[syslog-ng] Solaris 10 UDP overflows, message drops

sramesh.kumar at wipro.com sramesh.kumar at wipro.com
Wed Apr 27 09:10:21 CEST 2011 

Hi All,

Can any body help me. Please?????
I hve configured syslog-ng in X86 server. Bellow is the configuration.
But Logs are not coming under /syslog-ng folder.....if I am wrong in
bellow configuration, can you Please Provide step by step configuration
Procedure to configure the same...

# cat /etc/syslog-ng/syslog-ng.conf
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
};
source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
sun-stream ("/dev/log");
internal();
};

# External Source
source s_ext

{
# Standard Syslog
udp(); # All interfaces
tcp(); # All interfaces on tcp port
sun-stream("/dev/log");
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/messages"); };
destination d_mail { file("/var/log/syslog"); };
destination d_auth { file("/var/log/authlog"); };
destination d_mlop { usertty("operator"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination d_ext
{
file("/syslog-ng/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY" \
owner(root) group(root) perm(0650) dir_perm(0750) create_dirs(yes));

create_dirs(yes));
};

filter f_filter1   { level(err) or
                     (level(notice) and facility (auth, kern)); };
filter f_filter2   { level(err) or
                     (facility(kern) and level(notice)) or
                     (facility(daemon) and level(notice)) or
                     (facility(mail) and level(crit)); };
filter f_filter3   { level(alert) or
                     (facility(kern) and level(err)) or
                     (facility(daemon) and level(err)); };
filter f_filter4   { level(alert); };
filter f_filter5   { level(emerg); };
filter f_filter6   { facility(kern) and level(notice); };
filter f_filter7   { facility(mail) and level(debug); };
filter f_filter8   { facility(user) and level(err); };
filter f_filter9   { facility(user) and level(alert); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_mlop); };
log { source(s_sys); filter(f_filter4); destination(d_mlrt); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_auth); };
log { source(s_sys); filter(f_filter7); destination(d_mail); };
log { source(s_sys); filter(f_filter8); destination(d_cons);
                                        destination(d_mesg); };

log { source(s_ext); destination(d_ext); };
# isainfo -kv
64-bit amd64 kernel modules
# cat /etc/release
                       Solaris 10 10/08 s10x_u6wos_07b X86
           Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                            Assembled 27 October 2008
# pkginfo -l SMCsyslng
   PKGINST:  SMCsyslng
      NAME:  syslogng
  CATEGORY:  application
      ARCH:  x86
   VERSION:  2.0.5
   BASEDIR:  /usr/local
    VENDOR:  BalaBit IT Ltd
    PSTAMP:  Steve Christensen
  INSTDATE:  Apr 20 2011 16:24
     EMAIL:  steve at smc.vnet.net
    STATUS:  completely installed
     FILES:       64 installed pathnames
                   3 shared pathnames
                  15 directories
                   2 executables
                2163 blocks used (approx)


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Mishou Michael
Sent: Tuesday, April 26, 2011 11:28 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops

Gergely,

Thanks for any testing you can do.  I'm not sure if a SPARC processor is
an important testing component or not, I suppose your VMs will help
determine this since you'll be using x86.  If there's any testing I can
do to help things along, please let me know.

Yes, I'm (very) scared of rsyslog as a maintainable solution, the
configs for syslog-ng are *so* much easier to read and understand.  I'll
try 3.3 and report back how threading helps things out, I'm glad to hear
that it's been pretty stable for you, that was my major concern in
testing 3.3 since eventually we'll need this to be in production with
our basic (from a config complexity standpoint) requirements. 

I'll report back how 3.3 works out for me after I get it compiled and up
today.

Regards,

--Mike

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely Nagy
Sent: Tuesday, April 26, 2011 12:19 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Solaris 10 UDP overflows, message drops

(A few preliminary answers follow - I'll have another look at this later
tonight from home, once I tested a few things on my local solaris vm)

"Mishou Michael" <Michael.Mishou at csirc.irs.gov> writes:

> I'm going to experiment with syslog-ng and the loggen tool to find a
> point at which a single syslog-ng instance starts dropping inbound UDP
> traffic with a simple configuration writing to disk.  Once I have that
> number, I have a few options:
>
> 1.  Experiment with syslog-ng 3.3 and the new threaded code to see if
I
> have performance gains.  I'm hesitant to push Alpha code in
production,
> if anyone has any experience with 3.3 in semi-production environment
> running consistently I'd love to hear it.

I've been running 3.3 on most systems I administer (2 of my own servers
+ a few I administer for friends; and all of my virtual machines). It's
been serving me fine for the past 4 months now.

However, most of my systems are also linux systems, where syslog-ng is
much better tested (and I'm not using UDP at all).

Personally, I'd give it a test run, as current 3.3 is fairly stable.

> 3.  Give up on syslog-ng until 3.3, or move to some other solution.
Not
> sure what I could do here, rsyslog is the other major contender I
guess,
> not sure what gains I would get.  Could also do native syslog server
and
> post-process to different buckets/relay which is what we mainly use
> syslog-ng for.

I wouldn't consider rsyslog. It's a nightmare to maintain that, and an
even bigger nightmare to get it to perform well in any but the most
trivial situations. (Or it might be just me being too used to good
documentation and readable config files, but I'm fairly sure it's not
just that :P)

-- 
|8]
________________________________________________________________________
______
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

________________________________________________________________________
______
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html


Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 

www.wipro.com

More information about the syslog-ng mailing list