<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Calibri;
color:windowtext;}
p.m161189388324671938gmail-p1, li.m161189388324671938gmail-p1, div.m161189388324671938gmail-p1
{mso-style-name:m_161189388324671938gmail-p1;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.m161189388324671938gmail-apple-converted-space
{mso-style-name:m_161189388324671938gmail-apple-converted-space;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:Calibri;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:227303197;
mso-list-template-ids:1059377618;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1292638927;
mso-list-template-ids:2109004232;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;color:#222222;background:white">Hello Support Team,</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222">In the syslog-ng configuration, we have 2 forward rules as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222">1. One rule reads from source (port 514) and writes syslogs to the file for all the syslogs greater than debug.<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222">2. Second rule reads from source <span style="background:white">(port 514) and forwards the syslog to the destination if a set of filter rules match. This set of
filter rules is called the whitelist filter rules; each rule contains a match filter and a priority filter. As there are multiple filter rules, they are ORed to create a main filter rule.</span><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222;background:white"><br>
<br>
</span><span style="font-size:11.0pt;color:#222222"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222;background:white">Now we have syslogs coming in at a rate of 400 eps. Following is our observation:</span><span style="font-size:11.0pt;color:#222222"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222;background:white"><br>
<br>
</span><span style="font-size:11.0pt;color:#222222"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222;background:white">A. If the syslog matches the filter in point 2 above, then following happens</span><span style="font-size:11.0pt;color:#222222"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l1 level1 lfo1;background:white">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;color:#222222">It is forwarded to the destination provided in point 2.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l1 level1 lfo1;background:white">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;color:#222222">Also, at the same time, it is written to a file as per the rule in point 1.<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222"> <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222;background:white">B. If the syslog does not match the filter in point 2 above, then following happens</span><span style="font-size:11.0pt;color:#222222"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2;background:white">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;color:#222222">It is NOT forwarded to the destination provided in point 2 as there is no match.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2;background:white">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;color:#222222">It is supposed to still be written to the file, as the rule in point 1 matches. <b>But this does not happen.</b><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222">We are seeing that if the filter in point 2 matches, then both forward rules get executed immediately and we see the log written to the file immediately as well. But in case
of B, if the syslog does not match, we are seeing that the write to the file is happening in bulk for 30 minutes. <b>Why is this? Why does it not write to the file immediately in case (B) but does so in case (A)?</b><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222">Below is a snapshot of the config values we are using in syslog-ng.conf:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;color:#222222"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333">options {<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> flush_lines (100);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> log_fetch_limit(1000);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> log_iw_size(10000);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> time_reopen (10);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> log_fifo_size (10000);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> chain_hostnames (off);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> use_dns (no);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> use_fqdn (no);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> create_dirs (yes);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> keep_hostname (yes);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333"> threaded(yes);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:9.0pt;background:white"><span style="font-size:11.0pt;color:#333333">};<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Kavita<o:p></o:p></span></p>
</div>
</body>
</html>