On 04/13/2011 08:45 AM, [email protected] wrote:
> On Wed, 13 Apr 2011, Anders Synstad wrote:
>
>> My guess is that this configuration doesn't work great with tcp
>> syslogging. However, the "epoll_ctl failed on fd" goes absolutely
>> mental. So far today, it's logged 5.6G worth of just that error :)
>>
>> So two questions:
>>
>> 1) Is there a way to make rsyslog put the network interface in
>> promiscuous mode for logging, so I don't need these rewrite rules, and
>> it acts more like a silent observer (like SNORT and friends)?
>>
>> 2) Is the "epoll_ctl failed on fd" error something that perhaps is
>> related to an unhandled exception in rsyslog? Or at least an exception
>> that isn't handled very gracefully?
>
> I believe that the fundamental problem is that TCP requires full two-way
> communication with the sender, so you can't just clone the packets and
> have things work (the receiver sends information back to the sender, and
> unless the sender gets it and adjusts future packets appropriately the
> receiver will decide something is very wrong).
>
> If you were to use UDP, you won't have this limitation.

99% of my traffic is UDP logging. It's just some devices that are logging
tcp, but it's enough to make it misbehave. I can just remove the cloning
on the tcp logging, and I still get more than enough traffic.

> One other trick you can pull with UDP (assuming your production and
> preprod servers don't need to talk directly to each other) is that you
> can put the IP address of the production server on the loopback
> interface of your preprod server. If you do this and have something in
> the middle clone the packets (but change their MAC address) then you
> should receive them normally.
>
> Two possible problems with this:
>
> 1. You may have to fix the checksums as well as the MAC address (I don't
> think so, but I'm only 90% or so sure).
>
> 2. If you are on the same VLAN (broadcast domain) as the production
> server, you may have to configure arptables (a variation of iptables) to
> make sure that your preprod server does not respond to any ARP requests
> intended for the production server. For ARP purposes, Linux considers
> the IP addresses assigned to the machine, not any particular interface,
> and will respond on any interface queried if it has the IP address on
> any other interface.
>
> Another option you may want to consider is multicast MAC with UDP. This
> allows you to have multiple machines with the same IP address on one
> network. You can even use CLUSTERIP (part of iptables) to do load
> balancing of inbound traffic across multiple machines. To have multiple
> machines get the same traffic, configure CLUSTERIP to make each machine
> think it is the only box with that IP address.

In other words, this requires more work than I'm willing to put in for my
development server. It's not that important, but more of a curiosity :)

Thank you for your answer.



Regards,
Anders Synstad
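The loopback-address trick and the ARP caveat discussed in this thread, as an added shell example (not from the thread or from the rsyslog project): it puts the production collector's address on the preprod box's loopback and stops the box answering ARP for it. The address 192.0.2.10 and the interface name eth0 are constructed assumptions; the arp_ignore sysctl is an addition of mine, not something the thread proposes.

```shell
#!/bin/sh
# Added example: shadow a production syslog IP on a preprod collector
# without answering ARP for it. 192.0.2.10 (production collector) and
# eth0 (preprod NIC) are constructed values for illustration.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them (root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted quad with octets 0-255, so a typo cannot add a
# bogus address to lo or an over-broad arptables rule.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# setup_shadow_ip <production-ip> <nic>
setup_shadow_ip() {
    ip="$1"; nic="$2"
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    # 1. Put the production address on loopback as a host (/32) address.
    run ip addr add "$ip/32" dev lo
    # 2. Drop ARP requests for that address (the arptables approach from
    #    the thread) so the real collector keeps its ARP entries on the LAN.
    run arptables -A INPUT --destination-ip "$ip" -j DROP
    # 3. Added belt and braces: arp_ignore=1 makes the kernel answer ARP on
    #    this NIC only for addresses configured on it, and lo is not it.
    run sysctl -w "net.ipv4.conf.$nic.arp_ignore=1"
}
```

Run it once in dry-run mode to review the commands, then with DRY_RUN=0; the rsyslog side stays an ordinary UDP listener.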
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com