On 12/17/2012 05:02 PM, David Lang wrote:
My guess is that something is interrupting the TCP connection and logs then stop (possibly a firewall or NAT timeout), logs are then buffered until something gets restarted and they start flowing again.
Right you were! Tested this out by commenting out the @@loghost.brandeis.edu entry, and things worked locally. I'd prefer to send syslog messages via UDP, anyhow.
I'll play around with this some more in the morning. Pretty clear that I need to read up a bit on syslog overall. Thanks for steering me in the right direction.
John
However, I don't see anything in your config that would spool to disk, so it would have to be a HUP refresh on the sender, or a full restart on the reciever that would get logs flowing again (a full stop on the sender would throw away the logs that it has buffered) Ryslog always buffers logs, but usually only does so for a very short time. The internal structure of rsyslog is that it has one or more threads recieving new messages and adding them to a queue (by default in-memory), and one or more threads pulling messages out of the queue and delivering them (either directly, ot to a secondary queue with yet another thread pulling from that queue for delivery) I notice that you have rsyslog set for TCP relaying of messages, you need to be aware that if rsyslog is unable to deliver messages for long enough that it's internal buffering fills up, it will stop accepting new messages, and this will cause systems trying to log to syslog to stop. Rsyslog has config options to let you tell it to throw away logs if it gets too full, or to spill logs out to disk, but you don't appear to have any of these options configured. David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
