
Reliability of Kiwi syslogger when "Forward to remote host" action is specified

Hi,

I am evaluating Kiwi syslogger. I am wondering about the reliability of msg delivery when the "Forward to remote host" action is specified.

I saw in the help section that there exists a KRDP protocol which can resend the log msgs that didn't reach the remote host (let's say another syslog server running on a Linux box).

It would be great if someone could point me to the documents which describe the various possible options to ensure reliable delivery of msgs. Also, if the answer is to use KRDP, then what are the required changes on the remote host to enable reliable communication?

  • KRDP is a proprietary protocol designed to be used between Kiwi Syslog Servers.

    If you're forwarding to a Linux syslog daemon then KRDP won't work.

    If your Linux syslog daemon supports syslog over TCP then you could use that instead.
    KRDP is built on top of TCP, and TCP is more reliable than UDP.

  • Thanks Kuz for the quick reply. I can send logs via TCP to the Linux syslog daemon.

    The use case that I am trying to understand here is: let's say the remote syslog server is down for some time and then comes up again. In this case, will Kiwi syslog server re-send the msgs that were received while the remote syslog server was down, or will these msgs never reach the remote syslog server?

  • The messages will be lost.  

    KRDP is the only protocol that supports resending of messages if the remote host is down, and for that to work you would need another Kiwi Syslog Server instance as the recipient.

  • Thanks Kuz.

    I am wondering if there is any way to specify failover remote host to Kiwi syslog server.

    Something like:

    remote_syslog_server1:port, remote_syslog_server2:port

    Here, Kiwi will forward the msgs to remote_syslog_server2 only when remote_syslog_server1 isn't available.

  • Although we don't support this feature directly, you can achieve this with a Custom RunScript.

    Create a RunScript action, just before your "Forward to another host" action.

    Here's a sample script (not tested, just off the top of my head).  It will ping a specific machine and decide if it's offline or not.  If the machine is deemed to be offline, then the current syslog message will be forwarded to a "failover" machine.


    VBScript (Full Read/Write options) "FailoverForward.vbs"

    Function Main()

        Dim objWinMgmts
        Dim objPing
        Dim objStatus
        Dim strComputer
        Dim bOffline

        Dim FailoverHost
        Dim FailoverPort
        Dim FailoverProtocol

        ' Failover destination; port and protocol are taken from the received message
        FailoverHost = "192.168.1.1"
        FailoverPort = Fields.VarLocalPort
        FailoverProtocol = Fields.VarInputSource

        strComputer = "10.190.2.205" 'IP Address or Name
        Set objWinMgmts = GetObject("winmgmts:{impersonationLevel=impersonate}")
        Set objPing = objWinMgmts.ExecQuery("select Replysize from Win32_PingStatus where address = '" & strComputer & "'")

        ' A ping result with no ReplySize means the machine did not answer
        bOffline = false
        For Each objStatus in objPing
            If IsNull(objStatus.ReplySize) Then
                'computer is offline
                bOffline = true
            End If
        Next

        Set objStatus = Nothing
        Set objPing = Nothing
        Set objWinMgmts = Nothing

        If bOffline Then
            'strComputer is offline, so forward syslog message to failover host
            Call Fields.ActionSendSyslog(FailoverHost, Fields.VarRawMessageText, FailoverPort, FailoverProtocol)
        End If

        ' Set the return value to indicate that the script ran correctly
        Main = "OK"

    End Function

    Change "FailoverHost" to the IP address of your failover machine.
    Change "strComputer" to the IP address of the machine to check offline status of.

  • Thanks Kuz, this was helpful. I will try this approach.

  • No problem.

    A word of warning though - the script above will ping the machine on *every* syslog message received.

    If your syslog throughput is very high you will definitely *not* want to implement it in your default rule (for a couple of reasons):
    1.  Waiting on a ping result for every syslog message received will slow down the syslog processing pipeline markedly.
    2.  Sending that many pings over the network may be a problem for you (or your network admin).

    I'd recommend limiting the number of pings sent, by breaking the script into two parts.

    Part 1:  Triggered by a Keep-alive, fired every 'N' seconds.  Will ping the machine to determine its "online/offline" status.

    Part 2:  Runs for every syslog message received, but instead of sending a ping every time will just check the "online/offline" status set by the keep-alive trigger in (1).

     

    To Enable KeepAlive:

    Setup > Inputs > Keep-alive, and set frequency to suitable value.

     

    Rule 'Default'
    +Action
    --RunScript "FailoverForward.vbs" (VBScript, Full Read/Write)

    Rule 'OfflineStatusCheck'
    +Filter
    -InputSource = KeepAlive
    +Action
    --RunScript "OfflineStatusCheck.vbs" (VBScript, Full Read/Write)

     

    'OfflineStatusCheck.vbs
    Function Main()

        Dim objWinMgmts
        Dim objPing
        Dim objStatus
        Dim strComputer
        Dim bOffline

        strComputer = "10.190.2.205" 'IP Address or Name
        Set objWinMgmts = GetObject("winmgmts:{impersonationLevel=impersonate}")
        Set objPing = objWinMgmts.ExecQuery("select Replysize from Win32_PingStatus where address = '" & strComputer & "'")

        ' A ping result with no ReplySize means the machine did not answer
        bOffline = false
        For Each objStatus in objPing
            If IsNull(objStatus.ReplySize) Then
                'computer is offline
                bOffline = true
            End If
        Next

        Set objStatus = Nothing
        Set objPing = Nothing
        Set objWinMgmts = Nothing

        ' Save Online/Offline status in Global Variable (accessible from all scripts)
        Fields.VarGlobal01 = bOffline

        ' Set the return value to indicate that the script ran correctly
        Main = "OK"

    End Function

     

     

    'FailoverForward.vbs
    Function Main()

        Dim FailoverHost
        Dim FailoverPort
        Dim FailoverProtocol
        Dim bOffline

        ' Failover destination; port and protocol are taken from the received message
        FailoverHost = "192.168.1.1"
        FailoverPort = Fields.VarLocalPort
        FailoverProtocol = Fields.VarInputSource

        ' Fetch Online/Offline status from Global Variable (accessible from all scripts)
        bOffline = Fields.VarGlobal01
        If bOffline Then
            'Computer is offline, so forward syslog message to failover host
            Call Fields.ActionSendSyslog(FailoverHost, Fields.VarRawMessageText, FailoverPort, FailoverProtocol)
        End If

        ' Set the return value to indicate that the script ran correctly
        Main = "OK"

    End Function
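
The keep-alive design above trades pings for a window in which the cached status is stale. The following is an added example, not part of the original thread and not Kiwi code: a small Python replay of a constructed message timeline that counts pings, messages lost while the flag still says "online", and messages delivered to both hosts after the primary recovers. The function name, the timeline and the outage window are made up for illustration, and it assumes the rule's normal forward action to the primary still runs for every message.

```python
def replay(msg_times, outage, interval):
    """Replay a constructed timeline through the two-rule design.

    msg_times: arrival times (seconds) of syslog messages
    outage:    (start, end) during which the primary host is down
    interval:  keep-alive frequency N in seconds (first keep-alive at t=0)
    """
    def primary_down(t):
        return outage[0] <= t < outage[1]

    # Merge keep-alive ticks (kind 0) and messages (kind 1) into one ordered
    # event stream; at equal timestamps the keep-alive is processed first.
    horizon = max(msg_times)
    events = [(k * interval, 0) for k in range(int(horizon // interval) + 1)]
    events += [(t, 1) for t in msg_times]
    events.sort()

    offline_flag = False  # plays the role of Fields.VarGlobal01 (hypothetical stand-in)
    stats = {"pings": 0, "primary": 0, "failover": 0, "lost": 0, "both": 0}
    for t, kind in events:
        if kind == 0:
            # OfflineStatusCheck.vbs: one ping per keep-alive, result cached
            offline_flag = primary_down(t)
            stats["pings"] += 1
            continue
        # FailoverForward.vbs: copy to the failover host only if the flag says offline
        to_failover = offline_flag
        # Assumed: the normal forward action still targets the primary
        to_primary = not primary_down(t)
        if to_failover:
            stats["failover"] += 1
        if to_primary:
            stats["primary"] += 1
        if to_primary and to_failover:
            stats["both"] += 1      # stale "offline" flag after recovery
        if not to_primary and not to_failover:
            stats["lost"] += 1      # stale "online" flag during the outage
    return stats


# Constructed input: one message every 5 s for two minutes, primary down 42 s to 95 s
MESSAGES = list(range(0, 120, 5))
OUTAGE = (42, 95)

if __name__ == "__main__":
    for n in (10, 30):
        print(n, replay(MESSAGES, OUTAGE, n))
```

With the per-message script the same timeline would cost one ping per message (24 here); the keep-alive version cuts that down, and the replay shows what that saving costs in lost and duplicated messages for a given N.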