How to disable rsyslog Rate-Limiting in Red Hat Enterprise Linux 6?

Environment

• Red Hat Enterprise Linux 6
• rsyslog-5.8
• rsyslog7

Issue

• system log is not working, restarting rsyslogd/crond to make it working again.

• The following messages have been reported in /var/log/messages:

Jul  3 08:50:16 localhost rsyslogd-2177: imuxsock lost 838 messages from pid 4713 due to rate-limiting
Jul  3 08:50:17 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 4713 due to rate-limiting

• How to disable rsyslog rate-limiting in order to prevent these messages?

Resolution

Perform the steps given below to disable rsyslog rate-limiting.

1.Edit /etc/rsyslog.conf

2.Add the following parameters under "$ModLoad imuxsock # needs to be done just once" section.

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$IMUXSockRateLimitBurst 0
$IMUXSockRateLimitInterval 0
$IMUXSockRateLimitSeverity 7

3.Restart rsyslog:

# service rsyslog restart

More details about the parameters mentioned above:

$SystemLogRateLimitInterval [number]
$SystemLogRateLimitBurst [number]

The SystemLogRateLimitInterval determines the amount of time that is being measured for rate limiting. By default this is set to 5 seconds. The SystemLogRateLimitBurst defines the amount of messages, that have to occur in the time limit of SystemLogRateLimitInterval, to trigger rate limiting. Here, the default is 200 messages. For creating a more effective test, we will alter the default values.

$IMUXSockRateLimitBurst [number] - equivalent to: RateLimit.Burst, specifies the rate-limiting burst in number of messages. Default is 200.

$IMUXSockRateLimitSeverity [numerical severity] - equivalent to: RateLimit.Severity, which specifies the severity of messages that shall be rate-limited.

• For achieving the same on RHEL 7, refer How to disable rate limiting in Red Hat Enterprise Linux 7?

Note: if This content is not included.remote logging is configured on your system (or will be configured), disabling Rate-Limiting can be a further cause of isues, up to the point of affecting other applications using syslog. In this case, please implement action queues in order to avoid this.

Root Cause

• Those messages means that in 5 seconds, a process sends more than 200 messages to rsyslog. At this point, rsyslog will drop messages if rate limiting is enabled.

• NOTICE: This is a safeguard measure to prevent logs from filling the /var partition. Exercise care if you disable rate limiting, as it might fill your log partition. It is often better to investigate which process is flooding the logs with messages and resolve this issue. Often, an application will be set at a "debug" log level, which will cause very verbose logging. If the logging is not needed, please consult the application documentation to lower the logging level.

• If the server is being used as a central log server it is strongly recommended that you ensure you are running the rsyslog7 packages which resolve a number of severe issues related to maintaining multiple input streams with the rsyslog-5 versions. Please see the yum shell method described in Upgrading to rsyslog7 without removing cron and dependency package ?.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.