I am running a 3-node Graylog cluster with a GELF UDP input. And I am using nginx as a UDP load balancer, which is distributing all logs to the Graylog inputs.
But it's missing lots of logs; as per the analysis, it's missing 90% of logs. Looks like nginx is not able to handle the traffic. If anyone is using GELF UDP, then which load balancer are you using, and how?
Your problem is most likely the segmentation of UDP GELF.
GELF uses chunking for larger messages by segmenting the payload into multiple UDP messages with a sequence number. And the GELF specification states the following:
All chunks MUST arrive within 5 seconds or the server will discard all already arrived and still arriving chunks. A message MUST NOT consist of more than 128 chunks.
Additionally, it should be obvious that the chunks must arrive at the same server for them to get reassembled, else the message will be discarded instantly. So using round robin or similar load balancing will not work.
You will need to set up a host-based / sticky balancing system.
Have a look here (the search function helps).
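As an added illustration (not from the original thread or from Graylog's own code), a small Python simulation of GELF chunk reassembly that shows why per-datagram round robin loses chunked messages while sticky-by-source routing keeps them. The chunk header layout (magic bytes, 8-byte message id, sequence number, sequence count) and the 5-second / 128-chunk limits follow the GELF spec; the hosts, message ids, three-backend setup and the `Reassembler` class are constructed for this example.

```python
import struct
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # first two bytes of every chunked GELF datagram
MAX_CHUNKS = 128                 # spec: a message MUST NOT exceed 128 chunks
CHUNK_TIMEOUT_SEC = 5.0          # spec: all chunks MUST arrive within 5 seconds

def split_gelf(message_id, payload, chunk_size):
    """Build chunk datagrams: magic, 8-byte message id, sequence number, sequence count, data."""
    parts = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(parts) > MAX_CHUNKS:
        raise ValueError("message would need more than 128 chunks")
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", n, len(parts)) + p
            for n, p in enumerate(parts)]

class Reassembler:
    """Stand-in for one Graylog GELF input: buffers chunks per message id until complete."""
    def __init__(self):
        self.pending = {}  # message id -> (first_seen, total, {seq: data})
    def receive(self, datagram, now):
        if not datagram.startswith(GELF_CHUNK_MAGIC):
            return datagram  # unchunked message, already complete
        msg_id, seq, total = datagram[2:10], datagram[10], datagram[11]
        first_seen, _, chunks = self.pending.setdefault(msg_id, (now, total, {}))
        if now - first_seen > CHUNK_TIMEOUT_SEC:  # late chunk: drop the whole message
            del self.pending[msg_id]
            return None
        chunks[seq] = datagram[12:]
        if len(chunks) < total:
            return None  # still waiting; chunks routed to another node never show up here
        del self.pending[msg_id]
        return b"".join(chunks[i] for i in range(total))

def simulate(traffic, n_backends, choose):
    """Route (source_ip, datagram) pairs with choose(index, source_ip); return completed messages."""
    backends = [Reassembler() for _ in range(n_backends)]
    completed = []
    for i, (src, d) in enumerate(traffic):
        out = backends[choose(i, src)].receive(d, now=0.0)
        if out is not None:
            completed.append(out)
    return completed

def round_robin(i, _src):          # what a plain per-datagram balancer does
    return i % 3
def sticky_by_source(_i, src):     # hash the sender address, like nginx "hash $remote_addr"
    return zlib.crc32(src.encode()) % 3

def demo():
    # Constructed traffic: two hosts, each sending one message that needs three chunks.
    traffic = []
    for host, mid in (("10.0.0.1", b"\x00" * 8), ("10.0.0.2", b"\x01" * 8)):
        traffic += [(host, c) for c in split_gelf(mid, b"payload-from-" + host.encode(), 10)]
    return len(simulate(traffic, 3, round_robin)), len(simulate(traffic, 3, sticky_by_source))
```

`demo()` returns `(0, 2)`: with round robin every chunk of both messages lands on a different node and nothing is ever reassembled, while hashing on the source address keeps each host's chunks together.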