[rsyslog-notify] Forum Thread: Re: RSyslog not sending messages - (Mode 'reply')
noreply at adiscon.com
noreply at adiscon.com
Wed Jan 21 22:05:54 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25184#p25184
Message:
----------
Ok, I don't know what your config is, but there are a number of ways that
messages can be lost in normal operation.
if you are using TCP to send the messages (@@IP for example), then you
could be loosing messages when a firewall between the sender and receiver
cuts the connection an forces rsyslog to re-establish it (Rsyslog will have
some messages that it thinks it sent, but that are lost on the network).
the resumed messages you point out would be consistant with this.
If you are using UDP to send messags (@IP), then messages will be lost if
the network, router/firewall, or receiver run out of capacity.
If the queues are getting overloaded and you have rsyslog configured with
watermark settings, that tells rsyslog to throw away messages when too many
are waiting to be sent.
you would need to be using RELP to avoid loosing messages due to network
hiccups, because the RELP protocol adds application level acknowlegements
so that the sender knows for sure that the receiver has the message.
If you aren't running impstats in your config, you should look into adding
it. The stats it produces show when you run into errors with an output, and
also the state of the queues.
It is not normal for rsyslog to loose messages if everything is working,
but when things go wrong, there are many different ways that messages can
be lost. The items listed above are the more common ones (if Rsyslog gets
killed, the box dies, etc there are additional ones for example)
More information about the rsyslog-notify
mailing list