Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
alannnnnnn
Explorer

Log Export intermittently failing

Hi All,

I deployed a new dedicated logger on 81.10 that is quite large with resources and I have setup an Export to Splunk. I only have 1 gateway sending logs to this logger right now.

Some of the logs are making it to splunk, the forwarding is not stable. I have another manager/logger on 81.10 forwarding logs without these errors. From what I can tell, the settings are the same on both servers.

Both servers are on the same subnet with the same path to splunk.

Has anyone else come across these socket/write-blocked issues?

[3997166400][23 Feb 17:58:25] LogsSender::Process suceeded to send logs with new connection
[3811572544][23 Feb 17:58:27] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=0 buffers (0/0/0/0)
[3811572544][23 Feb 17:58:27] Sent current: 0 average: 0 total: 0
[3986684736][23 Feb 17:58:30] SyslogTCPSender::shouldRetry: Socket: [73] was write-blocked for 5 seconds, and 25 millis
[3986684736][23 Feb 17:58:30] SyslogTCPSender::shouldRetry: Select timed out - 11 - Resource temporarily unavailable bytes_left: [301] try_number: [1]
[3986684736][23 Feb 17:58:30] SyslogTCPSender::send: Try to Sent [287/588] errn:[11 - Resource temporarily unavailable].
[3986684736][23 Feb 17:58:30] LogsSender::Process _LogsSender->send return CP_E_UNEXP_NET_ERR
[3986684736][23 Feb 17:58:30] LogsSender::Process failed to send logs. Try to establish new connection
[3986684736][23 Feb 17:58:30] LogsSender::Process suceeded to send logs with new connection

0 Kudos
3 Replies
the_rock
Legend
Legend

There is definitely something resetting the connection, based on those messages. Does doing evstop; evstart or cpstop; cpstart on the logging server make a difference?

Best,

Andy

0 Kudos
alannnnnnn
Explorer

No difference, but everything does stop and start correctly

0 Kudos
the_rock
Legend
Legend

Personally, I would reboot it and if no change, specially considering that you made sure if matches with the one that works, might be worth open support TAC case and see what they say. I never liked those intermittent issues, because those are hardest to troubleshoot, specially considering the fact you never know when the actual issue may occur. 

I examined the logs you sent and cant find much at all on either support site or any other community posts, sorry mate : - (

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events