I’m running into some issues with RELP and I just want to make sure if the following messages that I seeing in the logs are critical or not. The messages below occur in batches on the syslog server. This last batch had well over 50 of messages below all within the same second.
2024-02-15T16:53:02.362118+00:00 mdtnj01log-col rsyslogd: imrelp[2809]: error 'error sending relp: Broken pipe', object 'lstn 2809: conn to clt 10.10.10.149/10.10.10.149' - input may not work as intended [v8.2312.0 try https://www.rsyslog.com/e/2353 ] 2024-02-15T16:53:02.362140+00:00 mdtnj01log-col rsyslogd: imrelp[2809]: error 'io error, session broken', object 'lstn 2809: conn to clt 10.10.10.149/10.10.10.149' - input may not work as intended [v8.2312.0 try https://www.rsyslog.com/e/2353 ] 2024-02-15T16:53:02.362173+00:00 mdtnj01log-col rsyslogd: imrelp[2809]: error 'error sending relp: Broken pipe', object 'lstn 2809: conn to clt 10.10.10.149/10.10.10.149' - input may not work as intended [v8.2312.0 try https://www.rsyslog.com/e/2353 ] 2024-02-15T16:53:02.362193+00:00 mdtnj01log-col rsyslogd: imrelp[2809]: error 'io error, session broken', object 'lstn 2809: conn to clt 10.10.10.149/10.10.10.149' - input may not work as intended [v8.2312.0 try https://www.rsyslog.com/e/2353 ] On my client side (sender) which is on RHEL 7.9 and running rsyslog-8.24.0-57.el7_9.3.x86_64. Using the following omrelp configuration. action(type="omrelp" name="fwd-ldap" target="mdtnj01log-col" port="2809" template="Tmpl-ReWrite-ForwardFormat" Timeout="120" #; Close the connection if there is no activity. We need to set this high Conn.Timeout="5" #; Amount of time to wait in seconds to establish a connection action.writeAllMarkMessages="off" #; Send all MARK messages action.repeatedmsgcontainsoriginalmsg="off" #; Disable duplicate message reporting action.reportSuspension="on" #; Generate a message if this connection is suspended action.reportSuspensionContinuation="on" #; Generate a message when the connection resumes queue.Type="LinkedList" #; Queue type. LinkList is best of both worlds memory and disk queue.spoolDirectory="/var/lib/rsyslog" #; Directory where the queue files are stored queue.filename="q-ldap-fwd" #; Queue file name queue.size="50000" #: Number of messages that can be queued in memory queue.highWatermark="40000" #; When this number of messages reaches this value memory queued messages are written to disk queue.lowWatermark="20000" #; When this number is reached new messages stop being written to disk queue.dequeueBatchSize="2048" #; Send the specified number of messages to remote system when dequeuing messages queue.workerThreads="2" #; Number of worker threads to be used queue.maxFileSize="1g" #; Max size for a queue file can be before a new queue file is created queue.saveOnShutdown="on") #; Save all the messages if rsyslog is stop On my server side which is on RHEL 9.2 running rsyslog-8.2312.0-1.el9.x86_64. Using the following configuration. input(type="imrelp" address="mdtnj01log-col " port="2809" name="input-ldap-relp-acc-v4" ruleset="rule-ldap-acc-v4") ruleset(name="rule-ldap-acc-v4") { #; Local file storage for logs. Single file created for everything on this stream. #: These logs should only be maintained for 7 to 14 days. These are used for troubleshooting action(type="omfile" name="output-ldap-acc-v4" template="Tmpl-ReWrite-IP-FileFormat" dynafile="Tmpl-DynaFile-LDAP-Acc" #; Dynamic file naming template to be used (daily files) dynafilecachesize="14" #; Number of dynamic file names to keep in cache closetimeout="5" #; Close the file after so many minutes with no activity flushinterval="5" #; Flush the buffers every so many seconds asyncwriting="on" #; Enable asynchronous writes iobuffersize="256k" #; Chunk the writes to disk dirowner="root" #; Owner for the directory where the log file is stored dirgroup="apache" #; Group for the directory where the log file is stored dircreatemode="0750" #; Permissions for the directory where the log file is stored fileowner="root" #; Owner for the log file filegroup="apache" #; Group for the log file filecreatemode="0640" #; Permissions for log file failonchownfailure="off") #; Continue on if we cannot not set the file ownerships } I have looked the 2353 error code, and I am not using or have enable TLS. Any help would be great! Thanks Bob Kong _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
