On Thu, 1 Dec 2016, mosto...@gmail.com wrote:

Hi Bob.

Today we finally found some time to have an eye on our rsyslog-normalizer-indexer which uses omelasticsearch

According to http://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html indexing parameter *errorfile* helps to store failed indexing attempts.

How do you handle those errors?
We are thinking on

* setting errorfile=file
* imfile ruleset=omelasticsearch
* elastic template like: {index="errors" msg="rawmsg" }, and keep an
  eye on that

What do you think?

I think that you are going to end up with some grief, if the message could not be insterted into ES for some reason, I think the odds are good that you will find that rawmsg can't be inserted either.

I would keep the errorfile as a file and look at it periodially. I expect that when you first start things up, you will run into a number of errors, but once you work your way though them, the error rate will be low.

Set your monitoring system to monitor the size of the errorfile, and it it starts growing significantly, generate an alert.

David Lang
rsyslog mailing list
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 

Reply via email to