For a while now I have been using a configuration that includes 3 sources (remote udp, remote tcp, internal) and 3 destinations (remote archive, local, loopback for an analyzer). Today I tried to move this setup, which works on all levels, to another machine. This new machine has an EXTREMELY large udp traffic base: about 7.5 GB of syslog per day. The setup of the new machine is exactly the same; the only variable is this large traffic volume. Now, to the problem.

I am receiving all the syslog on the remote destination archive across normal syslog export mechanisms. However, the two log destinations under it are not receiving the "copies" of the logs. I was wondering if anyone else uses syslog-ng to log large PIX firewall syslog traffic and has seen anything similar. My theory is that syslog-ng is just not keeping up with the speed at which it's receiving data.

Here is a copy of the conf file with only the private info adjusted.

options {
        long_hostnames(off);
        chain_hostnames(yes);
        log_fifo_size(0);
        stats(5);
        sync(1);
        time_reopen(5);
        time_reap(20);
        use_dns(no);
        use_fqdn(yes);
        use_time_recvd(no);
};

## Normal syslog domain socket
source devlog { unix-dgram("/dev/log"); };
source r_tcp { tcp(ip(0.0.0.0) port(514) max-connections(200)); };
source r_udp { udp(ip(0.0.0.0) port(514)); };

## This stuff goes straight to the syslog server
destination xxxx { tcp('X.X.X.X' port(514)); };
destination r_all { file("/var1/syslog/$HOST-$MONTH-$DAY"); };
destination AAAAAAA { file("/var1/AAAAAAA/$FACILITY" create_dirs(yes) ); };
destination analyzer { tcp('localhost' port(10000)); };
################################################################
filter fil_local7 { facility(local7); };
filter fil_local4 { facility(local4); };

## syslog-ng messages like STATS, etc
## This also tells us when it can't find a source (i.e. Hermes)
source int { internal(); };

log {
    source(int);
    source(devlog);
    source(r_tcp);
    source(r_udp);

    destination(xxxx);      ## <<< WORKS
    destination(analyzer);  ## <<< DOESN'T WORK
};

log {
    source(r_udp);
    destination(AAAAAAA);   ## <<< DOESN'T WORK
};

log {
    source(int);
    source(devlog);
    destination(r_all);     ## <<< WORKS
    flags(final); ## Stop processing rules
};


WillyBeamenHere
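The first thing to establish with a setup like the one above is whether the datagrams are being lost before syslog-ng ever reads them (kernel socket receive buffer full) or after (inside the daemon's output queues). The script below is an added example and is not code from the original post or from syslog-ng. It assumes Linux, the /proc/net/snmp and /proc/net/udp layouts described in proc(5), and a receiver bound to UDP/514 like the posted r_udp source; the sample text it ships with is constructed, not captured from the poster's machine.

```python
"""Check whether a high-volume UDP syslog receiver is dropping datagrams at
the kernel socket layer before the daemon ever sees them.

Added example; not code from the original post or from syslog-ng.
Assumptions (mine, not the poster's): Linux, the /proc/net/snmp and
/proc/net/udp layouts described in proc(5), and a receiver bound to UDP/514
like the posted r_udp source. The sample text below is constructed.
"""
import sys
import time

SYSLOG_UDP_PORT = 514


def parse_udp_counters(snmp_text):
    """Return the 'Udp:' counters of /proc/net/snmp as a dict.

    The file carries two 'Udp:' lines: one naming the counters, one with
    the values. RcvbufErrors counts datagrams the kernel discarded because
    the socket receive buffer was full, i.e. the daemon did not drain the
    socket fast enough; those messages never reach any syslog-ng queue.
    """
    udp_lines = [l for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(udp_lines) < 2:
        raise ValueError("no Udp: counter lines found")
    names = udp_lines[0].split()[1:]
    values = [int(v) for v in udp_lines[1].split()[1:]]
    return dict(zip(names, values))


def udp_sockets_on_port(proc_net_udp_text, port=SYSLOG_UDP_PORT):
    """Return the sockets bound to `port` from /proc/net/udp.

    local_address is HEXIP:HEXPORT, tx_queue:rx_queue are hex byte counts,
    and the trailing 'drops' column (present on kernels that report it) is
    a per-socket count of receive-buffer discards.
    """
    found = []
    for line in proc_net_udp_text.splitlines():
        cols = line.split()
        # Data rows start with a slot number like '514:'; skip the header.
        if len(cols) < 12 or not cols[0].endswith(":"):
            continue
        local = cols[1]
        if int(local.split(":")[1], 16) != port:
            continue
        rx_queue = int(cols[4].split(":")[1], 16)
        drops = int(cols[12]) if len(cols) > 12 else None
        found.append({"local": local, "rx_queue_bytes": rx_queue, "drops": drops})
    return found


def diagnose(before, after, daemon_still_loses_messages=True):
    """Compare two /proc/net/snmp snapshots taken a few seconds apart.

    Rising RcvbufErrors means the loss is in the kernel socket buffer; if
    that counter is flat but destinations still miss messages, the loss is
    inside the daemon (output queue or a destination that blocks).
    """
    delta = {k: after.get(k, 0) - before.get(k, 0)
             for k in ("InDatagrams", "InErrors", "RcvbufErrors")}
    if delta["RcvbufErrors"] > 0:
        where = "kernel socket receive buffer"
    elif daemon_still_loses_messages:
        where = "inside the daemon (output queue / blocking destination)"
    else:
        where = "no loss observed"
    return {"delta": delta, "where": where}


# Constructed sample data (not captured from the poster's machine).
SNMP_BEFORE = """Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 2205983
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1839201 12 4410 50213 4410 0
"""
SNMP_AFTER = """Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 2305983
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1933812 12 9823 50401 9823 0
"""
PROC_NET_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  514: 00000000:0202 00000000:0000 07 00000000:0001F400 00:00000000 00000000     0        0 12345 2 ffff880037a8c0c0 5413
  616: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0  9876 2 ffff880037a8c3c0 0
"""


def demo():
    """Run the checks on the constructed sample and return the verdict."""
    verdict = diagnose(parse_udp_counters(SNMP_BEFORE),
                       parse_udp_counters(SNMP_AFTER))
    verdict["sockets"] = udp_sockets_on_port(PROC_NET_UDP)
    return verdict


def live_snapshot():
    """Read the real kernel counters (Linux only)."""
    with open("/proc/net/snmp") as f:
        return parse_udp_counters(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        first = live_snapshot()
        time.sleep(5)          # let the stats(5) interval pass once
        print(diagnose(first, live_snapshot()))
        with open("/proc/net/udp") as f:
            print(udp_sockets_on_port(f.read()))
    else:
        print(demo())
```

Run it with --live on the receiver while the PIX traffic is flowing. If RcvbufErrors climbs between the two snapshots, the messages are gone before syslog-ng reads them, and the first things to raise are the kernel's net.core.rmem_max and net.core.rmem_default together with the socket's own receive buffer (the udp() source in syslog-ng 2.x and later takes a so_rcvbuf() option; check that your version has it). If the counter stays flat while the copies still go missing, the loss is after the socket, and the posted global log_fifo_size(0) and sync(1) are the settings to look at next, alongside the STATS lines that stats(5) emits on the internal() source.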