syslog-ng doesn't handle builtin syslog messages correctly
Hello together,

I'm running a central syslog-ng server and about two dozen clients sending their logs to this server (all redhat). But on some clients syslog-ng doesn't catch the builtin syslog messages.

syslog-version: 1.6.0rc4 on all hosts

the conf file on my clients:
---
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (yes);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};
source src_sys {
    pipe ("/proc/kmsg");
    unix-stream ("/dev/log");
    internal ();
};
destination dst_central { tcp('xxx.xxx.xxx.xxx'); };
destination dst_local { file ("/var/log/all"); };
log {
    source(src_sys);
    destination(dst_central);
    destination(dst_local);
};
---

When I execute 'logger test' the message only reaches the local /var/log/all, but not the server. When I execute 'logger -u /dev/log test' the message reaches both destinations.

I tried unix-dgram instead of unix-stream, but same problem.
I tried udp as transport protocol, but also same problem.
I tried some older versions of syslog-ng, but also same problem.

Where is my mistake?

With kind regards,
Joerg Michels
Hey all,

We log 20ish hosts to a central log server (many are through stunnel) and recently I started getting dropped messages. I see anywhere from 1-10 dropped per STATS line. This probably has something to do with us installing iplog on some machines and increasing the traffic (only timely coincidence I can think of) I'm wondering what, if anything, can be done to help the situation.

I've read that you can increase the log_fifo_size to help with this problem, but I'm not sure what the default value is or what I should set it to. Is there a guideline for what to set this for X number of machines, or for a certain amount of traffic?

Thanks!
-- Josh
On Wed, 2003-12-10 at 17:54, Josh Endries wrote:
Hey all,
We log 20ish hosts to a central log server (many are through stunnel) and recently I started getting dropped messages. I see anywhere from 1-10 dropped per STATS line. This probably has something to do with us installing iplog on some machines and increasing the traffic (only timely coincidence I can think of) I'm wondering what, if anything, can be done to help the situation.
I've read that you can increase the log_fifo_size to help with this problem, but I'm not sure what the default value is or what I should set it to. Is there a guideline for what to set this for X number of machines, or for a certain amount of traffic?
log_fifo_size specifies the number of log lines a given destination can temporarily hold before starting to drop messages. The default value is 100 and you could increase this number at will. Please note however that syslog-ng will not enforce flow control, that is, it will not limit incoming message rate if it is not able to send messages at the same speed. If you only have a couple of bursts but the overall message rate stays below the processing limits of your central server then log_fifo_size will help. Otherwise you will have to increase server/network capacities.
-- Bazsi
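The difference between bursts and sustained overload described in the reply above, as an added simulation that is not part of the original thread and is not syslog-ng code: a bounded queue with no flow control, run at the default log_fifo_size of 100 and at 1000. The traffic figures, the drain rate and the `simulate` model are constructed assumptions for illustration.

```python
def simulate(arrivals, drain_per_tick, fifo_size):
    """Model one destination queue: bounded, no back-pressure on senders.

    arrivals is a list of message counts per tick. Messages that arrive
    while the queue is full are dropped. Returns (delivered, dropped).
    """
    depth = delivered = dropped = 0
    for count in arrivals:
        accepted = min(count, fifo_size - depth)   # room left in the FIFO
        dropped += count - accepted                # overflow is discarded
        depth += accepted
        sent = min(drain_per_tick, depth)          # what the link can carry
        depth -= sent
        delivered += sent
    return delivered + depth, dropped              # flush remainder at end


# Constructed traffic: the destination can forward 50 messages per tick.
DRAIN = 50
BURST = [20] * 5 + [400] + [20] * 20     # one spike, average below DRAIN
SUSTAINED = [80] * 100                   # permanently above DRAIN


def compare():
    """Run both traffic shapes against both queue sizes."""
    results = {}
    for name, traffic in (("burst", BURST), ("sustained", SUSTAINED)):
        for size in (100, 1000):
            results[(name, size)] = simulate(traffic, DRAIN, size)
    return results


if __name__ == "__main__":
    for (name, size), (delivered, dropped) in compare().items():
        print(f"{name:9s} fifo={size:4d} delivered={delivered} dropped={dropped}")
```

With the spike, the larger queue removes the drops entirely; under sustained overload it only postpones them until the queue fills.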
On Wed, 2003-12-10 at 15:10, Joerg Michels wrote:
Hello together,
I'm running a central syslog-ng server and about two dozen clients sending their logs to this server (all redhat). But on some clients syslog-ng doesn't catch the builtin syslog messages.
syslog-version: 1.6.0rc4 on all hosts
When I execute 'logger test' the message only reaches the local /var/log/all, but not the server. When I execute 'logger -u /dev/log test' the message reaches both destinations.
The two different commands you entered should be the same. Try strace-ing the logger command to find out what the difference is. -- Bazsi
On Thu, 11 Dec 2003 10:26:26 +0100 Balazs Scheidler <bazsi@balabit.hu> wrote:
On Wed, 2003-12-10 at 15:10, Joerg Michels wrote:
Hello together,
I'm running a central syslog-ng server and about two dozen clients sending their logs to this server (all redhat). But on some clients syslog-ng doesn't catch the builtin syslog messages.
syslog-version: 1.6.0rc4 on all hosts
When I execute 'logger test' the message only reaches the local /var/log/all, but not the server. When I execute 'logger -u /dev/log test' the message reaches both destinations.
The two different commands you entered should be the same. Try strace-ing the logger command to find out what the difference is.
-- Bazsi
already did so, but found no real difference.

the failing:

socket(PF_UNIX, SOCK_DGRAM, 0) = 1
fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
connect(1, {sin_family=AF_UNIX, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(1) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 1
fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
connect(1, {sin_family=AF_UNIX, path="/dev/log"}, 16) = 0
send(1, "<13>Dez 11 10:19:32 root: agent\0", 32, 0) = 32
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
close(1) = 0

the working:

socket(PF_UNIX, SOCK_STREAM, 0) = 3
connect(3, {sin_family=AF_UNIX, path="/dev/log"}, 110) = 0
...
write(3, "<5>Dec 11 10:27:21 root: agent\0", 31) = 31
close(3) = 0

There's the difference in the use of write other than send. hmmm

The next thing I tested is a simple C program to send a syslog message, and this one works correctly. The strace was nearly the same as the strace from the failing logger command (internally the send command was used).

#include <syslog.h>

int main ()
{
    /* LOG_NDELAY: open the connection to the logger immediately */
    openlog ( "systest", LOG_NDELAY, LOG_LOCAL0);
    /* one debug-level message with the same text as the logger tests */
    syslog ( LOG_DEBUG, "%s", "agent");
    closelog ();
    return 0;
}

The strange thing is that the message always reaches syslog-ng, because syslog-ng writes it to the local log file but doesn't forward it to the remote host.

The problem also occurs with other programs than logger. For example I use the perl module Unix::Syslog. Messages sent by this module don't reach the remote host either, but always the local log file.

Joerg
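The two payloads in the strace output above can be decoded field by field. This added example, which is not part of the original thread, splits each frame's PRI into facility and severity (PRI = facility * 8 + severity) and checks the month token against the English abbreviations RFC 3164 specifies. The function names are illustrative; the two byte strings are copied from the strace.

```python
import re

# RFC 3164 timestamps use English month abbreviations.
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 16: "local0"}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
HEADER = re.compile(rb"<(\d{1,3})>(\S{3}) ([ \d]\d) (\d\d:\d\d:\d\d) (.*)",
                    re.DOTALL)

# The two payloads exactly as they appear in the strace output above.
FAILING = b"<13>Dez 11 10:19:32 root: agent\0"
WORKING = b"<5>Dec 11 10:27:21 root: agent\0"


def parse_frame(data):
    """Split one /dev/log frame into its BSD-syslog header fields."""
    match = HEADER.fullmatch(data.rstrip(b"\0"))
    if match is None:
        raise ValueError("no <PRI>Mmm dd hh:mm:ss header found")
    pri = int(match.group(1))
    month = match.group(2).decode("ascii", "replace")
    return {
        "pri": pri,
        "facility": FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "month": month,
        "month_is_rfc3164": month in MONTHS,
        "nul_terminated": data.endswith(b"\0"),
        "message": match.group(5).decode("ascii", "replace"),
    }


def differing_fields(a, b):
    """Names of the parsed fields whose values differ between two frames."""
    first, second = parse_frame(a), parse_frame(b)
    return [key for key in first if first[key] != second[key]]


if __name__ == "__main__":
    for label, frame in (("failing", FAILING), ("working", WORKING)):
        print(label, parse_frame(frame))
    print("differs in:", differing_fields(FAILING, WORKING))
```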
participants (3)
- Balazs Scheidler
- Joerg Michels
- Josh Endries