-fwd queue:Reg/w0: ../action.c: actionCallCommitTransaction[syslog-fwd] state: itx mod commitTransaction returned 0
2093.111053587:syslog-fwd queue:Reg/w0: ../action.c: action[syslog-fwd] transitioned to state: rdy
2093.111055999:syslog-fwd queue:Reg/w0: ../action.c: actionCommit[syslog-fwd]: return actionTryCommit 0
2093.111058371:syslog-fwd queue:Reg/w0: ../action.c: actionCommit[syslog-fwd]: done, iRet 0
2093.111060964:syslog-fwd queue:Reg/w0: queue.c: regular consumer finished, iret=0, szlog 0 sz phys 1
2093.111063484:syslog-fwd queue:Reg/w0: queue.c: DeleteProcessedBatch: etry 0 state 3
2093.111066649:syslog-fwd queue:Reg/w0: queue.c: DeleteProcessedBatch: we deleted 1 objects and enqueued 0 objects
2093.111069152:syslog-fwd queue:Reg/w0: queue.c: doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
2093.111071641:syslog-fwd queue:Reg/w0: syslog-fwd queue: queue.c: dequeued 0 consumable elements, szlog 0 sz phys 0
2093.111074225:syslog-fwd queue:Reg/w0: queue.c: regular consumer finished, iret=4, szlog 0 sz phys 0
2093.111076514:syslog-fwd queue:Reg/w0: wti.c: syslog-fwd queue:Reg/w0: worker IDLE, waiting for work.
2093.280167252:imtcp.c        : nsdpoll_ptcp.c: epoll returned 1 entries
2093.280182600:imtcp.c        : tcpsrv.c: tcpsrv: ready to process 1 event entries
...

这很好...但是突然之间:

2093.280485033:syslog-fwd queue:Reg/w0: wti 0x55e240948920: wti.c: worker awoke from idle processing
2093.280488998:syslog-fwd queue:Reg/w0: queue.c: DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
2093.280491486:syslog-fwd queue:Reg/w0: queue.c: doDeleteBatch: delete batch from store, new sizes: log 2, phys 2
2093.280494077:syslog-fwd queue:Reg/w0: syslog-fwd queue: queue.c: dequeued 2 consumable elements, szlog 0 sz phys 2
2093.293312843:imtcp.c        : nsdpoll_ptcp.c: epoll returned 1 entries
2093.293326156:imtcp.c        : tcpsrv.c: tcpsrv: ready to process 1 event entries

再也不会出现“ wti 0x55e240948920:wti.c:工作者从空闲处理中醒来”的情况。 队列被填满:

2094.037943773:main Q:Reg/w0  : ../action.c: action 'syslog-fwd': called, logging to builtin:omfwd (susp 0/0, direct q 0)
2094.037946442:main Q:Reg/w0  : syslog-fwd queue: queue.c: qqueueAdd: entry added, size now log 11, phys 13 entries
2094.037948880:main Q:Reg/w0  : syslog-fwd queue: queue.c: EnqueueMsg advised worker start
2094.037951334:main Q:Reg/w0  : ../action.c: action 'syslog-fwd': set suspended state to 0

...

2363.077252235:main Q:Reg/w0  : ../action.c: action 'syslog-fwd': called, logging to builtin:omfwd (susp 0/0, direct q 0)
2363.077255829:main Q:Reg/w0  : syslog-fwd queue: queue.c: queue nearly full (3000 entries), but could not drop msg (iRet: 0, severity 6)
2363.077258619:main Q:Reg/w0  : syslog-fwd queue: queue.c: doEnqSingleObject: queue FULL - waiting 2000ms to drain.

现在有趣的是:当我添加以下规则(在其他规则之前)

if $syslogfacility == 4 then {
        action(Name="write4" Type="omfile" File="/var/log/syslog4" )
        stop
}

一切正常。邮件中

Oct 31 07:54:26 otherhost.com sssd_be: GSSAPI client step 2
Oct 31 07:54:27 somehost.com sssd_be: GSSAPI client step 1

有人提示吗?

1 个答案:

答案 0 :(得分:0)

我自己也观察到相同的问题,并将其作为错误提出:

https://github.com/rsyslog/rsyslog/issues/3273

就我而言,它与我使用omrelp发送的omfwd无关,而是导致问题的imfile。