@richm Does this problem affect Rsyslog as it affected Fluentd?
If you set the MERGE_JSON_LOGandCDM_UNDEFINED_TO_STRINGenviroment variables totrue, you might receive an Elasticsearch *400* error.

Yes.

@richm Where in the config map is this code added? The console reported the CM is updated, but the code disappears.

Throttling is not supported (yet) by rsyslog.

@richm Is the secure-forward plug-in for Fluentd only?

Yes. We'll have to figure out some other way for rsyslog to forward logs off of the cluster.

should add that to the list of differences between fluentd and rsyslog

Outdated

size of the fluentd.log file or the rsyslog.log file

openshift/origin-aggregated-logging#1722

Seems we don't have an default option here.

@QiaolingTang Thank you. I will correct this throughout. There is no default. The user needs to specify the collector in the CR.

I don't think the default value of RSYSLOG_IMAGE will be docker.io/viaq/rsyslog:latest after the rsyslog's GA. And the RSYSLOG_IMAGE is written in the CSV, it's better not to change the value. Setting environment variable won't make any change.

@mburke5678 I checked the default values of rsyslog's resources, they are:

name: rsyslog
resources:
  limits:
    memory: 358Mi
  requests:
    cpu: 100m
    memory: 358Mi

name: logrotate
resources:
  limits:
    memory: 358Mi
  requests:
    cpu: 100m
    memory: 358Mi

Users can specify the limits and requests.

For fluentd, it's /var/log/fluentd/fluentd.log , for rsyslog, it is /var/log/rsyslog/rsyslog.log

The log files for rsyslog is looks like:
-rw-r--r--. 1 root root 467 Jul 17 03:40 logrotate.log
-rw-r--r--. 1 root root 1007 Jul 17 03:25 rsyslog.log
-rw-r--r--. 1 root root 10382396 Jul 17 02:49 rsyslog.log-20190717-1563331501
-rw-r--r--. 1 root root 12649621 Jul 17 03:02 rsyslog.log-20190717-1563332101
-rw-r--r--. 1 root root 11345789 Jul 17 03:11 rsyslog.log-20190717-1563332701
-rw-r--r--. 1 root root 12271294 Jul 17 03:21 rsyslog.log-20190717-1563333302
-rw-r--r--. 1 root root 23122678 Jul 17 03:40 rsyslog.log-20190717-1563333901

Thank you. I forgot that I wanted an overly-simple example without the full naming to show the rotation. I'm not sure the fluentd log file names I have are accurate for what the user will see.
Do you think this will work to show the rotation, or would using real log file names make more sense?

The following example shows logs in a cluster where the maximum log size is 1Mb and four logs should be retained. When the `log`reaches 1Mb, {product-title}
deletes the current `log.4`, renames the each of the Fluentd logs in turn, and creates a new `log`.

----
log     0b
log.1  1Mb
log.2  1Mb
log.3  1Mb
log.4  1Mb
----

The log rotation of rsyslog is different from fluentd. There has a configmap logrotate-crontab controlls the rsyslog's log rotation. You can get some information from: https://bugzilla.redhat.com/show_bug.cgi?id=1730211#c1

Yes, there is a configmap with a crontab, and one with the logrotate config, but the user doesn't need to use those. Most users will be able to set these environment variables and not need to know the implementation details. I suppose we should document those configmaps, but we should tell users that they probably don't need to touch them.

@QiaolingTang @nhosoi In order to change the log rotation parameters, does the user still edit the rsyslog daemonset or edit the logrotate configmap?

oc set env daemonset/rsyslog LOGGING_FILE_AGE=30 LOGGING_FILE_SIZE=1024000

oc set env cm/logrotate LOGGING_FILE_AGE=30 LOGGING_FILE_SIZE=1024000

This one:

oc set env daemonset/rsyslog LOGGING_FILE_AGE=30 LOGGING_FILE_SIZE=1024000

If an advanced user needs to change the cron or logrotate settings, they would do

oc edit configmap logrotate-bin
or
oc edit configmap logrotate-crontab

@richm Thanks. I didn't see your comment above as I didn't refresh the page.

I thought the rsyslog image would be something like registry.redhat.io/openshift4/ose-logging-rsyslog:v4.2 when the 4.2 GA.

Correct. In 4.2, rsyslog is in the redhat registry like everything else.

@QiaolingTang Thank you. RSYSLOG_IMAGE=quay.io/openshift/origin-logging-rsyslog:latest is what appears in 4.1. I must have gotten this string from 4.1. Fixed!

These logs are not collected by the log collector, they are generated by the log collector.