I'm running syslog-ng 1.4.11 on a redhat-7.0 box. The box is a dual processor PIII 500 dell poweredge 1300, with 512MB of RAM. We're making this baby hum, but may have too much on it. My config is big so I'll include what I think are the relevant portions. Let me know if I'm missing something.

Basically syslog-ng has stopped logging at various times. I've been doing a lot of poking today, to stress test it. I'm doing a tcpdump on port 514 and I'm seeing lots of traffic. However, the logs where the information should be going aren't getting updated. My last log entry is from approximately 2:53 p.m. EST, and it's now 3:25 p.m. EST. If I stop syslog-ng and restart it will probably start logging just fine, but I can't be starting and stopping every three hours. I'm sure it's probably a misconfiguration.

netstat -an has remained the same for this span of time as follows

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp    65488      0 0.0.0.0:514             0.0.0.0:*

Notice the lot in the recv queue.

Okay now here's my config. You promise not to laugh right? :)

    options {
        sync(0);
        time_reopen(10);
        log_fifo_size(2000);
        chain_hostnames(no);
        use_dns(no);
        gc_idle_threshold(500);
        gc_busy_threshold(3500);
    };

Now I'm thinking that there is a setting that I haven't left high enough or low enough. I'm not sure if my logs are blocked because I'm trying to force too much into them or what. Basically if I start syslog-ng I usually have about 500 objects alive, and idle_garbage_collection will run almost constantly. After a long time it isn't unheard of that I have about 2000-3000 objects alive. Is it trying to garbage collect itself to death? I never really got a good indication of how I should set that up. This morning I tried increasing the log_fifo_size to 2000. Is there a setting I should check? What would cause it to block anything from getting written?

Actually it has written the information to the logs since I started this message at about 3:27, and it doesn't appear to have dropped anything. Would reducing the fifo_size speed up the commit time? What would delay the commit?

I'd appreciate any help. Thanks :)

Brian Seppanen
Charter Communications Regional Data Center
906-228-4226 ext 23
Marquette, MI
seppy@chartermi.net
> I'm doing a tcpdump on port 514 and I'm seeing lots of traffic. However, the logs where the information should be going aren't getting updated. My last log entry is from approximately 2:53 p.m. EST, and it's now 3:25 p.m. EST. If I stop syslog-ng and restart it will probably start logging just fine, but I can't be starting and stopping every three hours. I'm sure it's probably a misconfiguration.
I'd rather think it's a syslog-ng bug. Can you strace the syslog-ng process whether it reads its input file descriptor?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Thu, 29 Mar 2001, Balazs Scheidler wrote:
>> I'm doing a tcpdump on port 514 and I'm seeing lots of traffic. However, the logs where the information should be going aren't getting updated. My last log entry is from approximately 2:53 p.m. EST, and it's now 3:25 p.m. EST. If I stop syslog-ng and restart it will probably start logging just fine, but I can't be starting and stopping every three hours. I'm sure it's probably a misconfiguration.
>
> I'd rather think it's a syslog-ng bug. Can you strace the syslog-ng process whether it reads its input file descriptor?
At about 9:05 a.m. I'm getting packets via tcpdump, but no more information is logging. I started syslog-ng in the following fashion.

    strace /usr/local/sbin/syslog-ng -p /var/run/syslog-ng -f /usr/local/etc/syslog-ng.conf -d

I think all of the messages about SIGWINCH were me adjusting the window size. I was hoping to see more of the previous messages, but changing the window size didn't work and I had to use scroll up.

    time(NULL) = 985873810
    poll([{fd=11, events=0}, {fd=10, events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13, events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15, events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 15, 100) = 0
    poll([{fd=11, events=0}, {fd=10, events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13, events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15, events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4, events=POLLIN}, {fd=3, events=POLLIN, revents=POLLIN}], 15, 17000) = 1
    read(3, 0x806bfd0, 1024) = ? ERESTARTSYS (To be restarted)
    --- SIGWINCH (Window changed) ---
    read(3,

At this point the recv queue is full again for UDP:514

    udp    65520      0 0.0.0.0:514             0.0.0.0:*

Shortly after I started this message it restarted again at about 9:10 a.m. EST, and the UDP:514 recv queue was cleared. However my logging stopped at 6:15 p.m. EST last night, and did not resume, although syslog was still running apparently. I'll leave the strace running today, and hopefully I'll see something definitive.

Brian Seppanen
Charter Communications Regional Data Center
906-228-4226 ext 23
Marquette, MI
seppy@chartermi.net
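The symptom reported in this thread, a UDP:514 Recv-Q that stays near 64 KB across repeated `netstat -an` runs while no log lines are written, can be checked automatically. The following is an added example, not part of the original posts and not syslog-ng code; the 60000-byte threshold, the two-sample rule and all function names are assumptions, and the sample text is constructed from the netstat rows quoted above.

```python
from typing import List, NamedTuple, Optional, Sequence

class UdpSocket(NamedTuple):
    recv_q: int
    send_q: int
    port: int

def parse_udp_sockets(netstat_output: str) -> List[UdpSocket]:
    """Pull UDP rows out of `netstat -an` text (Proto Recv-Q Send-Q Local Foreign)."""
    sockets = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # UDP rows carry no State column, so five fields are enough.
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue
        if not (fields[1].isdigit() and fields[2].isdigit()):
            continue
        port = fields[3].rpartition(":")[2]  # also handles IPv6 forms like ":::514"
        if port.isdigit():
            sockets.append(UdpSocket(int(fields[1]), int(fields[2]), int(port)))
    return sockets

def recv_queue(netstat_output: str, port: int = 514) -> Optional[int]:
    """Largest Recv-Q among UDP sockets bound to `port`, or None if none is listed."""
    queues = [s.recv_q for s in parse_udp_sockets(netstat_output) if s.port == port]
    return max(queues) if queues else None

def reader_stalled(samples: Sequence[str], port: int = 514,
                   threshold: int = 60000, consecutive: int = 2) -> bool:
    """True when the newest `consecutive` samples all show Recv-Q >= threshold.

    One high reading can be a burst; a queue that stays full between samples
    means the daemon is not reading the socket and datagrams are being lost.
    The threshold is an assumed value just under the ~64 KB seen in the thread.
    """
    recent = [recv_queue(s, port) for s in samples][-consecutive:]
    return len(recent) == consecutive and all(
        q is not None and q >= threshold for q in recent)

# Constructed samples: the two full-queue rows use the values quoted in the posts,
# the drained row is invented for contrast.
HEADER = "Proto Recv-Q Send-Q Local Address Foreign Address State\n"
FULL_A = HEADER + "udp 65488 0 0.0.0.0:514 0.0.0.0:*\n"
FULL_B = HEADER + "udp 65520 0 0.0.0.0:514 0.0.0.0:*\n"
DRAINED = HEADER + "udp 0 0 0.0.0.0:514 0.0.0.0:*\n"

if __name__ == "__main__":
    print("stalled:", reader_stalled([DRAINED, FULL_A, FULL_B]))
```

Feed it successive captures of `netstat -an` taken a minute or so apart; a True result is a reason to alert, since everything arriving on the socket in that window is at risk of never reaching the logs.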
participants (2)
- Balazs Scheidler
- Brian E. Seppanen