one problem with the TCP forwarding protocol is that once rsyslog sends the
message to the sending machine's OS, it has no way of knowing if it gets
delivered or not. This is why the RELP protocol was invented (to do acks at the
application layer)
so the attempt to write will block (and timeout if you set a timeout) if the
network stack is unable to open a connection, of if the buffers are full. That's
the point where rsyslog can detect the failure and take action.
David Lang
On Mon, 7 Feb 2022, Marki via rsyslog wrote:
Date: Mon, 7 Feb 2022 20:39:16 +0100
From: Marki via rsyslog <[email protected]>
To: rsyslog-users <[email protected]>
Cc: Marki <[email protected]>
Subject: Re: [rsyslog] TCP zero window on forward
Maybe I should add that we are not running Windows so "reinstalling"
stuff if it "doesn't work" is not really how we usually deal with this.
Instead, we'd like to actually understand the problem.
Thanks.
On 2/7/2022 8:36 PM, DESSEAUX Samuel (Gaz Réseau Distribution France) wrote:
Hello
Thank you
Seems to be crazy and we are blocked.
Maybe reinstall rsyslog?
Télécharger Outlook pour Android <https://aka.ms/AAb9ysg>
------------------------------------------------------------------------
*From:* rsyslog <[email protected]> on behalf of Marki
via rsyslog <[email protected]>
*Sent:* Monday, February 7, 2022 8:21:16 PM
*To:* Marki via rsyslog <[email protected]>
*Cc:* Marki <[email protected]>
*Subject:* [rsyslog] TCP zero window on forward
Hello,
Say you have a config like the following:
*.* @@192.168.1.2:1514
$ActionExecOnlyWhenPreviousIsSuspended on
& /var/log/localbuffer
$ActionExecOnlyWhenPreviousIsSuspended off
...
How do you deal with 192.168.1.2 accepting a connection but stalling it?
I.e. in our case 192.168.1.2 is a Logstash instance, with Elasticsearch
as backend. If Elasticsearch is not available, Logstash stalls the
incoming connections (here rsyslog) using TCP zero window.
This does not seem to trigger the failover action and thus not fail over
to /var/log/localbuffer as configured.
I'm not exactly sure what happened but this seems to have been the
reason why the machine running rsyslog came to a grinding halt and
several of its processes stopped responding.
Thoughts?
Thanks,
Marki
(rsyslog-8.24)
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
/« Ce message est confidentiel et destiné à l'usage du (des) seul(s)
destinataire(s) concerné(s). Il peut également contenir des
informations à usage restreint, soumises à droits d'auteur ou à
d'autres dispositions légales. Si vous l'avez reçu par erreur, nous
vous prions de bien vouloir nous en informer par retour et de
l'effacer de votre système. La copie du message et la communication de
son contenu à quelque personne que ce soit sont interdites. La
transmission erronée de ce message n'entraîne ni la renonciation ni la
levée de la confidentialité et du secret professionnel.
Tous les messages envoyés et reçus par GRDF peuvent faire l'objet de
contrôles visant à garantir le respect des directives internes,
protéger les intérêts de l'entreprise et éliminer les éventuels
logiciels dangereux. Les messages électroniques ne sont pas sécurisés
et sont susceptibles de comporter des erreurs puisqu'ils peuvent être
interceptés, modifiés, perdus, supprimés ou contenir des virus. Toute
personne communiquant avec notre entreprise par message électronique
accepte ces risques. Les délégations de pouvoirs et
d'autorité////peuvent être vérifiées et sont disponibles sur demande »/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
