Am 25.05.2016 um 08:26 schrieb Rainer Gerhards:
2016-05-25 8:22 GMT+02:00 Thomas Güttler <[email protected]>:
Am 24.05.2016 um 17:40 schrieb Rainer Gerhards:
2016-05-24 17:10 GMT+02:00 Thomas Güttler <[email protected]>:
Hi,
I have some remote hosts which can't connect to our central host.
Up to now we do dirty file based fetching of log files.
This has a major draw back:
- If logrotate runs, then some lines could get lost.
If you first move the file and only after that HUP rsyslogd, no lines
will get lost. The other way around can loose messages. Rsyslog keeps
the fd open (fd != file name) until HUP, so will write to the moved
files until HUP.
Yes, I am sure, that rsyslog won't loose a single line if you rotate like
you describe it.
But since the logs get fetched, not pushed, I can't synchronise the
fetch and rotate process. ... ok, it could be synchronised, but
this makes things complicated.
Probaly I misunderstand what you mean by "fetched". I assumed that you
a) send logs to rsyslog
b) rsyslog writes them to a file
c) you HUP rsyslog
d) you fetch the file (after HUP and maybe a decent wait)
Do you mean that
- rsyslog reads logs via imfile? That shouldn't change the picture.
- you continously rsync the log files while rsyslog is writing to it?
Yes, we have done rsyncing log files which still get written in the past.
We want to leave this dirty solution.
I think I have a solution now: disk-queues:
http://www.rsyslog.com/doc/v8-stable/concepts/queues.html#disk-queues
Performance is no problem in my current context, but reliability counts.
Up to now we had no permanent internet connection to the remote-host (where
the logs get created). I am not responsible for the network, but AFAIK
up to 3 VPNs get crossed. This means a downtime for some hours happens
several time per year. We need to handle this gracefully.
We could create a permanent ssh tunnel: The rsysylog on remote-hosts gets told
to
transport logs to localhost:SOME-PORT. This port gets provided via
ssh-tunneling.
If one VPN is down because an admin "is playing with the firewall", then the remote-host can't connect to
localhost:SOME-PORT (the central host) and can store all logs on disk, until the
tunnel works again.
Conclusion: This means rsyslog has all we need, and an active fetching is not
needed.
I guess the scenario (remote-host can not connect central host) is quite
uncommon.
Do you think my solution (ssh tunnel) will work? Do you see an easier way?
Regards,
Thomas Güttler
--
Thomas Guettler http://www.thomas-guettler.de/
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
