are you sure that they are being received? if htey are coming in over UDP, maybe check some netstat output to see if they are being dropped by the kernel? (in this case they would be dropped before syslog-ng can even see that would be the drops would be listed as zero)
I've just checked my syslog-ng-1.6.8 CentOS-4.1 server and discover I have a similar problem. I wrote a quick UDP syslog record generator using Net::Syslog and used it to pump 30,000 records in 3 forks (i.e. 3 x 10,000) at our syslog-ng server - and only received 29,987. I also ran tcpdump on the syslog-ng server and can confirm 30,000 UDP syslog packets were received.
I have "log_fifo_size (10000)" set, have dns enabled, and have multiple files and directory trees opened by syslog-ng - "STATS: dropped 0" is what "stats()" is returning.
stats() shows messages that syslog-ng has received, but was not able to write to one of it's outputs in time (that is where log_fifo_size() comes in) >
I've run it multiple times now - it never equals 30,000 - always losing 5-50 events.
check the output of: netstat -su do you see anything for "packet receive errors"? try running your send again...did that number grow? can't remember the command right now, but there is an option to adjust this with a sysctl command....
-- Cheers
Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html