On Wed, 25 Apr 2018, sophie.loewenthal--- via rsyslog wrote:
From a rsyslog view what sort of acknowledgement should it receive to know the
destination servers are filling up? The destinations run Logstash.
when you are delivering messages via TCP (as you are in this case), your only
indication is that the TCP buffers fill up, and the output then gets suspended.
But if all your logs run through the same flow, the logs showing that the output
is suspended are stuck behind the messages waiting to be delivered :-/
what I do is to define impstats to use a different ruleset (with it's own queue,
so it doesn't get stuck in the main queue)
something like:
module(load="impstats" interval="60" format="json" ruleset="high-p")
ruleset(name="high-p" queue.type="array" queue.size="1000" queue.fileiname="high-p"
queue.saveonshutdown="on" ){
action(name="high-p-parse" type="mmnormalize"
rule=["version=2","rule=stats:%.:json%","rule=stats:%-:whitespace%%.:json%"])
@destination;format
/var/log/pstats
}
This will process your stats data to a file and (if not too busy) a remote
system so that you can then alert on queues filling up
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
