Y

----- Original Message -----
From: Aldrich, Jamie S [mailto:JSAldrich@pier1.com]
Sent: Monday, January 16, 2012 04:55 PM
To: 'Syslog-ng users' and developers' mailing list' <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] tuning syslog-ng 3.3.3

I have tried unsubscribing from this mailing list several times. I went to the website, put in my email address, and hit "Unsubscribe". What am I missing?

Jamie

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, January 16, 2012 3:54 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] tuning syslog-ng 3.3.3

On Thu, 2012-01-12 at 16:04 -0500, Patrick Hemmer wrote:

Sent: Thu Jan 12 2012 15:34:26 GMT-0500 (EST)
From: Johnson, Chris (HP TippingPoint Roseville) <chris.johnson3@hp.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] tuning syslog-ng 3.3.3
I’m trying to tune syslog-ng 3.3.3.
My first attempt is to use the log_fetch_limit parameter, but I’m running into the problem of where to define it!
The Admin guide says I can put it in the global options{}, but that generates an error saying it has been taken out of the global area and needs to be specified by the source, and I can’t seem to find the correct source syntax.
My config (pared down):
@version: 3.3
@include "scl.conf"
options {
    # log_fetch_limit(100);
};
source s_local {
    system();
    internal();
};
#############################################################################
# Service all
filter f_all_pgm_01{program("*" type("glob"));};
filter f_all_lvl_01.01{level(info..emerg)};
destination d_all_01{file("/var/log/system.log" suppress(30));};
log {
    source(s_local);
    filter(f_all_pgm_01);
    filter(f_all_lvl_01.01);
    destination(d_all_01);
};
I’ve tried putting it in:
source s_local{ system( log_fetch_limit(100); ); ...};
source s_local{ system(); ... log_fetch_limit(100); };
log{ source(s_local log_fetch_limit(100);); ... };
Each generates a ‘syslog-ng[1567]: Error parsing configuration;’ error.
Any ideas on **where** I should put it?
Thanks,
Chris
----------------------------------------
Christopher Johnson
chris.johnson3@hp.com <mailto:chris.johnson3@hp.com>
HP Software - Security Product Group
(916) 785-2817
----------------------------------------
You're running into issues because you're using system() in your source driver. System() is special as it's really multiple different sources combined into 1, so not all of the sources included by system() would support the same options. You can find the documentation on what system() really is on your platform at http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guide.... You can then replace system() with the sources really used, and add log_fetch_limit() to them.
For example, if you're using Linux:

source s_local {
    unix-dgram("/dev/log" log_fetch_limit(100));
    file("/proc/kmsg" log_fetch_limit(100) program-override("kernel") flags(kernel));
    internal();
};
As described, system() is basically like a macro, it expands to the proper set of source drivers that make the local logs available in syslog-ng. Since it was not expected by the macro author (me :) that additional parameters would be needed, the macro doesn't support that, even though it could.

Also, it probably doesn't make sense to tune the local log transport, usually it's not that interface that is resource hungry, although YMMV.

--
Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
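
The macro substitution described in the replies above, as an added example that is not part of the original thread: a small Python helper that rewrites system(); into the explicit Linux drivers quoted in Patrick's reply and attaches log_fetch_limit() to each one. The function name, the sample input and the comment handling are constructed for illustration, and the driver list assumes the Linux expansion from the thread; other platforms expand differently.

```python
import re

# Linux expansion of system(), taken from Patrick Hemmer's reply in this thread.
# Each entry is (driver, first argument, extra options). Assumption: Linux only.
LINUX_SYSTEM_DRIVERS = [
    ("unix-dgram", '"/dev/log"', ""),
    ("file", '"/proc/kmsg"', 'program-override("kernel") flags(kernel)'),
]

# system() with optional whitespace, including its terminating semicolon.
SYSTEM_CALL = re.compile(r"\bsystem\s*\(\s*\)\s*;")

# Constructed sample input, modelled on the source block in the question.
SAMPLE = """source s_local {
    system();   # local logs
    internal();
};
# system(); in a comment stays as it is
"""


def expand_system(config: str, fetch_limit: int) -> str:
    """Replace every system(); outside comments with explicit source drivers,
    each carrying log_fetch_limit(fetch_limit)."""
    if fetch_limit <= 0:
        raise ValueError("log_fetch_limit must be a positive integer")
    drivers = " ".join(
        f"{name}({arg} log_fetch_limit({fetch_limit})"
        + (f" {extra}" if extra else "")
        + ");"
        for name, arg, extra in LINUX_SYSTEM_DRIVERS
    )
    out = []
    for line in config.splitlines():
        # Treat everything from '#' to end of line as a comment and leave it
        # untouched (simplification: a '#' inside a quoted string is not handled).
        code, marker, comment = line.partition("#")
        out.append(SYSTEM_CALL.sub(drivers, code) + marker + comment)
    return "\n".join(out)


if __name__ == "__main__":
    print(expand_system(SAMPLE, 100))
```

The rewritten config can then be checked with syslog-ng's own parser before it is deployed.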