You can also use previous_action_suspended() to detect the situation when the output blocks and take appropriate fallback actions.

https://www.rsyslog.com/doc/v8-stable/rainerscript/functions/rs-previous_action_suspended.html

On 22.02.2021 20:50, John Chivian via rsyslog wrote:
Interesting, I didn’t realize that, probably because I never experience it.
Something I now realize is attributed to having explicitly defined queues on 
all TCP omfwd destinations.

Thanks David, learn something new every day!



On Feb 22, 2021, at 13:40, David Lang <da...@lang.hm> wrote:

if they are reversed and the remote send blocks, you will see 1 log in the 
file, then everything will block.

David Lang

On Mon, 22 Feb 2021, John Chivian wrote:

If the first action in the ruleset blocks, then the second action is never 
reached (the scenario David is describing).  Reverse the order of the actions 
so that the file write is first, then see what you get.

But yes, enable impstats… it’s WELL worth the effort!

Regards,

On Feb 22, 2021, at 13:25, David Lang via rsyslog <rsyslog@lists.adiscon.com> 
wrote:

the 'typical' cause of this is iptables rules blocking access

if you can't send logs to the target on port 1516, the queue will build

enable impstats and see what the queue looks like (it helps to add name='foo' 
to the actions so the impstats output has the names rather than just action #)

David Lang


On Mon, 22 Feb 2021, ryan woods via rsyslog wrote:

Date: Mon, 22 Feb 2021 19:14:31 +0000
From: ryan woods via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: ryan woods <rw170...@gmail.com>
Subject: [rsyslog] Weird issue not able to log to file or remote

Hey all,

So I have AudioCodes Mediant VE SBC devices shipping logs to a Linux syslog
forwarder running rsyslog. Here is the config I'm using:

$ModLoad imudp
ruleset(name="rulesettt"){
  action(type="omfwd" Target="REDACTED" Port="1516" Protocol="tcp"
Template="RSYSLOG_SyslogProtocol23Format")
  action(type="omfile" File="/tmp/output.log")
}
input(type="imudp" port="5155" ruleset=" rulesettt ")


The remote host never receives anything from this and the /tmp/output.log
is never created. I've taken a packet capture from the syslog forwarder and
I can see all the traffic from the devices getting to the forwarder and see
all the syslog messages. I am completely lost as to what this could be.....
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
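
The suggestions in this thread, combined into one configuration as an added example (not code from any poster or from the rsyslog project): file action first, named actions, impstats enabled, an explicit queue on the TCP omfwd action, and a second ruleset showing the previous_action_suspended() fallback. The work directory, stats file path, queue sizes, fallback file and all action and ruleset names other than "rulesettt" are assumptions; the target stays redacted as in the original post.

```conf
# Added example; values marked "assumed" are constructed, not from the thread.
global(workDirectory="/var/spool/rsyslog")   # assumed; holds disk-assisted queue files

module(load="imudp")
# Periodic counters for every queue and action, written to a local file so
# the statistics do not depend on the forwarding path being healthy.
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")   # assumed path

ruleset(name="rulesettt") {
  # Local copy first, so it is written before the forwarder is attempted.
  action(name="local_copy" type="omfile" file="/tmp/output.log")

  # Forwarder with its own queue: an unreachable target fills this queue
  # instead of stalling the rest of the ruleset.
  action(name="fwd_remote" type="omfwd"
         target="REDACTED" port="1516" protocol="tcp"
         template="RSYSLOG_SyslogProtocol23Format"
         queue.type="LinkedList"        # run asynchronously
         queue.filename="fwd_remote"    # spill to disk when memory fills
         queue.size="50000"             # assumed sizing
         queue.maxDiskSpace="1g"        # assumed sizing
         queue.saveOnShutdown="on"
         action.resumeRetryCount="-1")  # retry indefinitely
}

# Alternative without a queue: write a fallback file only while the
# forwarder is suspended, using previous_action_suspended().
# Hypothetical ruleset name; not bound to an input in this example.
ruleset(name="fwd_with_fallback") {
  action(name="fwd_direct" type="omfwd"
         target="REDACTED" port="1516" protocol="tcp"
         template="RSYSLOG_SyslogProtocol23Format")
  if previous_action_suspended() then {
    action(name="fallback_file" type="omfile" file="/tmp/fallback.log")  # assumed path
  }
}

input(type="imudp" port="5155" ruleset="rulesettt")
```

With the actions named, the impstats file reports counters under "local_copy" and "fwd_remote" rather than by action number, so a growing forwarder queue or a suspended action is visible at a glance.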
