Hi,

I'm trying to use syslog-ng as a syslog sink for a number of boxes, but I've found that something in the chain is dropping some number of the syslog events. Specifically, I've got 10 mail servers all logging their sendmail's into one file on the syslog sink -- much easier to parse this way. Unfortunately, I've discovered that a number of entries that were logged on the local box were dropped somewhere on their way to the Big Log file on the syslog-ng machine.

Is there anything I can try to make sure this doesn't happen? Any options I can tweak, that sort of thing. Would logging to individual files on a host by host basis be better, coupled with syslog-ng monitoring those local files to concatenate them all into one larger file?

It may very well be a case of UDP getting lost on a busy network, but I'd like to do everything I can on the syslog-ng side first.

Thanks,

Scott
Scott A. McIntyre on Fri, Jan 26, 2001 at 12:34:20PM +0100:

> Is there anything I can try to make sure this doesn't happen? Any options I can tweak, that sort of thing. Would logging to individual files on a host by host basis be better, coupled with syslog-ng monitoring those local files to concatenate them all into one larger file?

Scott,

Logging to individual files would probably make it worse, at least if it is a problem on the server. If this is an option for you, upgrade your log clients (mailservers) to syslog-ng, and use tcp logging. I use this method to log various snort sensor alert data, and it seems very reliable, as long as the log server has enough processing and i/o power to handle the alert messages. Logging over tcp will not compensate for a weak machine.

Other than that, you would have to analyse where the messages are getting dropped. If your udp packets are actually travelling on your network (you could check with ethereal), your system could be i/o bound. Try to use vmstat to see if your resources are blocked by processes that are waiting for i/o. If that's the case, and you have some RAM available (vmstat on some platforms tells you as well, check swap/pagescanner activity), play with the sync() and log_fifo_size() options. Or buy more or faster disks :)

Regards,

Gregor.

--
Gregor Binder <gregor.binder@sysfive.com> http://sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
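The setup Gregor describes, as an added example that is not part of this thread: syslog-ng (1.x/2.x era syntax) on each mail server forwarding over TCP to a single syslog-ng sink that writes one mail log, with the sync() and log_fifo_size() options he mentions. The host name loghost, port 514, the connection limit and the file path are assumptions.

```conf
# Added example, not from the thread. Two separate syslog-ng.conf files are
# shown; "loghost", port 514 and the paths are assumptions.

# ---- /etc/syslog-ng/syslog-ng.conf on each mail server (log client) ----
options {
    sync(0);              # write through at once; raise to batch disk writes
    log_fifo_size(2000);  # messages held in memory while the TCP link blocks
};
source s_local {
    unix-stream("/dev/log");   # where sendmail's syslog(3) calls arrive (Linux)
    internal();                # syslog-ng's own status messages
};
destination d_loghost {
    tcp("loghost" port(514));  # TCP: a dropped connection is visible, unlike UDP loss
};
log { source(s_local); destination(d_loghost); };

# ---- /etc/syslog-ng/syslog-ng.conf on the syslog sink (log server) ----
options {
    sync(0);
    log_fifo_size(10000);      # ten clients feed one file; buffer for i/o stalls
};
source s_tcp {
    # the default connection limit is low; allow at least one per client
    tcp(ip(0.0.0.0) port(514) max_connections(20));
};
filter f_mail { facility(mail); };
destination d_sendmail { file("/var/log/mail/all-sendmail.log"); };
log { source(s_tcp); filter(f_mail); destination(d_sendmail); };
```

If the sink is i/o bound, a growing fifo only delays the loss, so pair this with the vmstat check from the reply; in syslog-ng 3.x the sync() option was renamed flush_lines().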