Matt Garman via rsyslog
2018-11-13 21:33:52 UTC

Using rsyslog 8.34 on CentOS 6 and 7 (Adiscon RPMs). We are working
on implementing a central logging server.

We somehow made a mistake when configuring the remote forward rule: we
forgot to think about queues (in particular, what happens when the
remote log server is unreachable). This is the rule we were using:

    *.* action(type="omrelp" target="central-log-server" port="20514" tls="on")

This worked just fine when things are good. We were adding the above
directive to increasingly more systems, when we started experiencing
issues that resembled a network outage. We stumbled on this message
which gave the "ah-hah" moment:

https://lists.gt.net/rsyslog/users/7949

With the directive I specified above, rsyslog works in "direct queue"
mode (a fancy way to say "no queue"). And apparently, this can lead
to effectively crippling the network interface if the remote server is
unavailable.

That in mind, clearly I need to have a better forwarding config.
Here's what I want, in English: "Try really hard not to lose any
messages by queueing as much as you can; after that wait until the
network comes back." In other words, I'd rather lose log messages
than have the network soft lock.

I may be missing something, but I can't find how to tell rsyslog to
"wait until the network comes back when queue is full". Maybe that's
implicit?

Here's the revised rule I'm working on - am I missing anything?

    *.* action(type="omrelp" target="central-log-server" port="20514" tls="on"
        # params for in-memory queue
        queue.type="LinkedList"
        queue.size="1000000"
        # params for disk assisted queue, i.e. spillover for in-memory queue
        queue.saveOnShutdown="on"
        queue.maxDiskSpace="5g"
        queue.filename="rsyslog.central-log-server"
        # parameters specific to this action
        action.reportSuspension="on"
        action.reportSuspensionContinuation="on"
    )

Thanks!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
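
Added example (not part of the original post and not from the rsyslog project): one way to spell out the stated goal, "queue as much as you can, then drop rather than stall", using documented rsyslog queue and action parameters. The work directory path, the queue file name and the numeric sizes are assumptions chosen for illustration.

```rsyslog
# Constructed example. Spool directory for disk-assisted queue files
# (assumed path; it must exist and be writable by rsyslogd).
global(workDirectory="/var/spool/rsyslog")

module(load="omrelp")

*.* action(type="omrelp" target="central-log-server" port="20514" tls="on"
    # In-memory queue; without queue.type the action runs in Direct
    # mode, i.e. with no queue at all.
    queue.type="LinkedList"
    queue.size="100000"

    # Setting queue.filename makes the queue disk-assisted: once the
    # in-memory part reaches the high watermark, messages spill to
    # disk until the queue drains to the low watermark.
    queue.filename="fwd_central_log_server"
    queue.highWatermark="80000"
    queue.lowWatermark="20000"
    queue.maxDiskSpace="5g"
    queue.maxFileSize="100m"
    queue.saveOnShutdown="on"

    # When memory and disk are both full, do not make the submitter
    # wait for free space: 0 ms means the new message is discarded
    # immediately instead of blocking.
    queue.timeoutEnqueue="0"

    # Keep retrying the suspended action indefinitely (-1), pausing
    # 30 seconds between attempts. With the default of 0, messages are
    # dropped once the action fails instead of waiting in the queue.
    action.resumeRetryCount="-1"
    action.resumeInterval="30"

    # Log suspension and resumption so the outage itself is visible
    # in the local logs.
    action.reportSuspension="on"
    action.reportSuspensionContinuation="on"
)
```

With these settings a full queue results in discarded messages rather than a stalled sender, which is the trade-off the post says it prefers.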