[syslog-ng] periodic disconnect of TCP sessions

Wilson, Jonathan jonathan.wilson at vumc.org
Wed Nov 13 22:03:09 UTC 2019


Hello all,

I am using a pair of syslog-ng OSE 3.22.1 servers that write logfiles which are then scanned by a Splunk Universal Forwarder. They receive messages over TCP, TCP with TLS, and UDP. We have always had devices and systems that send us syslog messages simply send to both syslog-ng servers; however, this resulted in double indexing of the log data in Splunk.

To deal with this we set up a DNS name that round-robins across the two syslog-ng servers' IPs every 30 seconds. The devices and systems that send to us now send to that DNS name. That neatly prevents the double indexing. If the messages are coming in over stateless UDP, the messages are load balanced in that they all go to one server for 30 seconds, then the other. However, TCP sessions are much longer lived, and some senders send many messages every second - they will latch onto one of our syslog servers and stay connected to it all day.

What I am looking for is a way to limit the lifetime of a TCP connection into syslog-ng, either by time or by number of messages received; after the connection is dropped, the sender will reconnect to whichever server is indicated by the round-robin DNS name, and over time about half of the messages will go to each server.

Is there already a way to do this? Failing that, can you suggest a place to start in patching the source?

Thanks,
Jon
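
As an added illustration (not part of the original post or of syslog-ng), a small discrete-time model of the setup described above: two collectors behind a round-robin DNS name that flips every 30 s, showing why long-lived TCP sessions defeat the balancing and how a cap on TCP connection lifetime restores it. The sender rates, start times and cap values are constructed sample values, and the reconnect behaviour is an assumption spelled out in the docstring.

```python
# Added illustration, not from the original post: model two syslog collectors behind a
# round-robin DNS name (flipping every 30 s, as in the post) and compare how UDP and TCP
# senders spread across them with and without a cap on TCP connection lifetime.
from collections import Counter

DNS_ROTATION_S = 30          # the post's round-robin interval


def resolve(now: int) -> int:
    """Round-robin DNS: the name points at server 0 or 1, flipping every 30 s."""
    return (now // DNS_ROTATION_S) % 2


def simulate(senders, duration_s, max_conn_s=None, max_conn_msgs=None):
    """Count messages landing on each collector over duration_s seconds.

    senders: list of (first_send_s, msgs_per_s, transport) with transport "udp" or "tcp".
    Assumptions (not stated in the post): a UDP sender re-resolves the name for every
    message; a TCP sender resolves only when it (re)connects, and the collector closes a
    TCP session after max_conn_s seconds or max_conn_msgs messages, whichever comes first.
    """
    counts = Counter({0: 0, 1: 0})
    for first_send, rate, transport in senders:
        server, conn_start, conn_msgs = None, 0, 0
        for t in range(first_send, duration_s):
            if transport == "udp":
                counts[resolve(t)] += rate
                continue
            if server is None:                      # (re)connect: resolve DNS now
                server, conn_start, conn_msgs = resolve(t), t, 0
            counts[server] += rate
            conn_msgs += rate
            too_old = max_conn_s is not None and t - conn_start + 1 >= max_conn_s
            too_many = max_conn_msgs is not None and conn_msgs >= max_conn_msgs
            if too_old or too_many:                 # collector drops the session
                server = None
    return dict(counts)


if __name__ == "__main__":
    # Constructed example: three chatty TCP senders that came up at different times.
    tcp = [(0, 10, "tcp"), (5, 10, "tcp"), (40, 10, "tcp")]
    for label, kw in [("no cap", {}), ("60 s cap", {"max_conn_s": 60}),
                      ("90 s cap", {"max_conn_s": 90})]:
        print(f"{label:>9}: {simulate(tcp, 3600, **kw)}")
```

One thing the model makes visible: a lifetime cap that is an even multiple of the 30 s rotation (60 s here) makes every reconnect resolve to the same server, so the cap should not line up with the DNS rotation period (an odd multiple such as 90 s, or a jittered value, alternates as intended).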
