On Thu, 29 Mar 2001, Balazs Scheidler wrote:
I'm doing a tcpdump on port 514 and I'm seeing lots of traffic. However, the logs where the information should be going isn't getting updated. My last log entry is from approximatet 2:53 p.m. EST, and it's now 3:25 p.m. EST. If I stop syslog-ng and restart it will probably start logging just fine, but I can't be starting and stopping every three hours. I'm sure it's probably a misconfiguration.
I'd rather think it's a syslog-ng bug. Can you strace the syslog-ng process whether it reads its input file descriptor?
At about 9:05 a.m I'm getting packets via tcpdump, but no more information is logging. I started syslog-ng in the following fashion. strace /usr/local/sbin/syslog-ng -p /var/run/syslog-ng -f /usr/local/etc/syslog-ng.conf -d I think all of the messages about SIGWINCH, we're me adjusting the window size. I was hoping to see more of the previous messages, but changing the window size didn't work and I had to use scroll up. time(NULL) = 985873810 poll([{fd=11, events=0}, {fd=10, events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13, events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15, events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 15, 100) = 0 poll([{fd=11, events=0}, {fd=10, events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13, events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15, events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4, events=POLLIN}, {fd=3, events=POLLIN, revents=POLLIN}], 15, 17000) = 1 read(3, 0x806bfd0, 1024) = ? ERESTARTSYS (To be restarted) --- SIGWINCH (Window changed) --- read(3, At this point the recv queue is full again for UDP:514 udp 65520 0 0.0.0.0:514 0.0.0.0:* Shortly after I started this message it restarted again at about 9:10 a.m. EST, and the UDP:514 recv queue was cleared. However my logging stopped at 6:15 p.m. EST last night, and did not resume, although syslog was still running apparently. I'll leave the strace running today, and hopefully I'll see something definitive. Brian Seppanen Charter Communications Regional Data Center 906-228-4226 ext 23 Marquette, MI seppy@chartermi.net