Mailing List Archive

Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)?
Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? That is, I need to forward logs to a server where the server can be reached via two independent IP addresses. Obviously I could easily just configure forwarding to both addresses - but then I end up with log duplication....?


-----------------------------------------------------------------------------------------------------------------------
Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. that
is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or
distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended
recipient, please notify the sender immediately and then delete all copies, including any attachments.
-----------------------------------------------------------------------------------------------------------------------
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
Does anyone know how to configure log forwarding to a multihomed host (with
no log duplication)?  That is, I need to forward logs to a server where the
server can be reached via two independent IP addresses.  Obviously I could
easily just configure forwarding to both addresses - but then I end up with
log duplication....?



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
P.S. The idea here is for redundancy: if one of the server's IP addresses cannot be reached, the forwarding should be performed to the other IP address.
________________________________
From: Butler, Peter <pbutler@rbbn.com>
Sent: Thursday, October 15, 2020 4:35 PM
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Subject: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)?

Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? That is, I need to forward logs to a server where the server can be reached via two independent IP addresses. Obviously I could easily just configure forwarding to both addresses - but then I end up with log duplication....?


-----------------------------------------------------------------------------------------------------------------------
Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. that
is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or
distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended
recipient, please notify the sender immediately and then delete all copies, including any attachments.
-----------------------------------------------------------------------------------------------------------------------
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
I assume there is a reason you aren't just picking one IP and forwarding to
that.

configure a DNS name that has both IP addresses and forward to the name.

or is there something else you are wanting as well?

David Lang

On Thu, 15 Oct 2020, Peter via rsyslog wrote:

> Date: Thu, 15 Oct 2020 13:36:24 -0700 (MST)
> From: Peter via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Peter <pbutler@rbbn.com>
> Subject: [rsyslog] Does anyone know how to configure log forwarding to a
> multihomed host (with no log duplication)?
>
> Does anyone know how to configure log forwarding to a multihomed host (with
> no log duplication)?  That is, I need to forward logs to a server where the
> server can be reached via two independent IP addresses.  Obviously I could
> easily just configure forwarding to both addresses - but then I end up with
> log duplication....?
>
>
>
> --
> Sent from: http://rsyslog-users.1305293.n2.nabble.com/
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
Ok, this gives us some additional context

with two IP addresses on different networks, you would need to do something with
the if-last-action-failed to send it to the second IP if the first fails.

David Lang

On Thu, 15 Oct 2020, Butler, Peter via rsyslog wrote:

> P.S. The idea here is for redundancy: if one of the server's IP addresses cannot be reached, the forwarding should be performed to the other IP address.
> ________________________________
> From: Butler, Peter <pbutler@rbbn.com>
> Sent: Thursday, October 15, 2020 4:35 PM
> To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
> Subject: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)?
>
> Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? That is, I need to forward logs to a server where the server can be reached via two independent IP addresses. Obviously I could easily just configure forwarding to both addresses - but then I end up with log duplication....?
>
>
> -----------------------------------------------------------------------------------------------------------------------
> Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. that
> is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or
> distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended
> recipient, please notify the sender immediately and then delete all copies, including any attachments.
> -----------------------------------------------------------------------------------------------------------------------
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
Ok thanks for the info. I assume that TCP would be required (as opposed to
UDP) so as to detect an undeliverable message? Or RELP?



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
Yes, you cannot detect many failures with UDP. RELP is the most reliable, but
getting it to failover to a second destination is more difficult (I think that
round-robin DNS will do it, but some testing would be needed)

see Rainer's post on the unreliability of TCP

All this being said, think hard about your actual reliability and delivery
latency requirements and the various failure modes you are trying to defend
against. You can spend a lot of time and effort defending against one rare case
and end up being vulnerable to loss from a much more common case.

