I think the most probable cause is that the lost messages were in the in-memory queue, which got wiped during restart. To fix that, you'd have to make it disk-assisted and set queue.saveonshutdown to yes. I think you'll find the details in those two links:
http://www.rsyslog.com/doc/queues.html http://www.rsyslog.com/doc/node32.html 2014/1/17 David Lang <[email protected]> > RELP will prevent logs from being lost in transit, but if the log arrived > on the server, but was in the queue when rsyslog was killed, and rsyslog > didn't have time to write it out, you can still loose things. > > how did you kill the rsyslog receiver? > > what does your config look like? (how much stuff are you doing with the > logs?) > > do you have any idea what your queue stats looked like? (impstats) > > If you are having the logs written to a database or something like that, > it's not uncommon for it to take long enough to get the logs out that > rsyslog isn't able to do so at shutdown. > > David Lang > > > On Fri, 17 Jan 2014, Assaf Gordon wrote: > > Hello, >> >> I've setup rsyslogd (version 7.5.8) with RELP and TLS on two machines >> (one server, one client). >> >> For testing purposes, I've sent repeated messages from the client to the >> server, but killed and restarted the server during those messages. >> The result is that I've lost some messages, despite using RELP. >> >> It was my understanding the RELP will ensure message delivery, even if >> the connection fails for a little while - perhaps I understood incorrectly? >> or configured something incorrectly? >> >> Any help will be appreciated. >> Thanks! >> -gordon >> >> >> My setup is as follows: >> >> Server side: >> -- >> $ cat server.conf >> module(load="imrelp" ruleset="relp") >> input(type="imrelp" port="20517" tls="on") >> ruleset (name="relp") { action(type="omfile" file="/tmp/server.log") } >> $ rsyslogd -f /tmp/server.conf -p /tmp/server.pid >> -- >> >> Client side: >> -- >> $ cat client.conf >> module(load="imuxsock" SysSock.Use="off") >> module(load="omrelp") >> input(type="imuxsock" Socket="/tmp/client.sock" CreatePath="on") >> action(type="omrelp" target="1.2.3.4" port="20517" tls="on") >> $ rsyslogd -f /tmp/client.conf -p /tmp/client.pid >> -- >> >> Sending messages from the client side: >> -- >> $ for i in $(seq 100) ; do echo "Message $i" ; sleep 1 ; done | \ >> logger -u /tmp/client.sock -d >> -- >> >> The messages (E.g. "Message 1", "Message 2", etc.) appear as expected in >> the server log "/tmp/server.log". >> >> I then kill the server process, and restart it immediately. >> >> Few seconds later, the rest of the messages start arriving (e.g. "Message >> 48", "Message 49"), >> >> BUT, >> The messages that were sent during the server downtime (e.g. "Message >> 18", "Message 20") never arrive, or at least do not appear in the log. >> >> The log has one additional message, appearing after the first "resumed" >> message: >> === >> 2014-01-17T21:11:56.616438+00:00 ip-10-9-133-98 rsyslogd0: action >> '(null)' resumed [try http://www.rsyslog.com/e/0 ] >> === >> Not sure if this is an error or not. >> >> >> I'm using: >> librelp 1.2.2 >> libee 0.4.1 >> libestr 0.1.9 >> libjsonc 0.11 >> liblognorm 0.3.7 >> rsyslogd 7.5.8 >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> >> _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

