<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="generator" content="Osso Notes">
<title></title></head>
<body>
<p>This seems to be a completely unrelated issue. Are you sure syslog isn't dropped by packet filtering, firewalls, etc.?
<br>
<br>
<br>
<br>----- Original message -----
<br>> Hello all,
<br>>
<br>> I hope what I'm asking hasn't been covered previously, I tried some
<br>> searches with no luck. If I'm duplicating something else, I apologize.
<br>>
<br>> My problem is, I have 6 DHCP servers with identical syslog-ng.conf and
<br>> syslog.conf files on them. The setup is as so:
<br>>
<br>> dhcp-a-01 and dhcp-b-01 are a DHCP failover pair
<br>> dhcp-a-02 and dhcp-b-02 are a DHCP failover pair
<br>> dhcp-a-03 and dhcp-b-03 are a DHCP failover pair
<br>>
<br>> The 'dhcp-a' servers are in the A data center. 'dhcp-b' servers are in
<br>> the B data center.
<br>>
<br>> Again, the syslog-ng.conf files on all of them are identical, checked
<br>> with sha1sum. It is confirmed that all of them are using syslog-ng for
<br>> logging.
<br>>
<br>> I have them all set to log to the same remote logging server. Logs from
<br>> dhcp-[a,b]-01 and dhcp-[a,b]-03 are making it to the remote server with
<br>> no issues. I can see it on the remote server and I can see it when doing
<br>> a 'tcpdump port 514' on the servers themselves.
<br>>
<br>> For some reason, I'm not seeing any logs from dhcp-[a,b]-02 on the remote
<br>> server and when I do 'tcpdump port 514' for a length of time, I get:
<br>>
<br>> dhcp-b-02:~# tcpdump port 514
<br>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
<br>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
<br>> ^C
<br>> 0 packets captured
<br>> 0 packets received by filter
<br>> 0 packets dropped by kernel
<br>>
<br>> when the other servers, done at the same time, show packets captured.
<br>>
<br>> I just did a "tail -f /var/log/syslog > /tmp/test" on all of the servers
<br>> between 11:43:26 and 11:45:38 (2m12s). In that time:
<br>>
<br>> dhcp-[a,b]-01 had roughly 2700 lines
<br>> dhcp-[a-b]-02 had roughly 11000 lines
<br>> dhcp-[a-b]-03 had roughly 1100 lines
<br>>
<br>> So to me it seems like there's some sort of throttling on the data that's
<br>> able to be sent. There's ~5x more traffic on pair 2 than 1 (which will be
<br>> rebalanced, just trying to get this working first) so that would make
<br>> sense. The only thing that I could find that looks like it would help is
<br>> the log_fifo_size option, but that doesn't seem to help -- I've made
<br>> several adjustments to it, but it doesn't seem to make any difference.
<br>>
<br>> Can someone please let me know what I'm missing? Thanks!
<br>>
<br>> Brian
<br><br></p>
</body>
</html>