Hello,
We have an rsyslog instance in front of our ELK
(Elasticsearch/Logstash/Kibana) cluster. (-> Rsyslog -> Logstash ->
Elasticsearch)
The main reason for this is to still have plain-text logs in case the
more complex ELK stuff fails.
When the disk fills up, Elasticsearch stops indexing. Logstash (in front
of Elasticsearch) keeps the TCP connections from Rsyslog open, but sets
zero window. As a consequence, everything is coming to a grinding halt.
Rsyslog version is v8.33.1, and the configuration is pretty
straightforward:
-------------------------------------
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")
template(name="RSYSLOG_SyslogProtocolFormatFallback" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")
template(name="FileNameByHost" type="string"
         string="/syslog/%fromhost-ip%.log")
*.* action(type="omfile" dynaFile="FileNameByHost"
           template="RSYSLOG_FileFormat")
action(type="omfwd" target="log02e.secu.lu" port="1514" protocol="tcp"
       template="RSYSLOG_ForwardFormat")
action(type="omfwd" target="log03e.secu.lu" port="1514" protocol="tcp"
       template="RSYSLOG_ForwardFormat"
       action.execOnlyWhenPreviousIsSuspended="on")
action(type="omfile" file="/syslog/localbuffer"
       template="RSYSLOG_SyslogProtocolFormatFallback"
       action.execOnlyWhenPreviousIsSuspended="on")
-------------------------------------
Neither the first nor the last call to omfile has any effect if omfwd
stalls...
What can be done about this?
Thanks,
Marki
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
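One way to keep a stalled forwarder from blocking the local plain-text files is to give the omfwd action its own disk-assisted queue, so that a blocked TCP send ties up only that action's worker thread. This is an added example, not part of the original post or a reply from the list; the work directory, spool file name and size limits are assumed values.

```conf
# Added example (constructed): replaces the action section of the posted config.
# The inputs and the FileNameByHost template stay as posted.

# Assumed spool location for disk-assisted queues; must exist and be writable.
global(workDirectory="/var/spool/rsyslog")

# Local per-host files run directly on the main queue, as in the posted config.
*.* action(type="omfile" dynaFile="FileNameByHost"
           template="RSYSLOG_FileFormat")

# Forwarding to Logstash runs on its own action queue. When Logstash
# advertises a zero TCP window, the send blocks inside this queue's
# worker and the main queue keeps feeding the omfile action above.
*.* action(type="omfwd" target="log02e.secu.lu" port="1514" protocol="tcp"
           template="RSYSLOG_ForwardFormat"
           queue.type="LinkedList"          # asynchronous in-memory queue
           queue.filename="fwd_log02e"      # assumed name; enables spilling to disk
           queue.size="100000"              # assumed in-memory message limit
           queue.maxDiskSpace="2g"          # assumed cap on spool usage
           queue.saveOnShutdown="on"        # keep queued messages across restarts
           queue.timeoutEnqueue="0"         # when the queue is full, drop at once instead of waiting
           action.resumeRetryCount="-1")    # retry forever once the action is suspended
```

Once the action queue and its disk spool are both full, new messages for the forwarder are discarded, while the per-host files continue to be written.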