[syslog-ng]Over zealous syslog-ng problem

Aaron Jackson Aaron.Jackson@dc.gov
Tue, 31 Dec 2002 11:44:10 -0500

My Setup:
I have syslog-ng running on several Solaris 8 machines.  Each machine 
writes log messages to their local disks and also forwards the messages 
to a central log server via a UPD connection, also a Solaris 8 machine. 
  The central log server stores everything into a mysql database via a 
perl script I wrote.

My Problem:
I am running the UNIX version of Cisco Secure on one of the Solaris 
boxes.  A couple of times it has blown up.  When this happens, it 
generates millions of log messages in a very short period.  The problem 
is that syslog-ng logs most of these messages (I also get the mangled 
message problem during these heavy loads).  The most recent episode 
generated 1,930,974 messages that made it into the mysql database and 
49,573 mangled messages on the central log server, but 16,040,886 
messages were written to disk on the local machine (see below).

My Questions:
Is there any way to throttle syslog-ng, or make syslog-ng not accept all 
  log messages when an app goes crazy?  I want to log some of these 
messages, so I know when to restart the service, but I don't want all 16 
million.  Also, it seems that around 15 million log messages didn't make 
it to my central server.  Where were they lost?  Is this a problem with 
the UDP transport?


# cat local0.log | grep -c 'