Interesting point. I am just concerned with the virtual-ness of our servers and crossing the datacenter back and forth. Everything tends to stay up, so I figured relp would be good. but that's a good point you make.
Thanks! On Fri, Oct 11, 2013 at 11:09 AM, David Lang <[email protected]> wrote: > if you are delivering logs over a local switch, simple UDP is very reliable. > > Yes you will loose messages if your destination is down, but if you use > relp, if your destination goes down you stop being able to process messages > entirely and things stop on your sending machine (unless you setup separate > queues for your relp action, and setup watermark parameters to throw away > logs when the queues fill up) > > the real question you need to answer is what you want to happen if the log > cannot be delivered. > > 1. do you want to loose log messages and keep operating > > or > > 2. do you want to have your systems halt (note that you cannot even ssh into > a box without generating a login message) > > > relp is great for when you are sending logs over a long distance link, > because those are far less reliable, but if the messages are just being sent > over a local switch, you should think hard before making the logs too > reliable :-) > > David Lang > > > On Fri, 11 Oct 2013, Jeremy Hoel wrote: > >> I would recommend that if you are copying to another server for second >> record keeping, use relp or at least tcp to ensure that those omfwd >> logs make it to the backup server. >> >> This is the same practice we use (plus sending a smaller subset to >> splunk for analysis) but going to relp for the backup gave us a bit >> more comfort. >> >> On Fri, Oct 11, 2013 at 9:38 AM, robert s <[email protected]> wrote: >>> >>> Great, thanks >>> >>> Robert >>> >>> >>> On Fri, Oct 11, 2013 at 11:32 AM, Rainer Gerhards >>> <[email protected]> wrote: >>>> >>>> The snippet looks good. >>>> >>>> >>>> On Fri, Oct 11, 2013 at 5:28 PM, robert s <[email protected]> >>>> wrote: >>>> >>>>> Hello Everyone, >>>>> >>>>> I would like to be able to send a message to a secondary location for >>>>> file preservation. So I figured I send the message to a mounted share >>>>> (NFS) and then "forward it to the second destination. >>>>> >>>>> If I wanted to forward the message would the config below be correct? >>>>> >>>>> :hostname, contains, "foo" { >>>>> action (type="omfile" >>>>> DirCreateMode="0700" >>>>> FileCreateMode="0644" >>>>> File="/var/log/foo" >>>>> FlushOnTXEnd="on" >>>>> IOBufferSize="8k" >>>>> ) >>>>> action (type="omfwd" >>>>> Target="192.168.166.50" >>>>> Port="514" >>>>> Protocol="udp") >>>>> stop >>>>> } >>>>> _______________________________________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>> http://www.rsyslog.com/professional-services/ >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >>>>> myriad >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>>> DON'T LIKE THAT. >>>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>> DON'T >>>> LIKE THAT. >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
