I have a pair of syslog-ng OSE servers on different LANs, which forward some of the log entries that they receive to separate collectors. In other words,

 

                Syslog-A   ->  collector-A

                Syslog-B  ->  collector-B

 

I would like for the two syslog servers to use a common syslog-ng.conf for obvious reasons. I first built destination clauses with the separate IPs, like so:

 

destination d_collector {

    udp(

        "192.168.1.23"

        port(514)

        template("${DATE} ${HOST} ${MSG}")

    );

};

 

This worked fine. But when I define an environment variable, COLLECTOR_IP, and then change my configuration to:

 

destination d_collector {

    udp(

        "`COLLECTOR_IP`"

        port(514)

        template("${DATE} ${HOST} ${MSG}")

    );

};

 

Then syslog-ng’s throughput slows down to a trickle (but does continue); CPU utilization (ordinarily substantial – this is a busy log handler) drops to near zero. Changing the configurations back to use the raw IP address restored previous throughput. There are no unusual messages in syslog-ng’s own logfile.

 

Anyone seen this puzzling behavior?

 

Thanks,

Jon Wilson

jonathan.wilson@vumc.org