Hi David, Thanks for your answer. Waiting to hear you again :)
Actually my main issue is to avoid to spool on the source server and send all my logs to the spooling server. Regards, Smana ----- Mail original ----- De: "David Lang" <[email protected]> À: "rsyslog-users" <[email protected]> Envoyé: Mercredi 11 Mars 2015 15:45:22 Objet: Re: [rsyslog] Spooling server per datacenter here are some things to get you started. When I get to work today I can give you examples of my live configs. https://www.usenix.org/publications/login/august-2013-volume-38-number-4/enterprise-logging https://www.usenix.org/publications/login/october-2013-volume-38-number-5/log-filtering-rsyslog to handle the problem of network interruptions backing things up, you will need to create some additional queues (lookup action queues and rulesets). I'll post more later. You are on the right track. David Lang On Wed, 11 Mar 2015, [email protected] wrote: > Date: Wed, 11 Mar 2015 15:37:19 +0100 (CET) > From: [email protected] > Reply-To: rsyslog-users <[email protected]> > To: rsyslog-users <[email protected]> > Subject: Re: [rsyslog] Spooling server per datacenter > > Please let me know i you need more info. > > OS : debian wheezy > rsyslog version : 8.8.0.ad1-1 > > Regards, > Smana > > > ----- Mail original ----- > De: [email protected] > À: "rsyslog-users" <[email protected]> > Envoyé: Mercredi 11 Mars 2015 09:44:45 > Objet: [rsyslog] Spooling server per datacenter > > Hi guys, > > Could you please help me to find out the proper configuration for the > following use case ? > > * We have multiple datacenters > * All our logs are sent to a central analytic platform > * In each dc we'd like to have a spooling server which will keep to logs in > case of network failure. > * All the logs from the sources servers have to be sent to the spooling > server (no spooling on source servers) > * Relp if it's possible > > To summarize : > source servers -> spooling server -> analytics plateform > > I tried to use relp but when the destination (analytics pf) is unreachable > all the log flow slows down, even on source servers. > With tcp the source server keeps to send but i don't see my spooling space > growing. I presume i'm loosing data (i'll do further tests) > When i use the option "action.resumeRetryCount="-1" when the destination is > uncheachable the log flow stops completely... > > Here is my current configuration > > Source server: > module(load="impstats" > format="json" > interval="60" > log.syslog="off" > log.file="/var/log/rsyslog-stats.log" > severity="7") > > module(load="imtcp") > input(type="imtcp" port="514") > > if $programname startswith 'foo.' then @@bar.domain.tld:514 > > Spooling server: > > module(load="imtcp") > input(type="imtcp" port="514") > > module(load="impstats" > format="json" > interval="60" > log.syslog="off" > log.file="/var/log/rsyslog-stats.log" > severity="7") > > if $programname startswith 'foo.' then { > action(type="omfwd" > action.resumeRetryCount="-1" > name="spooling" > target="analytics" > port="514" > protocol="tcp" > queue.filename="eggforward" > queue.spoolDirectory="/var/spool/rsyslog" > queue.type="LinkedList") > } > > Thanks for your help > Smana > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
