<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic With a [syslog] output to 3rd party using TCP, why does TCP stop talking to index cluster when 3rd party is not contactable? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/With-a-syslog-output-to-3rd-party-using-TCP-why-does-TCP-stop/m-p/398337#M71018</link>
    <description>&lt;P&gt;Hello, &lt;/P&gt;

&lt;P&gt;I am sending some source types to a 3rd party via SYSLOG, with the output as TCP, not UDP. All works fine until we lose contact with their syslog server. Then it breaks all indexing, even to my cluster. The queues fill up and basically shut down inputs. &lt;/P&gt;

&lt;P&gt;Works fine using UDP! &lt;/P&gt;

&lt;P&gt;Wondering if anyone has come across this issue. Here is the output of btool. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[syslog]
maxEventSize = 1024
priority = &amp;lt;13&amp;gt;
type = udp

[syslog:syslog_indexers]
server = syslogserver:9997
timestampformat = %Y-%m-%dT%T.%S
type = tcp

[tcpout]

ackTimeoutOnShutdown = 30
autoLBFrequency = 30
autoLBVolume = 0
blockOnCloning = true
blockWarnThreshold = 100
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
compressed = false
connectionTimeout = 20
defaultGroup = cluster_indexers
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = 5
ecdhCurves = prime256v1, secp384r1, secp521r1
forceTimebasedAutoLB = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = false
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
sslVersions = tls1.2
tcpSendBufSz = 0
useACK = true
writeTimeout = 300
[tcpout:cluster_indexers]
server = indexer1:9997,indexer2:9997
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 03 Oct 2018 11:23:41 GMT</pubDate>
    <dc:creator>lukessi</dc:creator>
    <dc:date>2018-10-03T11:23:41Z</dc:date>
    <item>
      <title>With a [syslog] output to 3rd party using TCP, why does TCP stop talking to index cluster when 3rd party is not contactable?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/With-a-syslog-output-to-3rd-party-using-TCP-why-does-TCP-stop/m-p/398337#M71018</link>
      <description>&lt;P&gt;Hello, &lt;/P&gt;

&lt;P&gt;I am sending some source types to a 3rd party via SYSLOG, with the output as TCP, not UDP. All works fine until we lose contact with their syslog server. Then it breaks all indexing, even to my cluster. The queues fill up and basically shut down inputs. &lt;/P&gt;

&lt;P&gt;Works fine using UDP! &lt;/P&gt;

&lt;P&gt;Wondering if anyone has come across this issue. Here is the output of btool. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[syslog]
maxEventSize = 1024
priority = &amp;lt;13&amp;gt;
type = udp

[syslog:syslog_indexers]
server = syslogserver:9997
timestampformat = %Y-%m-%dT%T.%S
type = tcp

[tcpout]

ackTimeoutOnShutdown = 30
autoLBFrequency = 30
autoLBVolume = 0
blockOnCloning = true
blockWarnThreshold = 100
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
compressed = false
connectionTimeout = 20
defaultGroup = cluster_indexers
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = 5
ecdhCurves = prime256v1, secp384r1, secp521r1
forceTimebasedAutoLB = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = false
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
sslVersions = tls1.2
tcpSendBufSz = 0
useACK = true
writeTimeout = 300
[tcpout:cluster_indexers]
server = indexer1:9997,indexer2:9997
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 03 Oct 2018 11:23:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/With-a-syslog-output-to-3rd-party-using-TCP-why-does-TCP-stop/m-p/398337#M71018</guid>
      <dc:creator>lukessi</dc:creator>
      <dc:date>2018-10-03T11:23:41Z</dc:date>
    </item>
    <item>
      <title>Re: With a [syslog] output to 3rd party using TCP, why does TCP stop talking to index cluster when 3rd party is not contactable?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/With-a-syslog-output-to-3rd-party-using-TCP-why-does-TCP-stop/m-p/398338#M71019</link>
      <description>&lt;P&gt;That’s not an issue, that is by design (although for you that is then still an issue of course). Whenever one of multiple TCP destinations is unreachable, all forwarding is blocked. And as far as I know, that is not configurable.&lt;/P&gt;</description>
      <pubDate>Wed, 03 Oct 2018 20:37:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/With-a-syslog-output-to-3rd-party-using-TCP-why-does-TCP-stop/m-p/398338#M71019</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-10-03T20:37:19Z</dc:date>
    </item>
  </channel>
</rss>

