forwarding fo fails when server problem should trigger it


Post by jdeich » Wed Nov 01, 2017 4:04 pm

We have an rsyslog use case where we use the configuration
snippet below in /etc/rsyslog.d/web-audit.conf

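# load the file input module in inotify mode
module(load="imfile" mode="inotify")

# output format: message text followed by the syslog tag
$template NPACFMT,"%msg% type=%syslogtag%"

ruleset(name="GENERAL") {
    # primary target
    action(type="omfwd" Target="server01" Port="514" Protocol="tcp")

    # fail-over target: runs only while the previous action is suspended
    action(type="omfwd" Target="server02" Port="514" Protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on")
}

# more files monitored below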


The issue is the fail-over in the rule set above, which is
designed to fail over delivery to server02 when server01 is down.

The ports on these servers are TCP syslog ports to Splunk heavy
forwarders on server01 and server02. Normal delivery works fine.
Fail-over delivery works fine as long as it is triggered by
shutting down the receiving Splunk application.

_The problem comes if server1 fails or is rebooted. When these
server level failures happen, the fail-over to server2 does not
occur and delivery stops_. We think this may be due to the receiving
syslog port not shutting down neatly in tcp.

This post may be a good description of our issue: ... 27912.html

We are using rsyslog 7.4.7 and don't seem to have an 8+ version in our
repository, and upgrading could present organizational issues.
We had wanted to use keep-alive / heartbeat testing, but it's not recognized.

Any help so our fail-over becomes more reliable with server issues would
be appreciated.
Posts: 2
Joined: Wed Oct 25, 2017 8:59 pm
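
One way to quantify the poster's hypothesis that a host-level failure leaves the TCP connection open: the Python timing model below is an added example, not part of the original post and not rsyslog code. It assumes a Linux sender with the kernel's standard retransmission constants; the function names, failure labels and the 50 msg/s rate are illustrative.

```python
# Added example: timing model only. Assumes the sending host runs Linux.
RTO_MIN = 0.2    # Linux TCP_RTO_MIN, seconds
RTO_MAX = 120.0  # Linux TCP_RTO_MAX, seconds


def retransmit_timeout(tcp_retries2=15):
    """Lower bound, in seconds, before the kernel aborts a connection whose
    peer no longer acknowledges data (net.ipv4.tcp_retries2, default 15)."""
    if tcp_retries2 < 0:
        raise ValueError("tcp_retries2 must be >= 0")
    # The retransmission timer doubles from RTO_MIN and is capped at RTO_MAX.
    total = sum(min(RTO_MIN * 2 ** i, RTO_MAX) for i in range(tcp_retries2 + 1))
    return round(total, 1)


def keepalive_timeout(idle=7200, interval=75, probes=9):
    """Seconds for TCP keepalive to declare an idle connection dead
    (defaults are the Linux tcp_keepalive_* sysctl defaults)."""
    return idle + interval * probes


def seconds_until_send_error(failure, tcp_retries2=15):
    """Earliest moment the sender gets a socket error, which is the earliest
    moment the first action can be suspended and the backup action can run."""
    if failure == "receiver_stopped":
        # Host is up: its kernel answers with FIN/RST, so a write fails
        # after roughly one round trip (modelled as 0 here).
        return 0.0
    if failure == "host_down":
        # Nothing answers: writes keep landing in the local send buffer
        # until the retransmission timer gives up.
        return retransmit_timeout(tcp_retries2)
    raise ValueError("unknown failure mode: %r" % failure)


def stall_report(msgs_per_sec, tcp_retries2_values=(15, 8, 5)):
    """Map each tcp_retries2 value to (stall seconds, messages undelivered)."""
    report = {}
    for value in tcp_retries2_values:
        stall = seconds_until_send_error("host_down", tcp_retries2=value)
        report[value] = (stall, round(stall * msgs_per_sec))
    return report


if __name__ == "__main__":
    for value, (stall, held) in stall_report(msgs_per_sec=50).items():
        print("tcp_retries2=%-2d stall >= %6.1f s, ~%d messages" % (value, stall, held))
    print("keepalive with kernel defaults: %d s" % keepalive_timeout())
```

Lowering net.ipv4.tcp_retries2 on the sending host shortens the stall, but the sysctl applies to every TCP connection on that host.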
