<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="chsdate"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
/* Page Definitions */
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;
layout-grid:15.6pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=ZH-CN link=blue vlink=purple style='text-justify-trim:punctuation'>
<div class=Section1 style='layout-grid:15.6pt'>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>Eenvironment : <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> under linux <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> 1 central log-collecting server.syslog-ng <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-indent:9.0pt;
text-autospace:none'><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'>2 client: syslog sending logs to
central log-collecting server.<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-indent:9.0pt;
text-autospace:none'><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'><o:p> </o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>The syslog-ng server configuration: <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> options { use_dns(no);
create_dirs(yes);ts_format(iso); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> source src { udp(ip(<st1:chsdate IsROCDate="False"
IsLunarDate="False" Day="30" Month="12" Year="1899" w:st="on">0.0.0</st1:chsdate>.0)
port(514)); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_kern { facility(kern); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_authpriv { facility(auth,authpriv); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_mail { facility(mail); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_cron { facility(cron); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_boot { facility(local7); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_spooler { facility(uucp, news) and
level(crit..emerg); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> filter f_messages { level(info..emerg) and not
facility(authpriv, cron, mail); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> destination kern {
file("/home/syslog-ng/$YEAR/$HOST/kernel-$MONTH"); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> destination authpriv {
file("/home/syslog-ng/$YEAR/$HOST/secure-$MONTH"); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> destination mail {
file("/home/syslog-ng/$YEAR/$HOST/maillog-$MONTH"); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> destination cron {
file("/home/syslog-ng/$YEAR/$HOST/cron-$MONTH"); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> destination boot{
file("/home/syslog-ng/$YEAR/$HOST/boot.log-$MONTH"); };<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> destination spooler { file("/home/syslog-ng/$YEAR/$HOST/spooler-$MONTH");
}; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>destination messages {
file("/home/syslog-ng/$YEAR/$HOST/messages-$MONTH"); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_kern); destination(kern);
};> <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_authpriv);
destination(authpriv); };> <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_mail); destination(mail);
};> <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_cron); destination(cron);
};> <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_boot); destination(boot);
};> <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_spooler);
destination(spooler); }; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>> log { source(src); filter(f_messages);
destination(messages); };><o:p></o:p></span></font></p>
<p class=MsoNormal><b><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun;font-weight:bold'>QUESTION: <o:p></o:p></span></font></b></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> I used the syslog-ng to </span></font><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>collect logs from about 1000 clients,while there are many
udp packets receive erros: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'> # netstat </span></font><font
size=1><span lang=EN-US style='font-size:9.0pt'>–</span></font><font
size=1 face=宋体><span lang=EN-US style='font-size:9.0pt;
font-family:SimSun'>su<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'> #</span></font><span
lang=EN-US> </span><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'>Udp:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'> 41200545 packets
received<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'> 0 packets to
unknown port received.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'> 410733273 packet
receive errors<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=宋体><span lang=EN-US
style='font-size:9.0pt;font-family:SimSun'> 21311935 packets
sent<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> I think it means many log sending by the client
are not received by syslog-ng successfully,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>How can I resolve this problems?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-US><o:p> </o:p></span></font></p>
</div>
</body>
</html>