Hi,
I have a problem with forwarding logs to a remote rsyslog server. My test setup
consists of the following:

sender:
On the sender side, I have a script which writes a log line to
a file every 5 seconds. Rsyslog then has a listener on this file and sends
every line to the server, called “receiver”.
Following is the configuration of the sender:
##############################################################
input(type="imfile"
      File="/home/sender/Documents/test_to_forward.txt"
      Tag="test_to_forward1"
      reopenOnTruncate="on"
)
$template RAW, "%rawmsg:1:20480%\n"
action(type="omfwd"
       #action.errorfile="/home/sender/Documents/ERROR.TEST"
       Target="192.168.56.201"
       Port="12345"
       Protocol="tcp"
       template="RAW"
       KeepAlive="on"
       KeepAlive.Probes="1"
       KeepAlive.Interval="1"
       KeepAlive.Time="1"
       #compression.stream.flushOnTXEnd="off"
       compression.mode="stream:always"
       ResendLastMSGOnReconnect="on")
& stop
#############################################################

receiver:
The receiver receives the log lines through imptcp and writes them
to a file.
Following is the configuration of the receiver:
#############################################################
input(type="imptcp"
      name="12345-tcp-test_to_receive"
      compression.mode="stream:always"
      port="12345"
      ruleset="12345-tcp-test_to_receive")
ruleset(name="12345-tcp-test_to_receive"){
    action(type="omfile"
           File="/home/receiver/Documents/test_to_receive.txt"
           template="raw")
    stop
}
############################################################

Forwarding logs is working fine; even when the receiver is offline, it resumes and
I don’t lose log lines. But when I stop the rsyslog service and then restart it
again, I lose all log lines sent during this time, although /var/log/syslog
shows:

May 7 14:05:47 sender rsyslogd: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.56.201:12345 [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:05:47 sender rsyslogd: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.56.201:12345 [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:05:47 sender rsyslogd: action 'action 0' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.32.0 try http://www.rsyslog.com/e/2007 ]
May 7 14:05:47 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:05:47 sender rsyslogd: action 'action 0' suspended (module 'builtin:omfwd'), next retry is Mon May 7 14:06:17 2018, retry nbr 0. There should be messages before this one giving the reason for suspension. [v8.32.0 try http://www.rsyslog.com/e/2007 ]
May 7 14:05:47 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:05:47 sender rsyslogd: action 'action 0' suspended (module 'builtin:omfwd'), retry 1. There should be messages before this one giving the reason for suspension. [v8.32.0 try http://www.rsyslog.com/e/2007 ]
May 7 14:05:47 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]

The omfwd module keeps sending messages and deletes them from the queue.
Shouldn’t rsyslog recognize that the TCP connection is refused and save the
messages in the queue to send them later, and not discard the messages? In
/var/log/syslog, every few seconds

May 7 14:06:17 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]

appears, but it still forwards the messages and so they get lost. Is this a
bug? When the receiver is disconnected completely from the network, it
correctly stores the logs in the queue and sends them when the receiver is back
online, but this is not the case when rsyslog on the receiver is
stopped/restarted.

Greetings Michael
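
An added example, not part of the original post: a Python script that groups the omfwd failure messages quoted above into per-target outage windows, which bounds the interval in which forwarded lines may be missing on the receiver. The sample log is constructed in the format shown in the post, and the function names and the 90-second grouping gap (chosen from the 30-second retry interval visible in the quoted log) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the sender's /var/log/syslog in the message format
# quoted in the post; entries after 14:06:17 are invented for the example.
SAMPLE = """\
May 7 14:05:47 sender rsyslogd: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.56.201:12345 [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:05:47 sender rsyslogd: action 'action 0' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.32.0 try http://www.rsyslog.com/e/2007 ]
May 7 14:05:47 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:06:17 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:06:47 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:20:03 sender rsyslogd: cannot connect to 192.168.56.201:12345: Connection refused [v8.32.0 try http://www.rsyslog.com/e/2027 ]
May 7 14:20:09 sender CRON[811]: (root) CMD (true)
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8}) (\S+) rsyslogd(?:\[\d+\])?: (.*)$")
TARGET = re.compile(r"(?:cannot connect to|destruct TCP Connection to) (\S+?):(\d+)\b")

def outage_windows(text, year, max_gap=timedelta(seconds=90)):
    """Group omfwd connection failures into per-target outage windows.
    Failures for one target at most max_gap apart count as a single outage.
    Returns {target: [(first_failure, last_failure, failure_count), ...]}."""
    windows = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        t = m and TARGET.search(m.group(3))
        if not t:
            continue  # not an rsyslogd line that names a forwarding target
        # Traditional syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        spans = windows.setdefault(f"{t.group(1)}:{t.group(2)}", [])
        if spans and ts - spans[-1][1] <= max_gap:
            first, _, count = spans[-1]
            spans[-1] = (first, ts, count + 1)   # extend the open window
        else:
            spans.append((ts, ts, 1))            # start a new window
    return windows

def report(text, year=2018):
    """One human-readable line per outage window."""
    lines = []
    for target, spans in outage_windows(text, year).items():
        for first, last, count in spans:
            lines.append(f"{target} unreachable {first:%H:%M:%S}-{last:%H:%M:%S} "
                         f"({count} failures, >= {(last - first).seconds}s)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Comparing each window against the timestamps of the lines written to the receiver's output file shows whether the gap there matches the period in which omfwd reported the target as unreachable.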