Adapting the rate limiting of rsyslog

Rate limiting os rsyslog has advantages and disadvantages. An advantage is that it makes sure that your computer resources are not depleted while processing syslog messages from log too much. A disadvantage is that it’s possible that a lot of useful log records are missed due to the rate limiting of rsyslog.

Problem

As you all know, the logs on a Ubuntu installation are usually stored in /var/log. The main syslog file is /var/log/syslog. While troubleshooting, this message appears a lot in the syslog file.

rsyslogd-xxxx: imuxsock begins to drop messages from pid xxx due to rate-limiting

Troubleshooting a problem becomes difficult if the useful log message are rate limited. That’s why we want to change the default settings.

Solution

By default, the rate limiting of rsyslog is configured to drop log records when when more then 200 messages in 5 seconds are received from a process. The values can be adapted by adding the following 2 lines to /etc/rsyslog.conf. That is the main configuration file of rsyslog.

$SystemLogRateLimitInterval 2
$SystemLogRateLimitBurst 500

I’ve already set them to the values that I use on my systems. You can still adapt them to your needs. It’s not advised to disable the rate limitting completely. Without rate limitting, a single process would be able to fill up your logging partitions completely in a relatively short time.

rsyslog doesn’t reload its configuration file automatically. We have to restart it manually.

# service rsyslog restart

More info can be found on the following page:
http://www.rsyslog.com/changing-the-settings/

Leave a Reply

Your email address will not be published. Required fields are marked *