if you are delivering logs over a local switch, simple UDP is very reliable.
Yes you will loose messages if your destination is down, but if you use relp, if
your destination goes down you stop being able to process messages entirely and
things stop on your sending machine (unless you setup separate queues for your
relp action, and setup watermark parameters to throw away logs when the queues
fill up)
the real question you need to answer is what you want to happen if the log
cannot be delivered.
1. do you want to loose log messages and keep operating
or
2. do you want to have your systems halt (note that you cannot even ssh into a
box without generating a login message)
relp is great for when you are sending logs over a long distance link, because
those are far less reliable, but if the messages are just being sent over a
local switch, you should think hard before making the logs too reliable :-)
David Lang
On Fri, 11 Oct 2013, Jeremy Hoel wrote:
I would recommend that if you are copying to another server for second
record keeping, use relp or at least tcp to ensure that those omfwd
logs make it to the backup server.
This is the same practice we use (plus sending a smaller subset to
splunk for analysis) but going to relp for the backup gave us a bit
more comfort.
On Fri, Oct 11, 2013 at 9:38 AM, robert s <[email protected]> wrote:
Great, thanks
Robert
On Fri, Oct 11, 2013 at 11:32 AM, Rainer Gerhards
<[email protected]> wrote:
The snippet looks good.
On Fri, Oct 11, 2013 at 5:28 PM, robert s <[email protected]> wrote:
Hello Everyone,
I would like to be able to send a message to a secondary location for
file preservation. So I figured I send the message to a mounted share
(NFS) and then "forward it to the second destination.
If I wanted to forward the message would the config below be correct?
:hostname, contains, "foo" {
action (type="omfile"
DirCreateMode="0700"
FileCreateMode="0644"
File="/var/log/foo"
FlushOnTXEnd="on"
IOBufferSize="8k"
)
action (type="omfwd"
Target="192.168.166.50"
Port="514"
Protocol="udp")
stop
}
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
