Balazs,<div><br></div><div>Thank you for the response to my question. I thought I responded to both you and the list and didn't, so I wanted to make sure it made it to the list. It turns out that that's exactly what it was -- there were some changes in the original configuration that caused the 2nd pair to have iptables in place blocking the logging. I'll get it fixed and be good to go.</div>
<div><br></div><div>Thanks for catching that and apologies to the list for not thinking of it before I posted.</div><div><br></div><div>Brian<br><br><div class="gmail_quote">On Tue, Sep 11, 2012 at 2:14 PM, Balazs Scheidler <span dir="ltr">&lt;<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>This seems to be a completely unrelated issue. Are you sure syslog isn't dropped by packet filtering, firewalls, etc.?
<br></p><div><div class="h5">
<br>
<br>
<br>----- Original message -----
<br>> Hello all,
<br>>
<br>> I hope what I'm asking hasn't been covered previously, I tried some
<br>> searches with no luck. If I'm duplicating something else, I apologize.
<br>>
<br>> My problem is, I have 6 DHCP servers with identical syslog-ng.conf and
<br>> syslog.conf files on them. The set up is as so:
<br>>
<br>> dhcp-a-01 and dhcp-b-01 are a DHCP failover pair
<br>> dhcp-a-02 and dhcp-b-02 are a DHCP failover pair
<br>> dhcp-a-03 and dhcp-b-03 are a DHCP failover pair
<br>>
<br>> The 'dhcp-a' servers are in the A data center. 'dhcp-b' servers are in
<br>> the B data center.
<br>>
<br>> Again, the syslog-ng.conf files on all of them are identical, checked
<br>> with sha1sum. It is confirmed that all of them are using syslog-ng for
<br>> logging.
<br>>
<br>> I have them all set to log to the same remote logging server. Logs from
<br>> dhcp-[a,b]-01 and dhcp-[a,b]-03 are making it to the remote server with
<br>> no issues. I can see it on the remote server and I can see it when doing
<br>> a 'tcpdump port 514' on the servers themselves.
<br>>
<br>> For some reason, I'm not seeing any logs from dhcp-[a,b]-02 on the remote
<br>> server and when I do 'tcpdump port 514' for a length of time, I get:
<br>>
<br>> dhcp-b-02:~# tcpdump port 514
<br>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
<br>> decode listening on eth0, link-type EN10MB (Ethernet), capture size 96
<br>> bytes ^C
<br>> 0 packets captured
<br>> 0 packets received by filter
<br>> 0 packets dropped by kernel
<br>>
<br>> when the other servers, done at the same time, show packets captured.
<br>>
<br>> I just did a "tail -f /var/log/syslog > /tmp/test" on all of the servers
<br>> between 11:43:26 and 11:45:38 (2m12s). In that time:
<br>>
<br>> dhcp-[a,b]-01 had roughly 2700 lines
<br>> dhcp-[a-b]-02 had roughly 11000 lines
<br>> dhcp-[a-b]-03 had roughly 1100 lines
<br>>
<br>> So to me it seems like there's some sort of throttling on the data that's
<br>> able to be sent. There's ~5x more traffic on pair 2 than 1 (which will be
<br>> rebalanced, just trying to get this working first) so that would make
<br>> sense. The only thing that I could find that looks like it would help is
<br>> the log_fifo_size option, but that doesn't seem to help -- I've made
<br>> several adjustments to it, but it doesn't seem to make any difference.
<br>>
<br>> Can someone please let me know what I'm missing? Thanks!
<br>>
<br>> Brian
<br><br></div></div><p></p>
</div>
</blockquote></div><br></div>
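The resolution in this thread, as an added example that is not part of the original messages: on Linux, tcpdump sees outgoing packets only after the netfilter OUTPUT chain, so a local iptables rule that drops syslog on the sender is consistent with a capture showing 0 packets. The function name, the heuristic and both trimmed rulesets below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag OUTPUT-chain entries in
# `iptables-save` text that would stop outbound syslog on port 514.
# Heuristic: explicit --dport matches and chain policy only (no ranges/multiport).

find_syslog_blocks() {
    # $1 = destination port to check (default 514); ruleset is read from stdin
    awk -v port="${1:-514}" '
        $1 == ":OUTPUT" { policy = $2 }            # e.g. ":OUTPUT DROP [0:0]"
        $1 == "-A" && $2 == "OUTPUT" {
            target = ""; dport = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
            }
            if (dport != port) next                # rule does not name this port
            if (target == "ACCEPT") accepted = 1
            if (target == "DROP" || target == "REJECT") print "BLOCK rule: " $0
        }
        END {
            if (policy == "DROP" && !accepted)
                print "BLOCK policy: OUTPUT defaults to DROP, no ACCEPT for port " port
        }
    '
}

# Constructed sample rulesets in iptables-save format (trimmed to OUTPUT).
sample_blocked() {
    cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 514 -j DROP
COMMIT
EOF
}

sample_clean() {
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -p udp -m udp --dport 514 -j ACCEPT
COMMIT
EOF
}

# On a live host (as root): iptables-save | find_syslog_blocks 514
sample_blocked | find_syslog_blocks 514
```

An empty result means only that no explicit match was found; rules in user-defined chains or matching by address rather than port still need a manual read of the ruleset.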