On Wed, 14 Oct 2015, Randy Baca wrote:
Thank you for all the help getting this architecture working. All is going well except now that we are rolling it out to a second and third site we are only getting a subset of events forwarded. On the inbound side we are seeing logs from a dozen hosts on udp/514, about 100 events per second overall. On the forward side, only about 10 to 20 events every 30 seconds or so are being sent. Both the localhost on udp/515 and the remote host on tcp/514 are getting the same events forwarded. It is almost as if the rsyslog service intermittently grabs a few logs and forwards them about every 30 seconds. Any ideas?
You are forwarding via TCP, so delays on the receiving system can cause problems. What is the receiving system, and is there any chance that it's getting restarted every minute to roll logs?
You could be sending logs that are getting lost on restart or something like that.
Is the network traffic choppy as well? (tcpdump on the receiving system)

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

