Hello,

 

My apologies in advance, this is my first posting and I'm quite the rook' when it comes to Linux and Syslog-ng. I keep wondering why this is my project.

 

I have a 4 server syslog deployment with 3 front end "relay" boxes and 1 backend archive box all within a virtualized SLES environment.

 

Recently I noticed that the relay's together are averaging about 2500 messages per second (mps).   The majority of the messages are coming from a single relay, about 2000 mps. Yet the archive box is only averaging about 400 mps.

 

Since we are running 3.0.2 I decided to turn up the stats_level to (1).  I don't see any drops to the about 150 file destinations that I've built.

 

What does stamp, processed, stored, etc.. mean?  I couldn't find any detailed documentation about the different statistics.

 

Why am I getting such a large discrepency between "stamp" and "processed" in the log stats?

 

Finally, since I'm sending the email does anyone see an issue with the way I've got the flow control set up in the global options?

 

Here are my stats in question off my archive box:

processed='src.udp(s_network#0)=22020892',
stamp='src.udp(s_network#0)=1245249328'

 

Here's the global's off the archive box:

options {
        time_sleep(10);
        log_fetch_limit(250);
        log_fifo_size(2000);
        use_dns(no);
        keep_timestamp(yes);
        dns_cache(no);
        long_hostnames(off);
        flush_lines(2000);
        flush_timeout(200);
        perm(0644);
        stats_freq(1800);
        stats_level(1);
        time_reopen(10);
        create_dirs(yes);
        dir_perm(755);
};

Thanks!