
Hi,

First time post so please go easy....

I have a simple test Windows 2008 server with nxlog installed with the following config file.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input file_in>
    Module im_file
    File 'D:\\01\\syslogtest.txt'
    Exec $Message = $raw_event;
    SavePos True
    ReadFromLast True
</Input>

<Processor file_transformer>
    Module pm_transformer
    Exec $SourceName = 'offline_testing';
    OutputFormat syslog_bsd
</Processor>

<Output file_out>
    Module      om_udp
    Host        syslog.domain.com
    Port        10000
</Output>

<Route file_route>
    Path        file_in => file_transformer => file_out
</Route>


I'm sending my logs to a syslog server running syslog-ng.

When the server is available, everything is good.  What I write to the local Windows text file appears on the syslog-ng server.

I enable Windows firewall to simulate the syslog-ng server down.

I write to the local Windows text file and nothing appears in syslog-ng.  As expected.

I remove the firewall rule and here is where my problem lies.  I don't see what was written to the local text file while the syslog-ng was unavailable on the syslog-ng server.

If I start writing to the text file after disabling the firewall, I see the new stuff coming in but not what was written while the syslog server was "offline".

Can anybody help figure out why this is not working as expected?

Regards,

Victor

Asked April 27, 2017 - 1:20am

Answer (1)

UDP is not reliable. The messages are lost while the receiver is down. Use TCP.

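As an added illustration for this answer (it is not part of the answer and not NXLog's own documentation), here is the output block from the question with om_udp swapped for om_tcp. The host and port are the ones in the question; the Reconnect interval is an assumed value, and the input, processor and route stay exactly as posted.

```nxlog
# Before: om_udp. UDP has no connection and no feedback, so every datagram
# sent while syslog-ng is unreachable is silently dropped. Kept here,
# commented out, only for comparison; use one file_out block, not both.
#<Output file_out>
#    Module      om_udp
#    Host        syslog.domain.com
#    Port        10000
#</Output>

# After: om_tcp. A refused or dropped connection is an error the module
# sees, it retries every Reconnect seconds (10 is an assumed value), and
# events waiting at the output while it was disconnected go out once the
# connection is back, which is what the follow-up comment below reports,
# apart from whatever was already handed to the socket when the peer
# vanished.
<Output file_out>
    Module      om_tcp
    Host        syslog.domain.com
    Port        10000
    Reconnect   10
</Output>
```

The syslog-ng side must listen on TCP on the same port, for example a source of the form network(ip("0.0.0.0") port(10000) transport("tcp")), and the Windows firewall test then has to block TCP 10000 rather than UDP.
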
Comments (3)

  • peepers1970:

    Hi b0ti,

    Thank you for your reply.  That's what I thought.

    I set up a test syslog-ng server listening on a TCP port and ran the same tests.

    This time nxlog did transmit the data once the syslog-ng server was back online.  The only issue I did find is that nxlog would not transmit the first message sent once the connection was down.  All subsequent messages were successfully sent.

    Is there a directive I'm missing to make nxlog send all messages including the first one?  Or is this how nxlog behaves?  The first message is lost which is how nxlog determines the destination syslog server is unavailable?

    Regards,

    Victor

  • b0ti (NXLog):

    TCP is not entirely reliable with respect to disconnections, as data might get discarded in the socket buffers, which are handled by the TCP stack of the operating system. I suspect this is why you are seeing the behavior described above.

    A solution to this problem is acknowledged message transfer. The NXLog Enterprise Edition provides two modules for this (om/im_batchcompress) but this is not compatible with syslog-ng. Syslog-ng has its own, rsyslog has RELP, etc. There is no standard. You can use NXLog EE on both sides.
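
The two points made in this comment, that a TCP send() returning success only means the local kernel took the bytes, and that an application-level acknowledgement is what closes that gap, can be reproduced on one machine. The following is an added example, not code from the thread, from NXLog or from syslog-ng: the localhost servers, the record bodies ("evt-1" and so on) and the one-line "OK" reply protocol are all made up for the demonstration and are not NXLog EE's or syslog-ng's real acknowledgement scheme.

```python
"""Lost-first-record demonstration: plain TCP vs. acknowledged transfer.

Added example; everything (hosts, records, the OK-per-line protocol) is an
assumption made for this demo and runs entirely on localhost.
"""
import socket
import threading
import time

HOST = "127.0.0.1"  # assumption: both ends on the local machine


def start_server(mode, got):
    """Listen on an ephemeral port and serve one connection in a thread.

    mode="dead": accept, then close at once without reading, like a receiver
                 that went down; the client's kernel still accepts data for a
                 connection the peer has already abandoned.
    mode="ack":  read newline-terminated records into `got` and answer each
                 with OK plus newline.
    Returns (port, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        if mode == "dead":
            conn.close()
            return
        with conn, conn.makefile("rb") as rd:
            for line in rd:
                got.append(line.rstrip(b"\n").decode())
                conn.sendall(b"OK\n")

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def plain_tcp_send(port, messages):
    """Fire-and-forget, the way a basic TCP output behaves: a send() that
    returns is treated as delivered. Returns (accepted_by_kernel, failed)."""
    accepted, failed = [], []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((HOST, port))
        time.sleep(0.3)  # let a "dead" receiver close its side first
        for m in messages:
            try:
                s.sendall(m.encode() + b"\n")  # ok: bytes sit in the kernel buffer
                accepted.append(m)
            except OSError:  # ECONNRESET / EPIPE once the peer's RST arrived
                failed.append(m)
            time.sleep(0.3)  # give the peer's RST time to come back
    return accepted, failed


def acked_send(port, pending, timeout=1.0):
    """Send records from `pending`, removing each only after the receiver's OK.
    Anything unacknowledged when the connection fails stays in `pending`, so a
    later call against a working receiver resends it (at-least-once delivery).
    Returns the records delivered by this call."""
    delivered = []
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((HOST, port))
            with s.makefile("rb") as rd:
                while pending:
                    s.sendall(pending[0].encode() + b"\n")
                    if rd.readline() != b"OK\n":  # EOF, reset or junk: not delivered
                        break
                    delivered.append(pending.pop(0))
    except OSError:  # refused, reset, timeout: leave `pending` untouched
        pass
    return delivered


def demo():
    records = ["evt-1", "evt-2", "evt-3"]  # constructed sample records

    # 1. Plain TCP against a receiver that has gone away: the first send()
    #    "succeeds" yet nothing reaches the far side. That is the missing first
    #    message from the earlier comment.
    port, _ = start_server("dead", [])
    accepted, failed = plain_tcp_send(port, records)

    # 2. Acknowledged transfer over the same outage loses nothing: the sender
    #    keeps each record until it sees OK, then resends on reconnect.
    pending = list(records)
    port, _ = start_server("dead", [])
    first_try = acked_send(port, pending)
    got = []
    port, t = start_server("ack", got)
    second_try = acked_send(port, pending)
    t.join(2)
    return accepted, failed, first_try, second_try, got


if __name__ == "__main__":
    print(demo())
```

Running it shows the kernel accepting evt-1 for a peer that is already gone (so a sender without acknowledgements counts it as delivered and moves on), while the acknowledged sender delivers nothing on the first attempt, keeps all three records pending, and delivers them in order once a receiver that actually answers is up. The resend after reconnect is the behaviour an acknowledged transport such as the NXLog EE batchcompress modules or RELP provides; a receiver that dedupes on a message identifier is needed if at-least-once is not acceptable.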