One thing we could try is if KEEPALIVE helps. I would need to add this feature to the forwarder (it's usually not required there...).
HOWEVER, this means you would need to compile a 8.3 version from source and install it on your system. Is that something that you can do (I ask because I don't want to waste time implementing something that never gets tested - no hard feelings if you can't do it, then I simply do not implement it and nothing lost). Thanks, Rainer On Fri, Jul 4, 2014 at 12:19 PM, Max Williams <[email protected]> wrote: > Thanks for the replies. > > I changed the configuration back to this: > *.* @@<remote1>:514 > $ActionExecOnlyWhenPreviousIsSuspended on > &@@<remote2>:514 > $ActionExecOnlyWhenPreviousIsSuspended off > > And did a new test where I disconnected the NIC of remote1 (it's a VM). I > still have the same issue. Even after 90 mins the TCP connection is like > this with no failover: > tcp 0 1 <local host>:43671 <remote1>:514 > SYN_SENT 21313/rsyslogd > > Tcpdump shows the rsyslog client host still periodically sending packets > to the remote1 syslog server: > 11:07:00.467511 IP local_host.43668 > remote1.shell: Flags [S], seq > 410913284, win 14600, options [mss 1460,sackOK,TS val 449353897 ecr > 0,nop,wscale 7], length 0 > 11:07:16.467486 IP local_host.43668 > remote1.shell: Flags [S], seq > 410913284, win 14600, options [mss 1460,sackOK,TS val 449369897 ecr > 0,nop,wscale 7], length 0 > 11:07:48.467872 IP local_host.43670 > remote1.shell: Flags [S], seq > 251799711, win 14600, options [mss 1460,sackOK,TS val 449401897 ecr > 0,nop,wscale 7], length 0 > ...every 30s or so. > > Would this be some sort of firewall issue that is preventing the rsyslog > client host from deciding the connection is finished? There is an unknown > amount of network infrastructure between the rsyslog client host and the > syslog server. > Local logging has also stopped on the rsyslog client host, I think this is > expected though as there are no queues configured. > > Kind regards, > Max > > -----Original Message----- > From: [email protected] [mailto: > [email protected]] On Behalf Of Rainer Gerhards > Sent: 03 July 2014 16:05 > To: rsyslog-users > Subject: Re: [rsyslog] Failover destination doesn't work if TCP connection > not closed properly? > > On Thu, Jul 3, 2014 at 4:58 PM, user01 <[email protected]> wrote: > > > > > Hi > > > > On Wed, 2 Jul 2014 22:59:03 -0700 (PDT) David Lang <[email protected]> > > wrote: > > > > > > > > even with drop a failover should work > > > > Dropping a packet via paketfilter still leaves arp-resolution intact. > > Therefore > > intermediate routers (or your log-client) will not generate a "host > > unreachable" > > or something similar. It would be up to the associated tcp-client > > (rsyslogd in this > > case) to detect subsequent connection failures > > > what rsyslog does is pretty straightforward: it uses the regular (socket) > API calls and expects the OS to return an error if there is one. So I > conclude the OS also does not know this connection is broken. > > Rainer > > > and flag an error. Your OS can`t do > > anything about this situation. > > Maybe dropping arp-resolution for that particular client or server > > could simulate an more accurate "syslog-server has died"? :) > > > > Regards > > user01 > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites > beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE > THAT. > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud service. > For more information please visit http://www.symanteccloud.com > ______________________________________________________________________ > > ____________________________ > > The London Metal Exchange is a company incorporated in England and Wales > with registered number 02128666, VAT registered number GB 918 4582 96 and > having its registered office at 56 Leadenhall Street, London EC3A 2DX. > > LME Clear Limited is a company incorporated in England and Wales with > registered number 07611628, VAT registered number GB 918 4582 96 and having > its registered office at 56 Leadenhall Street, London EC3A 2DX. > > The London Metal Exchange is a recognised investment exchange, supervised > by the Financial Conduct Authority (FCA). > > This email may have been sent on behalf of The London Metal Exchange, LME > Clear Limited, or jointly on behalf of both. > > Please note that this message is intended for the named recipient(s) only. > Its contents may be confidential or subject to professional privilege. If > you are not an intended recipient, you may not disclose, copy or use in any > way the information contained in it; please delete it and notify > [email protected] immediately and delete it from your system. > > Unless expressly attributed, the views expressed in this email do not > necessarily represent the views of the London Metal Exchange or LME Clear > Limited. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
