Greetings. I'm looking for some advice/help. I would like to send all syslog logs from clients to a syslog server via RELP.

I currently have a syslog-server receiving UDP syslogs. I would like to move to using RELP for obvious reasons (reliability). In the interim, I will send logs to both servers; UDP logs to the existing server and RELP logs to a new syslog server. I will eventually remove the UDP syslog server once this is rolled out.

I implemented this strategy with rsyslog 5.8 (rsyslog5 package from CentOS 5) with varied and disappointing results. I had problems with queued logs being sent when the RELP server resumed, queue files not being cleaned up etc. I have since moved to rsyslog v7 stable from the adiscon repo (thank you for providing these RPMs). I have read the docs on queues and actions, but I would appreciate any feedback regarding the configuration below.

My requirements are (in my mind) simple:
1) Send all syslog logs to a central server reliably.
2) No local log file storage.
3) Queue logs locally if the syslog server is down.
4) Send queued logs to the syslog server when it becomes available.
5) Discard logs if the queue is full.
6) If the syslog server is down, the applications logging should not be impacted.

Some information about the environment. The Java applications either log to syslog directly (using syslog UDP protocol to localhost - the rsyslog daemon forwards them to the RELP server) or to a named pipe (read by logger < NAMED_PIPE or tail -F NAMED_PIPE | logger -p local0.info -t application).

Any comments are appreciated. I would like to provide the final configuration on the web site as a helpful starting configuration.

Thank you for your time,
Alan Edmonds
[email protected]

=======
# Provides kernel logging support (previously done by rklogd)
module(load="imklog")

# Provides support for local system logging (e.g. via logger command)
module(load="imuxsock" SysSock.RateLimit.Interval="0" )

# statistics
module(load="impstats" interval="600" facility="16" /* local0 */ )

# action 1
module(load="imudp")
input(type="imudp" address="127.0.0.1" port="514")

# RELP support
module(load="omrelp")

# in the case of logging to localhost, ensure hostname is the correct hostname.
$Template ForceHostnameFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %$myhostname% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
$ActionFileDefaultTemplate ForceHostnameFormat

$MaxMessageSize 65536
$RepeatedMsgReduction off

$WorkDirectory /data/logs/rsyslog/work # default location for work (spool) files
#$MainMsgQueueFileName mainq # set file name, also enables disk mode
#$MainMsgQueueMaxFileSize 100m
$MainMsgQueueTimeoutEnqueue 1

$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$ActionQueueTimeoutEnqueue 1 # 1 millisecond - don't set to zero!
$ActionResumeInterval 5
$ActionQueueDiscardSeverity 8 # don't discard any messages
$ActionQueueCheckpointInterval 10000
$ActionQueueDequeueBatchSize 5000
$ActionQueueWorkerThreads 100
$ActionQueueMaxFileSize 100m
$ActionQueueMaxDiskSpace 5g

# send everything on
*.* @syslog-server;ForceHostnameFormat
## send to rsyslogd on dp cluster using relp.
#& :omrelp:syslog-relp:20514;ForceHostnameFormat

# Everybody gets emergency messages
*.emerg :omusrmsg:
=====
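An added example, not part of the original post: legacy `$ActionQueue*` directives apply only to the next action and are then reset to defaults, so this check reports which action in a config like the one above actually receives the disk-assisted queue. The function names and the action-line heuristic are assumptions; the sample is an excerpt of the posted config with the RELP line uncommented.

```python
import re

# Excerpt of the posted configuration. The RELP line is uncommented here
# (constructed variant) to show which queue settings it would inherit.
SAMPLE_CONF = """\
$WorkDirectory /data/logs/rsyslog/work # default location for work (spool) files
$MainMsgQueueTimeoutEnqueue 1
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionQueueSaveOnShutdown on
$ActionQueueMaxDiskSpace 5g
# send everything on
*.* @syslog-server;ForceHostnameFormat
& :omrelp:syslog-relp:20514;ForceHostnameFormat
*.emerg :omusrmsg:
"""

# Only $ActionQueue* directives are tracked; directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\$(ActionQueue\w+)\s+(\S+)", re.IGNORECASE)


def bind_queue_directives(conf_text):
    """Return [(action_line, {directive: value})] in config order.

    $ActionQueue* directives accumulate until the next action line,
    are attached to that action, and are then reset.
    """
    pending, actions = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            pending[m.group(1).lower()] = m.group(2)
        elif line.startswith(("$", "module(", "input(")):
            continue  # other directives and v7 objects are not actions
        else:
            # Heuristic (assumption): what remains is "selector action" or "& action".
            actions.append((line, pending))
            pending = {}
    return actions


def actions_without_disk_queue(conf_text):
    """Actions that got no queue file name, i.e. no disk-assisted queue."""
    return [a for a, q in bind_queue_directives(conf_text)
            if "actionqueuefilename" not in q]


if __name__ == "__main__":
    for action in actions_without_disk_queue(SAMPLE_CONF):
        print("no disk queue:", action)
```
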

