[...]
them about a dialup connection, so I modified the log statement to "log { source(net); destination(home); destination(all); };" where all was "destination all { file("/var/log/allmessages"); };". From that moment on (i.e. after the HUP) the whole system went to sleep. Every process trying to use syslog blocked. Within a few seconds I had some hundred pop3d and sendmail tasks running, and my own ssh was blocked since I tried to issue a logger command. I was not able to telnet or ssh to this host since both daemons tried to log when I connected. Luckily enough someone else at my company still had an open telnet. I called him and advised him to remove the malicious lines from the config and send syslog-ng a SIGHUP. No effect. Only a SIGKILL was able to help us out of this strange situation. Within seconds all the daemons went back to work again.
[...]
An strace dump or something could really help here. As it seems syslog-ng blocked on something (a DNS request maybe?), thus couldn't accept connections on /dev/log.
Ok, yesterday the same thing happened again while one of my colleagues restarted the nameserver on the same host. This seems to prove your explanation with the block on resolving hostnames on the one hand, but brings me into a very nasty situation on the other hand because I cannot ignore that problem any longer. I need name resolution and I need a stable system, of course. So I see three possibilities:

1.) As you suggested:
Newer libc's allow using unix-dgram /dev/log, try using that, client programs will never block then.
Only problem: what is a "newer libc"? Are you talking about glibc?

2.) Running two syslog-ng processes, one with name resolution on (receiving all that network data) and one with name resolution off (reading /dev/log), which should solve my problem, too.

3.) Firewalling the syslog port at host level and putting all hosts allowed to get through in the hosts file. Will syslog-ng use the hosts file (by using the standard resolver library) or will it bypass it and only do ns lookups?

I'd really like to hear your opinion about these possibilities. Of course I'd prefer 1.) since I like things which work by design and not because of some "dirty tricks".

Thank you in advance,
Stefan
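The stall described in this thread can be reproduced in isolation. The following is an added example, not code from the thread or from syslog-ng: a `socketpair` stands in for a client connected to a stream-type /dev/log, the "daemon" end simply never reads (as when it is stuck in a hostname lookup), and the hypothetical helper `try_log` shows a client-side bounded wait that drops the record instead of hanging. The sample record is constructed.

```python
import socket

# Constructed sample log record, padded to a fixed size.
RECORD = b"<13>constructed test message".ljust(1024, b".")


def try_log(client, record, timeout=0.2):
    """Send one record; give up after `timeout` seconds instead of hanging."""
    client.settimeout(timeout)
    try:
        client.sendall(record)
        return True
    except socket.timeout:
        return False  # daemon is not reading: drop the record, keep serving


def drain(daemon):
    """Read everything queued, as the daemon does once it resumes."""
    daemon.setblocking(False)
    total = 0
    while True:
        try:
            data = daemon.recv(65536)
        except BlockingIOError:
            return total
        if not data:
            return total
        total += len(data)


def simulate(limit=100_000):
    # Assumption: socketpair models a client connected to unix-stream /dev/log.
    daemon, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        queued, stalled = 0, False
        while queued < limit:              # daemon end never reads here
            if not try_log(client, RECORD):
                stalled = True             # kernel buffer full: a plain
                break                      # blocking write would hang now
            queued += 1
        drained = drain(daemon)            # daemon resumes and reads
        recovered = try_log(client, RECORD)
        return {"queued": queued, "stalled": stalled,
                "drained": drained, "recovered": recovered}
    finally:
        daemon.close()
        client.close()


if __name__ == "__main__":
    print(simulate())
```

Without the timeout, the write at the stall point blocks until the reader resumes, which is the state the pop3d, sendmail and sshd processes were in.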