• Linux
• Rsyslog
• FailOver

Linux/Rsyslog/FailOver

• For high availability forward to primary syslog server, and if not available failover to next.
• Note: Cant use udp, must be reliable e.g. tcp / relp to detect failure
• Note: Put actions in ruleset, to allow for usage of queue.

• failover config, if all down to file /var/log/localbuffer

  ruleset(name="forwarding" queue.type="linkedList" queue.filename="fwdq") {
       action(type="omfwd" target="primary-syslog.example.com" port="10514"
              protocol="tcp")
       action(type="omfwd" target="secondary-1-syslog.example.com" port="10514"
              action.execOnlyWhenPreviousIsSuspended="on")
       action(type="omfwd" target="secondary-2-syslog.example.com" port="10514"
              action.execOnlyWhenPreviousIsSuspended="on")
       action(type="omfile" tag="failover" file="/var/log/localbuffer"
              action.execOnlyWhenPreviousIsSuspended="on")
  }
  
  if($msg contains "error") then {
       call forwarding, 
       # msg processing ends here, as the ruleset forwarding, has a queue, async in q.
       stop
       # stop only needed if ruleset no queue, then sync processing.
  }

call

• https://www.rsyslog.com/doc/v8-stable/rainerscript/rainerscript_call.html?highlight=call

• it is like a function call  call rulesetname  to the rulesetname.

== queue settings ===

• https://www.rsyslog.com/doc/v8-stable/rainerscript/queue_parameters.html