[syslog-ng] Dropping entries.

Gregor Binder gbinder@sysfive.com
Fri, 26 Jan 2001 14:19:00 +0100


Scott A. McIntyre on Fri, Jan 26, 2001 at 12:34:20PM +0100:

Scott,

> Is there anything I can try to make sure this doesn't happen? Any
> options I can tweak, that sort of thing.  Would logging to individual
> files on a host by host basis be better, coupled with syslog-ng
> monitoring those local files to concatenate them all into one larger
> file?

Logging to individual files would probably make it worse, at least if
it is a problem on the server. If this is an option for you, upgrade
your log clients (mailservers) to syslog-ng, and use tcp logging. I use
this method to log various snort sensor alert data, and it seems very
reliable, as long as the log server has enough processing and i/o power
to handle the alert messages. Logging over tcp will not compensate for
a weak machine.

Other than that, you would have to analyse where the messages are
getting dropped. If your udp packets are actually travelling on your
network (you could check with ethereal), your system could be i/o bound.
Try to use vmstat to see if your resources are blocked by processes that
are waiting for i/o. If that's the case, and you have some RAM available
(vmstat on some platforms tells you as well, check swap/pagescanner
activity), play with the sync() and log_fifo_size() options. Or buy more
or faster disks :)

Regards,
  Gregor.

--
Gregor Binder  <gregor.binder@sysfive.com>  http://sysfive.com/~gbinder/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
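
The setup suggested in the reply above, sketched as an added example; it is not part of the original post or of the syslog-ng distribution. It uses the syslog-ng 1.x option names mentioned in the post, and the address 192.0.2.10, port 514, the file paths, the source and destination names and all numeric values are assumed placeholders to adapt.

```conf
# --- syslog-ng.conf on each log client (e.g. a mail server) ---------------
# Send local messages to the central log host over tcp instead of udp.

source s_local {
    unix-stream("/dev/log");   # local syslog socket (path is platform dependent)
    internal();                # syslog-ng's own messages
};

destination d_loghost {
    tcp("192.0.2.10" port(514));   # placeholder address of the log server
};

log { source(s_local); destination(d_loghost); };


# --- syslog-ng.conf on the central log server ------------------------------
# Accept tcp connections from the clients and give the output side more room
# to absorb bursts while the disk is busy.

options {
    log_fifo_size(2000);   # messages the output queue may hold (placeholder value)
    sync(20);              # lines buffered before they are written to the file
                           # (placeholder value; lines still in the buffer are
                           # lost if the daemon crashes)
};

source s_net {
    # max-connections() limits simultaneous client connections; size it to
    # the number of log clients (placeholder value).
    tcp(ip(0.0.0.0) port(514) max-connections(50));
};

destination d_all {
    file("/var/log/all.log");   # single combined file (placeholder path)
};

log { source(s_net); destination(d_all); };
```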