[syslog-ng]Syslog Logging Delay

Brian E. Seppanen seppy@chartermi.net
Wed, 28 Mar 2001 15:39:30 -0500 (EST) 

I'm running syslog-ng 1.4.11 on a redhat-7.0 box.  The box is a dual
processer PIII 500 dell poweredge 1300, with 512MB of RAM.  We're making
this baby hum, but may have too much on it.

My config is big so i'll include what I think are the relevent portions.
Let me know if I'm missing something.

Basically syslog-ng has stopped logging at various times.  I've been doing
a lot of poking today, to stress test it.

I'm doing a tcpdump on port 514 and I'm seeing lots of traffic.
However, the logs where the information should be going isn't getting
updated.  My last log entry is from approximatet 2:53 p.m. EST, and it's
now 3:25 p.m. EST.  If I stop syslog-ng and restart it will probably start
logging just fine, but I can't be starting and stopping every three hours.
I'm sure it's probably a misconfiguration.

netstat -an has remained the same for this span of time as follows
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp    65488      0 0.0.0.0:514             0.0.0.0:*

Notice the lot in the recv queue.

Okay now here's my config.  You promise not to laugh right? :)
options {
	sync(0);
	time_reopen(10);
	log_fifo_size(2000);
	chain_hostnames(no);
	use_dns(no);
	gc_idle_threshold(500);
	gc_busy_threshold(3500);
	};

Now I'm thinking that there is a setting that I haven't left high enough
or low enough.  I'm not sure if my logs are blocked because I'm trying to
force too much into them or what.  Basically if I start syslog-ng I
usually have about 500 objects alive, and idle_garbage_collection will
run almost constantly.  After a long time it isn't unheard of that I have
about 2000-3000 objects alive.  Is it trying to garbage collect itself to
death.  I never really got a good indication of how I should set that up.
This morning I tried increasing the log_fifo_size to 2000.

Is there a setting I should check?  What would cause it to block anything
from getting written?   Actually it has written the information to the
logs since I started this message at about 3:27, and it doesn't appear to
have dropped anything.  Would reducing the fifo_size speed up the commit
time?  What would delay the commit?

I'd appreciate any help.  Thanks :)


Brian Seppanen
Charter Communications
Regional Data Center				906-228-4226 ext 23
Marquette, MI					seppy@chartermi.net