Hi Ryan! Assuming that your syslog packets are pure UDP, short enough to all fit into one datagram, and can be properly parsed as syslog by graylog2, there's no reason round robin shouldn't work. Basically each graylog2 server is independent of the others, just writing to the same ElasticSearch cluster (and index, of course). The only problem arises when using GELF over UDP, as that permits splitting the packet across multiple UDP datagrams, which then of course need to be received by the same host.
To further debug the issue I would recommend doing the following:

1) just have one source send data and only have the UDP Syslog input running on the graylog2 nodes (makes it easier to read the logs)
2) configure UDP syslog traffic to be round robin to the graylog2 server nodes
3) start the graylog2 nodes with --debug (or enable the corresponding subsystems from the web interface if you don't want to restart)
4) check if the graylog2 nodes process any data

That should at least tell you that something went wrong (bad syslog format for example). In this case we'd need to take a look at what makes syslog parsing fail; unfortunately there are so many syslog-like formats that it's nearly impossible to "just parse" them. I strongly suspect that this is the problem you face. In that case you would have to either preprocess the data (via rsyslog or logstash) or use the extractors on the input to properly receive the data.

Hope that helps,
Kay

On Tue, Feb 4, 2014 at 12:07 AM, Ryan Jones <[email protected]> wrote:
> I've been browsing around this forum looking for answers but I haven't
> quite gotten my question answered. I have a couple of nodes sitting behind
> a Zen load balancer cluster. I've tried a couple of different ways to get
> my syslog traffic to pass.
>
> One was just a simple UDP 514 to the VIP out round-robin to my graylog
> servers; I didn't expect this to work but I tried anyway. My second attempt
> was to use L4NAT, which I believe is essentially direct routing, but I still
> see no syslog traffic passing. I can't use TCP because 90% of my gear can't
> do TCP syslog. I'm using 0.20.0rc.1-1.
> My issue right now isn't really capacity, it's HA. Is there anyone that got
> a similar setup to work?
>
>           |-----| zen01 |------|----- GL01
> syslog ---|                    |----- GL02
>           |-----| zen02 |------|----- GL03
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
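As an added illustration of Kay's point about GELF chunking (example code, not from the thread and not graylog2's own code): the GELF chunk header layout (magic bytes 0x1e 0x0f, 8-byte message id, 1-byte sequence number, 1-byte sequence count) is taken from the GELF spec; the two load-balancer policies and the sample traffic are constructed. Plain syslog datagrams survive round robin because each one is a whole message, while a chunked GELF message only reassembles when every chunk reaches the same node.

```python
import hashlib
from collections import defaultdict

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # marks a chunked GELF datagram
HEADER_LEN = 12                 # magic(2) + message id(8) + seq no(1) + seq count(1)

def split_gelf(message_id: bytes, payload: bytes, chunk_size: int) -> list:
    """Split one GELF message into chunked UDP datagrams (GELF chunk header format)."""
    parts = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return [GELF_CHUNK_MAGIC + message_id + bytes([n, len(parts)]) + p
            for n, p in enumerate(parts)]

def parse_chunk(datagram: bytes):
    """Return (message id, seq no, seq count, body), or None for an unchunked datagram."""
    if len(datagram) < HEADER_LEN or not datagram.startswith(GELF_CHUNK_MAGIC):
        return None
    return datagram[2:10], datagram[10], datagram[11], datagram[HEADER_LEN:]

class Node:
    """One receiving server: a chunked message is usable only once all chunks arrived here."""
    def __init__(self):
        self.pending = defaultdict(dict)  # message id -> {seq no: body}
        self.complete = []

    def receive(self, datagram: bytes) -> None:
        parsed = parse_chunk(datagram)
        if parsed is None:               # syslog or unchunked GELF: whole message in one datagram
            self.complete.append(datagram)
            return
        msg_id, seq_no, seq_count, body = parsed
        chunks = self.pending[msg_id]
        chunks[seq_no] = body
        if len(chunks) == seq_count:     # last chunk seen: reassemble in sequence order
            self.complete.append(b"".join(chunks[i] for i in range(seq_count)))
            del self.pending[msg_id]

def distribute(datagrams, node_count: int, policy: str) -> list:
    """Spread (source ip, datagram) pairs over node_count nodes; return complete messages per node."""
    nodes = [Node() for _ in range(node_count)]
    for i, (src, datagram) in enumerate(datagrams):
        if policy == "round_robin":      # hypothetical LB policy: each datagram to the next node
            target = i % node_count
        else:                            # "source_hash": all datagrams from one sender to one node
            target = int(hashlib.sha256(src.encode()).hexdigest(), 16) % node_count
        nodes[target].receive(datagram)
    return [len(n.complete) for n in nodes]

# Constructed traffic: one 90-byte GELF message split into three chunks, plus two syslog lines.
GELF_CHUNKS = split_gelf(b"\x00\x01\x02\x03\x04\x05\x06\x07", b"{" + b"x" * 88 + b"}", 30)
TRAFFIC = [("10.0.0.5", c) for c in GELF_CHUNKS] + [
    ("10.0.0.7", b"<13>Feb  4 00:07:00 host1 app: hello"),
    ("10.0.0.8", b"<13>Feb  4 00:07:01 host2 app: world"),
]
```

With three nodes, `distribute(TRAFFIC, 3, "round_robin")` delivers only the two syslog lines, while `distribute(TRAFFIC, 3, "source_hash")` also reassembles the GELF message on a single node.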
