From d811281650658d99feb66dbb2a2381d99198afc5 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Sun, 16 Jun 2013 11:12:24 +0200 Subject: doc: improve imjournal doc and add ratelimiting paramters --- doc/imjournal.html | 64 +++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 56 insertions(+), 8 deletions(-) diff --git a/doc/imjournal.html b/doc/imjournal.html index df9a436a..30f07ff5 100644 --- a/doc/imjournal.html +++ b/doc/imjournal.html @@ -1,6 +1,6 @@ -Text File Input Monitor +Systemd Journal Input Module back @@ -11,36 +11,84 @@

Description:

Provides the ability to import structured log messages from systemd journal to syslog.

+

Note that this module reads the journal database, what is considered a +relativly performance-intense operation. As such, the performance of a +configuration utilizing this +module may be notably slower then when using +imuxsock. The journal provides imuxsock with a +copy of all "classical" syslog messages, however, it does not provide +structured data. If the latter is needed, imjournal must be used. Otherwise, +imjournal may be simply replaced by imuxsock. +

We suggest to check out our short presentation on +rsyslog journal integration to +learn more details of anticipated use cases. +

Warning: Some versions of systemd journal have problems with database corruption, which leads to the journal to return the same data endlessly in a thight loop. This results in massive message duplication inside rsyslog probably resulting in a denial-of-service when the system ressouces get exhausted. This can be somewhat mitigated by using proper rate-limiters, but -even then there are spikes of old data which are endlessly repeated. -As such, it is strongly recommended to use this plugin only if there +even then there are spikes of old data which are endlessly repeated. By default, +ratelimiting is activated and permits to process 20,000 messages within 10 +seconds, what should be well enough for most use cases. If insufficient, use +the parameters described below to adjust the permitted volume. +It is strongly recommended to use this plugin only if there is hard need to do so.

Configuration Directives:

Module Directives

+ +

Legacy Configuration Directives:

+ + Caveats/Known Bugs:

+

Sample:

The following example shows pulling structured imjournal messages and saving them into /var/log/ceelog

-