On Thu, 1 Dec 2016, [email protected] wrote:
> Hi Bob.
> Today we finally found some time to have an eye on our
> rsyslog-normalizer-indexer which uses omelasticsearch.
> According to
> http://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html
> the indexing parameter *errorfile* helps to store failed indexing attempts.
> How do you handle those errors?
> We are thinking of
> * setting errorfile=file
> * imfile ruleset=omelasticsearch
> * elastic template like: {index="errors" msg="rawmsg" }, and keep an
>   eye on that
> What do you think?

I think that you are going to end up with some grief. If the message could not
be inserted into ES for some reason, I think the odds are good that you will
find that rawmsg can't be inserted either.

I would keep the errorfile as a file and look at it periodically. I expect that
when you first start things up, you will run into a number of errors, but once
you work your way through them, the error rate will be low.

Set your monitoring system to monitor the size of the errorfile, and if it
starts growing significantly, generate an alert.

David Lang
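
One way to implement the errorfile size check suggested in the reply above, as an added example that is not part of the original thread or of rsyslog. The function name, file paths and byte thresholds are assumptions; it follows the usual monitoring-plugin exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

```shell
#!/bin/sh
# Added example: Nagios-style check for growth of the omelasticsearch errorfile.
# File paths and byte thresholds are assumptions, not values from the thread.

# check_errorfile_growth FILE STATE_FILE WARN_BYTES CRIT_BYTES
# Compares FILE's size with the size saved in STATE_FILE by the previous run.
# Returns 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN).
check_errorfile_growth() {
    file=$1; state=$2; warn=$3; crit=$4

    # No errorfile yet: treat as nothing recorded and reset the saved size.
    if [ ! -e "$file" ]; then
        echo 0 > "$state"
        echo "OK: $file does not exist"
        return 0
    fi
    if [ ! -r "$file" ]; then
        echo "UNKNOWN: cannot read $file"
        return 3
    fi
    size=$(wc -c < "$file" | tr -d ' ')

    # First run: record a baseline so start-up errors already in the file
    # do not raise an alert.
    if [ ! -r "$state" ]; then
        echo "$size" > "$state"
        echo "OK: baseline of $size bytes recorded for $file"
        return 0
    fi
    prev=$(cat "$state")
    case $prev in ''|*[!0-9]*) prev=0 ;; esac   # ignore a corrupt state file

    # A smaller size than last time means rotation or truncation:
    # everything now in the file is new.
    if [ "$size" -lt "$prev" ]; then growth=$size; else growth=$((size - prev)); fi
    echo "$size" > "$state"

    if [ "$growth" -ge "$crit" ]; then
        echo "CRITICAL: $file grew by $growth bytes (now $size)"; return 2
    elif [ "$growth" -ge "$warn" ]; then
        echo "WARNING: $file grew by $growth bytes (now $size)"; return 1
    fi
    echo "OK: $file grew by $growth bytes (now $size)"
    return 0
}

# Example call from cron or a monitoring agent (hypothetical paths):
# check_errorfile_growth /var/log/rsyslog/es-errors.json /var/tmp/es-errors.size 1024 1048576
```

Because the check alerts on growth since the previous run rather than on absolute size, the errors left over from initial setup do not keep it in an alerting state.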