On Fri, 4 Mar 2016, Avleen Vig wrote:
Subject: Re: [rsyslog] Forwarding to multiple syslog servers and HA
On Thu, Mar 3, 2016 at 6:30 PM David Lang <[email protected]> wrote:
On Thu, 3 Mar 2016, Avleen Vig wrote:
Hi folks!

I'm looking at setting up some systems, where rsyslog is reading logs from disk and forwarding them to two centralised servers at the same time.

I have a question around a specific failure scenario:
If one of the two central servers goes down, how does rsyslog behave?
Does it keep sending to the other server?
Is the tracking and queuing for each destination independent, or are logs sent serially to each destination and one server being down would block delivery to other remote destinations?
This all depends on how you have things configured.

The default is not to have separate queues for different outputs, but that's something you can configure.

If you use UDP, you don't know if the log is getting to the destination or not.

If you use TCP, and the network queues fill up, processing will stop until it clears (if you have a separate queue for that output, only processing on that queue will stop, if you share a queue with some other output, processing for that other output will stop as well).

Each queue has a worker thread that loops through all outputs for that queue, trying to deliver to them in turn. If one blocks that worker has the choice (configurable) to either block, or throw away the log for that output and continue to the next one.

By default rsyslog has one main queue. You can configure additional queues for either actions or rulesets.

It's strongly recommended that you use a current version and the new syntax when configuring queues. It makes it MUCH clearer what is happening.
Thanks David!
That's actually exactly what I needed to know.
When you say "current version", do you mean 8.x?
RHEL ships with 7.4.7, if that's current enough. If not, I'll grab 8.16.
7.4.7 is new enough to have the new syntax, but there are a LOT of fixes and new
features by 8.16 (8.17 is due to be released Tuesday).
For end nodes that just need to send logs in to your central server, 7.4.7 is
probably good enough (although if you trip over any bugs on it, just go to a
current version).
But on your log relays and central servers, or anywhere that you start doing
more complex stuff, just go to the current version. When you ask questions here,
we are always going to be thinking in terms of the most current version. Bugs
get fixed in the most current version and only some get backported by the distro
to the older versions.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
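
The per-destination queue setup described in the reply above, written in the new `action()` syntax as an added example; it is not configuration posted by anyone in the thread. The hostnames, file paths, queue names and the 1g spool limit are placeholders chosen for illustration, and the file is written for an 8.x rsyslog.

```rsyslog
# Added example: placeholders throughout, not taken from the thread.

# Directory where disk-assisted action queues spool while a destination is down.
global(workDirectory="/var/spool/rsyslog")

# Read an application log from disk (path and tag are placeholders).
module(load="imfile")
input(type="imfile" File="/var/log/app/app.log" Tag="app:")

# Destination A.
# Setting queue.type to anything other than the default "Direct" gives this
# action its own queue and worker thread, so a stalled TCP connection to
# central-a only backs up this queue, not the main queue or destination B.
# queue.filename turns on disk assistance; action.resumeRetryCount="-1"
# means "keep retrying" instead of discarding after a failed delivery.
action(type="omfwd" name="fwd_central_a"
       target="central-a.example.net" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_central_a"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# Destination B: same settings, separate queue and separate spool file name.
action(type="omfwd" name="fwd_central_b"
       target="central-b.example.net" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_central_b"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# For comparison, the shared-queue case from the reply: with no queue.*
# parameters both actions are executed by the main queue's worker, so a
# blocked TCP send to one server also holds up delivery to the other.
# action(type="omfwd" target="central-a.example.net" port="514" protocol="tcp")
# action(type="omfwd" target="central-b.example.net" port="514" protocol="tcp")
```

`rsyslogd -N1 -f <file>` checks the configuration syntax without starting the daemon.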