<p dir="ltr">How do you know messages are dropped?</p>
<div class="gmail_quote">On Apr 22, 2013 4:24 PM, "Davide D'Amico" <<a href="mailto:davide.damico@gmail.com">davide.damico@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi, I'm using syslog-ng OSE 3.3.8 on a FreeBSD 9.1 amd64 box on a centralized server (DELL R610, 32GB ram, ZFS with compressed filesystem) and 150 servers with syslog-ng that logs locally and send remotely their logs stream to the centralized syslog-ng.<div>
Sometime I see packets dropped, so I think I'm missing something on its configuration.</div><div><br></div><div>That's what I'm using:</div><div>- generic server:</div><div><div>@version: 3.3</div><div><br></div>
<div>options {</div><div> perm(0644);</div><div> dir_perm(0750);</div><div> create_dirs(yes);</div><div> group (logs);</div><div> dir_group (logs);</div><div> log_fifo_size(10000);</div><div> use_fqdn(yes);</div><div>
keep_hostname(yes);</div><div> chain_hostnames(no);</div><div> stats_freq(3600);</div><div>};</div><div><br></div><div>source s_local {</div><div> unix-dgram("/var/run/log");</div><div> unix-dgram("/var/run/logpriv" perm(0600));</div>
<div> internal();</div><div> file("/dev/klog");</div><div>};</div><div><br></div><div>destination d_local {</div><div> file("/var/log/syslog-ng/$YEAR/$MONTH/$DAY/$FACILITY.log");</div><div>};</div>
<div>
<br></div><div>destination d_remote {</div><div> tcp("10.0.0.9" port(514));</div><div>};</div><div><br></div><div>log {<br></div><div> source(s_local);</div><div> destination(d_local);</div><div> destination(d_remote);</div>
<div>};</div><div><br></div><div>- centralized log server:</div><div><div>@version: 3.3</div><div><br></div><div>options {</div><div> perm(0644);</div><div> dir_perm(0755);</div><div> create_dirs(yes);</div>
<div> group (logs);</div><div> dir_group (logs);</div><div> use_fqdn(yes);</div><div> keep_hostname(yes);</div><div> chain_hostnames(no);</div><div> stats_freq(120);</div><div> log_fifo_size(10000);<br></div><div>
frac_digits(3);</div>
<div>};</div><div><br></div><div>source s_local { </div><div> unix-dgram("/var/run/log" max_connections(20));</div><div> unix-dgram("/var/run/logpriv" perm(0600) max_connections(20));</div><div> internal();</div>
<div> file("/dev/klog");</div><div>};</div><div><br></div><div>filter f_localhost {</div><div> netmask( "127.0.0.1" );</div><div>};</div><div><br></div><div>filter f_network6 {</div><div> netmask( "<a href="http://172.16.6.0/255.255.255.0" target="_blank">172.16.6.0/255.255.255.0</a>" );</div>
<div>};</div><div><br></div><div>destination d_local { </div><div> file("/tank/syslog/custom/localhost/$YEAR/$MONTH/$DAY/$FACILITY.log");</div><div>};</div><div><br></div><div>source s_network {</div><div> udp(ip("10.0.0.9") so_rcvbuf(16777216));</div>
<div> tcp(ip("10.0.0.9") port(514) log_fetch_limit(100) max_connections(200) log_iw_size(20000) so_rcvbuf(16777216));</div><div>};</div><div><br></div><div>filter f_www_host { </div><div> host("www1.domain.lan") or host("www2.domain.lan") or host("www3.domain.lan");</div>
<div>};</div><div><br></div><div>[...]</div><div><br></div><div><div>filter f_www_fac {</div><div> facility(local6);</div><div>};</div></div><div><br></div><div>[...]</div><div><br></div><div><div>destination d_www { </div>
<div> file("/tank/syslog-ng/custom/www/$YEAR/$MONTH/$DAY/$FACILITY.log");</div><div>};</div></div><div><br></div><div>[...]</div><div><br></div><div><div>log {</div><div> source(s_network);</div><div> filter(f_www_host);</div>
<div> filter(f_www_fac);</div><div> destination(d_www);</div><div>};</div></div><div><br></div><div> <br></div><div>Thanks,</div></div>-- <br>d.
</div></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div>