Thank you for the quick reply.<br><br>Sorry for not mention, since are starting this now, we used the latest version, so syslog-ng 2.0.6...<br><br>We looked at the stats (set to 10s), and saw the following:<br><br>$ ./syslog-ng -v -e -F -f /tmp/syslog-
ng.conf.solaris<br>syslog-ng starting up; version='2.0.6'<br>Log statistics; processed='center(queued)=0', processed='center(received)=0', processed='destination(all)=0', processed='source(local)=0'
<br>Log statistics; processed='center(queued)=0', processed='center(received)=1', processed='destination(all)=0', processed='source(local)=1'<br>Log statistics; processed='center(queued)=0', processed='center(received)=1', processed='destination(all)=0', processed='source(local)=1'
<br>Initializing destination file writer; template='/tmp/messages-ng', filename='/tmp/messages-ng'<br>Log statistics; processed='center(queued)=46862', processed='center(received)=46863', processed='destination(all)=46862', processed='source(local)=46863'
<br>Log statistics; processed='center(queued)=136634', processed='center(received)=136635', processed='destination(all)=136634', processed='source(local)=136635'<br><...><br>Log statistics; processed='center(queued)=578629', processed='center(received)=578630', processed='destination(all)=578629', processed='source(local)=578630'
<br>Log statistics; processed='center(queued)=578629', processed='center(received)=578630', processed='destination(all)=578629', processed='source(local)=578630'<br>Log statistics; processed='center(queued)=578629', processed='center(received)=578630', processed='destination(all)=578629', processed='source(local)=578630'
<br><br>Our test program (same host, a Sun Fire v440 running Solaris 10) had tried to log 1000000 messages. I guess this means the loss is before it reached Syslog-ng?<br><br>Do you have any idea how we can get around this? The more logging-intensive applications, have their sources available to us, a few however don't, so maybe combining some other source with /dev/log could help?
<br><br>Any and all ideas are welcome!<br><br>Best regards,<br>Andrew<br><br><div class="gmail_quote">On Dec 21, 2007 10:09 AM, Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="Wj3C7c"><br>On Fri, 2007-12-21 at 09:14 +0100, Andrew Séguin wrote:<br>> Hello,<br>><br>> I'm sorry if I'm missing something obvious, admittedly I've only had<br>> the chance to quickly search through the manuals and mailing list and
<br>> not read them as deep as I'd like to, yet.<br>><br>> I'm working in a project where we were considering replacing syslog to<br>> take advantage of reliable transmission over tcp. Performance is a
<br>> factor for us, so we wrote a short program that simply loops and logs<br>> a counter and time stamp (to avoid "last message repeated x<br>> messages"). We ran it with syslog (saving locally to a file, and then
<br>> sending remotely to another station which is logging to file) and got<br>> some reference numbers for the hardware/OS (Solaris 10). We then<br>> started the same test with syslog-ng. Performance didn't get to be an
<br>> issue: under the pressure of the performance test, only some 5-600,000<br>> lines are logged although 1,000,000 were sent!<br>><br>> We tried a few tweaks to the configuration file for buffering (see<br>
> below), but it hasn't helped unfortunately. Is there a way to avoid<br>> this problem? Will we encounter this same problem on the remote host<br>> (considering the remote/logging host is planned to be accepting
<br>> messages from two servers with a lot of traffic)<br>><br>> Thanks for any tips/info!<br>> Andrew Seguin<br>><br>><br>> ps: here is the configuration file we have used...<br>><br>> #<br>> # Syslog-ng example configuration file for Solaris
<br>> #<br>> # Copyright (c) 1999 Balazs Scheidler<br>> # $Id: syslog-ng.conf.solaris,v 1.2 1999/11/15 12:30:41 bazsi Exp $<br>> #<br>> # Solaris 2.5.1 and below uses the STREAMS driver, above extends it<br>
> # with doors. For 2.5.1 remove the door() option from the source<br>> declaration.<br>> #<br>><br>> options {<br>> sync (0);<br>> log_fifo_size (65535);<br>> gc_idle_threshold(30); gc_busy_threshold(3000);
<br>> };<br>><br>> source local { sun-streams("/dev/log" door("/etc/.syslog_door"));<br>> internal(); };<br>><br>> destination all { file("/tmp/messages-ng" log_fifo_size(60000)); };
<br>><br>> filter filter_local6 { facility(local6); };<br>> log { source(local); filter(filter_local6); destination(all); };<br><br></div></div>The syslog-ng version would be a useful information.<br><br>What you need to find out where the lossage occurs, it might happen on
<br>the /dev/log device, or inside syslog-ng.<br><br>To find out whether it's the latter case, please check the "Log<br>statistics" message (or STATS in syslog-ng 1.6.x). If the drop counters<br>are zero, then it is the streams device which is dropping messages.
<br><br>I don't remember all the STREAMS details whether it can lose messages,<br>but before digging any further it'd be useful to know where the messages<br>get actually lost.<br><font color="#888888"><br>--<br>Bazsi
<br><br>_______________________________________________<br>syslog-ng maillist - <a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Frequently asked questions at <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br><br></font></blockquote>
</div><br>