Mike wrote:
I have a very high volume syslog-ng server. I currently have logs that are being received across the network but not being written to disk. This could be as much as 25% of the logs being dropped. The STAT to syslog always says 0 drops.
Are you sure that they are being received? If they are coming in over UDP, maybe check some netstat output to see if they are being dropped by the kernel? (In this case they would be dropped before syslog-ng can even see them, which would be why the drops would be listed as zero.)
I've just checked my syslog-ng-1.6.8 CentOS-4.1 server and discovered I have a similar problem. I wrote a quick UDP syslog record generator using Net::Syslog and used it to pump 30,000 records in 3 forks (i.e. 3 x 10,000) at our syslog-ng server - and only received 29,987. I also ran tcpdump on the syslog-ng server and can confirm 30,000 UDP syslog packets were received.

I have "log_fifo_size (10000)" set, have dns enabled, and have multiple files and directory trees opened by syslog-ng - "STATS: dropped 0" is what "stats()" is returning.

I've run it multiple times now - it never equals 30,000 - always losing 5-50 events.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
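The kernel-side check suggested in the thread, as an added example that is not part of the original messages: it compares two snapshots of the Linux `/proc/net/snmp` UDP counters (the source of `netstat -su` figures) taken before and after a test run. The snapshot values and the function names `parse_udp` and `udp_loss` are constructed for illustration.

```python
# Constructed snapshots in Linux /proc/net/snmp layout (not data from the thread).
# The deltas mirror the test described above: 30,000 sent, 29,987 logged.
BEFORE = (
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "Udp: 1204500 12 40 880 40 0\n"
)
AFTER = (
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "Udp: 1234487 12 53 880 53 0\n"
)


def parse_udp(snmp_text):
    """Return {counter_name: value} from the two 'Udp:' lines (header, values)."""
    rows = [line.split()[1:] for line in snmp_text.splitlines()
            if line.startswith("Udp:")]
    if len(rows) < 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("no usable Udp: header/value pair found")
    return dict(zip(rows[0], map(int, rows[1])))


def udp_loss(before_text, after_text, sent):
    """Account for `sent` datagrams using counter deltas between two snapshots.

    Counters are host-wide, so run this while other UDP traffic is quiet.
    """
    before, after = parse_udp(before_text), parse_udp(after_text)
    delta = {name: after[name] - before.get(name, 0) for name in after}
    delivered = delta["InDatagrams"]      # delivered to UDP applications
    kernel_drops = delta["InErrors"]      # dropped before any application saw them
    return {
        "delivered": delivered,
        "kernel_drops": kernel_drops,
        # Older kernels do not export RcvbufErrors; report None in that case.
        "rcvbuf_drops": delta.get("RcvbufErrors"),
        "unaccounted": sent - delivered - kernel_drops,
    }


if __name__ == "__main__":
    # On a live host, read /proc/net/snmp before and after the test run instead.
    print(udp_loss(BEFORE, AFTER, sent=30000))
```

If `kernel_drops` accounts for the whole gap and `unaccounted` is zero, the loss happened before syslog-ng read the datagrams, which is consistent with its own drop statistic staying at 0.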