On Mon, Oct 27, 2003 at 05:42:21PM +0800, Santa Lau wrote:
Well. The ipchains/iptables has all been disabled. Is there any other locations which I should pay attention?
If syslog-ng does not receive messages via recvfrom, but the box receives it, it can mean many things: 1) the packet filter drops packets 2) rp_filter drops packets 3) the destination IP is not local 4) the IP is local but syslog-ng listens on a different IP 5) the port is not correct 6) the UDP receive buffer overflows The first four cases are easy to confirm, please check that the packet headers as seen in tcpdump are destined to the box, syslog-ng listens on the correct interface/port (check via netstat -an). Can you see ICMP port unreachables as you receive messages? The last case is also possible, though I'm a bit skeptic as you told me that only specific hosts are missing from the log files. Check the recvq column in the netstat -an output. If this recvq value is never 0 you should increase the receive buffer size by increasing the values in /proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_max -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1