Hi Gabor,

 

This is strange: the d_localfile destinations (as well as the vrf-socket destination "d_mgmt_vrf_socket") receive messages from the syslog() source, but not from the internal() or system() sources?

Yes.

And the issue vanishes when "d_mgmt_vrf_socket" destination is removed?

Yes.

I could not test the last 2 suggestions that you made.

We did, however, do another test, which was to remove the reliable option from d_mgmt_vrf_socket, and it seems the problem is not seen again.

Besides what is written in the manual, in which other cases/conditions can syslog-ng lose logs?

 

reliable()

Type: yes|no

Default: no

Description: If set to yes, syslog-ng OSE cannot lose logs in case of reload/restart, unreachable destination or syslog-ng OSE crash. This solution provides a slower, but reliable disk-buffer option. It is created and initialized at startup and gradually grows as new messages arrive. If set to no, the normal disk-buffer will be used. This provides a faster, but less reliable disk-buffer option.

Thanks in advance,

Alex

 

From: Gabor Nagy (gnagy) <Gabor.Nagy@oneidentity.com>
Sent: 25 March 2022 14:44
To: Alexandre Santos <ASantos@infinera.com>; Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: Local sources seem not to be working

 


Hi Alex,


Sorry I haven't answered yet. I have a few ideas I would like to try out next week.


This is strange: the d_localfile destinations (as well as the vrf-socket destination "d_mgmt_vrf_socket") receive messages from the syslog() source, but not from the internal() or system() sources?

And the issue vanishes when "d_mgmt_vrf_socket" destination is removed?

If it were soft flow-control, then the syslog() source would be suspended too.

Just a tip: would you switch out the unix-dgram() destination for a syslog() destination, please? Maybe that's not possible with the VRF in place...


In the stats output, do you see an increased number of dropped messages?

 

I would still suggest increasing the 4MB disk-buffer. You should make an estimation of how long the mgmt syslog-ng could be down (i.e. not receiving from the unix-dgram), what the average incoming EPS is, and the average message size; that could give a hint about the required disk-buffer size.


Regards,

Gabor