<DIV>
<DIV>
<DIV>The log data we receive from most systems is fairly consistent from day to day. That's how I can tell I'm missing some data. But it's not to the extent that syslog-ng STATS would seem to indicate.</DIV>
<DIV> </DIV>
<DIV>As for the system-level performance stuff, I don't mean to sound pretentious, but I've effectively ruled all of that out. I've analyzed all the statistics, and I even opened a ticket with Sun to get their two cents worth. They came to the same conclusion that I did--the application is simply not keeping up with the IP stack.</DIV>
<DIV> </DIV>
<DIV>Also, although it may not be entirely clear in my original post, these relays are just relays. The log messages come in via udp or tcp and go right back out via tcp. Any and all processing (including dns and regexp) is performed at the back end.</DIV>
<DIV> </DIV>
<DIV>At the end of the day, I guess my real question is, how truly accurate is the STATS number that I'm seeing?</DIV>
<DIV> </DIV>
<DIV>Here is my syslog-ng.conf:</DIV>
<DIV> </DIV>
<DIV>options { stats(300); sync(0); time_reopen(10); log_fifo_size(3000000); gc_busy_threshold(200000); check_hostname(no); keep_hostname(yes); };</DIV>
<DIV># Grab syslog-ng specific messages.<BR>source ng_local {<BR> internal();<BR>};</DIV>
<DIV># Grab local messages (OS specific messages).<BR>source local {<BR> sun-streams("/dev/log" door("/etc/.syslog_door"));<BR>};</DIV>
<DIV>source remote {<BR> udp(ip("1.1.1.1") port(514));<BR> tcp(ip("1.1.1.1") port(5514) max-connections(50));<BR>};</DIV>
<DIV># Log location for syslog-ng specific messages.<BR>destination ng_messages {<BR> file("/var/log/syslog-ng" owner(root) group(staff) perm(0740) create_dirs(yes) dir_perm(0755));<BR>};</DIV>
<DIV># Log location for OS specific messages.<BR>destination local_messages {<BR> file("/var/adm/messages" owner(root) group(staff) create_dirs(yes) dir_perm(0755));<BR>};</DIV>
<DIV># Forward messages to the cluster<BR>destination remote_messages {<BR> tcp("1.1.1.50" port(5514));<BR>};</DIV>
<DIV># Log all syslog-ng specific messages.<BR>log { source(ng_local); destination(ng_messages); };</DIV>
<DIV># Log all OS specific messages.<BR>log { source(local); destination(local_messages); };</DIV>
<DIV># Log all remote system messages.<BR>log { source(remote); destination(remote_messages); };</DIV>
<DIV><BR><B><I>Nate Campi <nate@campin.net></I></B> wrote:</DIV>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">On Fri, Oct 21, 2005 at 06:54:04AM -0700, Scott C wrote:<BR>> But what's really most peculiar in this scenario is the fact that the<BR>> numbers simply don't add up. Why does syslog-ng appear (on the<BR>> surface) to be dropping a very large percentage of the messages that<BR>> it receives? I realize that it's not, but the numbers tell a<BR>> different story. And how could it possibly drop so many messages when<BR>> the FIFO queue is configured to buffer three million lines? How<BR>> preposterous!<BR><BR>So you think you really have all the logs but you see STATS messages<BR>reporting dropped messages? How would you know if you really have them<BR>all? It's possible that under heavy load you have some program or pipe<BR>destination (or maybe even file if you have slow disks) that just can't<BR>keep up. That's not syslog-ng's fault, it just lets you know that
the<BR>buffer filled up.<BR><BR>Right now all anyone can do is shoot off wild guesses like mine above,<BR>since there's no hard data in your post, just your conclusions. If you<BR>want to post your syslog-ng.conf, output of system commands like<BR>"netstat -i", prstat, "iostat -mnPxz 10" and vmstat during peak loads,<BR>and whatever else you used to reach your conclusions then we'd be in a<BR>better position to help.<BR><BR>OBTW there are performance tips in the FAQ that give clues as to causes:<BR><BR>http://www.campin.net/syslog-ng/faq.html#perf<BR><BR>Possible culprits: DNS, regexps (though you say CPU is ok, so maybe<BR>not), logging to a tty or the console.<BR>-- <BR>Nate<BR><BR>"I must've seen it in a USENET posting; that's sort of like hearsay<BR>evidence from Richard Nixon..." - Houghton, Blair<BR><BR>_______________________________________________<BR>syslog-ng maillist - syslog-ng@lists.balabit.hu<BR>https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>Frequently asked
questions at http://www.campin.net/syslog-ng/faq.html<BR><BR></BLOCKQUOTE></DIV></DIV><p>
<hr size=1> <a href="http://us.lrd.yahoo.com/_ylc=X3oDMTFqODRtdXQ4BF9TAzMyOTc1MDIEX3MDOTY2ODgxNjkEcG9zAzEEc2VjA21haWwtZm9vdGVyBHNsawNmYw--/SIG=110oav78o/**http%3a//farechase.yahoo.com/">Yahoo! FareChase - Search multiple travel sites in one click.</a>