[rsyslog-notify] Forum Thread: Issue with omfwd rebindinterval usage - (Mode 'post')

[noreply at adiscon.com]

User: JoiOwen 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26328#p26328

Message: 
----------
We currently have a setup with thousands of network devices sending content
on various ports into an rsyslog server.  It then fowards most of that
content on to a single graylog server.  We're overloading that one graylog
server and wish to convert it into a 2-node cluster, with an haproxy
between rsyslog and graylog. 

With this in mind, I attempted a simple test on my current rsyslog
configuration...  

 [code:m3rt8x8p]
if prifilt("*.notice") then {
    action(type="omfwd" name="fwd.graylog2"
Target="172.16.57.4" Port="10515" Protocol="tcp"
#      RebindInterval="30000"
      queue.type="LinkedList"
      queue.filename="queue.graylog2"
      queue.saveonshutdown="on"
      queue.size="20000"
      queue.highwatermark="19000"
      queue.lowwatermark="2000"
      queue.discardmark="19750"
      queue.discardseverity="7"
    )
  }
[/code:m3rt8x8p]

With the RebindInterval commented, rsyslog creates a single tcp connection
and leaves it open forever, as far as I can tell.  

If I uncomment the RebindInterval and restart syslog, rsyslog opens a
connection to graylog, (state ESTABLISHED), then that connection moves to
TIME_WAIT and a new ESTABLISHED appears... and after 5 or so, it stops, the
existing TIME_WAIT sockets all close, and no more traffic flows.  I don't
know what could be causing this.  I can't find any other omfwd action
settings that could be affecting this.

The graylog server has an input defined specifically for this traffic and
nothing else is sending to it (or able to, as it's on a private VLAN.)  I
can see the traffic stop on the graylog server as well.  If I restart
rsyslog, traffic resumes for a minute or two and then stops again.

Any thoughts?  Or any other suggestions for making rsyslog friendly with a
graylog cluster?  Do we even need an haproxy?  (Manager said install one.)