Changing the settings
Go back to What is imuxsock?
Before we can begin testing on how rate limiting works, we should change the default settings. By default, rate limiting will only work, if a process sends more than 200 messages in 5 seconds.To have some influence on the rate limiting we have basically two options:
$SystemLogRateLimitInterval [number] $SystemLogRateLimitBurst [number]
The SystemLogRateLimitInterval determines the amount of time that is being measured for rate limiting. By default this is set to 5 seconds. The SystemLogRateLimitBurst defines the amount of messages, that have to occur in the time limit of SystemLogRateLimitInterval, to trigger rate limiting. Here, the default is 200 messages. For creating a more effective test, we will alter the default values.
To change these settings we open the rsyslog configuration. Open the configuration with vi (please note, that we use the default configuration path):
vi /etc/rsyslog.conf
Now we need to search the right spot for the entries. Find the following:
$ModLoad imuxsock.so
This entry will load the imuxsock module.
Now insert two new lines under the ModLoad command and fill them as follows:
$SystemLogRateLimitInterval 2 $SystemLogRateLimitBurst 50
These are the option for the module with some values. This means in plain words, that rate limiting will take effect if more than 50 messages occur in 2 seconds.
To make sure, that we will see all messages that are logged, we insert another entry into the configuration. Go to the section in the rsyslog.conf that holds the “Rules”. Insert a new rule that looks like this:
*.* /var/log/everything.log
You can name the file as you want. Every log message will be written into this file for our review.
Save the configuration file and exit vi. Now we need to restart rsyslog. This is necessary because it will only load the configuration once on startup.