Good news. Thanks Rainer. We cannot use blastwave for the time being. I shall see if we can change this.
Forwarding logs to logstation via json template works now after we changed the receiver from TCP to UDP.

From: Rainer Gerhards [mailto:[email protected]]
Sent: Thursday, April 26, 2018 8:20 PM
To: rsyslog-users
Cc: LOEWENTHAL Sophie
Subject: Re: [rsyslog] server received messages but rsyslog did not write them into a file

As a side note I have asked the team at opencsw.org <http://opencsw.org> to build impstats if they have not done so before. They also have released 8.34 today after some excellent collaboration between them and us.

Rainer
Sent from phone, thus brief.

David Lang <[email protected]> wrote on Thu, 26 Apr 2018, 20:00:

On Thu, 26 Apr 2018, [email protected] wrote:

> We don't have impstats on Solaris. It's a Linux thing.

No, pstats is not an OS thing, it's a rsyslog module that reports on the internal state of rsyslog. Whoever is compiling the binary you are using may not be enabling it, but that just means that you need to get them to change or compile it yourself

David Lang

>> -----Original Message-----
>> From: David Lang [mailto:[email protected]]
>> Sent: Wednesday, April 25, 2018 7:38 PM
>> To: sophie.loewenthal--- via rsyslog
>> Cc: LOEWENTHAL Sophie
>> Subject: Re: [rsyslog] server received messages but rsyslog did not write them into a file
>>
>> On Wed, 25 Apr 2018, sophie.loewenthal--- via rsyslog wrote:
>>
>>> From a rsyslog view what sort of acknowledgement should it receive to know
>>> the destination servers are filling up? The destinations run Logstash.
>>
>> when you are delivering messages via TCP (as you are in this case), your only
>> indication is that the TCP buffers fill up, and the output then gets
>> suspended.
>> But if all your logs run through the same flow, the logs showing that the
>> output is suspended are stuck behind the messages waiting to be delivered :-/
>>
>> what I do is to define impstats to use a different ruleset (with its own
>> queue, so it doesn't get stuck in the main queue)
>>
>> something like:
>>
>> module(load="impstats" interval="60" format="json" ruleset="high-p")
>> ruleset(name="high-p" queue.type="array" queue.size="1000"
>>     queue.filename="high-p" queue.saveonshutdown="on" ){
>>   action(name="high-p-parse" type="mmnormalize"
>>     rule=["version=2","rule=stats:%.:json%","rule=stats:%-:whitespace%%.:json%"])
>>   @destination;format
>>   /var/log/pstats
>> }
>>
>> This will process your stats data to a file and (if not too busy) a remote
>> system so that you can then alert on queues filling up
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
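
Added example (not part of the original thread, and not rsyslog project code): one way to alert on the /var/log/pstats file written by the ruleset quoted above. It assumes each line is a syslog header followed by the impstats JSON object; the sample lines, the action name "to-logstash" and the capacity map are constructed for illustration, and the configured queue.size has to be supplied by the operator because impstats does not report it.

```python
import json

# Constructed sample of /var/log/pstats lines (impstats format="json"); not real output.
SAMPLE = """\
2018-04-26T20:00:00+02:00 loghost rsyslogd-pstats: {"name":"main Q","origin":"core.queue","size":120,"enqueued":5000,"full":0,"discarded.full":0,"discarded.nf":0,"maxqsize":300}
2018-04-26T20:00:00+02:00 loghost rsyslogd-pstats: {"name":"to-logstash","origin":"core.action","processed":4800,"failed":0,"suspended":0,"suspended.duration":0,"resumed":0}
2018-04-26T20:01:00+02:00 loghost rsyslogd-pstats: {"name":"main Q","origin":"core.queue","size":9400,"enqueued":15000,"full":3,"discarded.full":0,"discarded.nf":0,"maxqsize":9400}
2018-04-26T20:01:00+02:00 loghost rsyslogd-pstats: {"name":"to-logstash","origin":"core.action","processed":4810,"failed":0,"suspended":2,"suspended.duration":30,"resumed":0}
"""


def check_pstats(lines, capacity, fill_ratio=0.8):
    """Return alert strings for queues filling up and actions being suspended.

    capacity maps a queue name to its configured queue.size (hypothetical,
    operator-supplied). Counters such as "full" and "suspended" are cumulative
    by default, so each report is compared with the previous one for that name.
    """
    alerts, last = [], {}
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # not a stats line
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue  # truncated or non-JSON payload
        name, origin = rec.get("name"), rec.get("origin")
        prev = last.get(name, {})
        if origin == "core.queue":
            cap = capacity.get(name)
            if cap and rec.get("size", 0) >= fill_ratio * cap:
                alerts.append(f"{name}: queue at {rec['size']}/{cap}")
            if rec.get("full", 0) > prev.get("full", 0):
                alerts.append(f"{name}: queue hit its limit since last report")
        elif origin == "core.action":
            if rec.get("suspended", 0) > prev.get("suspended", 0):
                alerts.append(f"{name}: action suspended since last report")
        last[name] = rec
    return alerts


if __name__ == "__main__":
    for alert in check_pstats(SAMPLE.splitlines(), {"main Q": 10000}):
        print(alert)
```

Because the stats ruleset has its own queue, this file keeps being written while the main queue is backed up, which is when these alerts matter.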

