The problem is that you have not de-coupled the flow of actions from each other. So when the forwarding blocks, rsyslog cannot process the others until it times out. You decouple via queues. I guess this resource might be useful for you:
https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/ Feedback would be appreciated as we currently think about doing some new, up-to-the point short demos to answer questions like yours. Rainer El mar., 18 ago. 2020 a las 11:31, PRATIK RANA via rsyslog (<[email protected]>) escribió: > > Dear Cyril, > > Thanks for your help. > > The workaround suggested by you worked!! I changed the rsyslog setting at > client node to : > > $ModLoad imfile > $DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem > $DefaultNetstreamDriver gtls > $ActionSendStreamDriverAuthMode anon > $ActionSendStreamDriverMode 1 > $WorkDirectory /var/lib/rsyslog > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > $IncludeConfig /etc/rsyslog.d/*.conf > $OmitLocalLogging on > $IMJournalStateFile imjournal.state > *.info;mail.none;authpriv.none;cron.none /var/log/messages > & > @@172.17.xxx.xxx:11514 > & > @@10.237.xxx.xxx:11514 > & stop > authpriv.* /var/log/secure > & > @@172.17.xxx.xxx:11514 > & > @@10.237.xxx.xxx:11514 > & stop > mail.* -/var/log/maillog > & > @@172.17.xxx.xxx:11514 > & > @@10.237.xxx.xxx:11514 > & stop > cron.* /var/log/cron > & > @@172.17.xxx.xxx:11514 > & > @@10.237.xxx.xxx:11514 > & stop > *.emerg :omusrmsg:* > uucp,news.crit /var/log/spooler > local7.* /var/log/boot.log > & > @@172.17.xxx.xxx:11514 > & > @@10.237.xxx.xxx:11514 > & stop > auth.* /var/log/audit/audit.log > & @@172.17.xxx.xxx:11514 > & @@10.237.xxx.xxx:11514 > & stop > kern.* @@172.17.xxx.xxx:11514 > & @@10.237.xxx.xxx:11514 > & stop > $FileCreateMode 0640 > > After that I stopped the rsyslog service at one of the server and checked > local logging using the logger command. However it would be really helpfull > if you could explain the reason behind this as well , also after shutting > down the syslog service at server, i can see following message at client > side, i think they are general retry message to try rebuilding the > connection with server: > > Aug 18 12:25:37 rsyslogd[80041]: action 'action 4' resumed (module > 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ] > Aug 18 12:25:37 rsyslogd[80041]: action 'action 4' resumed (module > 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ] > Aug 18 12:25:37 rsyslogd[80041]: action 'action 1' resumed (module > 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ] > Aug 18 12:25:37 rsyslogd[80041]: action 'action 1' resumed (module > 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ] > Aug 18 12:28:08 rsyslogd[80041]: action 'action 1' suspended, next retry > is Tue Aug 18 12:28:38 2020 [v8.24.0-34.el7 try > http://www.rsyslog.com/e/2007 ] > Aug 18 12:30:15 rsyslogd[80041]: action 'action 4' suspended, next retry > is Tue Aug 18 12:30:45 2020 [v8.24.0-34.el7 try > http://www.rsyslog.com/e/2007 ] > Aug 18 12:32:22 rsyslogd[80041]: action 'action 10' suspended, next retry > is Tue Aug 18 12:32:52 2020 [v8.24.0-34.el7 try > http://www.rsyslog.com/e/2007 ] > Aug 18 12:47:22 rsyslogd[80041]: action 'action 18' suspended, next retry > is Tue Aug 18 12:47:52 2020 [v8.24.0-34.el7 try > http://www.rsyslog.com/e/2007 ] > > On Tue, Aug 18, 2020 at 1:58 PM Cyril Stoll via rsyslog < > [email protected]> wrote: > > > > > Hi Pratik Rana > > > > Have you tried linking the same ones together and then stopping execution > > like so: > > > > authpriv.* /var/log/secure > > & @@172.17.XXX.XXX:11514 > > & @@10.237.XXX.XXX:11514 > > & stop > > mail.* -/var/log/maillog > > & @@172.17.XXX.XXX:11514 > > & @@10.237.XXX.XXX:11514 > > & stop > > ....... > > ...... > > .... > > > > and so on for all the facilities you are interested in. > > > > Best, > > Cyril > > -- > > Universität Zürich > > Cyril Stoll > > Zentrale Informatik > > Stampfenbachstrasse 73 > > CH-8006 Zürich > > Tel. +41 44 63 5 22 93 > > www.zi.uzh.ch > > > > > > > > Von: "PRATIK RANA via rsyslog" <[email protected]> > > An: [email protected] > > Kopie: "PRATIK RANA" <[email protected]> > > Datum: 18/08/2020 08:47 > > Betreff: [rsyslog] Local logging gets disabled when the connection > > to > > syslog server breaks. > > Gesendet von: "rsyslog" <[email protected]> > > > > > > > > Hi all, > > > > I have two syslog servers at different sites which are receiving logs from > > client nodes configured on various sites. All of my client nodes are > > configured to send logs to both of these syslog servers. But whenever my > > client node gets disconnected to any one of the server node, then the > > rsyslog service stops the local logging of the system(i.e is logging into > > /var/log/messages etc.) as well. > > > > Here is the rsyslog.conf configuration for my client nodes: > > > > $ModLoad imfile > > $ModLoad imuxsock # provides support for local system logging (e.g. via > > logger command) > > $ModLoad imjournal # provides access to the systemd journal > > $DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem > > $DefaultNetstreamDriver gtls > > $ActionSendStreamDriverAuthMode anon > > $ActionSendStreamDriverMode 1 > > $WorkDirectory /var/lib/rsyslog > > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > > $IncludeConfig /etc/rsyslog.d/*.conf > > $OmitLocalLogging on > > $IMJournalStateFile imjournal.state > > *.info;mail.none;authpriv.none;cron.none /var/log/messages > > authpriv.* /var/log/secure > > mail.* -/var/log/maillog > > cron.* /var/log/cron > > *.emerg :omusrmsg:* > > uucp,news.crit /var/log/spooler > > local7.* /var/log/boot.log > > *.info;mail.none;authpriv.none;cron.none;auth.none;kern.none;local7.none > > @@172.17. XXX.XXX :11514 > > authpriv.* @@172.17. XXX.XXX :11514 > > auth.* /var/log/audit/audit.log > > auth.* @@172.17. XXX.XXX :11514 > > kern.* @@172.17. XXX.XXX :11514 > > mail.* @@172.17. XXX.XXX :11514 > > cron.* @@172.17. XXX.XXX :11514 > > local7.* @@172.17. XXX.XXX :11514 > > *.info;mail.none;authpriv.none;cron.none;auth.none;kern.none;local7.none > > @@10.237. XXX.XXX :11514 > > authpriv.* @@10.237.XXX.XXX:11514 > > auth.* @@10.237. XXX.XXX :11514 > > kern.* @@10.237. XXX.XXX :11514 > > mail.* @@10.237. XXX.XXX :11514 > > cron.* @@10.237. XXX.XXX :11514 > > local7.* @@10.237. XXX.XXX :11514 > > $FileCreateMode 0640 > > > > -- > > Regards, > > *PRATIK RANA* > > *Software Engineer* > > *NEC Technologies India* > > _______________________________________________ > > rsyslog mailing list > > https://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > > LIKE THAT. > > > > _______________________________________________ > > rsyslog mailing list > > https://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > > -- > Regards, > *PRATIK RANA* > *Software Engineer* > *NEC Technologies India* > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
