[syslog-ng] Syslog Logging Delay

Brian E. Seppanen seppy@chartermi.net
Thu, 29 Mar 2001 09:15:47 -0500 (EST)


On Thu, 29 Mar 2001, Balazs Scheidler wrote:

> > I'm doing a tcpdump on port 514 and I'm seeing lots of traffic.
> > However, the logs where the information should be going aren't getting
> > updated.  My last log entry is from approximately 2:53 p.m. EST, and it's
> > now 3:25 p.m. EST.  If I stop syslog-ng and restart it will probably start
> > logging just fine, but I can't be starting and stopping every three hours.
> > I'm sure it's probably a misconfiguration.
>
> I'd rather think it's a syslog-ng bug. Can you strace the syslog-ng process
> whether it reads its input file descriptor?
>
>

At about 9:05 a.m. I'm getting packets via tcpdump, but no more
information is logging.  I started syslog-ng in the following
fashion.

strace /usr/local/sbin/syslog-ng -p /var/run/syslog-ng -f /usr/local/etc/syslog-ng.conf -d

I think all of the messages about SIGWINCH were me adjusting the window
size.  I was hoping to see more of the previous messages, but changing the
window size didn't work and I had to use scroll up.

time(NULL)                              = 985873810
poll([{fd=11, events=0}, {fd=10, events=0}, {fd=22, events=POLLIN},
{fd=14, events=0}, {fd=13, events=POLLIN}, {fd=17, events=0}, {fd=16,
events=POLLIN}, {fd=15, events=0}, {fd=9, events=0}, {fd=8,
events=POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 15, 100) =
0
poll([{fd=11, events=0}, {fd=10, events=0}, {fd=22, events=POLLIN},
{fd=14, events=0}, {fd=13, events=POLLIN}, {fd=17, events=0}, {fd=16,
events=POLLIN}, {fd=15, events=0}, {fd=9, events=0}, {fd=8,
events=POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=4, events=POLLIN}, {fd=3, events=POLLIN,
revents=POLLIN}], 15, 17000) = 1
read(3, 0x806bfd0, 1024)                = ? ERESTARTSYS (To be restarted)
--- SIGWINCH (Window changed) ---
read(3,

At this point the recv queue is full again for UDP:514
udp    65520      0 0.0.0.0:514             0.0.0.0:*

Shortly after I started this message it restarted again at about 9:10
a.m. EST, and the UDP:514 recv queue was cleared.  However my logging
stopped at 6:15 p.m. EST last night, and did not resume, although syslog
was still running apparently.

I'll leave the strace running today, and hopefully I'll see something
definitive.

Brian Seppanen
Charter Communications
Regional Data Center				906-228-4226 ext 23
Marquette, MI					seppy@chartermi.net
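
Added example (not part of the original message and not syslog-ng code): a Python check that parses netstat-style lines in the format quoted above and reports when the Recv-Q for UDP port 514 stays near full across successive samples, the state in which the kernel drops incoming syslog datagrams. The 60000-byte threshold, the three-sample window, and all function names are assumptions.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

class UdpSocket(NamedTuple):
    recv_q: int
    send_q: int
    local: str

# proto, Recv-Q, Send-Q, local address, foreign address
_LINE = re.compile(r"^udp\S*\s+(\d+)\s+(\d+)\s+(\S+)\s+\S+")

def parse_udp_lines(text: str) -> List[UdpSocket]:
    """Extract UDP sockets from netstat-style output; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(UdpSocket(int(m.group(1)), int(m.group(2)), m.group(3)))
    return out

def recv_q_for_port(text: str, port: int = 514) -> Optional[int]:
    """Largest Recv-Q among UDP sockets bound to `port`, or None if none found."""
    qs = [s.recv_q for s in parse_udp_lines(text)
          if s.local.rsplit(":", 1)[-1] == str(port)]
    return max(qs) if qs else None

def receiver_stalled(samples: Iterable[str], port: int = 514,
                     threshold: int = 60000, consecutive: int = 3) -> bool:
    """True once Recv-Q has been >= threshold in `consecutive` samples in a row."""
    run = 0
    for text in samples:
        q = recv_q_for_port(text, port)
        run = run + 1 if q is not None and q >= threshold else 0
        if run >= consecutive:
            return True
    return False

# Constructed samples: the first line is the one quoted in the message,
# the second is a constructed "drained" state for comparison.
FULL = "udp    65520      0 0.0.0.0:514             0.0.0.0:*"
DRAINED = "udp        0      0 0.0.0.0:514             0.0.0.0:*"

if __name__ == "__main__":
    print(receiver_stalled([FULL, FULL, FULL]))           # sustained backlog
    print(receiver_stalled([FULL, DRAINED, FULL, FULL]))  # backlog cleared in between
```

Requiring several consecutive high samples separates a reader that has stopped draining the socket from a short burst that the daemon catches up on.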