On Thu, Mar 3, 2016, 19:40 David Lang <da...@lang.hm> wrote: > On Fri, 4 Mar 2016, Avleen Vig wrote: > > > Subject: Re: [rsyslog] Forwarding to multiple syslog servers and HA > > > > On Thu, Mar 3, 2016 at 6:30 PM David Lang <da...@lang.hm> wrote: > > > >> On Thu, 3 Mar 2016, Avleen Vig wrote: > >> > >>> Hi folks! > >>> > >>> I'm looking at setting up some systems, where rsyslog is reading logs > >> from > >>> disk and forwarding them to two centralise servers at the same time. > >>> > >>> I have a question around a specific failure scenario: > >>> If one of the two central servers goes down, how does rsyslog behave? > >>> Does it keep sending to the other server? > >>> Is the tracking and queuing for each destination independent, or are > >> logs > >>> sent serially to each destination and one server being down would block > >>> delivery to other remote destinations? > >> > >> this all depends on how you have things configured. > >> > >> the default is not to have separate queues for different outputs, but > >> that's > >> something you can configure. > >> > >> If you use UDP, you don't know if the log is getting to the destination > or > >> not. > >> > >> If you use TCP, and the network queues fill up, processing will stop > until > >> it > >> clears (if you have a separate queue for that output, only processing on > >> that > >> queue will stop, if you share a queue with some other output, processing > >> for > >> that other output will stop as well. > >> > >> > >> each queue has a worker thread that loops through all outputs for that > >> queue, > >> trying to deliver to them in turn. If one blocks that worker has the > choice > >> (configurable) to either block, or throw away the log for that output > and > >> continue to the next one. > >> > >> by default rsyslog has one main queue. you can configure additional > queues > >> for > >> either actions or rulesets. > >> > >> It's strongly recommended that you use a current version and the new > >> syntax when > >> configuring queues. It makes it MUCH clearer what is happening. > >> > > > > Thanks David! > > That's actually exactly what I needed to know. > > > > When you say "current version", do you mean 8.x? > > RHEL ships with 7.4.7, if that's current enough. If not, I'll grab 8.16. > > 7.4.7 is new enough to have the new syntax, but there are a LOT of fixes > and new > features by 8.16 (8.17 is due to be released tuesday). > > For end nodes that just need to send logs in to your central server, 7.4.7 > is > probably good enough (although if you trip over any bugs on it, just go to > a > current version). > > But on your log relays and central servers, or anywhere that you start > doing > more complex stuff, just go to the current version. When you ask questions > here, > we are always going to be thinking in terms of the most current version. > Bugs > get fixed in the most current version and only some get backported by the > distro > to the older versions. >
Perfect. Many thanks again! David Lang > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.