Hi

1. I checked whether /proc/kmsg is being read by 2 processes. It isn't. The only process reading the file is syslog-ng (and there is only 1 instance of syslog-ng running).

2. All systems that report to the syslog server have forward and backward resolving set up. Here is the output:

forward lookup:
# nslookup switch-01
Server:   192.168.200.101
Address:  192.168.200.101#53

Name:     switch-01.company.net
Address:  192.168.63.1

backward lookup:
# nslookup 192.168.63.1
Server:   192.168.200.101
Address:  192.168.200.101#53

1.63.168.192.in-addr.arpa  name = switch-01.company.net.

Everything looks OK ...

TIA
Paolo

--- Balazs Scheidler <bazsi@balabit.hu> wrote:
On Tue, 2005-12-27 at 06:07 -0800, Paolo Supino wrote:
Hi
I'm not sure whether the message gets written or not to the file eventually (there is no specific message I was able to track) so I cannot answer your question with absolute certainty. If I had to guess then I'd say it does get written to the file eventually.

I think that the problem is in the way that syslog writes the messages to the files. From what I read, on every message that is received a single write() is done. This means that each destination gets opened and closed repeatedly (and this was confirmed by running `fuser` on each of the files). On my server there are a few destinations (the ones that belong to the firewalls) that are so busy that they are constantly open or are opened/closed at such a pace that it's impossible to track manually. Might it be that in such a scenario messages will 1st be written to a destination that is already open and messages to destinations that are closed will wait an undefined amount of time?
syslog-ng does not reopen destination files at such a pace. It basically opens a destination whenever there's a message to write and keeps the file open up to the value specified by time_reap(), which is 60 seconds by default. So busy destinations should be kept open indefinitely; destinations where incoming messages are rare are closed and reopened whenever they are needed.
Is there a way I can track what happens with a specific message in syslog-ng?
No, sorry.
My suspicion is that syslog-ng blocks for some reason on external sources, the most common cases are:
1) two processes reading /proc/kmsg
2) DNS
-- Bazsi
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
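The two blocking causes named in the thread (more than one reader of /proc/kmsg, and slow DNS) can be checked with a short script. This is an added example, not code from either poster or from syslog-ng; the function names and the 1-second threshold are assumptions, and the lookups go through the system resolver rather than querying the DNS server directly as nslookup does.

```python
import os
import socket
import time


def readers_of(target="/proc/kmsg", proc_root="/proc"):
    """Return sorted PIDs holding `target` open, found via <proc_root>/<pid>/fd links."""
    pids = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip "self", "sys", etc.
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or no permission (run as root)
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.add(int(entry))
            except OSError:              # descriptor closed while we were scanning
                continue
    return sorted(pids)


def timed_lookup(host, forward=socket.gethostbyname,
                 reverse=socket.gethostbyaddr, slow_after=1.0):
    """Resolve host -> address -> name and time each step separately."""
    t0 = time.monotonic()
    addr = forward(host)
    t1 = time.monotonic()
    name = reverse(addr)[0]
    t2 = time.monotonic()
    fwd, rev = t1 - t0, t2 - t1
    return {"address": addr, "name": name, "forward_s": fwd,
            "reverse_s": rev, "slow": max(fwd, rev) > slow_after}


if __name__ == "__main__":
    pids = readers_of()
    print("PIDs with /proc/kmsg open:", pids,
          "(more than one reader)" if len(pids) > 1 else "")
    for host in ["switch-01"]:           # host name taken from the thread
        try:
            print(host, timed_lookup(host))
        except OSError as exc:           # gaierror and herror are OSError subclasses
            print(host, "lookup failed:", exc)
```

A lookup that returns the right answer can still be slow, so the timings are worth reading even when the names and addresses match.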