I have just begun to experiment with multiple instances of rsyslog on a
single server but have not experienced an issue with one affecting the
other, nor would I expect to. Make sure everything is segregated
between instances including work directories, config directories, queue
directories, service names and configurations, ports and files used, and
even input, ruleset and action names for ease of identification. That
is to say, make very sure that no instance is trying to do the same
thing as another, especially from a system local event processing
perspective.

I would expect the instance receiving data from the service provider to
have a very simple config using only the input and output modules
needed, with a single input to a single queued output, and no local
system event processing. It would be the simplest of raw message relays.

What version on what OS are you using? Keep in mind that if it's a
distro default it may be somewhat out of date.

Regards,

On 3/7/19 9:21 AM, João Pereira wrote:
Hi all,
We are facing an issue with rsyslog and we cannot find what is happening
behind.
We're using rsyslog to receive logs from one of our providers, the problem
is that the provider stops sending logs (during approx. 10m) when it detects
the receiver is down meaning that every time we restart rsyslog server we
lose logs for ~10m.
As we cannot control what the provider does, we came up with the idea of
having two rsyslog services on our machines. The first would only receive
the logs sent by our provider and forward them to the other rsyslog
service, the latter being responsible for parsing the logs and sending them to
elasticsearch. This would allow us to change the configuration on the
second service (which are changes mostly on parsing rules) without having
to restart the forwarding service that contacts with our provider.
That way we would be able to fool our provider because the forwarding
service would always be available, this sounded good on paper but when we
put it in production we realised that when we restart the second service
the first hangs (stops working for a while) and the failure is detected by
our provider which stops sending logs.
Is there any way to improve this setup? Can we make the forwarding service
not hang? Why does rsyslog have this behaviour?
Thanks in advance
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
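
A minimal relay-instance configuration of the kind the reply describes (one input, one queued forwarding action, no local log sources), as an added example that is not from the thread. The TCP transport, ports, paths and object names are assumptions.

```rsyslog
# /etc/rsyslog-relay.conf  (hypothetical path, relay instance only)
# Constructed example: every port, path and name below is an assumption.
# Start it with its own config and pid file, for example:
#   rsyslogd -f /etc/rsyslog-relay.conf -i /run/rsyslogd-relay.pid

# Work directory used only by this instance; the parsing instance must
# point at a different directory so queue files never collide.
global(workDirectory="/var/spool/rsyslog-relay")

# Only the network input is loaded. imuxsock, imklog and imjournal are
# deliberately absent, so this instance does no local event processing.
module(load="imtcp")

# Single input, bound to its own ruleset and given a distinct name.
input(type="imtcp" name="in_provider" port="514" ruleset="rs_relay")

ruleset(name="rs_relay") {
    # Single output with its own action queue. While the parsing
    # instance is down, messages are buffered here (in memory, spilling
    # to disk under workDirectory) and retried until it returns.
    action(
        type="omfwd"
        name="fwd_to_parser"
        target="127.0.0.1"
        port="10514"
        protocol="tcp"
        queue.type="LinkedList"
        queue.filename="fwd_to_parser"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
}
```

The parsing instance would listen on the assumed port 10514 with its own work directory, pid file and service name, so the two instances share nothing.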