[rsyslog-notify] Forum Thread: Re: RSyslog not sending messages - (Mode 'reply')

Sun Jan 25 02:29:29 CET 2015

User: lethalduck 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25196#p25196

Message: 
----------
[quote:3vvwzgq9]when the resent packet hits the new router, it doesn't have
the state needed to know about it and so it ignores the packet (causing a
timeout)[/quote:3vvwzgq9]

Ah, of course, unless the fresh router shares the state also, which from
memory is quite common?

[quote:3vvwzgq9]I think it needs to be up at the top not at the
end.[/quote:3vvwzgq9]

Ah, cool. Moved it now.

Cheers for the history behind the xconsole config!

[quote:3vvwzgq9]look at what they are outputting and decide if that's how
you want the data to appear.[/quote:3vvwzgq9]

Yeah, I was going to get to that once I knew I had the loging as reliable
as I could.

[quote:3vvwzgq9]I usually do this filtering by programname, not
facility/severity[/quote:3vvwzgq9]

OK. I'll keep this in mind when I start modifying that config.

[quote:3vvwzgq9]but please follow the links in the post he gave, including
those going back to the RFCs and those showing that other people have also
'discovered' this problem.[/quote:3vvwzgq9]

At this stage until it's determined that papertrail is at fault I can't do
much about using RELP. If they are not at fault, then it's something on my
end, which I still need to find out.

[quote:3vvwzgq9]I think that this is the core misunderstanding that you
have.[/quote:3vvwzgq9]

You're explanation makes sense to me. I'm not aware of any misunderstanding
there.

[quote:3vvwzgq9]Also, don't confuse a pure Disk Queue with a Disk Assisted
Queue[/quote:3vvwzgq9]

There's no confusion that I"m aware of.

Thanks for the docs.

[quote:3vvwzgq9]I don't see any errors in the snippet you attached. Are you
sure that this includes time after the logs talking about action 18 being
resumed? I would expect to see the action18 line with non-zero values in
the time after that log entry was made.[/quote:3vvwzgq9]

Yes, the time is shown as per MissingEvents5_Action18Resumed.png and the
impstats log shows no errors and no non-zero values other than the obvious
processed cumulative values.

[quote:3vvwzgq9]In the timeframe provided, the queue size hit a max of 2,
both on the main queue and on the separate queue for action 18, but it had
no errors and was never syspended or resumed (and a total of 141 messages
processed)[/quote:3vvwzgq9]

Yeah, so not helpful in any way?

Thanks for the syntax info.

I've attached the relevant impstatsOutput1.txt with some comments.
I've attached the relevant rsyslog-debug1.log. What stands out to me in
this is the [code:3vvwzgq9]TCPSendBuf error -2078, destruct TCP
Connection![/code:3vvwzgq9] just after Jan 25 07:46:24 or maybe the
[code:3vvwzgq9]unexpected GnuTLS error [/code:3vvwzgq9] just above it.
I couldn't see anything in /etc/init.d/rsyslog or /etc/default/rsyslog in
the way of options that the rsyslogd runs with. It just has an empty string
[code:3vvwzgq9]RSYSLOGD_OPTIONS=""[/code:3vvwzgq9] I'm assuming this means
that rsyslogd is running with no options by default?
[code:3vvwzgq9]/etc/init.d/rsyslog status[/code:3vvwzgq9] shows that
the only option provided is [code:3vvwzgq9]-n[/code:3vvwzgq9] So I ran in
debug with no other arguments passed in.

Now as far as I can see from wireshark, the event I'm expecting to see in
the papertrail web UI for 07:36:24 is sent and acknowledged by papertrail.
The packets look exactly the same appart from the obvious sequence numbers.
For the event I'm expecting to see in papertrail at 07:46:24 a new
connection is being established (TCP handshake) preceding by a DNS query.
My server then sends 7 TCP Dup ACKs to papertrail.