Balazs Scheidler wrote:
On Mon, Apr 07, 2003 at 04:02:04PM -0700, Bill Graham wrote:
I have syslog-ng-1.6.0rc1 compiled on Solaris 9 and I intend to use the system as a central log server, and I need to log every message that makes it to the system. I am testing it out with Kiwi Syslog Message generator with bursts of 100 messages every 10 seconds. Syslog-ng is only logging about 20-25% of the messages. I have verified that the messages are getting to the system. Is there some additional tuning that I have to do to get this to work? Here is a copy of my syslog-ng:

options {
    use_fqdn(yes);
    keep_hostname(yes);
    use_dns(no);
    long_hostnames(off);
    sync(0);
    gc_idle_threshold(5000);
    gc_busy_threshold(1000);
    log_fifo_size(10240);
};

source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
source network { udp(); };

destination all { file("/var/log/messages"); };

log { source(local); destination(all); };
log { source(network); destination(all); };

UDP messages might be dropped at several places:

* at the sender side (please check that messages are indeed sent to the network)
* on the network itself (this is not common, only when the link is saturated)
* on the receiver side if the receiving program does not issue recv() requests fast enough.

You can use netstat to check buffer space and/or truss to check whether syslog-ng really receives messages. You have to identify the point where you are losing messages because syslog-ng is probably not the culprit.

Ok, I have checked to see if all of the messages are being sent over the network from the source. I have also checked the receiving end to see if all of the connections are getting to this system. I used the snoop command to find this out. When I sent a burst of 100 messages I saw 100 connections from the source system. When I did a truss of the syslog-ng process I only saw around 75 recvfrom()'s. It looks like the third option is what is happening. Is there a way to speed up the issuing of recv()'s?

Bill
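
Added example, not part of the original thread: one way to see which messages of a burst are lost, rather than only how many, is to number each datagram and audit the destination file afterwards. The `seqtest` tag, the run id, the function names and the sample log lines are assumptions made for this sketch.

```python
import re
import socket

SEQ_RE = re.compile(r"seqtest: run=(\S+) seq=(\d+)")

def make_burst(run_id, count, pri=14):
    """Build `count` BSD-syslog datagrams (PRI 14 = user.info), each numbered."""
    return [f"<{pri}>seqtest: run={run_id} seq={i}".encode() for i in range(count)]

def send_burst(host, datagrams, port=514):
    """Send the burst over UDP to the log server's udp() source."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, (host, port))

def audit(log_lines, run_id, count):
    """Return (missing, duplicated) sequence numbers of one run in the log."""
    seen = {}
    for line in log_lines:
        m = SEQ_RE.search(line)
        if m and m.group(1) == run_id:
            n = int(m.group(2))
            seen[n] = seen.get(n, 0) + 1
    missing = [i for i in range(count) if i not in seen]
    return missing, sorted(n for n, c in seen.items() if c > 1)

def gaps(missing):
    """Collapse sorted missing numbers into (first, last) ranges."""
    ranges = []
    for n in missing:
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges

# Constructed sample: what the destination file might hold after a 10-message
# burst in which datagrams 4-6 and 9 never reached syslog-ng.
SAMPLE_LOG = [f"Apr  7 16:02:04 sender seqtest: run=demo seq={i}"
              for i in (0, 1, 2, 3, 7, 8)]

if __name__ == "__main__":
    missing, dupes = audit(SAMPLE_LOG, "demo", 10)
    print("missing ranges:", gaps(missing), "duplicates:", dupes)
```

Run `send_burst()` from the sending host, then feed the lines of /var/log/messages to `audit()` and compare the gaps with the snoop and truss counts.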