Hi It's not necesserly a problem with syslog-ng... In trying to debug the problem I ran 2 concurrent captures of the offending devices. 1 to STDOUT and one to a file. after I saw a few lines were captured in the STDOUT capture I wanted to look at the content of the file and see what was the content of the syslog messages and there I encountered a problem: The capture file was still empty. Only after I stopped the capture to the file, linux released the file cache and wrote the lines into the file itself. This happened to me on /tmp FS which is a 2GB shared memory (tmpfs) filesystem. The log files (syslog-ng writes to) are located on ext3 filesystem that is 45GB in size. Might it be that there is something tuned in the filesystem driver that tells it to buffer the data before its flushed to the hard drive and is the fault in the long delays of writing to log files? Another thing I noticed is that the offending devices have their clocks set to UTC while the syslog server is set to a different timezone.... TIA Paolo PS - to counter what I wrote above: There are other devices that syslog-ng does delay writing to their respective log files. --- Balazs Scheidler <bazsi@balabit.hu> wrote:
On Tue, 2005-12-27 at 08:59 -0800, Paolo Supino wrote:
Hi
1. I checked weather /proc/kmsg is being read by 2 processes. It isn't. The only process reading the file is syslog-ng (and there is only 1 instance of syslog-ng running). 2. All systems that report to the syslog server have forward and backward resolving setup. Here is the output: forward lookup: # nslookup switch-01 Server: 192.168.200.101 Address: 192.168.200.101#53
Name: switch-01.company.net Address: 192.168.63.1
backward lookup: # nslookup 192.168.63.1 Server: 192.168.200.101 Address: 192.168.200.101#53
1.63.168.192.in-addr.arpa name = switch-01.company.net.
Everything looks OK ...
I understand that your DNS is set up correctly I was only wondering whether syslog-ng might block on DNS queries for some reason. I'm sure syslog-ng is doing something, either it is buffering data (because of sync) or is blocking on something.
-- Bazsi
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
__________________________________ Yahoo! for Good - Make a difference this year. http://brand.yahoo.com/cybergivingweek2005/