Bazsi & Matt,

Thanks for your help. After strace-ing I found that the culprit was DNS. DNS lookups were blocking the daemon. Adding use_dns(no) to the global config fixed the problem. Messages are now being written to disk in real time and I am losing nothing!

Now, if I want my 'pretty' directory structure and filenames do I add my remote machines to /etc/hosts or do I make my syslog-ng machine a caching name server? Will these block?

Brian Leveille
-------------------
Senior Internetworking Engineer
DefendNet Solutions, Inc.
www.defendnet.com

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Thursday, November 09, 2000 3:42 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Real time .conf?

Hi,
Thanks. Somehow though, I don't think that worked. Here is my config file.
# this file shows more or less all the features of syslog-ng
options { sync(0); create_dirs(yes); };

# local messages from the syslog socket, plus syslog-ng's own internal messages
source int { unix-stream("/dev/log"); internal(); };
# messages from the remote boxes: plain UDP syslog on port 514
source src { udp(port(514)); };

# one file per remote host and day; note that perm(0777)/dir_perm(0777) make the
# directories and files world-writable, so any local user can alter or truncate them
destination everything {
    file("/NetscreenLogs/$HOST/$HOST.$MONTH-$DAY-$YEAR.log"
         owner(NetscreenLogs) group(NetscreenLogs)
         perm(0777) dir_perm(0777));
};
destination internallogs { file("/var/log/messages"); };

log { source(src); destination(everything); };
# the filter DEFAULT is referenced here but defined nowhere in this file (it needs a
# "filter DEFAULT { ... };" statement), and this log statement names no source at all;
# the "int" source above is never used by any log statement
log { filter(DEFAULT); destination(internallogs); };
All I am trying to do is have my remote boxes send their syslog messages to my server, and have the server create some semblance of a directory structure. Simple.
But, when I watch packets with tcpdump, it seems there are A LOT more udp port 514 packets than there are log records. My tcpdump sessions shows hundreds of udp port 514 packets while my tail -f of my log RARELY updates.
Am I losing data?!?!?!?
I don't think so. Can you strace syslog-ng to see if it does receive those messages?

strace -s 256 -p <pidofsyslog-ng>

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Thanks for your help. After strace-ing I found that the culprit was DNS. DNS lookups were blocking the daemon.
Adding use_dns(no) to the global config fixed the problem. Messages are now being written to disk in real time and I am losing nothing!
Now, if I want my 'pretty' directory structure and filenames do I add my remote machines to /etc/hosts or do I make my syslog-ng machine a caching name server? Will these block?
A caching nameserver should help, though syslog-ng can still block for a while on DNS queries. You could filter out hosts that might not be resolvable with ipchains or ipfwadm (or the packet filter your OS has).

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
Balazs Scheidler on Thu 9/11 18:10 +0100:
Thanks for your help. After strace-ing I found that the culprit was DNS. DNS lookups were blocking the daemon.
Adding use_dns(no) to the global config fixed the problem. Messages are now being written to disk in real time and I am losing nothing!
Now, if I want my 'pretty' directory structure and filenames do I add my remote machines to /etc/hosts or do I make my syslog-ng machine a caching name server? Will these block?
A caching nameserver should help, though syslog-ng can still block for a while on DNS queries. You could filter out hosts that might not be resolvable with ipchains or ipfwadm (or the packet filter your OS has).
It might be a good idea to port syslog-ng to the adns resolver library, which is non-blocking, like most of the rest of syslog-ng. Just something to think about.
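The thread settles on three points: per-message reverse DNS in the receive path stalls the daemon and loses UDP datagrams, a hosts file or a cache answers the "pretty filename" question without a network round trip, and (Scott's point) any remaining resolution should not block. The following Python sketch is an added example, not code from the thread or from syslog-ng itself: a receiver-side resolver that consults a static table first (the /etc/hosts role), then a TTL cache that also remembers misses, and only then a reverse lookup, which is skipped entirely when allow_dns is False (the use_dns(no) case). It also reduces the resolved name to one path component before it becomes part of the /NetscreenLogs/$HOST/... path, because a PTR record or a message's hostname field is controlled by whoever owns the sender. STATIC_HOSTS, the addresses and the datagrams are constructed sample data, and the injectable lookup and clock exist so the block runs offline. Current syslog-ng releases expose the same ordering directly through use_dns(persist_only) (hosts file only) and dns_cache(yes); that option set did not exist at the time of this thread.

```python
import re
import socket
import time
from datetime import datetime

# Constructed stand-in for /etc/hosts entries (sample data, not real hosts).
STATIC_HOSTS = {
    "192.0.2.10": "fw-east",
    "192.0.2.11": "fw-west",
}

# Constructed timestamp used by the demo and the checks below.
SAMPLE_WHEN = datetime(2000, 11, 9, 3, 42)

# Anything outside this set is replaced before a host name becomes a path component.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def _ptr_lookup(ip):
    """Blocking reverse lookup; this is the call that stalled the daemon in the thread."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return None


class HostResolver:
    """Map a sender IP to a name without re-resolving on every datagram.

    Lookup order: static table (the /etc/hosts role), then an in-memory cache
    with a TTL, then either a reverse DNS query (allow_dns=True) or just the raw
    IP (allow_dns=False, the equivalent of use_dns(no)). Misses are cached too,
    so an unresolvable sender costs one query per TTL instead of one per message.
    """

    def __init__(self, static_hosts, allow_dns=False, ttl=600,
                 lookup=_ptr_lookup, clock=time.monotonic):
        self.static = dict(static_hosts)
        self.allow_dns = allow_dns
        self.ttl = ttl
        self.lookup = lookup      # injectable so the example runs offline
        self.clock = clock        # injectable so expiry can be driven in a test
        self.cache = {}           # ip -> (name, expires_at)
        self.queries = 0          # number of real lookups attempted

    def resolve(self, ip):
        if ip in self.static:
            return self.static[ip]
        now = self.clock()
        entry = self.cache.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]
        name = ip
        if self.allow_dns:
            self.queries += 1
            name = self.lookup(ip) or ip      # a miss falls back to the address
        self.cache[ip] = (name, now + self.ttl)
        return name


def safe_host(name):
    """Reduce a resolved name to a single path component.

    Slashes, spaces and control characters are replaced and leading/trailing
    dots stripped, so a hostile PTR record cannot steer the file outside the
    per-host directory.
    """
    cleaned = UNSAFE_CHARS.sub("_", name).strip(".")
    return cleaned or "unknown"


def log_path(host, when, root="/NetscreenLogs"):
    """Render $root/$HOST/$HOST.$MONTH-$DAY-$YEAR.log as the thread's config does."""
    label = safe_host(host)
    return f"{root}/{label}/{label}.{when:%m-%d-%Y}.log"


def handle_datagram(resolver, sender_ip, payload, when):
    """Return (path, line) for one UDP syslog datagram received from sender_ip."""
    host = resolver.resolve(sender_ip)
    line = payload.decode("utf-8", "replace").rstrip("\n")
    return log_path(host, when), line


if __name__ == "__main__":
    # Constructed datagrams; no socket is opened.
    resolver = HostResolver(STATIC_HOSTS, allow_dns=False)
    for ip, msg in [("192.0.2.10", b"<134>ns5xp: deny tcp\n"),
                    ("198.51.100.7", b"<134>sender not in the hosts table\n")]:
        print(handle_datagram(resolver, ip, msg, SAMPLE_WHEN))
```

With allow_dns=False the second datagram is filed under its IP address rather than dropped, which is the trade-off Brian accepted with use_dns(no). If reverse lookups are re-enabled, the lookup callable must not run on the thread that reads the UDP socket; the cache only reduces how often the blocking call happens, it does not make it non-blocking, which is what the adns suggestion above addresses.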
participants (3): Balazs Scheidler, Brian Leveille, Scott McDermott