[syslog-ng]Syslog Logging Delay
Brian E. Seppanen
seppy@chartermi.net
Thu, 29 Mar 2001 11:25:27 -0500 (EST)
Here it stops again at approx 10:44 a.m. EST.
Again UDP:514 is 65550. Packets are still coming. No logging. Tried
logging via logger and no messages.
10:53 a.m. EST it starts again. vmstat doesn't indicate much disk
activity blocking either in or out either before or after. After it picks
up again the messages I logged via logger are logged.
Utilization on the box is pretty steady. Swap neither grows, nor
diminishes. Memory is used for the most part, maybe about 10MB free.
Lots of shared memory.
Graphs show loopback at 10:45 is quite active comparitively.
This is from a dump of an rrdtool database monitoring loopback
utilization. This doesn't correlate to other times when I've seen the
problem though, specifically when it stopped logging at 10:10 p.m. EST.
Normall readings for the graph are around 2.e+01.
<!-- 2001-03-29 10:40:00 EST --> <row><v> 2.8297444075e+01 </v><v> 2.8297444075e+01 </v></row>
<!-- 2001-03-29 10:45:00 EST --> <row><v> 5.7677917503e+01 </v><v> 5.7677917503e+01 </v></row>
<!-- 2001-03-29 10:50:00 EST --> <row><v> 9.0888004719e+01 </v><v> 9.0888004719e+01 </v></row>
POLLIN}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN},
{fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 17, 100) = 0
poll([{fd=12, events=0}, {fd=11, events=0}, {fd=21, events=0}, {fd=10,
events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13,
events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15,
events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0},
{fd=6, events=POLLIN}, {fd=5, events=POLLIN, revents=POLLIN}, {fd=4,
events=POLLIN}, {fd=3, events=POLLIN}], 17, 6000) = 1
recvfrom(5, "<133>559901: 4w3d: %UBR7200-5-MA"..., 1024, 0,
{sin_family=AF_INET, sin_port=htons(49364),
sin_addr=inet_addr("24.247.48.35")}}, [16]) = 163
time(NULL) = 985880402
time(NULL) = 985880402
time(NULL) = 985880402
time(NULL) = 985880402
poll([{fd=12, events=0}, {fd=11, events=0}, {fd=21, events=0}, {fd=10,
events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13,
events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15,
events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=POLLOUT,
revents=POLLOUT}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4,
events=POLLIN}, {fd=3, events=POLLIN}], 17, 100) = 1
write(7, "Mar 29 10:40:02 24.247.48.35 559"..., 188) = 188
time(NULL) = 985880402
poll([{fd=12, events=0}, {fd=11, events=0}, {fd=21, events=0}, {fd=10,
events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13,
events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15,
events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0},
{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4, events=POLLIN},
{fd=3, events=POLLIN}], 17, 100) = 0
poll([{fd=12, events=0}, {fd=11, events=0}, {fd=21, events=0}, {fd=10,
events=0}, {fd=22, events=POLLIN}, {fd=14, events=0}, {fd=13,
events=POLLIN}, {fd=17, events=0}, {fd=16, events=POLLIN}, {fd=15,
events=0}, {fd=9, events=0}, {fd=8, events=POLLIN}, {fd=7, events=0},
{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=4, events=POLLIN},
{fd=3, events=POLLIN, revents=POLLIN}], 17, 4000) = 1
read(3,
I don't know. Nothing to correlate it to stopping at 10:10:00 p.m. EST
last night though...
I'm just not seeing anything that sticks out to indicate where a problem
might be.
Can someone who is running a central logging server indicate how they have
configured syslog-ng, as far as log_fifo_size, garbage collection options,
number of objects alive at any one time after running for a while, sync
options? I would appreciate it, greatly.
Thanks,
Brian Seppanen
Charter Communications
Regional Data Center 906-228-4226 ext 23
Marquette, MI seppy@chartermi.net