RE: [syslog-ng]newbie Solaris question
Drew, et al -

Thanks for writing back and for the sync() parameter suggestion. I tried setting sync(0) and that does indeed work for low-volume situations. However, the penalty for doing it this way seems to be exacted during high-volume situations, e.g. several hundred messages per second. I have a rather simple test program that I run while looking at my output file:

    #include <stdlib.h>   /* atoi() */
    #include <syslog.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        if (argc == 2) {
            int i, loop = 0;
            loop = atoi(argv[1]);
            if (loop != 0) {
                /* tag every message with the PID and send it to LOCAL5 */
                openlog("EER-TEST: ", LOG_PID, LOG_LOCAL5);
                for (i = 1; i <= loop; i++) {
                    syslog(LOG_INFO, "testing, 1, 2, 3 ... %d", i);
                }
            }
        }
        return 0;
    }

This attempts to simulate an nmap scan or DoS-type attack against my firewall; I am hoping to lose as few log messages as possible in these scenarios. With the stock Solaris syslog (brain-dead as it may be), I am able to run this program with arguments of 1000 or 2000 and not lose any messages. After setting sync(0) so that I wouldn't lose any messages in low-volume situations, I ran the same tests and, although syslog-ng kept up with a burst of 100 or 200 messages, 1000 turned out to be way too much; over 300 messages were lost. I'm hoping to find the sweet spot for tuning syslog-ng, since it obviously has many superior features to the standard syslog daemon that ships with Solaris, but I'm running into some roadblocks.

TIA.

--------------------

What do you mean you can't get it to output every message it receives? I have used syslog-ng on Solaris for 2 years with very few problems and I log over 1000 devices. Do you know if it is receiving messages? You're not running syslogd as well, are you? In low volumes the defaults for garbage collection should be sufficient. How many hosts are you logging? Try setting sync(0).

Regards,
Drew

-----Original Message-----
From: T. Esting [mailto:T_Esting@excite.com]
Tuesday, June 12, 2001 6:16 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]newbie Solaris question

I've been trying to get both 1.4.11 and 1.5.7 to run on my Solaris system, and have met with limited success. Compiling and installing were fairly easy, as was creating a configuration file. I understand from the docs that the mark() feature still doesn't work, and from the mailing list that sync_freq() should actually be sync(). I am having trouble, however, with flushing output in low-volume scenarios. Here is the configuration file I am using:

    options {
        use_dns(no);
        log_fifo_size(XXX);
        gc_idle_threshold(YYY);
        gc_busy_threshold(ZZZ);
        use_time_recvd(yes);
    };
    source sun {
        sun-streams("/dev/log" door("/etc/.syslog_door"));
        internal();
    };
    destination testout {
        file("/var/adm/testout.txt" sync(WWW));
    };
    log {
        source(sun);
        destination(testout);
    };

I've tried various values for WWW, XXX, YYY, and ZZZ, even setting WWW to 1. I have not been able to influence syslog-ng to write out every message it receives. Does anyone have any pointers on what I might want to try next to get syslog-ng to more reliably receive and log messages on Solaris? Thanks.
On Sat, Jun 23, 2001 at 08:38:21AM -0700, T. Esting wrote:
Try increasing log_fifo_size().

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
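To tell whether a tuning change such as the log_fifo_size() increase suggested above actually reduces loss, it helps to count which sequence numbers from the test program's "testing, 1, 2, 3 ... N" messages reached the file destination, rather than eyeballing the output file. The gap counter below is an added example, not code from the thread; the sample log lines, host name and PID in it are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count how many of the sequence numbers 1..expected never appear in
 * logtext. Each line written by the thread's test program carries the
 * payload "testing, 1, 2, 3 ... N", so the integer right after that
 * needle is N. Returns the number of missing values, or -1 on bad input. */
int count_missing(const char *logtext, int expected)
{
    static const char needle[] = "testing, 1, 2, 3 ... ";
    if (logtext == NULL || expected <= 0 || expected > 10000000)
        return -1;
    unsigned char *seen = calloc((size_t)expected + 1, 1);
    if (seen == NULL)
        return -1;
    const char *p = logtext;
    while ((p = strstr(p, needle)) != NULL) {
        char *end;
        p += sizeof(needle) - 1;            /* skip to the number */
        long n = strtol(p, &end, 10);
        if (end != p && n >= 1 && n <= expected)
            seen[n] = 1;                    /* out-of-range values ignored */
        p = end;
    }
    int missing = 0;
    for (int i = 1; i <= expected; i++)
        if (!seen[i])
            missing++;
    free(seen);
    return missing;
}

/* Constructed sample (not real syslog-ng output): a burst of 6 test
 * messages of which numbers 3 and 5 were dropped on the way to the file. */
static const char SAMPLE[] =
    "Jun 23 08:40:01 fw EER-TEST: [1234]: testing, 1, 2, 3 ... 1\n"
    "Jun 23 08:40:01 fw EER-TEST: [1234]: testing, 1, 2, 3 ... 2\n"
    "Jun 23 08:40:01 fw EER-TEST: [1234]: testing, 1, 2, 3 ... 4\n"
    "Jun 23 08:40:01 fw EER-TEST: [1234]: testing, 1, 2, 3 ... 6\n";

int sample_missing(void) { return count_missing(SAMPLE, 6); }

int main(void)
{
    printf("constructed sample: %d of 6 messages missing\n", sample_missing());
    return 0;
}
```

In practice the whole output file is read into a buffer and passed to count_missing() with the same count that was given to the test program; running it before and after each change to log_fifo_size() or sync() gives a number to compare instead of an impression.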
Participants (2): Balazs Scheidler, T. Esting