We need at least the config of the initial instane. I guess buffering is not properly set up. May also be a volume problem, what impstats will show.
Rainer João Pereira <[email protected]> schrieb am Do., 7. März 2019, 16:21: > Hi all, > > We are facing an issue with rsyslog and we cannot find what is happening > behind. > > We're using rsyslog to receive logs from one of our providers, the problem > is that the provider stops sending logs (during aprox 10m) when it detects > the receiver is down meaning that every time we restart rsyslog server we > loose logs for ~10m. > > As we cannot control what the provider does, we came up with the idea of > having two rsyslog services on our machines. The first would only receive > the logs sent by our provider and forward them to the other rsyslog > service, the latests being responsible for parsing the logs and send it to > elasticsearch. This would allow us to change the configuration on the > second service (which are changes mostly on parsing rules) without having > to restart the forwarding service that contacts with our provider. > > That way we would be able to fool our provider because the forwarding > service would always be available, this sounded good on paper but when we > put it in production we realised that when we restart the second service > the first hangs (stops working for a while) and the failure is detected by > our provider which stops sending logs. > > Is there any way to improve this setup ? Can we make the forwarding service > to not hang ? Why rsyslog has this behaviour ? > > Thanks in advance > > -- > > João Pereira > > <https://www.marfeel.com> > > <https://www.marfeel.com/> > [image: Inline images 4] > < > https://atenea.marfeel.com/atn/marfeel-business/what-it-means-to-be-a-google-certified-publishing-partner > > > [image: Inline images 3] > < > https://atenea.marfeel.com/atn/marfeel-business/what-it-means-to-be-a-facebook-instant-articles-partner > > > > > Avda. Josep Tarradellas 20-30, 6th Floor > > 08029 Barcelona, Spain > > ES: (34) 93 178 59 50 > <%2834%29%2093%20178%2059%2050%20%C2%A0ext.%20107> > US: (1) 917-341-2540 <%281%29%20917-341-2540%20ext.%20107> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
