You have a queue of 1024 for rabbitmq; if there are more messages than that pending, other processing will stop until the queue can accept more messages. Set up a larger queue (potentially a disk-assisted queue) to handle longer outages.

You may also want to consider configuring the queue to throw away messages if it gets too full.

David Lang

On Mon, 5 Feb 2024, Alex via rsyslog wrote:

I have rsyslog (8.2310.0) in docker container from latest alpine image as a
syslog collector with forwarding to logstash.local and rabbitmq.local

Rsyslog stops working when rabbitmq is unavailable and works fine when
the rabbitmq server is up.

How do I configure rsyslog to work when the destination is unavailable?


module(load="omrabbitmq")
module(load="imptcp" threads="3")
input(type="imptcp" port="514" ruleset="syslogCollector")

template(
   name="json_syslog"
   type="list"
   option.json="on"
) {
   constant(value="{")
   constant(value="\"@timestamp\":\"")       property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"type\":\"syslog_json")
   constant(value="\",\"tag\":\"")           property(name="syslogtag" format="json")
   constant(value="\",\"relayhost\":\"")     property(name="fromhost")
   constant(value="\",\"relayip\":\"")       property(name="fromhost-ip")
   constant(value="\",\"logsource\":\"")     property(name="source")
   constant(value="\",\"hostname\":\"")      property(name="hostname" caseconversion="lower")
   constant(value="\",\"program\":\"")       property(name="programname")
   constant(value="\",\"source\":\"")        property(name="app-name" caseConversion="lower" onEmpty="null")
   constant(value="\",\"priority\":\"")      property(name="pri")
   constant(value="\",\"severity\":\"")      property(name="syslogseverity" caseConversion="upper")
   constant(value="\",\"facility\":\"")      property(name="syslogfacility")
   constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
   constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
   constant(value="\",\"message\":\"")       property(name="msg" format="json")
   constant(value="\",\"end_msg\":\"")
   constant(value="\"}\n")
}

ruleset(
   name="syslogCollector"
) {
  @@elk.local:5000;json_syslog
  call send2mqtt
}

ruleset (
   name="send2mqtt"

   queue.type="LinkedList"
   queue.size="1024"
   queue.dequeueBatchSize="512"
   queue.filename="q_mqtt"
   queue.saveonshutdown="off"
   queue.highwatermark="450"
   queue.lowwatermark="50"

) {
   action(
       type="omrabbitmq"
       host="rabbitmq.local"
       verify_peer="off"
       verify_hostname="off"
       virtual_host="/"
       user="xxx"
       password="xxx"
       exchange="syslog"
       routing_key="messages"
       body_template="json_syslog"

       action.resumeRetryCount="0"
       action.reportSuspension="on"
       action.reportSuspensionContinuation="on"
       action.resumeInterval="10"
   )
}
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
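
Added example (not part of the original thread, and not from the rsyslog project): one way to apply both suggestions in the reply to the send2mqtt ruleset, using a disk-assisted queue plus discard thresholds. The sizes, thresholds, spool path and the retry count of -1 are assumed values chosen for illustration.

```rsyslog
# Replacement for the send2mqtt ruleset only; the module() lines, template and
# syslogCollector ruleset from the original post stay unchanged.
# All numbers and the spool path below are assumptions; tune them per deployment.
ruleset(
    name="send2mqtt"

    # Disk-assisted queue: an in-memory LinkedList that spills to disk
    # because queue.filename is set.
    queue.type="LinkedList"
    queue.filename="q_mqtt"
    queue.spoolDirectory="/var/spool/rsyslog"  # assumed path; must exist (mount a volume in Docker)
    queue.size="100000"            # in-memory capacity, in messages
    queue.highWatermark="80000"    # start writing to disk at this fill level
    queue.lowWatermark="20000"     # stop writing to disk once drained to here
    queue.maxDiskSpace="1g"        # upper bound on spool size
    queue.saveOnShutdown="on"      # keep queued messages across a container restart

    # Shed load instead of blocking the rest of the pipeline when the queue fills.
    queue.discardMark="95000"      # above this fill level, start discarding
    queue.discardSeverity="5"      # discard severity 5 (notice) and less important
    queue.timeoutEnqueue="0"       # if the queue is completely full, drop at once
) {
    action(
        type="omrabbitmq"
        host="rabbitmq.local"
        verify_peer="off"
        verify_hostname="off"
        virtual_host="/"
        user="xxx"
        password="xxx"
        exchange="syslog"
        routing_key="messages"
        body_template="json_syslog"

        # Assumption: retry indefinitely so messages wait in the queue during
        # the outage (the original post used "0").
        action.resumeRetryCount="-1"
        action.resumeInterval="10"
        action.reportSuspension="on"
        action.reportSuspensionContinuation="on"
    )
}
```

With these settings, an outage longer than the queue can absorb costs the lowest-priority messages first, so the discard severity should be chosen with the audit value of those messages in mind.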
