Stop input or Graylog is unreachable

Hi,
I’m using Graylog server (free trial 4.2.3) to collect my server’s log, to do this I have Linux and Windows servers that send their logs to Rsyslog server, and after it sends all logs to Graylog server.

I wanted to understand what happens if input enter in stopping mode or Graylog is unreachable.
Do you now if Rsyslog server has a buffer to conserve logs if Graylog is unreachable? If yes where? How many logs can it conserve? Is it configurable?

I tried to stop my input and after 10minutes restart it, but I lose all data between this time.
I sincerely hoped this thing would be handled.
Did I forget / wrong some configuration?

Thanks for support.

If you were to install the sidecar agent on your linux and windows machines you could then use either beats like winlogbeat (packaged with sidecar) filebeat or you could you NXlog. Both of these will recall where they left off and feed into Graylog when the connection resumes… based on your configuration settings on how far you want to go back.

Hello,
I concur with @tmacgbay

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#config_global

.

Thanks for you suggest. For Windows I’ll use NxLog, while for Linux, Rsyslog implement by default the possibility to create a buffer contains all log if remote server is unreachable. https://www.rsyslog.com/doc/v8-stable/tutorials/reliable_forwarding.html#the-intention.
NB: This solution need TCP protocol.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.