David Lang

On Thu, 15 Oct
2020, Peter via rsyslog wrote:

> Date: Thu, 15 Oct 2020 16:49:55 -0700 (MST)
> From: Peter via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Peter <pbutler@rbbn.com>
> Subject: Re: [rsyslog] Does anyone know how to configure log forwarding to a
> multihomed host (with no log duplication)?
>
> Ok thanks for the info. I assume that TCP would be required (as opposed to
> UDP) so as to detect an undeliverable message? Or RELP?
>
>
>
> --
> Sent from: http://rsyslog-users.1305293.n2.nabble.com/
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
Thanks for all the info - I will play around with various config options.
Aside: for what it's worth, SCTP would automatically resolve this issue.
Not sure if this has been considered for rsyslog or not.



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
rsyslog does support multicast, but I've never used it.

David Lang

On Thu, 15 Oct 2020, Peter via rsyslog wrote:

> Date: Thu, 15 Oct 2020 17:08:50 -0700 (MST)
> From: Peter via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Peter <pbutler@rbbn.com>
> Subject: Re: [rsyslog] Does anyone know how to configure log forwarding to a
> multihomed host (with no log duplication)?
>
> Thanks for all the info - I will play around with various config options.
> Aside: for what it's worth, SCTP would automatically resolve this issue.
> Not sure if this has been considered for rsyslog or not.
>
>
>
> --
> Sent from: http://rsyslog-users.1305293.n2.nabble.com/
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
Hi David

I'm able to get the fail-over to work (from the primary server IP to the
secondary server IP) using an if-last-action-failed construct. However, I
can't seem to get it to do so 'quickly'. If I drop the primary connection
from the server side, it take around 15 minutes for the client side to
detect this and then do the fail-over. I've tried playing with the
following parameters (using various settings):

$InputTCPServerKeepAlive on
$InputTCPServerKeepAlive_probes 1
$InputTCPServerKeepAlive_time 1
$InputTCPServerKeepAlive_intvl 1


and have confirmed using tcpdump that these do indeed have an effect (for
example, number of seconds between keep-alive pings), but still the rsyslog
client still doesn't perform the fail-over for around 15 minutes. Any
ideas? The idea here is for the fail-over to occur as quickly as possible
as this is a high-availability environment (all nodes in the mesh are
interconnected with two Ethernet fabrics using SCTP, but rsyslog is only
using TCP, hence we need this failover mechanism to work).

Peter



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Does anyone know how to configure log forwarding to a multihomed host (with no log duplication)? [ In reply to ]
I'd go for RELP with relatively short timeout settings on client's side
(Timeout and Conn.Timeout parameters).

Mariusz Kruk
Ekspert ds. Bezpiecze?stwa IT
COMP S.A.
Pion Cyberbezpiecze?stwa i Zarz?dzania Ryzykiem
e-mail: mariusz.kruk@comp.com.pl
e-mail: mariusz.kruk@safecomp.com
tel: +48 608 623 299

On 19.10.2020 15:55, Peter via rsyslog wrote:
> Hi David
>
> I'm able to get the fail-over to work (from the primary server IP to the
> secondary server IP) using an if-last-action-failed construct. However, I
> can't seem to get it to do so 'quickly'. If I drop the primary connection
> from the server side, it take around 15 minutes for the client side to
> detect this and then do the fail-over. I've tried playing with the
> following parameters (using various settings):
>
> $InputTCPServerKeepAlive on
> $InputTCPServerKeepAlive_probes 1
> $InputTCPServerKeepAlive_time 1
> $InputTCPServerKeepAlive_intvl 1
>
>
> and have confirmed using tcpdump that these do indeed have an effect (for
> example, number of seconds between keep-alive pings), but still the rsyslog
> client still doesn't perform the fail-over for around 15 minutes. Any
> ideas? The idea here is for the fail-over to occur as quickly as possible
> as this is a high-availability environment (all nodes in the mesh are
> interconnected with two Ethernet fabrics using SCTP, but rsyslog is only
> using TCP, hence we need this failover mechanism to work).
>
> Peter
>
>
>
> --
> Sent from: http://rsyslog-users.1305293.n2.nabble.com/
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.