
rsyslog, imrelp and log loss

Posted: Thu 12 Sep 2019 15:41
by gizmo78
Hi all!

OK, I've been stuck on something that's been doing my head in for almost a week now...

I have VMs running rsyslog that forward to an rsyslog + ELK box, standard stuff so far.

Both sides use rsyslog's RELP module, which is supposed to prevent log loss, except that if I restart the ELK VM, I lose the logs for the duration of the reboot; they aren't resent and I don't get why...

My client config:
template (name="LongTagForwardFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%")

ruleset(name="sendToLogserver") {
  action(type="omrelp"
    target="nelk"
    port="20514"
    Template="LongTagForwardFormat"
    action.resumeRetryCount="-1"
    queue.type="LinkedList"
    queue.size="100000"
    queue.spoolDirectory="/var/spool/rsyslog"
    queue.filename="queue_file"
    queue.saveonshutdown="on"
    queue.discardmark="90000"
    queue.highwatermark="60000"
    queue.syncqueuefiles="on"
    #tls="off"
    )
}
My server rsyslog config:
#  /etc/rsyslog.conf	Configuration file for rsyslog.
#
#			For more information see
#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

#module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

module(load="imrelp")
input(type="imrelp" port="20514")

###########################
#### GLOBAL DIRECTIVES ####
###########################

global(
  defaultNetstreamDriver="ptcp"
)


#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
#$WorkDirectory /var/spool/rsyslog
$WorkDirectory /conteneur/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
My goal is to be able to restart the ELK VM and have the logs retransmitted when it comes back up (which is not the case currently).

Have you run into this before?

I tried switching from RELP to basic TCP but it's no better

Thanks

Re: rsyslog, imrelp and log loss

Posted: Fri 13 Sep 2019 14:19
by gizmo78
The answer is simply at the beginning of the doc: it's not implemented yet...

Provides the ability to receive syslog messages via the reliable RELP protocol. This module requires librelp to be present on the system. From the user’s point of view, imrelp works much like imtcp or imgssapi, except that no message loss can occur. Please note that with the currently supported relp protocol version, a minor message duplication may occur if a network connection between the relp client and relp server breaks after the client could successfully send some messages but the server could not acknowledge them. The window of opportunity is very slim, but in theory this is possible. Future versions of RELP will prevent this. Please also note that rsyslogd may lose a few messages if rsyslog is shutdown while a network connection to the server is broken and could not yet be recovered. Future version of RELP support in rsyslog will prevent that. Please note that both scenarios also exists with plain tcp syslog. RELP, even with the small nits outlined above, is a much more reliable solution than plain tcp syslog and so it is highly suggested to use RELP instead of plain tcp. Clients send messages to the RELP server via omrelp.

https://www.rsyslog.com/doc/v8-stable/c ... mrelp.html

https://github.com/rsyslog/rsyslog/issues/3820
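
Added example (not from the thread, and not rsyslog or librelp code): a simplified Python model of the two cases the quoted documentation describes, a lost acknowledgement producing duplicates and a sender that stops while the server is unreachable producing loss, with an audit helper for comparing what was sent against what was stored. The class and function names, the message ids and the in-memory-only backlog are assumptions of the model.

```python
from collections import Counter

class Sender:
    """Keeps every message until its ack arrives (memory only in this model)."""
    def __init__(self):
        self.unacked = []

    def submit(self, msg):
        self.unacked.append(msg)

    def flush(self, stored, acks_delivered=None):
        """Send all pending messages into the receiver's list `stored`.
        Only the first `acks_delivered` acks return before the link breaks
        (None means no break); unacknowledged messages stay pending."""
        for i, msg in enumerate(list(self.unacked)):
            stored.append(msg)                      # receiver committed it
            if acks_delivered is None or i < acks_delivered:
                self.unacked.remove(msg)            # ack seen by the sender

def audit(sent, stored):
    """Return (missing, duplicated) message ids for a delivery test."""
    counts = Counter(stored)
    missing = [m for m in sent if counts[m] == 0]
    duplicated = [m for m in sent if counts[m] > 1]
    return missing, duplicated

def scenario_ack_lost():
    """Link breaks after the data arrived but before two acks came back."""
    sent, stored, tx = ["m1", "m2", "m3"], [], Sender()   # constructed ids
    for m in sent:
        tx.submit(m)
    tx.flush(stored, acks_delivered=1)   # m2 and m3 stored, never acknowledged
    tx.flush(stored)                     # reconnect: resend whatever is unacked
    return audit(sent, stored)

def scenario_shutdown_while_down():
    """Server unreachable, then the sender stops before the link recovers."""
    sent, stored, tx = ["m1", "m2", "m3"], [], Sender()   # constructed ids
    for m in sent:
        tx.submit(m)                     # nothing flushed: link is down
    tx = Sender()                        # restart; backlog gone (model assumption)
    tx.flush(stored)
    return audit(sent, stored)

if __name__ == "__main__":
    print("ack lost:", scenario_ack_lost())
    print("shutdown while down:", scenario_shutdown_while_down())
```

The same audit works on a real reboot test: inject numbered messages on the client while the server is down, then compare the ids against what ended up indexed.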

Re: rsyslog, imrelp and log loss

Posted: Fri 13 Sep 2019 19:57
by poulpito
STFU & RTFM NOOB :o


:lol: :lol: :lol: sorry

Re: rsyslog, imrelp and log loss

Posted: Fri 13 Sep 2019 21:59
by gizmo78
the thing is sold as a fix for that, so yeah :o