options { chain_hostnames(off); sync(0); stats(43200); }; source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); }; destination messages { file("/var/log/messages"); }; destination net { tcp("x.x.x.x" port(xxx)); }; log { source(src); destination(messages); }; log { source(src); destination(net); };
Most of the time the dropped stats are 0 but sometimes they are 3000 or so and occasionally 20000-50000! Usually this happens on the mail server or the log server which are both heavily used machines.
One of the destinations is obviously backing up, likely the tcp destination for the mail server. On the logserver I already have log_fifo_size(20000); to try to alleviate this. I would have thought this was reasonable. I don't think this increases memory consumption too much either, at least not by today's standards, the server has the nominal 1GB of Ram.
Should I increase this on the server and add it to on the agents too?
you should look at adding the log_fifo_size() on the agents. the way I read it above, your log sources don't have an increased log_fifo_size(). hrm. to make that more clear: you should increase the log_fifo_size() on the systems where you are seeing the drops.
From what I remember the memory for this is dynamically allocated, and cleaned up afterwards..so I would even set it at 100,000 or 200,000.
Mike