rsyslog taking huge memory

Question

I am using rsyslog to send messages to remote machines over TCP. A java service is writing to a logger in syslog named local4. The memory sage starts from 1MB and grows till 4-5GB. I am not sure how to debug this issue and figure out what in Rsyslog is taking so much memory and how it can be reduced. Below is my rsyslog.conf:

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support

$ModLoad imudp
$UDPServerRun 514

$KLogPermitNonKernelFacility on


$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RepeatedMsgReduction on

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none,local4.none              -/var/log/syslog

mail.*                          -/var/log/mail.log



$template RTFormat,"%msg%\n"
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRuleRTLogs1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 4gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down

$MaxMessageSize 5k
local4.* @@internal-elb.amazonaws.com:5149;RTFormat

Any help would be great.

Answer 1

Is this box receiving logs from other host? If not, UDP server enabled is not necessary. In terms of collecting log is this a client or a server?

Also: are you sure logs are received on the TCP endpoint? Having

$ActionResumeRetryCount -1

means all logs will be stored on disk but loaded in memory when trying to ship them to the server.