Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

25.5.4. Using the New Syntax for rsyslog queues

In the new syntax available in rsyslog 7, queues are defined inside the action() object that can be used both separately or inside a ruleset in /etc/rsyslog.conf. The format of an action queue is as follows:
action(type="action_type" queue.size="queue_size" queue.type="queue_type" queue.filename="file_name")
Replace action_type with the name of the module that is to perform the action and replace queue_size with a maximum number of messages the queue can contain. For queue_type, choose disk or select from one of the in-memory queues: direct, linkedlist or fixedarray. For file_name specify only a file name, not a path. Note that if creating a new directory to hold log files, the SELinux context must be set. See Section 25.5.2, “Creating a New Directory for rsyslog Log Files” for an example.

Example 25.13. Defining an Action Queue

To configure the output action with an asynchronous linked-list based action queue which can hold a maximum of 10,000 messages, enter a command as follows:
action(type="omfile" queue.size="10000" queue.type="linkedlist" queue.filename="logfile")
The rsyslog 7 syntax for a direct action queues is as follows:
*.* action(type="omfile" file="/var/lib/rsyslog/log_file
     )
The rsyslog 7 syntax for an action queue with multiple parameters can be written as follows:
*.* action(type="omfile"
              queue.filename="log_file"
              queue.type="linkedlist"
              queue.size="10000"
     )
The default work directory, or the last work directory to be set, will be used. If required to use a different work directory, add a line as follows before the action queue:
global(workDirectory="/directory")

Example 25.14. Forwarding To a Single Server Using the New Syntax

The following example is based on the procedure Procedure 25.2, “Forwarding To a Single Server” in order to show the difference between the traditional sysntax and the rsyslog 7 syntax. The omfwd plug-in is used to provide forwarding over UDP or TCP. The default is UDP. As the plug-in is built in it does not have to be loaded.
Use the following configuration in /etc/rsyslog.conf or create a file with the following content in the /etc/rsyslog.d/ directory:
*.* action(type="omfwd"
      queue.type="linkedlist"
      queue.filename="example_fwd"
      action.resumeRetryCount="-1"
      queue.saveOnShutdown="on"
      target="example.com" port="6514" protocol="tcp"
     )
Where:
  • queue.type="linkedlist" enables a LinkedList in-memory queue,
  • queue.filename defines a disk storage. The backup files are created with the example_fwd prefix, in the working directory specified by the preceding global workDirectory directive,
  • the action.resumeRetryCount -1 setting prevents rsyslog from dropping messages when retrying to connect if server is not responding,
  • enabled queue.saveOnShutdown="on" saves in-memory data if rsyslog shuts down,
  • the last line forwards all received messages to the logging server, port specification is optional.