Syslog information loss in RedHat 6

We use LinuxSyslogTo record the debug log of the product. Call one of the executable files. After the command is executed, view the debug log information, and the logs after a certain log are lost. After multiple attempts, it is found that logs are lost after a fixed log every time. This blog post will let us explore the details.

I. Problem Discovery

Before discovering the real problem, I made the following attempts:

(1) Does a process exit some logic after a fixed log? Or will a signal be generated in the statement after the fixed log printing result in Process Termination? Print a message at the end of the program to the screen. You can see that the program runs normally and exits.
(2) has the debug log object changed or the debug level changed during running? Print the information in the program and no exception is found.

(3) Check the branch logic of the program through GDB debugging

No problem was found in the above method. In fact, there is another idea: Will syslog discard some log information? But it was first ruled out by me. At that time, there were two reasons: first, this problem did not occur on redhat4/5; second, the RedHat 6 platform products have been released for at least a year, if the debug log is always missing, it should not wait for me to find it. However, it is precisely because of some conventional thinking, or some seemingly rational but not rigorous inferences that the truth is delayed.

Next, I checked the/var/log/messages file first and saw the following error message.6292It is the ID of the previously executed process.

imuxsock begins to drop messages from pid 6292 due to rate-limiting

Obviously, the reason was quickly found out by using the Google artifact, which is related to the rsyslog mechanism in RedHat 6 and can be configured.

2. rsyslog rate limit configuration in RedHat 6

The so-called rate limit refers to the maximum number of logs that can be printed by Syslog within a fixed period of time (more logs will be discarded ). In RedHat 6, it is determined by the following two configuration items in the configuration file/etc/rsyslog. conf:

$ Systemlogratelimitinterval [number1]: Number1 is the set time interval.

$ Systemlogratelimitburst [number2]: Number2 indicates the maximum number of log information output during the specified time interval.

After setting, it indicates that during each number1 interval, logs exceeding the number of number2 will be removed. The default value of number1 is 5 seconds, and that of number2 is 200.However, if you do not want to print a log, you can add or set it in/etc/rsyslog. conf.:

$SystemLogRateLimitInterval 0

After setting, you must restart the rsyslog service by running the following command: Service rsyslog restart) Oh ~~~

Refer:

1. https://bugzilla.redhat.com/show_bug.cgi? Format = multiple & amp; id = 753363

2. http://lists.adiscon.net/pipermail/rsyslog/2011-April/028307.html

3. http://www.rsyslog.com/tag/rate-limiting/