Information: Forum is in read-only mode
For details and other support options see

forward fail over not working ....

General discussions here

Moderator: alorbach

Google Ads

forward fail over not working ....

Postby jdeich » Fri Nov 10, 2017 4:52 pm

( Posing here looking for help was not getting help in "configuration" )

We have an rsyslog use case where we use the configuration
snipet below in /etc/rsyslog.d/web-audit.conf

module(load="imfile" mode="inotify")

$template NPACFMT,"%msg% type=%syslogtag%"

ruleset(name="GENERAL") {
action(type="omfwd" Target="server01" Port="514" Protocol="tcp"

action(type="omfwd" Target="server02" Port="514" Protocol="tcp"



more file monitored below


The issue is is the fail-over in the rule set above. Which is
designed fail-over deliver to server02 when server01 is down.

The ports on these servers are tcp syslog ports to splunk heavy
forwarders on server01 and server02. Normal deliver works fine.
Fail-over delivery work fine as long as it is triggered by
shutting down the receiving splunk application.

_The problem comes if server1 fails or is rebooted. When these
server level failures happen, the fail-over to server2 does not
occur and delivery stops_. We think this may be due to the receiving
syslog port not shutting down neatly in tcp.

This post may be a good description of our issue: ... 27912.html

We are using rsyslog 7.4.7 and don't seem to have 8+ version in our
repository and upgrading could present organizational issue.
We had want to use keep alive / heart beat testing, but it's not recognized.

Any help so our fail-over becomes more reliable with server issue would
be appreciated.
Posts: 2
Joined: Wed Oct 25, 2017 8:59 pm

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Google Ads

Return to General

Who is online

Users browsing this forum: No registered users and 0 guests