On Tue, 13 Feb 2024, Prasad Koya via rsyslog wrote:
> While these messages are deep copied and enqueued to respective action
> queues, it's possible that the second message may reach the remote syslog
> server before the first message. I'd like to avoid that situation.
> How do I define one queue for all syslogs forwarded to a server
> by preserving the facility/severity in each message?

You can't. Rsyslog can use multiple threads, and the threads do not even try to
coordinate between them to make sure they are sending messages in order.

By putting the forward action in a single ruleset, and calling that ruleset
instead of invoking the action, you will make it less likely that things will be
out of order, but only less likely.

At one point in the distant past, rsyslog tried really hard to send the messages
out in the order that they were received, but I pointed out quite a few corner
cases where that would be defeated by the network (especially if sending through
relay servers) and rsyslog abandoned that effort, and in the process increased
its throughput by several orders of magnitude.

In general, messages still probably arrive in order, but not always. And when
you are talking about logs sent from multiple machines, it even becomes
impossible to guarantee reception of logs from multiple machines in the order
they were generated (and in this case anything you do to make log delivery more
reliable, like TCP or RELP, makes the possible delays in message delivery worse).

As noted, if you care about absolute ordering of logs, you need good, high
precision timestamps, especially across multiple machines.

David Lang
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
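
The layout described in the reply above, as an added configuration sketch (not from the thread or from the rsyslog project): one ruleset holding the single forward action, called from each filter, using the built-in RSYSLOG_ForwardFormat template so each forwarded message keeps its PRI (facility/severity) and carries an RFC 3339 high-precision timestamp. The ruleset name, target host, port, filters and queue settings are assumptions, and as the reply says this only makes reordering less likely.

```rsyslog
# Added example; names, target and filters below are assumptions.

# One ruleset, one omfwd action, one action queue with a single worker.
# Every filter hands its messages to this ruleset instead of carrying
# its own forward action (and therefore its own action queue).
ruleset(name="fwd_remote") {
    action(
        type="omfwd"
        target="logs.example.net"        # placeholder collector host
        port="514"
        protocol="tcp"
        # Built-in template: <PRI> + RFC 3339 timestamp with fractional
        # seconds and UTC offset, so the receiver can sort by time.
        template="RSYSLOG_ForwardFormat"
        queue.type="LinkedList"
        queue.workerThreads="1"          # a single sender thread for this action
    )
}

# Constructed filters on distinct facilities, so no message matches twice.
if prifilt("authpriv.*") then {
    call fwd_remote
}

if prifilt("kern.warning") then {
    call fwd_remote
}
```

On the receiving side, order events by the timestamp inside each message rather than by arrival order.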