[rsyslog-notify] Forum Thread: Re: Issue with omfwd rebindinterval usage - (Mode 'reply')

[noreply at adiscon.com]

User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26331#p26331

Message: 
----------
remember that your receiver needs to handle the full load of messages for
those 8 seconds

I usually try to aim for ~1 sec or so (if the receiver can handle the
load). Inside one datacenter, anything over ~0.1 sec should be good. You
will start to run out of sockets at somewhere around 1600 connections/sec

If you saw thousands of connections opened when the receiving system was
not listening yet, then something else is going wrong. Rsyslog will attempt
to open the connection, but if nothing accepts the connection, it will fail
and not open more. There is a retry mechanism that is completely
independent of the rebindinterval stuff.

now, when a connection gets closed, it doesn't disappear from the netstat
output instantly, it goes into a time_wait state that prevents the port
from being re-used for a bit to avoid confusion if packets aimed at the old
socket arrive from someplace a long ways away on the Internet. IIRC, they
remain in this state for 2 min by default. the 1600 connections/sec is the
~30K port numbers available by default for outbound connections divided by
the 2 min time_wait default.

so if you are seeing rsyslog make a connection to greylog, then close it
and open a new one, but the new one doesn't work, I would start checking
for errors on the greylog side. Is it reporting any problems accepting the
socket? do you see the socket established on both sides? if you do a lsof
on the greylog side, does it show that greylog has the socket.