<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
So with dqtool ( cool) I noticed that actual problem is that syslog-ng is not writing to disk queue immediately when a message is generated. The message goes to usual place like var/log/message etc but not in the queue where it should because it has not been transmitted to remote host. Now I am thinking there has to be a memory limit before it starts flushing/dumping unsent message to disk queue ? I tried mem-buf-size(1) and <span class="parameter" style="font-family: "courier" , "fixed" ; font-size: 16px">log-fifo-size(1) but none of them works. Is it a static value or is it configurable ?</span><div><font face="Courier, fixed"><span style="font-size: 16px"><br /></span></font></div><div><font face="Courier, fixed"><span style="font-size: 16px">Thanks<br /></span></font><div><br /><br />27. Sep 2016 12:41 by <a href="mailto:thejaguar@tutanota.de" target="_blank" rel="noopener noreferrer">thejaguar@tutanota.de</a>:<br /><br /><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;">
<br />Thanks.<div>So if the queue stays intact, syslog-ng will try to send unsent messages as and when it starts ? even after 2-3 days ? it does not reset the queue or tracking ever ?</div><div><br /></div><div>Thanks again</div><div><br /></div><div><br /></div><div>27. Sep 2016 12:11 by <a href="mailto:balazs.scheidler@balabit.com" target="_blank" rel="noopener noreferrer">balazs.scheidler@balabit.com</a>:<br /><br /><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;"><p>Syslog-ng attempts to address application level failures with reliable disk buffer but kernel level crashes/power failures are not covered, at least you can suffer message loss, but the queue in general should stay intact.</p>
<p>There's a tool for reading disk queue files, iirc the name is dqtool, should be included in your package.</p>
<div class="gmail_extra"><br /><div class="gmail_quote">On Sep 27, 2016 8:35 PM, <<a href="mailto:thejaguar@tutanota.de" target="_blank" rel="noopener noreferrer">thejaguar@tutanota.de</a>> wrote:<br /><blockquote class="quote" style="margin: 0 0 0 0.8ex ; border-left: 1px #ccc solid ; padding-left: 1ex">
<div>
Hi,<div>I have been using disk based buffering with reliable turned on yes as suggested here :-</div><div><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-diskbuffer-reliable.html" target="_blank" rel="noopener noreferrer">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-diskbuffer-reliable.html</a><br /></div><div><br /></div><div>This has been working great for me on an embedded linux device which does not have internet connection except when the application running on it turns on the modem/pppd when it has to send some data, basically to save battery power. Now syslog-ng is brilliant and sends all the stored/queued logs immediately upon detecting network connection as long as system stays alive. Now the challenge is if the device has a system reset or kernel crash in between network connection availability, will syslog-ng send unsent logs upon next system reboot when it gets the network connection ? Or it resets the queue and tracking upon system reset/boot ?</div><div>I noticed any logs generated in between power resets and which are not sent are not transmitted on next net connection. Is it expected behaviour ? If not then what wrong I am doing ? also how can I read whats in /var/lib/syslog-ng/syslog-ng-00000.rqf or syslog-ng.persist ?</div><div><br /></div><div>=======================<br /></div><div><br /></div><div><div>destination d_net {</div><div> network (</div><div> "`myloghost`" port(`mylogport`) transport("tls")</div><div> tls( ca-dir("/etc/syslog-ng/ca") peer-verify(required-trusted) ssl-options(no-sslv3,no-tlsv1) )</div><div> disk-buffer( reliable(yes) mem-buf-size(1M) disk-buf-size(5M) qout-size(64) )</div><div> template("<$PRI> $FACILITY $ISODATE $HOST $PROGRAM $MSG\n")</div><div> );</div><div>};</div></div><div><br /></div><div><div>syslog-ng 3.8.1</div><div>Installer-Version: 3.8.1</div><div>Revision:</div><div>Module-Directory: /usr/lib/syslog-ng</div><div>Module-Path: /usr/lib/syslog-ng</div><div>Available-Modules: cef,affile,basicfuncs,system-source,cryptofuncs,graphite,pseudofile,afuser,kvformat,add-contextual-data,date,csvparser,linux-kmsg-format,confgen,syslogformat,afprog,disk-buffer,dbparser,afsot</div><div>Enable-Debug: off</div><div>Enable-GProf: off</div><div>Enable-Memtrace: off</div><div>Enable-IPv6: off</div><div>Enable-Spoof-Source: off</div><div>Enable-TCP-Wrapper: off</div><div>Enable-Linux-Caps: off</div></div><div><br /></div><div>=======================<br /></div><div><br /></div><div>Thanks</div><div><br /></div><div><br /></div> </div>
<br />______________________________________________________________________________<br />
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" rel="noopener noreferrer">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br />
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" rel="noopener noreferrer">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br />
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" rel="noopener noreferrer">http://www.balabit.com/wiki/syslog-ng-faq</a><br />
<br />
<br /></blockquote></div><br /></div></blockquote></div></blockquote></div></div> </body>
</html>