you would need to put the queue on the action to send remote rather than on the
ruleset. Putting the queue on the ruleset means that when you can't send the
logs remotely, all processing of the ruleset pauses.
David Lang
On Fri, 8 Apr 2022, Dimi
Onobodies via rsyslog wrote:
Date: Fri, 8 Apr 2022 14:00:23 +0000
From: Dimi Onobodies via rsyslog <[email protected]>
To: rsyslog-users <[email protected]>
Cc: Dimi Onobodies <[email protected]>
Subject: [rsyslog] store imtcp logs locally and forward to remote server
Hi. I am trying to implement a solution which does not work when remote server
is not reachable.
-overview-
client --> serverA --> serverB
on ServerA what we need is:
1. store local logs to default "/var/log" location
2. store logs coming from imtcp to a different partition "/remoteLogs/"
3. forward logs from imtcp further to another server (serverB)
I came up with the following configuration
----------------
module(load="imtcp")
ruleset(
name="forwarding"
queue.spoolDirectory="/var/lib/rsyslog"
queue.filename="syslog001"
queue.maxdiskspace="10g"
queue.saveonshutdown="on"
queue.type="LinkedList"
){
*local1.* action(name="imtcplogs" type="omfile" File="/remoteLogs/tcp_local1")
*local2.* action(name="imtcplogs" type="omfile" File="/remoteLogs/tcp_local2")
*.* action(name="forward_to_B" type="omfwd" target="serverB.example.com" port="514"
protocol="tcp" action.resumeRetryCount="-1")
}
*.* action(name="local_messages" type="omfile" File="/var/log/messages")
input(name="imtcp" type="imtcp" port="514" Ruleset="forwarding")
------------------
Everything works great with the above configuration, however I realized that if
the remote serverB is not available then the imtcp messages on serverA (coming
from clients) are not stored locally. They are as soon as serverB comes back
online.
Is there a way to solve this? Meaning, store imtcp logs regardless if the
forwarding endpoint is down?
Thanks.
D.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
