Interesting, I didn’t realize that, probably because I never experience it.
Something I now realize is attributed to having explicitly defined queues on
all TCP omfwd destinations.

Thanks David, learn something new every day!



> On Feb 22, 2021, at 13:40, David Lang <[email protected]> wrote:
> 
> if they are reversed and the remote send blocks, you will see 1 log in the 
> file, then everything will block.
> 
> David Lang
> 
> On Mon, 22 Feb 2021, John Chivian wrote:
> 
>> If the first action in the ruleset blocks, then the second action is never 
>> reached (the scenario David is describing).  Reverse the order of the 
>> actions so that the file write is first, then see what you get.
>> 
>> But yes, enable impstats… it’s WELL worth the effort!
>> 
>> Regards,
>> 
>>> On Feb 22, 2021, at 13:25, David Lang via rsyslog 
>>> <[email protected]> wrote:
>>> 
>>> the 'typical' cause of this is iptables rules blocking access
>>> 
>>> if you can't send logs to the target on port 1516, the queue will build
>>> 
>>> enable impstats and see what the queue looks like (it helps to add 
>>> name='foo' to the actions so the impstats output has the names rather than 
>>> just action #)
>>> 
>>> David Lang
>>> 
>>> 
>>> On Mon, 22 Feb 2021, ryan woods via rsyslog wrote:
>>> 
>>>> Date: Mon, 22 Feb 2021 19:14:31 +0000
>>>> From: ryan woods via rsyslog <[email protected]>
>>>> To: [email protected]
>>>> Cc: ryan woods <[email protected]>
>>>> Subject: [rsyslog] Weird issue not able to log to file or remote
>>>> Hey all,
>>>> 
>>>> So I have AudioCodes Mediant VE SBC devices shipping logs to a Linux syslog
>>>> forwarder running rsyslog. Here is the config I'm using:
>>>> 
>>>> $ModLoad imudp
>>>> ruleset(name="rulesettt"){
>>>>  action(type="omfwd" Target="REDACTED" Port="1516" Protocol="tcp"
>>>> Template="RSYSLOG_SyslogProtocol23Format")
>>>>  action(type="omfile" File="/tmp/output.log")
>>>> }
>>>> input(type="imudp" port="5155" ruleset=" rulesettt ")
>>>> 
>>>> 
>>>> The remote host never receives anything from this and the /tmp/output.log
>>>> is never created. I've taken a packet capture from the syslog forwarder and
>>>> I can see all the traffic from the devices getting to the forwarder and see
>>>> all the syslog messages. I am completely lost as to what this could be.....
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad 
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you 
>>>> DON'T LIKE THAT.
>>>> 

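Added example, not part of the thread and not any poster's configuration: one way to combine the three suggestions above (file action first, named actions with impstats, an explicit queue on the TCP omfwd action). The ruleset and action names, file paths, interval and queue sizes are assumptions chosen for illustration; the target stays redacted as in the original post.

```conf
# Constructed example; names, paths and sizes are assumptions, not values from the thread.
global(workDirectory="/var/spool/rsyslog")   # where disk-assisted queue files are written

module(load="imudp")
# Periodic counters for queues and actions, written directly to their own file
# rather than through the rulesets, so they are recorded even if forwarding is stuck.
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")

ruleset(name="sbc_in") {
    # Local copy first: written before the network action is attempted.
    action(type="omfile" name="sbc_local_file" file="/var/log/sbc-output.log")

    # Forwarder with its own queue: an unreachable or blocking target fills
    # this queue instead of holding up the rest of the ruleset.
    action(type="omfwd" name="sbc_fwd_tcp"
           target="REDACTED" port="1516" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList"        # asynchronous in-memory queue for this action
           queue.size="50000"             # maximum messages held in memory
           queue.filename="sbc_fwd_tcp"   # enables disk assistance under workDirectory
           queue.maxDiskSpace="1g"        # cap on spooled data
           queue.saveOnShutdown="on"      # keep queued messages across restarts
           action.resumeRetryCount="-1")  # keep retrying instead of giving up
}

input(type="imudp" port="5155" ruleset="sbc_in")
```

With the actions named, the impstats output identifies them as sbc_local_file and sbc_fwd_tcp rather than by action number, so a growing forwarder queue or a suspended action is easy to spot.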