On Wed, 5 Nov 2014, Damian wrote:
Hi,
I'm currently working on trying to use rsyslog as a basic load balancer, by
selecting the output on a time basis. I'm using the discussion posted here as
my starting point:
http://lists.adiscon.net/pipermail/rsyslog/2013-October/034442.html
In this discussion, the authors looked at using:
if ($uptime % 3 == 0) then action1
if ($uptime % 3 == 1) then action2
if ($uptime % 3 == 2) then action2
To use the system uptime to decide which way to send the events (so it would
average over the three destinations). However, this didn't work in 7.4, as
uptime is not available outside templates. I also found 8.4.2 to not like this
parameter.
try accessing $$uptime (yes it's ugly, but it's a combination of $ to refer to
the property name and the property name being named $uptime for legacy reasons).
In some versions I think this is magically combined so you can just use $uptime,
but I dont't remember what versions (if any) this worked in
For the original discussion, what eventually seemed to work was:
field($timegenerated,':',3);
However - it's not clear how this was used, and I can't see how it would refer
to three different destinations. It seems more of a string operation than a
modulus. When I try using this, rsyslog debug mode generates no errors, so it
seems to work. If I try something like:
if ($timegenerated % 3 == 0) then call output_0
if ($timegenerated % 3 == 1) then call output_1
if ($timegenerated % 3 == 2) then call output_2
Then it gives errors for these lines; it doesn't seem to work as an operation.
$timegenerated is a string, so it's not surprising that this fails.
Can anyone clarify what the field($...) operation does, and how I can use it.
Alternatively, any suggestions as to how I can basically call a different
ruleset if the system/event seconds value is modulus 0, 1, or 2.
I would actually approach this on the receiving end instead.
on the sender, set the rebindinterval to something like 1000 and then on the
receiving end setup your multiple receivers to share an IP address and split
traffic between them using the iptables CLUSTERIP feature. I talk about this in
the presentation I gave at LISA 2012, video and paper are available at:
https://www.usenix.org/conference/lisa12/technical-sessions/presentation/lang_david
This will spread the traffic across the machines roughly every 1000 messages,
and while it uses a different mechanism, I think it ends up being cleaner. It's
definantly easier to add new machines to the cluster as needed, and you can have
something like corosync (http://http://clusterlabs.org/) to detect failures to
the recieving servers and adjust the traffic load appropriately.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
