On Tue, 2005-12-27 at 06:07 -0800, Paolo Supino wrote:
Hi
I'm not sure whether the message gets written or not to the file eventually (there is no specific message I was able to track) so I cannot answer your question with absolute certainty. If I had to guess then I'd say it does get written to the file eventually. I think that the problem is in the way that syslog writes the messages to the files. From what I read, on every message that is received a single write() is done. This means that each destination gets opened and closed repeatedly (and this was confirmed by running `fuser` on each of the files). On my server there are a few destinations (the ones that belong to the firewalls) that are so busy that they are constantly open or are opened/closed at such a pace that it's impossible to track manually. Might it be that in such a scenario messages will first be written to a destination that is already open and messages to destinations that are closed will wait an undefined amount of time?
syslog-ng does not reopen destination files at such a pace. It basically opens a destination whenever there's a message to write and keeps the file open up to the value specified by time_reap(), which is 60 seconds by default. So busy destinations should be kept open indefinitely; destinations where incoming messages are rare are closed and reopened whenever they are needed.
Is there a way I can track what happens with a specific message in syslog-ng?
No, sorry. My suspicion is that syslog-ng blocks for some reason on external sources, the most common cases are:

1) two processes reading /proc/kmsg
2) DNS

-- Bazsi
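
To check the first cause named in the reply above, this added example (not part of the original thread, and not syslog-ng's own tooling) scans every process's open descriptors for `/proc/kmsg`. The function names and the `proc_root` parameter are this example's own, and it assumes a Linux `/proc` layout and root privileges to see other users' descriptors.

```python
#!/usr/bin/env python3
"""List processes holding /proc/kmsg open (added example; run as root)."""
import os
import sys


def _comm(proc_root, pid):
    """Best-effort command name for a pid directory."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def kmsg_readers(proc_root="/proc", target="/proc/kmsg"):
    """Return sorted [(pid, command name)] of processes with `target` open.

    proc_root is a parameter only so the scan can be exercised against a
    constructed directory tree; on a live host leave the defaults.
    """
    readers = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # only per-process directories
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited or permission denied
            continue
        for fd in fds:
            try:
                link = os.readlink(os.path.join(fd_dir, fd))
            except OSError:              # descriptor closed while scanning
                continue
            if link == target:
                readers.append((int(entry), _comm(proc_root, entry)))
                break                    # one hit per process is enough
    return sorted(readers)


if __name__ == "__main__":
    found = kmsg_readers()
    for pid, name in found:
        print(f"{pid}\t{name}")
    if len(found) > 1:
        print("more than one process is reading /proc/kmsg", file=sys.stderr)
        sys.exit(1)
```

A non-zero exit status means more than one reader was found, which makes the script usable from a monitoring check on the log server.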