Disk files are not forwarded to aggregation server using rsyslog Rsyslog version: 8.4.2 Queue type: Disk assisted Memory Queue Almost 380 servers send several OS and application logs to the log aggregation server in my case. Some of the Errors on the servers (even after restart of rsyslog): Jan 10 18:30:14 XXX.HOST.NAME rsyslogd0: action 'action 12' resumed (module 'builtinmfwd') May 4 14:25:08 XXX.HOST.NAME rsyslogd0: action 'action 11' resumed (module 'builtinmfwd') May 4 14:25:08 XXX.HOST.NAME rsyslogd-2359: action 'action 11' resumed (module 'builtinmfwd') Sometimes, I don't see any errors at all. NOTE: This is not happening on all servers. Configuration: $WorkDirectory /var/lib/rsyslog # where to place spool files $ActionQueueFileName SIEMForward # unique name prefix for spool files $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down authpriv.*,local2.*,local4.*,local5.*,local6.*,local7.*,cron.*,*.info,mail.*,uucp,news.crit @@xxxxxx-AGG-SERVER:10514 Observation: The location /var/lib/rsyslog is filled with SIEMForward* files without doing any forwards. Could someone please help me resolve this issue. Thanks in advance.
