By default in Linux there are a few different mechanisms in place that may rate limit logging. These are primarily the systemd journal and rsyslog rate limits that are in place by default.

Here we cover modifying or removing rate limiting for logging.

Why Rate Limiting?

Rate limitations on logging are in place to prevent logging from using excessive levels of system resources. To log an event, it needs to be written to disk which uses system resources. If there are too many of these events coming in that need to be recorded to disk they can overwhelm a system and cause more important services to respond slowly or fail.

For this reason it is generally not recommended to completely disable rate limiting, but to tweak it as required. At the same time we do not want to drop important messages that may be required to generate a critical alert, so a balance needs to be found.

Systemd Journal Rate Limiting

How do we know if the journal limits are actually causing us to drop log messages? Generally you will see similar messages in the log files as below.

Jan  9 09:18:07 server1 journal: Suppressed 7124 messages from /system.slice/named.service

In this particular case we have a DNS server running Bind which is logging all DNS queries. 7124 messages were suppressed and dropped (not logged) because they were coming in too fast in this example.

By default systemd allows 1,000 messages within a 30 second period.

The limits are controlled in the /etc/systemd/journald.conf file.

RateLimitInterval=0

RateLimitBurst=0

If more messages than the amount specified in RateLimitBurst are received within the time defined by RateLimitInterval, all further messages within the interval are dropped until the interval is over.

You can modify these values as you see fit, you can completely disable systemd journal logging rate limiting by setting both to 0.

If you make any changes to /etc/systemd/journald.conf you will need to restart the systemd-journald service to apply the changes.

systemctl restart systemd-journald

Rsyslog Rate Limiting

The systemd journal limit is hit before any default rsyslog limits as its default limits are smaller. By default rsyslog will accept 20,000 messages within a 10 minute period.

Therefore if you increase the rate limiting of the systemd journal logging as shown above you may then start to receive similar messages in your syslog logs as shown below.

....

Jan  9 22:42:35 server1 rsyslogd-2177: imjournal: begin to drop messages due to rate-limiting

Jan  9 22:51:26 server1 rsyslogd-2177: imjournal: 143847 messages lost due to rate-limiting

...

The first message states that messages will be dropped as the limit has been reached, and once the interval is over (after 10 minutes by default) the amount of messages that were lost due to rate limiting will then be logged.

The limits are controlled in the /etc/rsyslog.conf file.

$SystemLogRateLimitInterval 0

$SystemLogRateLimitBurst 3000

For further information see the imjournal rsyslog documentation.

Again you can modify these values as you like, and they can be completely disabled by setting both to 0.

If you make any changes to the /etc/rsyslog.conf file you will need to restart the rsyslog service to apply the changes.

systemctl restart rsyslog

Summary

As shown we can check our log files to find out if logs are being dropped due to either systemd journal or syslog rate limits. The systemd journal default rate limit is much lower than the syslog default rate limit so it will be triggered first. Once you increase the rate limiting on the systemd journal logging you may then start to experience additional rate limiting by syslog, which can then also be increased if required.

实例配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
vim /etc/rsyslog.conf
 
 
 
#### MODULES ####
 
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$imjournalRatelimitInterval 0
$SystemLogRateLimitInterval 0
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability
 
 
 
 
systemctl restart rsyslog

How To Change Log Rate Limiting In Linux的更多相关文章

  1. 删除DSO Change Log表数据

    声明:原创作品,转载时请注明文章来自SAP师太技术博客( 博/客/园www.cnblogs.com):www.cnblogs.com/jiangzhengjun,并以超链接形式标明文章原始出处,否则将 ...

  2. Overview & Change Log

    Overview & Change Log Nova Framework is a PHP 5.5+ MVC Framework. It's designed to be lightweigh ...

  3. Commit message 和 Change log 编写指南

    来源:http://www.ruanyifeng.com/blog/2016/01/commit_message_change_log.html Git 每次提交代码,都要写 Commit messa ...

  4. 高可用服务设计之二:Rate limiting 限流与降级

    <高可用服务设计之二:Rate limiting 限流与降级> <nginx限制请求之一:(ngx_http_limit_conn_module)模块> <nginx限制 ...

  5. Git_学习_09_Commit message 和 Change log 编写指南

    一.前言 二.Commit message编写 1.规范 2.用空行分开主题和正文 提交时只执行 git commit,这时就会跳出文本编辑器,让你写多行. git commit 主题和正文分开 每次 ...

  6. 【转】获取Jenkins构建时Git Change Log

    原文:https://www.jianshu.com/p/513ab6915dbd 在基于Jenkins进行CI持续集成的工作,在构建后上传蒲公英时想将本次版本的git commit信息同步到蒲公英的 ...

  7. How to change default root@ email address linux / postfix / centos?

    Change root@hostname to different email address By default, any email sent by system is sent to root ...

  8. [log]利用logrotate对Linux log进行管理

    转自:http://feikiss.iteye.com/blog/1402181 https://linux.cn/article-4126-1.html Syslog-ng服务是Linux系统中重要 ...

  9. /var/log目录下的Linux日志文件功能详解_转

    摘自:http://www.niaoyun.com/help/application/386.html 学习linux应该知道日志文件的所在位置以及它们包含的内容,在系统运行正常的情况下学习了解这些不 ...

随机推荐

  1. linux一键安装php环境

    1.下载一键安装包: http://pan.baidu.com/s/1o6lWyeu 2.unzip -x sh.zip chmod -R 755 sh ./install.sh 等待半小时左右 3. ...

  2. 从n个字符中,找出m个排列组合

    #include <string.h> #include <stdio.h> #include <stdlib.h> void combine(char *valu ...

  3. redis实战笔记(2)-第2章 使用 Redis构建Web应用

    第2章 使用 Redis构建Web应用 本章主要内容   1.登录cookie 2.购物车cookie 3.缓存生成的网页 4.缓存数据库行 5.分析网页访问记录   本章的所有内容都是围绕着发现并解 ...

  4. Lucene系列-facet--转

    https://blog.csdn.net/whuqin/article/details/42524825 1.facet的直观认识 facet:面.切面.方面.个人理解就是维度,在满足query的前 ...

  5. textarea的placeholder属性内容折行显示(PC和移动端端)

    1.PC端折行方法 placeholder="字体 字体" 可以使其折行显示   2.移动端折行方法 webkit内核 textarea::-webkit-input-placeh ...

  6. CUBA 7:崭新的篇章

    原文链接:https://www.cuba-platform.com/blog/cuba-7-the-new-chapter 最近(2019年春节前夕)发布的 CUBA 和 Studio 的第7个版本 ...

  7. 添加右键使用 SublimeText 打开

    最近修改了系统,重新安装 SublimeText 但是在安装的时候忘记设置右键使用 SublimeText 打开,所以就需要写注册表. 可以复制下面的代码到一个记事本,然后保存为 sublime_ad ...

  8. jQuery设置下拉框select 默认选中第一个option

    $("#id option:first").prop("selected", 'selected');

  9. hdu Rescue 1242

    Rescue Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others)Total Subm ...

  10. ARM体系结构和汇编指令

    第一节 可编程器件的编程原理 1. 可编程器件的特点 1 . CPU在固定频率的时钟控制下节奏运行 2 . CPU可以通过总线读取外部存储设备中的二进制指令集,然后解码执行 3 . 这些可以被CPU解 ...