By default in Linux there are a few different mechanisms in place that may rate limit logging. These are primarily the systemd journal and rsyslog rate limits that are in place by default.

Here we cover modifying or removing rate limiting for logging.

Why Rate Limiting?

Rate limitations on logging are in place to prevent logging from using excessive levels of system resources. To log an event, it needs to be written to disk which uses system resources. If there are too many of these events coming in that need to be recorded to disk they can overwhelm a system and cause more important services to respond slowly or fail.

For this reason it is generally not recommended to completely disable rate limiting, but to tweak it as required. At the same time we do not want to drop important messages that may be required to generate a critical alert, so a balance needs to be found.

Systemd Journal Rate Limiting

How do we know if the journal limits are actually causing us to drop log messages? Generally you will see similar messages in the log files as below.

Jan  9 09:18:07 server1 journal: Suppressed 7124 messages from /system.slice/named.service

In this particular case we have a DNS server running Bind which is logging all DNS queries. 7124 messages were suppressed and dropped (not logged) because they were coming in too fast in this example.

By default systemd allows 1,000 messages within a 30 second period.

The limits are controlled in the /etc/systemd/journald.conf file.

RateLimitInterval=0

RateLimitBurst=0

If more messages than the amount specified in RateLimitBurst are received within the time defined by RateLimitInterval, all further messages within the interval are dropped until the interval is over.

You can modify these values as you see fit, you can completely disable systemd journal logging rate limiting by setting both to 0.

If you make any changes to /etc/systemd/journald.conf you will need to restart the systemd-journald service to apply the changes.

systemctl restart systemd-journald

Rsyslog Rate Limiting

The systemd journal limit is hit before any default rsyslog limits as its default limits are smaller. By default rsyslog will accept 20,000 messages within a 10 minute period.

Therefore if you increase the rate limiting of the systemd journal logging as shown above you may then start to receive similar messages in your syslog logs as shown below.

....

Jan  9 22:42:35 server1 rsyslogd-2177: imjournal: begin to drop messages due to rate-limiting

Jan  9 22:51:26 server1 rsyslogd-2177: imjournal: 143847 messages lost due to rate-limiting

...

The first message states that messages will be dropped as the limit has been reached, and once the interval is over (after 10 minutes by default) the amount of messages that were lost due to rate limiting will then be logged.

The limits are controlled in the /etc/rsyslog.conf file.

$SystemLogRateLimitInterval 0

$SystemLogRateLimitBurst 3000

For further information see the imjournal rsyslog documentation.

Again you can modify these values as you like, and they can be completely disabled by setting both to 0.

If you make any changes to the /etc/rsyslog.conf file you will need to restart the rsyslog service to apply the changes.

systemctl restart rsyslog

Summary

As shown we can check our log files to find out if logs are being dropped due to either systemd journal or syslog rate limits. The systemd journal default rate limit is much lower than the syslog default rate limit so it will be triggered first. Once you increase the rate limiting on the systemd journal logging you may then start to experience additional rate limiting by syslog, which can then also be increased if required.

实例配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
vim /etc/rsyslog.conf
 
 
 
#### MODULES ####
 
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$imjournalRatelimitInterval 0
$SystemLogRateLimitInterval 0
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability
 
 
 
 
systemctl restart rsyslog

How To Change Log Rate Limiting In Linux的更多相关文章

  1. 删除DSO Change Log表数据

    声明:原创作品,转载时请注明文章来自SAP师太技术博客( 博/客/园www.cnblogs.com):www.cnblogs.com/jiangzhengjun,并以超链接形式标明文章原始出处,否则将 ...

  2. Overview & Change Log

    Overview & Change Log Nova Framework is a PHP 5.5+ MVC Framework. It's designed to be lightweigh ...

  3. Commit message 和 Change log 编写指南

    来源:http://www.ruanyifeng.com/blog/2016/01/commit_message_change_log.html Git 每次提交代码,都要写 Commit messa ...

