Multiple syslog server support


BMC AMI Defender and CZASEND can support multiple destination syslog servers (subject to memory constraints). You can code multiple alternative server IP addresses for these servers. All SERVER parameter specifications except for the PROTOcol specification must be the same for all server IP addresses. Therefore, the TRANSport specification (UDP or TCP) and maximum message length apply to all IP addresses. For more information, see SERVER-statement.

The treatment of multiple server IP addresses differs depending on whether you specify UDP or TCP (including SSL and TLS):

  • For UDP, BMC AMI Defender and CZASEND send all syslog messages to all of the specified addresses. The order in which they are specified is not significant.
  • For TCP, SSL, and TLS, if BMC AMI Defender or CZASEND encounters an IP error when communicating with the primary syslog server, it switches over to the first alternative, then the second, and so on. BMC AMI Defender issues console and CZAPRINT messages documenting the switch. 

The order of ALTERNate specifications is significant: the first becomes alternative 1, the second becomes alternative 2, and so on. BMC AMI Defender tries them in that order and validates the connectivity to each server address on startup.

When you refresh a parameter file, BMC AMI Defender first attempts to connect to the server with which it had the last connection, based on the server address, not the server number.

Example

If BMC AMI Defender were connected to alternative 2, and you deleted the first alternative from the parameter file and refreshed the parameters, BMC AMI Defender would reconnect to the same server, even though it was now alternative 1, not alternative 2.

BMC AMI Defender maintains cumulative statistics for each server address across the refreshing of parameter files.

TCP/IP error recovery

When a syslog protocol TCP/IP error occurs, BMC AMI Defender cannot determine how many messages were not delivered except for the message it just tried to send (which is usually also not delivered).

BMC AMI Defender supports the SERVER parameter REXMIT(n) specification, where n defaults to 2 and can have any value from 1 through 20 (where 20 is an arbitrary reasonableness check). If BMC AMI Defender encounters a TCP/IP session failure and starts a new session with an alternate server IP address, it retransmits the preceding n messages.

Example

You specify REXMIT(5). If two messages are lost due to a failure, then on the alternative connection you receive the two lost messages preceded by three duplicates (that is, three re-transmissions of messages that were already successfully delivered). If ten messages are lost due to a failure, then five messages are irretrievably lost, but five messages are re-sent on the re-transmission.

Tip

To preclude duplicates, specify REXMIT(1). If you can tolerate duplicates but want to minimize the number of messages lost due to an error, specify REXMIT(20). The default specification, REXMIT(2), is a compromise between the two extremes.
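The trade-off in the example and tip above, worked through as an added Python model (not BMC code). It assumes the sender retains only its last n messages and that the failure silently drops the final `lost` messages sent to the primary, including the one whose send reported the error; the function name and message numbering are hypothetical.

```python
from collections import deque


def simulate_failover(total, lost, rexmit):
    """Model REXMIT(n) on a TCP failover (assumption-based sketch).

    Messages 1..total are sent to the primary server. The last `lost` of
    them never arrive. The sender then replays its last `rexmit` messages
    on the session with the alternative server.
    """
    if not 1 <= rexmit <= 20:
        raise ValueError("REXMIT(n) accepts 1 through 20")
    if not 1 <= lost <= total:
        raise ValueError("at least the failing message is lost")

    history = deque(maxlen=rexmit)   # sender remembers only the last n messages
    primary = []                     # what the primary actually received
    for seq in range(1, total + 1):
        history.append(seq)
        if seq <= total - lost:      # everything after this point is dropped
            primary.append(seq)

    resent = list(history)           # replayed to the alternative server
    received = set(primary) | set(resent)
    return {
        "resent": resent,
        "duplicates": sorted(set(primary) & set(resent)),
        "recovered": sorted(set(resent) - set(primary)),
        "lost": sorted(set(range(1, total + 1)) - received),
    }


if __name__ == "__main__":
    # Constructed scenarios: 20 messages sent before the session fails.
    for n, k in [(5, 2), (5, 10), (1, 1), (2, 4), (20, 4)]:
        r = simulate_failover(total=20, lost=k, rexmit=n)
        print(f"REXMIT({n:2}) lost-in-flight={k:2} "
              f"duplicates={len(r['duplicates']):2} "
              f"recovered={len(r['recovered']):2} "
              f"irretrievable={len(r['lost']):2}")
```

Because duplicates are expected whenever n exceeds the number of messages actually lost, the receiving syslog server or SIEM should not treat repeated records after a failover as distinct events.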

 
