Here are some things to get you started. When I get to work today I can give you
examples of my live configs.

https://www.usenix.org/publications/login/august-2013-volume-38-number-4/enterprise-logging
https://www.usenix.org/publications/login/october-2013-volume-38-number-5/log-filtering-rsyslog

To handle the problem of network interruptions backing things up, you will need
to create some additional queues (look up action queues and rulesets). I'll post
more later.

You are on the right track.

David Lang
On Wed, 11 Mar 2015, [email protected] wrote:
Date: Wed, 11 Mar 2015 15:37:19 +0100 (CET)
From: [email protected]
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Spooling server per datacenter
Please let me know if you need more info.
OS : debian wheezy
rsyslog version : 8.8.0.ad1-1
Regards,
Smana
----- Original Message -----
From: [email protected]
To: "rsyslog-users" <[email protected]>
Sent: Wednesday, 11 March 2015 09:44:45
Subject: [rsyslog] Spooling server per datacenter
Hi guys,
Could you please help me to find out the proper configuration for the following
use case?

* We have multiple datacenters
* All our logs are sent to a central analytics platform
* In each DC we'd like to have a spooling server which will keep the logs in
case of network failure.
* All the logs from the source servers have to be sent to the spooling server
(no spooling on source servers)
* RELP if it's possible

To summarize:

source servers -> spooling server -> analytics platform

I tried to use RELP, but when the destination (analytics platform) is unreachable all
the log flow slows down, even on source servers.
With TCP the source server keeps sending, but I don't see my spooling space
growing. I presume I'm losing data (I'll do further tests).
When I use the option action.resumeRetryCount="-1" and the destination is
unreachable, the log flow stops completely...

Here is my current configuration:

Source server:

    module(load="impstats"
           format="json"
           interval="60"
           log.syslog="off"
           log.file="/var/log/rsyslog-stats.log"
           severity="7")

    module(load="imtcp")
    input(type="imtcp" port="514")

    if $programname startswith 'foo.' then @@bar.domain.tld:514

Spooling server:

    module(load="imtcp")
    input(type="imtcp" port="514")

    module(load="impstats"
           format="json"
           interval="60"
           log.syslog="off"
           log.file="/var/log/rsyslog-stats.log"
           severity="7")

    if $programname startswith 'foo.' then {
        action(type="omfwd"
               action.resumeRetryCount="-1"
               name="spooling"
               target="analytics"
               port="514"
               protocol="tcp"
               queue.filename="eggforward"
               queue.spoolDirectory="/var/spool/rsyslog"
               queue.type="LinkedList")
    }

Thanks for your help
Smana
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
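
Added example, not part of the original thread or of anyone's live configuration: both servers above already write impstats JSON to /var/log/rsyslog-stats.log, so the suspicion of lost data can be checked by comparing the queue and action counters between snapshots. The sample lines, their values and the queue name "spooling queue" are constructed for illustration, and the counters are assumed to be cumulative (impstats counters not reset between intervals).

```python
import json

# Constructed sample of /var/log/rsyslog-stats.log (impstats format="json"); values are made up.
SAMPLE = """\
Wed Mar 11 15:40:00 2015: {"name":"spooling","origin":"core.action","processed":1200,"failed":0,"suspended":0,"suspended.duration":0,"resumed":0}
Wed Mar 11 15:40:00 2015: {"name":"spooling queue","origin":"core.queue","size":12,"enqueued":1200,"full":0,"discarded.full":0,"discarded.nf":0,"maxqsize":40}
Wed Mar 11 15:41:00 2015: {"name":"spooling","origin":"core.action","processed":1200,"failed":0,"suspended":1,"suspended.duration":30,"resumed":0}
Wed Mar 11 15:41:00 2015: {"name":"spooling queue","origin":"core.queue","size":1000,"enqueued":2450,"full":3,"discarded.full":250,"discarded.nf":0,"maxqsize":1000}
"""

def parse_stats(text):
    """Return the JSON objects found in impstats log lines, skipping anything else."""
    records = []
    for line in text.splitlines():
        _, brace, body = line.partition("{")   # tolerate a timestamp prefix before the JSON
        try:
            rec = json.loads(brace + body)
        except ValueError:
            continue                           # no JSON on this line, or a truncated record
        if isinstance(rec, dict) and "name" in rec:
            records.append(rec)
    return records

def assess(records):
    """Compare the first and last snapshot of each object; return {name: [findings]}."""
    first, last = {}, {}
    for rec in records:
        key = (rec.get("origin"), rec["name"])
        first.setdefault(key, rec)
        last[key] = rec
    findings = {}
    for (origin, name), end in last.items():
        begin = first[(origin, name)]
        def delta(field):
            return end.get(field, 0) - begin.get(field, 0)
        notes = []
        if origin == "core.queue":
            lost = delta("discarded.full") + delta("discarded.nf")
            if lost > 0:
                notes.append(f"{lost} messages discarded")
            if delta("full") > 0:
                notes.append(f"queue full {delta('full')} time(s)")
            if delta("size") > 0:
                notes.append(f"backlog grew from {begin['size']} to {end['size']}")
        elif origin == "core.action" and delta("suspended") > 0:
            notes.append(f"action suspended {delta('suspended')} time(s)")
        if notes:
            findings[name] = notes
    return findings
```

A rising discarded.full or discarded.nf counter on the forwarding queue means messages were dropped rather than spooled, while a growing size with no discards means the backlog is being held.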