On Tue, Apr 7, 2015 at 3:36 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
Hi,
270 is not a lot unless there's some kind of bottleneck in the syslog-ng side. DNS is often a culprit, that's why syslog-ng has a DNS cache which should address the problem. Do you have any kind of related settings in your configuration?
Hi Bazsi! I do use DNS, but per recommendations I use the cache. Here is my complete config:

@version: 3.1

options {
    long_hostnames(off);
    flush_lines(0);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
    create_dirs(yes);
    dir_perm(0755);
    chain_hostnames(0);
    time_reopen(10);
    time_reap(360);
    time_sleep(20);
    use_dns(yes);
    dns_cache(2000);
    dns_cache_expire(87600);
    log_fetch_limit(10);
    log_fifo_size(200000); # 10 polls of (10 fetch limit * 2000 connections)
    log_iw_size(20000); # 10 fetch limit * 2000 connections (default 100)
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src {
    unix-dgram("/dev/log");
    internal();
    file("/proc/kmsg" program_override("kernel"));
};

source s_tls {
    syslog(
        port(6514)
        transport("tls")
        tls(
            peer-verify(required-trusted)
            ca_dir('/etc/syslog-ng/ssl/ca.d')
            key_file('/etc/syslog-ng/ssl/server.key')
            cert_file('/etc/syslog-ng/ssl/server.crt')
        )
        max_connections(2000)
        keep_hostname(yes)
        so_rcvbuf(16777216)
    );
};

source s_udp {
    udp(
        keep_hostname(yes)
        so_rcvbuf(16777216)
    );
};

########################
# Destinations
########################
# The root's console.
#
destination d_console { usertty("root"); };

# Virtual console.
#
destination d_console_all { file("/dev/tty10"); };

destination df_filter_by_facility {
    file(
        "/var/log/$FACILITY.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0755)
        create_dirs(yes)
    );
};

destination d_remote_clients {
    file(
        "/var/log/syslog-ng/remote_clients/$HOST_FROM/$YEAR/$MONTH/$DAY/$FACILITY"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0755)
        create_dirs(yes)
    );
};

destination d_remote_clients_udp {
    file(
        "/var/log/syslog-ng/remote_clients/.udp/$HOST_FROM/$YEAR/$MONTH/$DAY/$FACILITY"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0755)
        create_dirs(yes)
    );
};

########################
# Filters
########################
filter f_crit { level(crit .. emerg); };
filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
log { source(s_src); filter(f_console); destination(d_console_all); };
log { source(s_src); filter(f_crit); destination(d_console); };
log { source(s_src); destination(df_filter_by_facility); };
log { source(s_tls); source(s_udp); destination(d_remote_clients); flags(flow-control); };

Also, 3.1 is pretty old, can you perhaps upgrade that to something more recent? I think squeeze is supported by the madhouse.org packages.
Sure. I'll look at upgrading or standing up a newer Debian system with a more recent syslog-ng. Any other pointers in the meantime?
-m