CEF plugin losing events

We're using rsyslog to round-robin TCP syslog events to multiple logstash syslog listeners with the CEF plugin.
Using tcpdump on a logstash host, I find a random eventid and search for it in elastic. Sometimes it's there, sometimes it's not.

So we're losing events somewhere. We've also had this setup load balancing via scp and having logstash pull the events in via these files. This method also dropped events.

Just wondering if anyone else has had this issue? Otherwise we might contact support.

This may be a false alarm. I have found an issue that may have been breaking logstash. Event count is back up where it should be and I will see if it stays that way.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.