<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I'll do my best to get both ends, the client is on read-only flash, so
it makes that end difficult.<br>
<br>
But, as a general question, it has no problem handling the load if it
is straight udp. So, I imagine this is an issue with either encryption,
or, most likely, TCP. Do you have good pointers on the various syslog
tuning params for TCP?<br>
<br>
thx<br>
<br>
On 1/23/10 1:17 AM, Zoltán Pallagi wrote:
<blockquote cite="mid:4B5ABEAC.1090307@balabit.hu" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
Ok, then show the debug logs of server syslog-ng when you restart
rsyslog, please. You may need to check the debug logs of rsyslog as
well (I've never used rsyslog, but you can more information on the
rsyslog webpage: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.rsyslog.com/doc-troubleshoot.html">http://www.rsyslog.com/doc-troubleshoot.html</a>)<br>
<br>
I would like to help you, but I can't find out the reason for this
behavior without any information, so please tell me as much information
as possible.<br>
<br>
2010.01.23. 0:02 keltezéssel, Rory Toma írta:
<blockquote cite="mid:4B5A2E8B.6050309@ooma.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
I am not using syslog-ng on the client. I am using rsyslog.<br>
<br>
On 1/22/10 2:57 PM, Zoltán Pallagi wrote:
<blockquote cite="mid:4B5A2D67.5000606@balabit.hu" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
Syslog-n tries to reconnect in every 60th seconds to server by default.
Perhaps, the first attempt was not succes and you need wait
for the second attempt so it can take 1-2 minutes.<br>
If you reduce the "time_reopen()" on your <u>client's</u>
configuration, it can be faster.<br>
<br>
I also have an other theory, if you are using flow-control on client
side, and the server is a bit overloaded, syslog-ng can stop reading
the source (and sending to the server).<br>
<br>
Just show a few debug lines after starting syslog-ng on client and a
few lines on server in the same time. (because syslog-ng will send a
few log about the state of connections, e.g.: accepted or closed)<br>
<br>
<br>
2010.01.22. 22:11 keltezéssel, Rory Toma írta:
<blockquote cite="mid:4B5A1472.7090607@ooma.com" type="cite">
<pre wrap="">The problem has been alleviated somewhat by moving to a 64-bit platform.
Since these generally have a different set of tcp defaults, there is
probably a tcp value(s) that need tuning. I do notice on this one, that
after I reboot a client, it takes a few minutes for the logs to start
flowing, but flow they do.
I can show you the output, but it's quite long.
On 1/22/10 1:26 AM, Zoltán Pallagi wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
Can you show me the output of "syslog-ng -Fevd" on your client after
restarting?
(you can find more information about debugging syslog-ng on my blog:
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://pzolee.blogs.balabit.com/">http://pzolee.blogs.balabit.com/</a>)
Rory Toma írta:
</pre>
<blockquote type="cite">
<pre wrap="">I am using syslog-ng-3.0.4-1.rhel on a CentOS-5.4 system. I am using
tls, and have a setup as below. Here is what happens. It logs fine.
However, if I reboot my client that is sending logs, it no longer
works until I restart the syslog-ng server. What do I need to do here?
@version: 3.0
options { flush_lines (3);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes); dir_perm (0755);
keep_hostname (yes);
ts_format("iso");
};
source telo {
tcp( port(80)
tls( key_file("/export/tls/key.pem")
cert_file("/export/tls/cert.pem")
peer_verify(optional-untrusted)) ); };
# Myx destinations
destination myx_dest_0000 {
file("/logs/myx_008161000/$R_YEAR$R_MONTH$R_DAY/$HOS
T-$R_YEAR$R_MONTH$R_DAY.log" owner(root) group(root) perm(0644)
template("$YEAR-
$MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n") template_escape(no)); };
filter myx_filter_0000 { host("myx_001861000[0-9A-F]\{3\}$"); };
log { source(telo); filter(myx_filter_0000);
destination(myx_dest_0000); };
______________________________________________________________________________
Member info: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation:
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<pre wrap=""> </pre>
</blockquote>
<pre wrap="">______________________________________________________________________________
Member info: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
pzolee</div>
</blockquote>
<br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
pzolee</div>
</blockquote>
<br>
</body>
</html>