参考文档

Syslog - Fluent Bit: Official Manual

Linux - rsyslogd：操作“action-3-builtin：omfwd”已挂起 - 堆栈溢出 (stackoverflow.com)

背景介绍

在研究FluentBit做日志数据采集端时看到官方实例syslog tcp方式采集后进行本地尝试，结果出现了如下错误：

action 'action-8-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension.

环境说明

操作系统：Ubuntu 20.04.4 LTS

IP地址： 10.0.0.10

复现步骤

我按照官方文档（Syslog - Fluent Bit: Official Manual）的说明进行了如下配置：

#在 /etc/rsyslog.d/ 目录下的 rsyslog 配置规则中添加一个名为 60-fluent-bit.conf 的新文件，并添加以下内容：
root@havenetwork:~# cat /etc/rsyslog.d/60-fluent-bit.conf 
action(type="omfwd" Target="127.0.0.1" Port="5140" Protocol="tcp")
# 重启rsyslog
root@havenetwork:~# service rsyslog restart
# 报错如下
cannot connect to 127.0.0.1:5140: Connection refused [v8.2001.0 try https://www.rsyslog.com/e/2027 ]
action 'action-8-builtin:omfwd' suspended (module 'builtin:omfwd'), next retry is Fri Dec 22 06:48:41 2023, retry nbr 0. There should be

解决办法

vim /etc/rsyslog.conf
取消对以下行的注释：
module(load="imtcp")
input(type="imtcp" port="514")

root@havenetwork:~# service rsyslog restart
root@havenetwork:~# netstat  -ntpl 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      116446/rsyslogd     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      22359/systemd-resol 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      18789/sshd: /usr/sb 
tcp6       0      0 :::514                  :::*                    LISTEN      116446/rsyslogd     
tcp6       0      0 :::22                   :::*                    LISTEN      18789/sshd: /usr/sb 
root@havenetwork:~#