Actually, I missed what you were doing with awk because I don't think I've ever seen /inet before. Are you on FreeBSD? My experience (and cited performance numbers) is all on Linux.

My suspicion is that nc would take into account more things like SO_RCVBUF, so I'd be interested to see if there's any difference between redirecting the raw socket and running netcat.

Your template refers to DNS hostnames, so it's certainly possible that it's a factor, though I agree that a single hostname with caching enabled should really not be a problem.

On Fri, Oct 15, 2010 at 3:54 PM, Lars Kellogg-Stedman <lars@oddbit.com> wrote:
the time. A great sanity check is to use nc -l 514 -u > /some/out/file
Right, I did that...as I described in the message.
how many were received. If that's looking good, I recommend running tcpdump/wireshark to find the rate of DNS lookups from the box.
I'll take a look. I'm coming from a single host, and I do have DNS caching enabled, so I would be surprised if this is the problem. As a first step I may just disable DNS and see if that has any impact on the problem.
two. A full answer would require seeing the values of your output templates.
template t_daily_log { template("$FULLHOST_FROM $YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC [$FACILITY:$LEVEL] [$PROGRAM:$PID] $MSG\n"); };
template t_host_log { template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC [$FACILITY:$LEVEL] [$PROGRAM:$PID] $MSG\n"); };
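
The delivery check discussed in this thread (how many messages were received), as an added example that is not code from the thread or from syslog-ng: it parses lines written through the `t_daily_log` template above and reports which test messages never reached the file. The `seq=N` marker in the message text, the host and program names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One line as written by t_daily_log:
# $FULLHOST_FROM $YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC [$FACILITY:$LEVEL] [$PROGRAM:$PID] $MSG
LINE_RE = re.compile(
    r"^(?P<host>\S+) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<facility>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[(?P<program>[^:\]]*):(?P<pid>[^\]]*)\] "   # $PID may expand to nothing
    r"(?P<msg>.*)$"
)
# Assumed marker: the test sender numbers its messages "seq=0", "seq=1", ...
SEQ_RE = re.compile(r"\bseq=(\d+)\b")


def audit(lines, expected):
    """Compare received sequence numbers against 0..expected-1, per sending host."""
    seen = defaultdict(list)
    rejected = []                      # lines that do not fit the template
    for line in lines:
        line = line.rstrip("\n")
        m = LINE_RE.match(line)
        seq = SEQ_RE.search(m.group("msg")) if m else None
        if not seq:
            rejected.append(line)
            continue
        seen[m.group("host")].append(int(seq.group(1)))
    report = {}
    for host, seqs in seen.items():
        uniq = set(seqs)
        report[host] = {
            "received": len(uniq),
            "missing": sorted(set(range(expected)) - uniq),
            "duplicates": sorted(s for s in uniq if seqs.count(s) > 1),
        }
    return report, rejected


# Constructed sample: 6 messages sent (seq 0..5); seq 2 and 4 were lost,
# seq 3 was written twice, and the last line is truncated.
SAMPLE = """\
web01.example.com 2010-10-15 15:54:01 [local0:info] [loadtest:4242] seq=0 probe
web01.example.com 2010-10-15 15:54:01 [local0:info] [loadtest:4242] seq=1 probe
web01.example.com 2010-10-15 15:54:01 [local0:info] [loadtest:4242] seq=3 probe
web01.example.com 2010-10-15 15:54:01 [local0:info] [loadtest:4242] seq=3 probe
web01.example.com 2010-10-15 15:54:02 [local0:info] [loadtest:] seq=5 probe
web01.example.com 2010-10-15 15:54:02 [local0:in
"""

if __name__ == "__main__":
    print(audit(SAMPLE.splitlines(), expected=6))
```

Running the same audit over the file written by the `nc` capture and over the syslog-ng destination file shows whether messages are lost before or after they reach syslog-ng.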