I have a stack of nxlog -> om_ssl -> tcp input -> logstash. After I do kill -9 I lose a bunch of messages. I looked up buffered data in logstash and switched it to 1. I tested it, and if I read a file I can lose about 5 messages at most. So I tried to look it up in nxlog; data_timeout is there, 30 sec. So as I looked it up with the data loss over time, it looks like it might be it. Is there a chance to change this value after installing the rpm? Or do I have to compile it with a changed value in the code?

Asked July 21, 2015 - 12:12pm

Answer (1)

This is an issue in the protocol since there is no acknowledgement built in (i.e. it is half-duplex). Any data that is sent is first passed to the OS and the OS will then accept it and it is then considered as sent. Now when the application is killed or the connection is forcibly terminated, all data that is still unsent by the OS (i.e. in the socket buffer) will be lost.

The solution to this problem is using another protocol that has acknowledgement in it. The NXLog Enterprise Edition has modules for this; there is also om_http and im_http. Some other tools have their own protocols, e.g. RELP in rsyslog, lumberjack in logstash, etc. Unfortunately there is no standard.

Answered July 21, 2015 - 1:57pm
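The behaviour described in the answer, as an added example that is not part of the original thread: a sender that keeps every record until the receiver acknowledges it, and resends the rest after the receiver dies mid-stream. The line format (`seq payload`, answered by `ACK seq`) and all function names are constructed for this illustration; this is not RELP, lumberjack, or NXLog's own protocol.

```python
import socket
import threading

def receiver(conn, store, crash_after=None):
    """Store each 'seq payload' line, then acknowledge it. Toy protocol, constructed."""
    f = conn.makefile("rwb")
    for n, line in enumerate(f, 1):
        if crash_after is not None and n > crash_after:
            break  # simulated kill: record left the sender but is never stored or acked
        seq, _, payload = line.rstrip(b"\n").partition(b" ")
        store[int(seq)] = payload
        f.write(b"ACK " + seq + b"\n")
        f.flush()
    f.close()
    conn.close()

def send_with_acks(conn, pending):
    """Send all pending records; forget a record only once the peer has acked it."""
    f = conn.makefile("rwb")
    try:
        for seq, payload in sorted(pending.items()):
            f.write(b"%d %s\n" % (seq, payload))
        f.flush()  # from here a fire-and-forget sender would treat everything as sent
        for line in f:
            pending.pop(int(line.split()[1]), None)
            if not pending:
                break
    except OSError:
        pass  # connection died; whatever is still in pending gets resent
    finally:
        f.close()
        conn.close()
    return pending

def run_demo():
    pending = {i: b"event-%d" % i for i in range(1, 6)}  # constructed sample records
    store, unacked_after_crash = {}, None
    for crash_after in (3, None):  # first receiver dies after 3 records, second stays up
        a, b = socket.socketpair()
        t = threading.Thread(target=receiver, args=(b, store, crash_after))
        t.start()
        pending = send_with_acks(a, pending)
        t.join()
        if crash_after is not None:
            unacked_after_crash = sorted(pending)
    return store, unacked_after_crash, pending

if __name__ == "__main__":
    print(run_demo())
```

Records 4 and 5 are the ones a plain TCP sender would have counted as delivered; here they stay in `pending` and arrive on the second connection.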