Mailing List Archive

Not able to send to secondary server.
Hi,

I am trying to do failover scenarios in rsyslog.
I am sending logs to primary server, now in primary server am just doing
the packet drop using this command.
sudo iptables -A INPUT -p tcp --dport 10515 -j DROP
but after this am expecting rsyslog should send logs to seconadry server
but it is not sending logs to secondary server.

Here is the rsyslog.con file content to send logs to remote server.

######################################################
Ruleset for Log messages to send to Remote server

######################################################
ruleset(name="sendToLogserver" queue.Type="LinkedList"
queue.timeoutenqueue="0") {
#PRIMARY-IP-ADDRESS#
action(type="omfwd" target="1.1.1.1" port="10515" protocol="tcp"
Template="TraditionalFormatWithPRI" )
#SECONDARY-IP-ADDRESS#
action(type="omfwd" target="2.2.2.2" port="10515" protocol="tcp"
Template="TraditionalFormatWithPRI"
action.execOnlyWhenPreviousIsSuspended="on")
}

Please help me to fix this if anything need to do.
Send to secondary server, when primary server is dropping the packets
rsyslog should send logs to secondary server.

Here is the pcap from rsyslog client side seeing TCP retransmission.
here
rsyslog-client: 10.74.136.52
server: 10.74.136.69

[image: image]
<https://user-images.githubusercontent.com/49853320/185047220-4d7ae831-6f4b-4b2a-b396-ffa6eadd4128.png>

After pcap analysis am seeing client is trying to retransmitting the packet
and after trying for 15 mins the retransmitation timeout happens on the tcp
connection and switches to secondary server. In order to speed this up i
tried to apply keepalive.
here is the configuration
######################################################
Ruleset for Log messages to send to Remote server

######################################################
ruleset(name="sendToLogserver" queue.Type="LinkedList"
queue.timeoutenqueue="0") {
#PRIMARY-IP-ADDRESS#
action(type="omfwd" target="10.74.136.69" port="10515" protocol="tcp"
keepalive="on" keepalive.probes="3" keepalive.time="30"
keepalive.interval="10" Template="TraditionalFormatWithPRI")
#SECONDARY-IP-ADDRESS#
action(type="omfwd" target="10.74.136.96" port="10515" protocol="tcp"
keepalive="on" keepalive.probes="3" keepalive.time="30"
keepalive.interval="10" Template="TraditionalFormatWithPRI"
action.execOnlyWhenPreviousIsSuspended="on")
}

with this configuration am expecting the client to send RST packets to
primary after 60 seconds and reconnect to secondary server after 60 seconds
which is total of 120 seconds after which i should receive logs on the
secondary server.
This configuration however does not work and it is falling back to
retransmission time out of 15 mins.

Could someone help me to understand configuration is correct if anything
missed.
[image: image]
<https://user-images.githubusercontent.com/49853320/185046210-51dce7ba-d7e7-4ae8-bb8f-8047e77f17f4.png>

Thanks,
Sachin
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Not able to send to secondary server. [ In reply to ]
it's probably just waiting to detect that the logs aren't getting delivered, try
changing the DROP to REJECT to have the failover happen faster.

David Lang


On Thu, 18 Aug 2022, sachin sachu via rsyslog wrote:

> Date: Thu, 18 Aug 2022 12:18:12 +0530
> From: sachin sachu via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: sachin sachu <sachusachin622@gmail.com>
> Subject: [rsyslog] Not able to send to secondary server.
>
> Hi,
>
> I am trying to do failover scenarios in rsyslog.
> I am sending logs to primary server, now in primary server am just doing
> the packet drop using this command.
> sudo iptables -A INPUT -p tcp --dport 10515 -j DROP
> but after this am expecting rsyslog should send logs to seconadry server
> but it is not sending logs to secondary server.
>
> Here is the rsyslog.con file content to send logs to remote server.
>
> ######################################################
> Ruleset for Log messages to send to Remote server
>
> ######################################################
> ruleset(name="sendToLogserver" queue.Type="LinkedList"
> queue.timeoutenqueue="0") {
> #PRIMARY-IP-ADDRESS#
> action(type="omfwd" target="1.1.1.1" port="10515" protocol="tcp"
> Template="TraditionalFormatWithPRI" )
> #SECONDARY-IP-ADDRESS#
> action(type="omfwd" target="2.2.2.2" port="10515" protocol="tcp"
> Template="TraditionalFormatWithPRI"
> action.execOnlyWhenPreviousIsSuspended="on")
> }
>
> Please help me to fix this if anything need to do.
> Send to secondary server, when primary server is dropping the packets
> rsyslog should send logs to secondary server.
>
> Here is the pcap from rsyslog client side seeing TCP retransmission.
> here
> rsyslog-client: 10.74.136.52
> server: 10.74.136.69
>
> [image: image]
> <https://user-images.githubusercontent.com/49853320/185047220-4d7ae831-6f4b-4b2a-b396-ffa6eadd4128.png>
>
> After pcap analysis am seeing client is trying to retransmitting the packet
> and after trying for 15 mins the retransmitation timeout happens on the tcp
> connection and switches to secondary server. In order to speed this up i
> tried to apply keepalive.
> here is the configuration
> ######################################################
> Ruleset for Log messages to send to Remote server
>
> ######################################################
> ruleset(name="sendToLogserver" queue.Type="LinkedList"
> queue.timeoutenqueue="0") {
> #PRIMARY-IP-ADDRESS#
> action(type="omfwd" target="10.74.136.69" port="10515" protocol="tcp"
> keepalive="on" keepalive.probes="3" keepalive.time="30"
> keepalive.interval="10" Template="TraditionalFormatWithPRI")
> #SECONDARY-IP-ADDRESS#
> action(type="omfwd" target="10.74.136.96" port="10515" protocol="tcp"
> keepalive="on" keepalive.probes="3" keepalive.time="30"
> keepalive.interval="10" Template="TraditionalFormatWithPRI"
> action.execOnlyWhenPreviousIsSuspended="on")
> }
>
> with this configuration am expecting the client to send RST packets to
> primary after 60 seconds and reconnect to secondary server after 60 seconds
> which is total of 120 seconds after which i should receive logs on the
> secondary server.
> This configuration however does not work and it is falling back to
> retransmission time out of 15 mins.
>
> Could someone help me to understand configuration is correct if anything
> missed.
> [image: image]
> <https://user-images.githubusercontent.com/49853320/185046210-51dce7ba-d7e7-4ae8-bb8f-8047e77f17f4.png>
>
> Thanks,
> Sachin
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.