  4. 高可用服务设计之二:Rate limiting 限流与降级

    <高可用服务设计之二:Rate limiting 限流与降级> <nginx限制请求之一:(ngx_http_limit_conn_module)模块> <nginx限制 ...

  5. Git_学习_09_Commit message 和 Change log 编写指南

    一.前言 二.Commit message编写 1.规范 2.用空行分开主题和正文 提交时只执行 git commit,这时就会跳出文本编辑器,让你写多行. git commit 主题和正文分开 每次 ...

  6. 【转】获取Jenkins构建时Git Change Log

    原文:https://www.jianshu.com/p/513ab6915dbd 在基于Jenkins进行CI持续集成的工作,在构建后上传蒲公英时想将本次版本的git commit信息同步到蒲公英的 ...

  7. How to change default root@ email address linux / postfix / centos?

    Change root@hostname to different email address By default, any email sent by system is sent to root ...

  8. [log]利用logrotate对Linux log进行管理

    转自:http://feikiss.iteye.com/blog/1402181 https://linux.cn/article-4126-1.html Syslog-ng服务是Linux系统中重要 ...

  9. /var/log目录下的Linux日志文件功能详解_转

    摘自:http://www.niaoyun.com/help/application/386.html 学习linux应该知道日志文件的所在位置以及它们包含的内容,在系统运行正常的情况下学习了解这些不 ...

随机推荐

  1. tomcat启动(一)startup.bat|catalina.bat分析

    环境:windows X64位 Tomcat8.0.47 bootstrap.jar是tomcat的内核 开始位置 startup.bat 查看文本 具体的批处理脚本语法可以查看我整理的文章 http ...

  2. 数据分析--降维--LDA和PCA

    一.因子分析 因子分析是将具有错综复杂关系的变量(或样本)综合为少数几个因子,以再现原始变量和因子之间的相互关系,探讨多个能够直接测量,并且具有一定相关性的实测指标是如何受少数几个内在的独立因子所支配 ...

  3. Solidity两个string的比较

    有三种比较方法 方法一:比较string的哈希值方法二:先比较string的长度,再比较每个对应位置的字母是否相同方法三:先比较string的长度,再比较string的哈希值一.比较string的哈希 ...

  4. Linux下svn服务器搭建

    初次在linux上搭建svn服务器,本来以为很繁琐,其实很简单,主要分为以下几个步骤: 1.  首先安装subversion,命令:yum install subversion 2.  创建svn仓库 ...

  5. 不会几个框架,都不好意思说搞过前端: Node.js & angular.js

    Node.js  菜鸟教程 :http://www.runoob.com/nodejs/nodejs-install-setup.html angular.js  菜鸟教程 :http://www.r ...

  6. RabbitMQ上手记录–part 2 - 安装RabbitMQ

    上一篇<<RabbitMQ 上手记录-part 1>>介绍了一些基础知识,整理了一些基础概念.接下来整理一些安装步骤和遇到的问题. 我在CentOS7和Ubuntu16.4上都 ...

  7. Android应用博客目录

    应用有很多,开个博客都放进来方便查找,也方便修改 1 语言类: 1.1 JAVA 基础语言知识JAVA Collection与Collections,Array与Arrays的区别 JAVA练手--S ...

  8. Mysql5.5升级到5.6步骤详解 小版本大版本

    http://blog.csdn.net/i_team/article/details/9935693 小版本升级,先关闭数据库,然后mv直接全部替换掉mysql目录下的bin/ ,lib/ ,sha ...

  9. Linux系统修改Mysql密码

    一.拥有原来的myql的root的密码: 方法一: 在mysql系统外,使用mysqladmin mysqladmin -u root -p password "test123" ...

  10. [日常] SinaMail项目和技术能力总结

    一.企邮WEBMAIL项目1.完成手机绑定二次验证,绑定手机提升账户的安全性2.登陆验证接口改造,增加一系列登陆限制,增强webmail的系统可靠性3.增加外发限制功能,及时控制用户发信行为,有利于企 ...