I'm not sure if this means anything, but immediately after restarting the syslog-ng daemon, logs seem to update in real-time. This lasts for about 5-10 seconds, and then the update interval drops back to per minute.<br>
<br>Here's some output immediately after restarting syslog-ng:<br>-rw-r--r-- 1 root wheel 455017963 Jul 1 15:25 firewalls.log<br>-rw-r--r-- 1 root wheel 455018571 Jul 1 15:25 firewalls.log<br>-rw-r--r-- 1 root wheel 455018907 Jul 1 15:25 firewalls.log<br>
-rw-r--r-- 1 root wheel 455019552 Jul 1 15:25 firewalls.log<br>-rw-r--r-- 1 root wheel 455020305 Jul 1 15:25 firewalls.log<br>-rw-r--r-- 1 root wheel 455028247 Jul 1 15:25 firewalls.log<br>-rw-r--r-- 1 root wheel 455035022 Jul 1 15:25 firewalls.log<br>
-rw-r--r-- 1 root wheel 455035022 Jul 1 15:25 firewalls.log<br>-rw-r--r-- 1 root wheel 455035022 Jul 1 15:25 firewalls.log<br><br>As you can see, the first few outputs show the size increase happening frequently, but then reverts back to per-minute updates.<br clear="all">
<br>-- Eric Cables<br>
<br><br><div class="gmail_quote">On Thu, Jul 1, 2010 at 2:50 PM, Eric Cables <span dir="ltr"><<a href="mailto:ecables@gmail.com">ecables@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Here's the relevant portion of my config:<br>@version: 3.0<br><br>options { dir_perm(0755); perm(0644); <br> chain_hostnames(no);<br> keep_hostname(yes); <br> create_dirs(yes);<br> normalize_hostnames(yes);<br>
use_fqdn(yes);<br> flush_lines(0);<br> flush_timeout(0);<br> };<br><br># Default local source.<br>source local {<br> unix-dgram("/var/run/log");<br> unix-dgram("/var/run/logpriv" perm(0600));<br>
file("/dev/klog");<br> udp(ip(127.0.0.1) port(514));<br> internal();<br>};<br><br>source remote {<br> udp(ip(x.x.x.x) port(514));<br> tcp(ip(x.x.x.x) port(1470));<br>};<br><br>
<br>Also, here's some output to illustrate what I'm seeing:<br>-rw-r--r-- 1 root wheel 454561970 Jul 1 14:45 firewalls.log<br>-rw-r--r-- 1 root wheel 454561970 Jul 1 14:45 firewalls.log<br>-rw-r--r-- 1 root wheel 454573725 Jul 1 14:46 firewalls.log<br>
-rw-r--r-- 1 root wheel 454573725 Jul 1 14:46 firewalls.log<br>-rw-r--r-- 1 root wheel 454595899 Jul 1 14:47 firewalls.log<br>-rw-r--r-- 1 root wheel 454595899 Jul 1 14:47 firewalls.log<br clear="all"><br>Please let me know if I've implemented the flush_lines() & flush_timeout() values incorrectly.<br>
<font color="#888888">
<br>-- Eric Cables</font><div><div></div><div class="h5"><br>
<br><br><div class="gmail_quote">On Thu, Jul 1, 2010 at 1:25 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu" target="_blank">bazsi@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On Thu, 2010-07-01 at 10:35 -0700, Eric Cables wrote:<br>
> I am seeing syslog-ng write to the file exactly once per minute, which<br>
> includes the hundreds of queued messages.<br>
<br>
</div>this definitely means that syslog-ng is using a non-zero value for<br>
flush_lines(). This used to be called "sync_freq" or "sync", but those<br>
names were deprecated.<br>
<br>
Please also note that these can be set on a per-destination basis, but<br>
also globally, validate that if you have a global setting, you are<br>
overriing at the specific destination.<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div>Bazsi<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br>