-
Title
"Load-Balancing" within the Syslog-ng PE config file -
Description
Sending logs to different destinations, or to the same destination using multiple connections, to "load-balance" the number of logs coming in is desired. -
Cause
Cause 1.)
The endpoint which is receiving the forwarded logs from the Syslog-ng PE server and/or relay receives too many logs too quickly.Cause 2.)
Logs need to be sent to 2 or more locations to "load-balance" the number of logs. -
Resolution
Change the configuration of the Syslog-ng PE server and/or relay to "load-balance" the logs to multiple destinations, or a single destination using multiple connections, based upon the millisecond the log was processed by the Syslog-ng PE server/relay.
If the millisecond that the log was processed is an even number, then it will be forwarded to one location, if the millisecond that the log was processed is an odd number, then it will be forwarded to the other location.
In the event that a single destination is used, an even-numbered millisecond will create one connection to the destination specified, and an odd-numbered millisecond will create another connection to the destination specified.
source s_testlog { syslog( ip("0.0.0.0") port("601") transport("tcp") flags(no-parse) ); }; destination d_lb_endpoint_0 { syslog( "10.10.10.10" port("1010") transport("tcp") ); }; destination d_lb_endpoint_1 { syslog( "10.10.10.11" port("1011") transport("tcp") ); }; #divide to two parts filter f_even { "$(% ${R_MSEC} 2)" == "0" }; filter f_odd { "$(% ${R_MSEC} 2)" != "0" }; log { source(s_testlog); filter(f_even); destination(d_lb_endpoint_0); flags(final); }; log { source(s_testlog); filter(f_odd); destination(d_lb_endpoint_1); flags(final); }; -
Additional Information
When using Syslog-ng PE 7.0.16 or older - because of a bug fixed in 7.0.17 - the filters must be changed from == to eg and
ne , see the below examples.filter f_even { "$(% ${R_MSEC} 2)" eg "0" }; filter f_odd { "$(% ${R_MSEC} 2)" ne "0" };Additionally, the following command can be issued at the command line which will show if the configuration is working as expected:
sudo /opt/syslog-ng/sbin/syslog-ng-ctl stats | grep d_lbAdditionally, other macros such as RCPTID can be used in place of MSEC if desired.