Control: severity -1 important
Control: tags -1 moreinfo
On 07.08.2015 at 12:19, Norbert Weinhold wrote:
> Package: rsyslog
> Version: 8.4.2-1
> Severity: critical
> Justification: breaks the whole system
>
> After running for around 11 hours, rsyslog consumes the following resources.
> It also made the kernel kill processes because of out-of-memory.
> Two machines show the same behaviour:
>
> Machine A
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 483 root 20 0 557792 310640 2976 S 0.0 15.1 1:27.76 rsyslogd
>
> Machine B
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 30590 root 20 0 410336 161060 2896 S 0.0 7.8 1:21.88 rsyslogd
>
> Both machines have the same purpose, but machine B has load usually, that
> is why I assume less memory is consumed.
>
> Regards,
> Norbert
>
> -- System Information:
> Debian Release: 8.1
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages rsyslog depends on:
> ii init-system-helpers 1.22
> ii initscripts 2.88dsf-59
> ii libc6 2.19-18
> ii libestr0 0.1.9-1.1
> ii libjson-c2 0.11-4
> ii liblogging-stdlog0 1.0.4-1
> ii liblognorm1 1.0.1-3
> ii libuuid1 2.25.2-6
> ii lsb-base 4.1+Debian13+nmu1
> ii zlib1g 1:1.2.8.dfsg-2+b1
>
> Versions of packages rsyslog recommends:
> ii logrotate 3.8.7-1+b1
>
> Versions of packages rsyslog suggests:
> pn rsyslog-doc <none>
> pn rsyslog-gnutls <none>
> pn rsyslog-gssapi <none>
> pn rsyslog-mongodb <none>
> pn rsyslog-mysql | rsyslog-pgsql <none>
> pn rsyslog-relp <none>
>
> -- Configuration Files:
> /etc/logrotate.d/rsyslog changed:
> /var/log/debug
> /var/log/syslog
> {
> rotate 7
> daily
> missingok
> notifempty
> delaycompress
> compress
> postrotate
> invoke-rc.d rsyslog rotate > /dev/null
> endscript
> }
> /var/log/mail.info
> /var/log/mail.warn
> /var/log/mail.err
> /var/log/mail.log
> /var/log/daemon.log
> /var/log/kern.log
> /var/log/auth.log
> /var/log/user.log
> /var/log/lpr.log
> /var/log/cron.log
> /var/log/messages
> {
> rotate 4
> weekly
> missingok
> notifempty
> compress
> delaycompress
> sharedscripts
> postrotate
> invoke-rc.d rsyslog rotate > /dev/null
> endscript
> }
>
> /etc/rsyslog.conf changed:
> $ModLoad imuxsock # provides support for local system logging
> $ModLoad imklog # provides kernel logging support
> $SystemLogRateLimitInterval 0
> $SystemLogRateLimitBurst 0
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $FileOwner root
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
> $Umask 0022
> $WorkDirectory /var/spool/rsyslog
> $IncludeConfig /etc/rsyslog.d/*.conf
> auth,authpriv.* /var/log/auth.log
> *.*;auth,authpriv.none -/var/log/syslog
> daemon.* -/var/log/daemon.log
> kern.* -/var/log/kern.log
> lpr.* -/var/log/lpr.log
> mail.* -/var/log/mail.log
> user.* -/var/log/user.log
> mail.info -/var/log/mail.info
> mail.warn -/var/log/mail.warn
> mail.err /var/log/mail.err
> news.crit /var/log/news/news.crit
> news.err /var/log/news/news.err
> news.notice -/var/log/news/news.notice
> *.=debug;\
> auth,authpriv.none;\
> news.none;mail.none -/var/log/debug
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,news.none -/var/log/messages
> *.emerg :omusrmsg:*
> daemon.*;mail.*;\
> news.err;\
> *.=debug;*.=info;\
> *.=notice;*.=warn |/dev/xconsole
> *.* @monitoring-1.example.net
> *.* @monitoring-2.example.net

Do you have any includes in /etc/rsyslog.d/? If so, please attach them.
What amount of data is logged in that 11/8 hours?
Can you pinpoint the leak to a specific rule?
Have you tried to remove the remote logging, for example?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

