Hello all,<div><br></div><div>I hope what I'm asking hasn't been covered previously, I tried some searches with no luck. If I'm duplicating something else, I apologize.</div><div><br></div><div>My problem is, I have 6 DHCP servers with identical syslog-ng.conf and syslog.conf files on them. The set up is as so:</div>
<div><br></div><div>dhcp-a-01 and dhcp-b-01 are a DHCP failover pair</div><div>dhcp-a-02 and dhcp-b-02 are a DHCP failover pair</div><div>dhcp-a-03 and dhcp-b-03 are a DHCP failover pair</div><div><br></div><div>The 'dhcp-a' servers are in the A data center. 'dhcp-b' servers are in the B data center.</div>
<div><br></div><div>Again, the syslog-ng.conf files on all of them are identical, checked with sha1sum. It is confirmed that all of them are using syslog-ng for logging.</div><div><br></div><div>I have them all set to log to the same remote logging server. Logs from dhcp-[a,b]-01 and dhcp-[a,b]-03 are making it to the remote server with no issues. I can see it on the remote server and I can see it when doing a 'tcpdump port 514' on the servers themselves.</div>
<div><br></div><div>For some reason, I'm not seeing any logs from dhcp-[a,b]-02 on the remote server and when I do 'tcpdump port 514' for a length of time, I get:</div><div><br></div><div><div>dhcp-b-02:~# tcpdump port 514</div>
<div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes</div><div>^C</div><div>0 packets captured</div><div>0 packets received by filter</div>
<div>0 packets dropped by kernel</div></div><div><br></div><div>when the other servers, done at the same time, show packets captured.</div><div><br></div><div>I just did a "tail -f /var/log/syslog > /tmp/test" all of the servers between 11:43:26 and 11:45:38 (2m12s). In that time:</div>
<div><br></div><div>dhcp-[a,b]-01 had roughly 2700 lines</div><div>dhcp-[a-b]-02 had roughly 11000 lines</div><div>dhcp-[a-b]-03 had roughly 1100 lines</div><div><br></div><div>So to me it seems like there's some sort of throttling on the data that's able to be sent. There's ~5x more traffic on pair 2 than 1 (which will be rebalanced, just trying to get this working first) so that would make sense. The only thing that I could find that looks like it would help is the log_fifo_size option, but that doesn't seem to help -- I've made several adjustments to it, but it doesn't seem to make any difference. </div>
<div><br></div><div>Can someone please let me know what I'm missing? Thanks!</div><div><br></div><div>Brian</div><div><br></div>