Mailing List Archive

store imtcp logs locally and forward to remote server
Hi. I am trying to implement a solution which does not work when remote server is not reachable.

-overview-

client --> serverA --> serverB

on ServerA what we need is:

1. store local logs to default "/var/log" location
2. store logs coming from imtcp to a different partition "/remoteLogs/"
3. forward logs from imtcp further to another server (serverB)


I came up with the following configuration

----------------
module(load="imtcp")


ruleset(
name="forwarding"
queue.spoolDirectory="/var/lib/rsyslog"
queue.filename="syslog001"
queue.maxdiskspace="10g"
queue.saveonshutdown="on"
queue.type="LinkedList"
){

*local1.?* action(name="imtcplogs" type="omfile" File="/remoteLogs/tcp_local1")
*local2.?* action(name="imtcplogs" type="omfile" File="/remoteLogs/tcp_local2")

*.* action(name="forward_to_B" type="omfwd" target="serverB.example.com" port="514" protocol="tcp" action.resumeRetryCount="-1")

}

*.* action(name="local_messages" type="omfile" File="/var/log/messages")

input(name="imtcp" type="imtcp" port="514" Ruleset="forwarding")

------------------

Everything works great with the above configuration, however I realized that if the remote serverB is not available then the imtcp messages on serverA (coming from clients) are not stored locally. They are as soon as serverB comes back online.

Is there a way to solve this? Meaning, store imtcp logs regardless if the forwarding endpoint is down?

Thanks.
D.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: store imtcp logs locally and forward to remote server [ In reply to ]
you would need to put the queue on the action to send remote rather than on the
ruleset. Putting the queue on the ruleset means that when you can't send the
logs remotely, all processing of the ruleset pauses.

David Lang

On Fri, 8 Apr 2022, Dimi
Onobodies via rsyslog wrote:

> Date: Fri, 8 Apr 2022 14:00:23 +0000
> From: Dimi Onobodies via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Dimi Onobodies <dimi_kdj@hotmail.com>
> Subject: [rsyslog] store imtcp logs locally and forward to remote server
>
> Hi. I am trying to implement a solution which does not work when remote server is not reachable.
>
> -overview-
>
> client --> serverA --> serverB
>
> on ServerA what we need is:
>
> 1. store local logs to default "/var/log" location
> 2. store logs coming from imtcp to a different partition "/remoteLogs/"
> 3. forward logs from imtcp further to another server (serverB)
>
>
> I came up with the following configuration
>
> ----------------
> module(load="imtcp")
>
>
> ruleset(
> name="forwarding"
> queue.spoolDirectory="/var/lib/rsyslog"
> queue.filename="syslog001"
> queue.maxdiskspace="10g"
> queue.saveonshutdown="on"
> queue.type="LinkedList"
> ){
>
> *local1.?* action(name="imtcplogs" type="omfile" File="/remoteLogs/tcp_local1")
> *local2.?* action(name="imtcplogs" type="omfile" File="/remoteLogs/tcp_local2")
>
> *.* action(name="forward_to_B" type="omfwd" target="serverB.example.com" port="514" protocol="tcp" action.resumeRetryCount="-1")
>
> }
>
> *.* action(name="local_messages" type="omfile" File="/var/log/messages")
>
> input(name="imtcp" type="imtcp" port="514" Ruleset="forwarding")
>
> ------------------
>
> Everything works great with the above configuration, however I realized that if the remote serverB is not available then the imtcp messages on serverA (coming from clients) are not stored locally. They are as soon as serverB comes back online.
>
> Is there a way to solve this? Meaning, store imtcp logs regardless if the forwarding endpoint is down?
>
> Thanks.
> D.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.