syslog-ng 1.4.11 on Redhat linux 7.2. And here is the syslog-ng globla option look like. (Sorry I can't post all the configuration because of obvious reasons :) ) But there is no options set for specific source, destionation or filter. options { use_dns (no); # Don't perform DNS lookups use_fqdn (no); # Don't use full hostname create_dirs (yes); # Create any necessary dirs for files use_time_recvd (yes); # Use our time, not the remote device time log_fifo_size(10000); # Queue 10000 msgs on a blocked dest sync(0); # Flush the queues as fast as possible # Tweak the sync parameter if the disks are # going wild and thrashing the machine chain_hostnames(on); # Chain hostname/IP information in log line }; source s_UDP { udp( ip(192.168.1.1) port(514) ); }; destination d_alert { pipe ("/usr/local/var/ALERT"); }; filter f_alert { match("blah, blah ...") or match("blah, blah ...") or match("blah, blah ...") or match("blah, blah ...") or match("blah, blah ...") or match("blah, blah ...") or match("blah, blah ...") or match("blah, blah ..."); }; log { source(s_UDP); filter(f_alert); destination(d_alert); }; Thanks, Andy -----Original Message----- From: Michael Earls [mailto:Michael.Earls@chmcc.org] Sent: Thursday, July 11, 2002 10:13 AM To: aning@jetnet.ca; syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng]Strang behaviour of syslog-ng (and my program) What ver of syslog-ng? and what distro are u running syslog-ng on? what does your config look like? michael
aning@jetnet.ca 07/11/02 09:49AM >>>
Just add a little more info, if I send the first 10 messages a little bit slower, say delay 10 msec in between, then it doesn't happen. -----Original Message----- From: Antai Ning [mailto:aning@jetnet.ca] Sent: Wednesday, July 10, 2002 1:38 PM To: 'syslog-ng@lists.balabit.hu' Subject: [syslog-ng]Strang behaviour of syslog-ng (and my program) Hi Gurus, I got some strange phenomemon with syslog-ng. Here is what I'm doing. I configured syslog-ng to forward certain type of messages to a pipe. (say, ALERT). I wrote a program in perl to read from the pipe and print them out. The perl program first try to open the pipe and it'll block at the open function untill syslog-ng has some messages to write to the pipe. Then the perl program reads using IO::File can_read() function, with a 5 seconds timeout. So the function looks like this: $sel->can_read(5). Then I send 10 valid messages to syslog-ng from a remote machine by UDP. To my supprise, the perl program got only 2 of the 10! Then I send another 1 valid message to this syslog-ng after 5 minutes, and I got not only this message, but also the 8 I lost last time! This happens only for the first 10 messages (which includes the opening of the pipe). Everything is fine after the first round. It looks like it's related to the pipe opening and messages get queued somewhere until later messages trigger the queue to flush. So what's really happening inside? And is there a solution? Thanks, Andy