Logstash Is NOT Eating My Logs

This is an update to "Is Logstash Eating My Logs?".

TL/DR – Changing Logstash configuration input from syslog to tcp resolved messages getting lost. TCP input type proved 100% reliable.

After listening to advice on reddit and browsing logstash-users (thanks Jordan), I changed Logstash input from

input {
  syslog {
    type => syslog
    port => 3514
  }
}

to

input {
  tcp {
    port => 3514
  }
}

This time, I sent 1000 messages at a time for the initial test. First, I used input type syslog and then I switched to input type tcp.

Test Results

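| Msg   | Syslog input | TCP input |
|-------|--------------|-----------|
| 1000  | 995          | 1000      |
| 2000  | 1995         | 2000      |
| 3000  | 2995         | 3000      |
| 4000  | 3995         | 4000      |
| 5000  | 4994         | 5000      |
| 6000  | 5994         | 6000      |
| 7000  | 6994         | 7000      |
| 8000  | 7993         | 8000      |
| 9000  | 8993         | 9000      |
| 10000 | 9993         | 10000     |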

As best as I understand, Logstash input type syslog listens on both UDP and TCP. Even though I was sending messages over TCP, Logstash silently awaits on both protocols. I am certain something in my environment (load, hardware, ?) is facilitating this message loss.

Lastly, I set up a temporary Windows instance to test whether the culprit was Sysloggen. On this box, I ran the same tests with Kiwi Syslog Message. Both Kiwi Syslog Message and Sysloggen acted identically; neither product was to blame for messages lost.

Crisis averted.
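The counts in the table show how many messages went missing but not which ones. The sketch below is an added example, not the tooling used in this post (that was Sysloggen and Kiwi): it tags every message with a sequence number so a receiver-side check can name the exact gaps. The local listener is a constructed stand-in for a newline-delimited TCP input, and all function names and the message format are assumptions.

```python
import socket
import threading

def start_listener():
    """Constructed stand-in sink: accept one TCP connection, collect its lines."""
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral port
    lines = []

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", newline="\n") as stream:
            lines.extend(line.rstrip("\n") for line in stream)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, lines

def send_batch(host, port, count, tag="losstest"):
    """Send `count` syslog-style lines (constructed format), numbered 1..count."""
    with socket.create_connection((host, port)) as sock:
        for seq in range(1, count + 1):
            sock.sendall(f"<13>Jan  1 00:00:00 sender {tag}: seq={seq}\n".encode())

def missing_sequences(lines, count):
    """Return the sorted sequence numbers in 1..count that never arrived."""
    seen = set()
    for line in lines:
        _, sep, value = line.rpartition("seq=")
        if sep and value.isdigit():
            seen.add(int(value))
    return sorted(set(range(1, count + 1)) - seen)

def run_trial(count):
    """Send `count` messages to a fresh listener; return (received, missing)."""
    port, thread, lines = start_listener()
    send_batch("127.0.0.1", port, count)
    thread.join(timeout=10)  # sender has closed, so the reader hits EOF
    return len(lines), missing_sequences(lines, count)

if __name__ == "__main__":
    for n in (1000, 5000, 10000):
        received, missing = run_trial(n)
        print(f"sent={n} received={received} missing={missing[:10]}")
```

To test a real pipeline, point `send_batch` at the input port (3514 in the configs above) and run `missing_sequences` over the messages the pipeline actually stored.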
