missing 33% of syslog messages
I'm running syslog-ng 1.4.14 on Linux. This server is a loghost for all my syslog clients. It's got plenty of CPU, memory, disk, and bandwidth. The servers that it's accepting logs from are on the same switch as the loghost. That said, I'm losing about 33% of my syslog messages from each client. I tried 1.5.20 with slightly worse results. All the clients are UDP, and need to stay that way. There are times when minutes go by without recording anything from the clients.

Also, where are the "stats" recorded to?

Here is my config:

----------------------------------------------------------------------------
options {
    sync (0);
    time_reopen (10);
    # Increased buffer size to 50*256 (50 hosts). -rjk
    log_fifo_size (12800);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
    stats (600);
    owner (root);
    group (syslog);
    perm (0644);
    dir_owner (root);
    dir_group (syslog);
    dir_perm (0755);
};

source s_sys {
    pipe ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

destination remote {
    file("/var/log/remote/$HOST/$FACILITY.log" log_fifo_size (12800));
};

source net { udp(); };

log { source(net); destination(remote); };
----------------------------------------------------------------------------

--
Bob Kupiec
Security/Network Administrator
Email: kupiec@ias.edu
Institute for Advanced Study
Phone: 609-734-8179
Einstein Drive (A208)
Fax: 609-951-4418
Princeton, NJ 08540-4907