We have a requirement to send all our logs to two other servers so we have those configured as destinations in our configuration. However, sometimes their servers go down and the result is that we stop logging anything at all. Is there a way to disable those servers, either temporarily or until restarted if we can't connect? Thanks, -Mark Mark Faine System Administrator SAIC/NICS 215 Wynn Dr. 5065 Huntsville, AL 35805 256-961-1295 (Desk) 256-617-4861 (Work Cell)
Hello,
Is there a way to disable those servers, either temporarily or until restarted if we can’t connect?
You can remove those destinations from their log paths and reload syslog-ng. But the origin of your problem is coming from flow-control, if I understand you correctly. When `flags(flow-control)` is used in a log path, the sources inside that log path will stop receiving messages when any of the attached destinations are slow or unavailable (after they fetched log-iw-size() number of messages that remained unsent in the destinations' queue). If you don't mind losing messages on those 2 destinations in case they are slower than the sources or when they go down, you can create a separate log path for those destinations, where you do not enable flow control. This way, syslog-ng queues log-fifo-size() number of messages in memory for you. If memory queues are full, syslog-ng will drop new messages without stopping the source; so message processing won't stop. Alternatively, you can configure a disk-buffer() if you need to survive longer without losing logs. -- László Várady
Excellent! This is very helpful. Thank you -Mark -----Original Message----- From: László Várady (lvarady) <Laszlo.Varady@oneidentity.com> Sent: Saturday, September 21, 2019 09:10 To: Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> Cc: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: [EXTERNAL] Re: Disregard source if it fails Hello,
Is there a way to disable those servers, either temporarily or until restarted if we can't connect?
You can remove those destinations from their log paths and reload syslog-ng. But the origin of your problem is coming from flow-control, if I understand you correctly. When `flags(flow-control)` is used in a log path, the sources inside that log path will stop receiving messages when any of the attached destinations are slow or unavailable (after they fetched log-iw-size() number of messages that remained unsent in the destinations' queue). If you don't mind losing messages on those 2 destinations in case they are slower than the sources or when they go down, you can create a separate log path for those destinations, where you do not enable flow control. This way, syslog-ng queues log-fifo-size() number of messages in memory for you. If memory queues are full, syslog-ng will drop new messages without stopping the source; so message processing won't stop. Alternatively, you can configure a disk-buffer() if you need to survive longer without losing logs. -- László Várady
participants (2)
-
Faine, Mark R. (MSFC-IS40)[NICS]
-
László Várady (lvarady)