On Fri, 2005-10-21 at 08:01 -0700, Nate Campi wrote:
On Fri, Oct 21, 2005 at 06:54:04AM -0700, Scott C wrote:
But what's really most peculiar in this scenario is the fact that the numbers simply don't add up. Why does syslog-ng appear (on the surface) to be dropping a very large percentage of the messages that it receives? I realize that it's not, but the numbers tell a different story. And how could it possibly drop so many messages when the FIFO queue is configured to buffer three million lines? How preposterous!
So you think you really have all the logs but you see STATS messages reporting dropped messages? How would you know if you really have them all? It's possible that under heavy load you have some program or pipe destination (or maybe even file if you have slow disks) that just can't keep up. That's not syslog-ng's fault, it just lets you know that the buffer filled up.
One minor note: files are _not_ flow-controlled. If a file destination cannot keep up, then the incoming side of syslog-ng (e.g. UDP receive buffers) will drop messages. It might be possible that syslog-ng can write all incoming messages to a file for instance, but fail to do so for a pipe or tcp destination. The reason is that pipe and tcp are flow controlled, they will not sink all messages that syslog-ng would send to them. -- Bazsi