Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. RSyslog>
  3. users
backup forwarding server with legacy ruleset
rsyslog at lists
Sep 19, 2022, 8:20 AM
Post #1 of 2 (227 views)
Permalink
Hi.

I have a farm of X systems all forwarding logs to a central rsyslog server. My plan is to add a second system and configure the clients to forward the logs on the secondary one if for some reason the primary rsyslog server fails.

I went through the documentation and the example provided is straight forward.


if($msg contains "error") then {
action(type="omfwd" target="primary-syslog.example.com" port="10514"
protocol="tcp")
action(type="omfwd" target="secondary-1-syslog.example.com" port="10514"
action.execOnlyWhenPreviousIsSuspended="on")
action(type="omfile" tag="failover" file="/var/log/localbuffer"
action.execOnlyWhenPreviousIsSuspended="on")
}


I am using action queue (linked list) on my forwarding in order to buffer logs when the remote server is down.

$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwd_spool
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@remoteA.server.net:514

The documentation states that when using asynchronous queue like LinkedList, this config will not work and the solution is to add everything inside a RuleSet and assign a queue to the ruleset.

This is when it starts getting rough for me. Within the farm, I have numerous systems running rsyslog 5.8.10 which unfortunately (very very unfortunately) cannot be updated at the moment.

My questions are:


1. Is there a way to implement this solution (Ruleset + backup system + spooling) with a syntax that will work on both rsyslog5 and rsyslog8 versions? As far as I understood, I must use omruleset module, but I am not sure how this will behave with rsyslog8.
2.
3. Why would one use omfile as last resort since you have the option to use LinkedList? I mean, with omfile the logs won't be forwarded but instead will be saved on disk. With linkedList, logs will be automatically forwarded once the remote system is available plus, spooled messages will be cleared.

Thanks
Dimi
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: backup forwarding server with legacy ruleset [ In reply to ]
rsyslog at lists
Sep 19, 2022, 10:20 AM
Post #2 of 2 (226 views)
Permalink
rsyslog maintains backwards compatibility, so you can use the rsyslog 5 syntax
on rsyslog 8, but especially with queues, it's not recommended because it's far
less clear what's happening

I don't know that rsyslog 5 will support queues on a ruleset (rsyslog 5 is so
old you really should not be using it)

the reason that your approach won't work if there are queues on the action is
that moving the message to the queue counts as success, only if the queue is
full will it suspend the action (and even then, by default it will block)

you should also look at RELP if you are concerned about reliable delivery,
delivering via TCP cam lose messages when there are network/server issues.

linkedlist is one of the two in-memory queue options, it doesn't save messages
to disk, you have the option to turn it into a disk assisted queue, which will
save some of the messages to disk (but still keeps some in memory), so saving to
a local file is a different way of addressing the problem of what to do when you
can't reach the destination.

David Lang

On Mon, 19 Sep 2022, Dimi Onobodies via rsyslog
wrote:

> Hi.
>
> I have a farm of X systems all forwarding logs to a central rsyslog server. My plan is to add a second system and configure the clients to forward the logs on the secondary one if for some reason the primary rsyslog server fails.
>
> I went through the documentation and the example provided is straight forward.
>
>
> if($msg contains "error") then {
> action(type="omfwd" target="primary-syslog.example.com" port="10514"
> protocol="tcp")
> action(type="omfwd" target="secondary-1-syslog.example.com" port="10514"
> action.execOnlyWhenPreviousIsSuspended="on")
> action(type="omfile" tag="failover" file="/var/log/localbuffer"
> action.execOnlyWhenPreviousIsSuspended="on")
> }
>
>
> I am using action queue (linked list) on my forwarding in order to buffer logs when the remote server is down.
>
> $WorkDirectory /var/lib/rsyslog
> $ActionQueueFileName fwd_spool
> $ActionQueueMaxDiskSpace 1g
> $ActionQueueSaveOnShutdown on
> $ActionQueueType LinkedList
> $ActionResumeRetryCount -1
> *.* @@remoteA.server.net:514
>
> The documentation states that when using asynchronous queue like LinkedList, this config will not work and the solution is to add everything inside a RuleSet and assign a queue to the ruleset.
>
> This is when it starts getting rough for me. Within the farm, I have numerous systems running rsyslog 5.8.10 which unfortunately (very very unfortunately) cannot be updated at the moment.
>
> My questions are:
>
>
> 1. Is there a way to implement this solution (Ruleset + backup system + spooling) with a syntax that will work on both rsyslog5 and rsyslog8 versions? As far as I understood, I must use omruleset module, but I am not sure how this will behave with rsyslog8.
> 2.
> 3. Why would one use omfile as last resort since you have the option to use LinkedList? I mean, with omfile the logs won't be forwarded but instead will be saved on disk. With linkedList, logs will be automatically forwarded once the remote system is available plus, spooled messages will be cleared.
>
> Thanks
> Dimi
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal