RE: [syslog-ng]missing 33% of syslog messages
Bob,

Ok, then there are a couple of things to try next. Set up the DEFAULT filter as the last line in your config file and send that to a junk file just to see if the messages are missing your filters and being discarded by syslog-ng. Also run syslog in a shell with the -dv switches turned on so you can watch the messages come in. Turn the daemon off before you run it in a shell.

Drew

-----Original Message-----
From: Bob Kupiec [mailto:kupiec@ias.edu]
Sent: Wednesday, October 02, 2002 1:38 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]missing 33% of syslog messages

Drew,

I tried tweaking sync() to 25 and to 100. No real change. I still average capturing about 80% to 85% of the syslog data. See my previous message for my configs and version. All the packets are hitting the machine, verified by tcpdump, but are getting lost after that. The machine has a hardware RAID 5 array and it's only running syslog-ng, it's not a hardware issue. Tuning syslog-ng.conf doesn't do anything noticeable. How do I go about fixing/debugging syslog-ng further?
From Andrew.Hamilton@afccc.af.mil Thu, 19 Sep 2002 12:47:25 -0400
Date: Thu, 19 Sep 2002 12:47:25 -0400
From: Hamilton, Andrew <Andrew.Hamilton@afccc.af.mil>
Subject: [syslog-ng]missing 33% of syslog messages
Bob,
Have you checked to see that the messages are getting to the loghost? On a busy network it is possible to lose a number of packets. With UDP you never know. You could use a network sniffer to find out. Something else you might try is raising sync some. If you are getting a ton of messages you might be getting lost in I/O somewhere. sync(0) writes immediately so you might crank it up a little to get some buffering going. You might have to play around with some of the options to get it to work with your configuration. I believe that stats are where you have the internal source going. It is just a line in the file I think.
--
Bob Kupiec
Security/Network Administrator
Institute for Advanced Study
Einstein Drive (A208)
Princeton, NJ 08540-4907
Email: kupiec@ias.edu
Phone: 609-734-8179
Fax: 609-951-4418

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
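The three diagnostics suggested in this thread (Drew's catch-all junk-file destination and running the daemon in debug mode, and Andrew's advice to raise sync() and read the stats emitted by the internal() source) put together in one configuration, as an added example that was not posted to the list. It is written in current syslog-ng 3.x syntax, where the sync() option of the 2002 versions is flush_lines() and stats() is stats_freq(); the object names, file paths and buffer size are assumptions.

```conf
# Added example (not from the thread). Use the @version of your installed syslog-ng.
@version: 3.38

# To watch messages arrive (Drew's -dv tip): stop the daemon first, then run
# it in the foreground with debug and verbose output:
#   syslog-ng -F -d -v -f /etc/syslog-ng/syslog-ng.conf

options {
    # sync(0) wrote every line immediately; in 3.x the option is flush_lines().
    # Buffer 25 lines per destination before writing (Andrew's suggestion).
    flush_lines(25);
    # Emit a STATS line every 10 minutes via the internal() source. The old
    # stats() option is stats_freq() in 3.x; the line carries per-source and
    # per-destination "dropped" counters, which is where losses show up.
    stats_freq(600);
};

# UDP input. so_rcvbuf() grows the kernel socket receive buffer: a full buffer
# is where packets tcpdump sees can be dropped before syslog-ng reads them
# (net.core.rmem_max caps the value; compare "packet receive errors" in netstat -su).
source s_udp      { udp(ip(0.0.0.0) port(514) so_rcvbuf(8388608)); };
source s_internal { internal(); };

destination d_auth      { file("/var/log/auth.log"); };
destination d_cron      { file("/var/log/cron.log"); };
destination d_stats     { file("/var/log/syslog-ng-internal.log"); };
# Drew's junk file: everything the other filters did not match lands here.
destination d_unmatched { file("/var/log/syslog-ng-unmatched.log"); };

filter f_auth { facility(auth, authpriv); };
filter f_cron { facility(cron); };

log { source(s_udp); filter(f_auth); destination(d_auth); };
log { source(s_udp); filter(f_cron); destination(d_cron); };
log { source(s_internal); destination(d_stats); };

# The DEFAULT path, last in the file: flags(fallback) delivers only messages
# that no non-fallback log path above has matched. If the "missing" lines
# appear in this file, the data is arriving and the filters are dropping it,
# not syslog-ng or the network.
log { source(s_udp); destination(d_unmatched); flags(fallback); };
```

Count lines in d_unmatched against the tcpdump packet count: if the two agree, the loss was a filter gap; if the unmatched file is also short and the STATS line reports dropped messages on s_udp, the socket buffer or I/O path is the next place to look.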