> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Xavier Fustero > Sent: Friday, July 20, 2012 12:43 PM > To: rsyslog-users > Subject: Re: [rsyslog] Messages lost and AWS Security Group > > Hi, > > I reply inline. > > On 20 July 2012 10:54, Rainer Gerhards <[email protected]> wrote: > > > > > > > > -----Original Message----- > > > From: [email protected] [mailto:rsyslog- > > > [email protected]] On Behalf Of Xavier Fustero > > > Sent: Friday, July 20, 2012 10:51 AM > > > To: rsyslog-users > > > Subject: [rsyslog] Messages lost and AWS Security Group > > > > > > Hey, > > > > > > I have two questions. > > > > > > I have setup a rsyslog using relp. If the client is in the same network > > > than the server, we send the logs using relp with plain text. If it is > > in a > > > different network then the traffic is encrypted using stunnel. Our > > rsyslog > > > server is in the cloud (amazon). I have defined a security group with > > > protocol TCP and its port. It is working. However, I have two questions: > > > > > > *Q1*. If the firewall blocks the tcp connection then the messages are > > lost. > > > I though they will be queued until it is unblocked but no. Is this the > > > normal behaviour? Here I paste a piece of my client config file: > > > > > > $WorkDirectory /mnt/rsyslog # default location for work (spool) files > > > > > > $ActionQueueType LinkedList # use asynchronous processing > > > $ActionQueueFileName srvrfwd # set file name, also enables disk mode > > > $ActionResumeRetryCount -1 # infinite retries on insert failure > > > $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts > down > > > > > > $template lala,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% > > > %syslogtag% > > > %msg%\n" > > > *.* :omrelp:myrsyslog-server.tarari.com:20500;lala > > > > Is this the exact snippet without any other statements in between? Than it > > should work as you expect. > > > > Unfortunately it doesn't seem to work. I know I am using an old version of > rsyslog (4.2) but even that, it should work. > > My rsyslog server uses an elastic IP. I have created a cname to test to it. > The rsyslog client points to this cname and sends everything using relp > module on port 20500. > > If I allow connections on my AWS firewall everything works: > protocol:*TCP* IPs:*10.0.0.0/8* port:*20500* > > However, if I remove the above line then all messages sent are lost. I can > only see them in local files but they are not resend later. > > I have tested it using logger: > > logger -p mail.info -t sendmail "Mary in Maryland with d..." > logger -p mail.info -t sendmail "Pettery in Finland with d..." > > I have attached a debug log to see is someone undertand why.
You have two relp actions, the first one with 127.0.0.1 as target and the second one with target rsyslog1.test.rightscale.com. The first one has the proper action parameters, but the second not. You need to repeat action parameters if you want them to be applied to the second action as well: $ActionQueueType LinkedList # use asynchronous processing $ActionQueueFileName srvrfwd # set file name, also enables disk mode $ActionResumeRetryCount -1 # infinite retries on insert failure $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts This is far more intuitive in v6 config language. Note that 4.2.x is very old and there are lots of bugs which have been fixed already. However, this looks just like a config problem. Rainer > Thanks a log, > Xavi > > > > > > > > > > > > > > and the Amazon rule: Allow: - protocol:*TCP* port:*20500* > > group:*syslog* > > > > > > > > > *Q2*. This is an academic question :-). The rule in the firewall uses > > > TCP:port. However, we are using RELP. Is relp basically an improved TCP? > > > > RELP (like http or SMTP) works on top of TCP, so it simply is higher up in > > the stack, so it *is* TCP. > > > > Rainer > > > > > > Thanks a log, > > > Xavi > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
