Hello, I have two questions: 1. % sudo /etc/init.d/syslog-ng restart * Stopping system logging syslog-ng [ OK ] * Starting system logging syslog-ng WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to 100 entries. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='80', new_log_iw_size='100', min_log_fifo_size='25000' I have a lot of tcp sources, destination and options. Where should I look for this warning? I don't have "log_iw_size=80" anywhere. 2. `syslog-ng --preprocess-into=/tmp/pre.conf` ^Does it work for anybody? It writes the config file but it hangs after it for me. Is it supposed to be used when syslog-ng daemon is down? -- Best regards, Koldaev Anton
Anton Koldaev <koldaevav@gmail.com> writes:
1. % sudo /etc/init.d/syslog-ng restart WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to 100 entries. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='80', new_log_iw_size='100', min_log_fifo_size='25000'
I have a lot of tcp sources, destination and options. Where should I look for this warning? I don't have "log_iw_size=80" anywhere.e
Can you show your global settings, by any chance? Also, what @version does your syslog-ng.conf have? (This is most likely in your global settings)
2. `syslog-ng --preprocess-into=/tmp/pre.conf` ^Does it work for anybody? It writes the config file but it hangs after it for me. Is it supposed to be used when syslog-ng daemon is down?
--preprocess-into only tells syslog-ng to write the processed config to a file, it will then proceed to do whatever else it would've done without the option. That's a bit counter-intuitive, I agree. You can use the --syntax-only (-s) option to just write the file and exit without doing anything else. -- |8]
--preprocess-into only tells syslog-ng to write the processed config to a file, it will then proceed to do whatever else it would've done without the option. That's a bit counter-intuitive, I agree. You can use the --syntax-only (-s) option to just write the file and exit without doing anything else.
Got it, thanks!
Can you show your global settings, by any chance? Also, what @version does your syslog-ng.conf have? (This is most likely in your global settings) # Global: options { threaded (yes); time_reopen (10); chain_hostnames (off); use_dns (yes); dns_cache (yes); dns_cache_size (2000); dns_cache_expire (86400); use_fqdn (no); keep_hostname (yes); stats_freq (0); stats_level (1); log_msg_size (16384); log_fifo_size (8000000); };
# Version: @version: 3.3 # Sources source s_local { file ("/proc/kmsg" program_override("kernel: ")); unix-stream ("/dev/log"); }; source s_local_internal { internal(); }; source s_remote { udp(ip(0.0.0.0) port(514) so_rcvbuf(1024000)); # Switches are configured to send logs here tcp(ip(0.0.0.0) port(5140) max-connections(250) so_rcvbuf(1024000) log_iw_size(20000) so_keepalive(yes) log_fetch_limit(100)); syslog(ip(0.0.0.0) transport("tcp") port(5141) max-connections(200) log_iw_size(20000) flags("threaded") log_fetch_limit(100)); }; # TCP and UDP source for each app <% @apps.each do |app| %> source s_remote_<%= app[:id] %> { syslog(ip(0.0.0.0) transport("tcp") port(<%= app[:syslog][:port] %>) max-connections(100) log_iw_size(20000) flags("threaded") log_fetch_limit(100)); }; source s_remote_udp_<%= app[:id] %> { udp(ip(0.0.0.0) port(<%= app[:syslog][:udp_port] so_rcvbuf(1024000)); # HAproxy }; <% end %> On Tue, Dec 11, 2012 at 12:28 AM, Gergely Nagy <algernon@balabit.hu> wrote:
--preprocess-into only tells syslog-ng to write the processed config to a file, it will then proceed to do whatever else it would've done without the option. That's a bit counter-intuitive, I agree. You can use the --syntax-only (-s) option to just write the file and exit without doing anything else.
-- Best regards, Koldaev Anton
Anton Koldaev <koldaevav@gmail.com> writes:
source s_remote { udp(ip(0.0.0.0) port(514) so_rcvbuf(1024000)); # Switches are configured to send logs here tcp(ip(0.0.0.0) port(5140) max-connections(250) so_rcvbuf(1024000) log_iw_size(20000) so_keepalive(yes) log_fetch_limit(100)); syslog(ip(0.0.0.0) transport("tcp") port(5141) max-connections(200) log_iw_size(20000) flags("threaded") log_fetch_limit(100)); };
The log_iw_size(20000)/max-connections(250) thing is what triggers the error message, by the looks of it. Increasing log_iw_size to 25000 should make the warning go away. The warning could use an update, though, that makes it clearer where it gets the numbers from. -- |8]
You're right. Thanks On Tue, Dec 11, 2012 at 3:52 PM, Gergely Nagy <algernon@balabit.hu> wrote:
Anton Koldaev <koldaevav@gmail.com> writes:
source s_remote { udp(ip(0.0.0.0) port(514) so_rcvbuf(1024000)); # Switches are configured to send logs here tcp(ip(0.0.0.0) port(5140) max-connections(250) so_rcvbuf(1024000) log_iw_size(20000) so_keepalive(yes) log_fetch_limit(100)); syslog(ip(0.0.0.0) transport("tcp") port(5141) max-connections(200) log_iw_size(20000) flags("threaded") log_fetch_limit(100)); };
The log_iw_size(20000)/max-connections(250) thing is what triggers the error message, by the looks of it. Increasing log_iw_size to 25000 should make the warning go away.
The warning could use an update, though, that makes it clearer where it gets the numbers from.
-- |8]
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Best regards, Koldaev Anton
participants (2)
-
Anton Koldaev
-
Gergely Nagy