[rsyslog] directing logs to a broadcast address fails

Tom Metro tmetro+rsyslog at gmail.com
Tue May 5 08:36:12 CEST 2009 

david at lang.hm wrote:
> Tom Metro wrote:
>> I need to get the syslog broadcast problem resolved...
> 
> what I'm doing for the syslog broadcast is defining a multicast MAC 
> address for a specific IP, and then setting that IP address up on all the 
> systems that need to see the message.  (see
> http://www.linux-ha.org/ClusterIP for info on this and examples of how to 
> set it up for testing) this lets me spread the load between multiple 
> machines in one set while still having multiple sets of boxes recieve the 
> same message.

So to distribute the load you send some messages to multicast group A, 
and others to group B?

Multicast in general makes sense if you are going to be sending a volume 
of messages to N > 1 log servers. (I noticed there was a multicast patch 
for sysklogd sitting in the Debian bug queue.)

In my case I'm looking to distribute critical warning messages only, 
which will be rare, and it wouldn't benefit the network to use 
multicast, so I'd rather avoid the configuration overhead.

See earlier messages in this thread for the details of the problem. The 
summary is that syslog messages directed at a broadcast address 
(x.x.x.255) fail to go anywhere on a Debian Etch box running sysklogd, 
or an Ubuntu 8.04 box running sysklogd or rsyslog, but rsyslog on Ubuntu 
8.10 seems to work. I've backported that version of rsyslog to the 8.04 
box, but it didn't resolve the problem.

Inspecting the source code for the working version of rsyslog shows a 
lack of code to enable the broadcast flag, so I'm not sure why it works 
on 8.10. Patching the code to enable the broadcast flag didn't seem to 
help on 8.04.

I know broadcast UDP packets work on the 8.04 box, as it uses DHCP 
successfully.

I've started looking at the source to a DHCP client to see how it 
configures its socket to permit broadcasting. One thing I haven't tried 
recently is using the interface defined broadcast address 
(255.255.255.255), which is what the DHCP client uses. I tried that 
early on, but once I confirmed that the subnet broadcast address worked 
correctly on other machines, I ceased trying the global address.

My guess is that there is some socket flag that still needs to be 
enabled to get it to work on 8.04.

  -Tom

More information about the rsyslog mailing list