Is there any way to configure rsyslog to send logs to a remote instance so that it does not lose several minutes of messages? I am finding this difficult in the following scenario:

  1. Yank the Ethernet cable away from a logging device (client)
  2. Wait 5 minutes
  3. Reboot the device
  4. Put the Ethernet cable back

I've been trying to do this with a disk queue and TCP/RELP. Even though the actual network transfer is reliable, it seems that I always bump into this fundamental problem:

rsyslog (disk queue) marks a log entry as "sent" when it "sends" it over a connection, and "sends" here means that it passes it to the lower layers. So (if my analysis is correct) hundreds of logs can be stuck, e.g. in TCP buffers, and they disappear if you reboot the device.

fastfox

  • I think it was so crazy that I didn't want anyone to actually use it. :) But maybe you are right. I'll do that. – fastfox Aug 24 '22 at 18:29

1 Answer

You can work around this problem by misusing the rebinding parameter meant for load balancers.

RebindInterval=1

This will force a new TCP connection for every log message that is sent -> rsyslog will immediately notice if the server is not reachable.

Establishing and tearing down TCP connection for every log message you transfer is kinda DoS attack against your server. I can recommend this only in case you have just a few log lines per second and a few clients.

fastfox

  • `Establishing and tearing down TCP connection for every log message you transfer is kinda DoS attack against your server.` This really is not the case in 2022. Hardware is so much more powerful, the TCP overhead is negligible. Also note that using TCP alone is not a solution to this, products such as Splunk and Windows native eventing use mechanisms to keep track of the last log message sent successfully. – Greg Askew Aug 24 '22 at 19:44
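
The gap the question describes, and the acknowledgement tracking the last comment mentions, as an added example (not code from any of the posts, and not rsyslog's or RELP's wire protocol). A local socket pair stands in for the TCP connection; the `seq message` line framing and all function names are constructed for illustration.

```python
import socket

def send_all(sock, queue):
    """sendall() returns once the kernel buffer has the bytes, not on delivery."""
    for seq, msg in enumerate(queue):
        sock.sendall(f"{seq} {msg}\n".encode())

def receive_and_ack(sock, count):
    """Collector: process only `count` lines and ack each by sequence number."""
    buf = b""
    while buf.count(b"\n") < count:
        buf += sock.recv(4096)
    got = []
    for line in buf.split(b"\n")[:count]:
        seq, msg = line.decode().split(" ", 1)
        got.append(msg)
        sock.sendall(seq.encode() + b"\n")
    return got

def read_acks(sock):
    """Sender: collect the sequence numbers the collector has confirmed."""
    sock.setblocking(False)
    data = b""
    try:
        while chunk := sock.recv(4096):
            data += chunk
    except OSError:  # nothing more to read, or the peer went away
        pass
    return {int(n) for n in data.split()}

def run(queue, processed, use_acks):
    """Return (messages the collector processed, messages the sender still holds)."""
    sender, collector = socket.socketpair()  # stand-in for the TCP connection
    with sender, collector:
        send_all(sender, queue)
        delivered = receive_and_ack(collector, processed)
        if use_acks:
            acked = read_acks(sender)
            remaining = [m for i, m in enumerate(queue) if i not in acked]
        else:
            remaining = []  # dequeued as soon as sendall() returned
    return delivered, remaining  # sockets closed here: buffered data is gone

if __name__ == "__main__":
    logs = [f"event {i}" for i in range(5)]  # constructed sample messages
    print(run(logs, 2, use_acks=False))
    print(run(logs, 2, use_acks=True))
```

In the first run all five writes succeed and the sender's queue is empty although the collector processed only two messages; in the second run the three unconfirmed messages are still queued and can be resent after a restart.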