On Wed, 13 Apr 2011, Anders Synstad wrote:
My guess is that this configuration doesn't work great with tcp syslogging.
However, the "epoll_ctl failed on fd" goes absolutely mental. So far today,
it's logged 5.6G worth of just that error :)
So two questions:
1) Is there a way to make rsyslog put the network interface in promiscuous
mode for logging, so I don't need these rewrite rules, and it acts more like
a silent observer (like SNORT and friends).
2) Is "epoll_ctl failed on fd" error something that perhaps is related to an
unhandled exception in rsyslog? Or at least an exception that isn't handled
very gracefully?
I believe that the fundamental problem is that TCP requires full two-way
communication with the sender, so you can't just clone the packets and
have things work (the receiver sends information back to the sender, and
unless the sender gets it and adjusts future packets appropriately the
receiver will decide something is very wrong).
If you were to use UDP, you won't have this limitation.
One other trick you can pull with UDP (assuming your production and
preprod servers don't need to talk directly to each other) is that you can
put the IP address of the production server on the loopback interface of
your preprod server. If you do this and have something in the middle clone
the packets (but change their MAC address), then you should receive them
normally.
Two possible problems with this:
1. You may have to fix the checksums as well as the MAC address (I don't
think so, but I'm only 90% or so sure).
2. If you are on the same VLAN (broadcast domain) as the production
server, you may have to configure arptables (a variation of iptables) to
make sure that your preprod server does not respond to any ARP requests
intended for the production server. For ARP purposes, Linux considers the
IP addresses assigned to the machine, not any particular interface, and
will respond on any interface queried if it has the IP address on any
other interface.
Another option you may want to consider is multicast MAC with UDP. This
allows you to have multiple machines with the same IP address on one
network. You can even use CLUSTERIP (part of iptables) to do load
balancing of inbound traffic across multiple machines. To have multiple
machines get the same traffic, configure CLUSTERIP to make each machine
think it is the only box with that IP address.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
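The loopback-IP trick and the ARP-silencing step from David's reply, written out as an added example script. This is not code from the thread or from the rsyslog project; the production IP 192.0.2.10, the interface eth0, the port 514 and the file /etc/rsyslog.d/mirror-udp.conf are assumptions for the demo. The script uses the kernel's arp_ignore/arp_announce sysctls (the same mechanism LVS direct-routing setups rely on) alongside the arptables rule the reply mentions, and emits a legacy-format rsyslog UDP listener bound to the mirrored address. With `DRY_RUN=1` (or the `plan` argument) it prints the privileged commands instead of running them, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the list thread): stage a preprod host as a silent
# UDP syslog observer for traffic cloned from a production collector.
# Every address, interface and file name below is an assumption for the demo.
PROD_IP="${PROD_IP:-192.0.2.10}"   # assumed IP of the production syslog collector
IFACE="${IFACE:-eth0}"             # assumed interface that receives the cloned frames
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# With DRY_RUN=1 the privileged commands are printed instead of executed, so
# the plan can be reviewed (or unit-tested) without root or a real network.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_preprod_listener() {
    # 1. Hold the production IP on loopback. The kernel will then deliver
    #    datagrams addressed to it that arrive on $IFACE, but the address is
    #    never advertised or routed on the LAN.
    run ip addr add "${PROD_IP}/32" dev lo

    # 2. Stay silent on ARP. By default Linux answers an ARP request for any
    #    local IP on any interface; arp_ignore=1 restricts replies to addresses
    #    configured on the interface the request came in on (lo is not eth0),
    #    and arp_announce=2 stops the host from ever sourcing ARP from PROD_IP.
    run sysctl -w "net.ipv4.conf.all.arp_ignore=1"
    run sysctl -w "net.ipv4.conf.${IFACE}.arp_ignore=1"
    run sysctl -w "net.ipv4.conf.all.arp_announce=2"
    # Belt and braces: drop ARP requests for the production IP outright.
    run arptables -A INPUT -i "${IFACE}" --destination-ip "${PROD_IP}" -j DROP
}

# Legacy-format rsyslog snippet binding the UDP listener to the mirrored IP
# (file name is assumed; rsyslog reads /etc/rsyslog.d/*.conf on most distros).
rsyslog_udp_conf() {
    cat <<EOF
\$ModLoad imudp
\$UDPServerAddress ${PROD_IP}
\$UDPServerRun ${SYSLOG_PORT}
EOF
}

case "${1:-}" in
    plan)  DRY_RUN=1; setup_preprod_listener; rsyslog_udp_conf ;;
    apply) setup_preprod_listener
           rsyslog_udp_conf > /etc/rsyslog.d/mirror-udp.conf ;;
esac
```

Run `sh mirror-listener.sh plan` to see the commands, then `apply` as root followed by an rsyslog restart. On the checksum question: the IP header checksum covers only the IP header and the UDP checksum covers the pseudo-header (addresses, protocol, length) plus the datagram; neither includes MAC addresses, and the Ethernet FCS is regenerated by whatever device rewrites the frame, so a cloner that only changes the destination MAC leaves nothing for the receiver to reject. The rsyslog side needs no special handling: imudp simply binds to the mirrored address and sees the cloned datagrams as ordinary syslog traffic.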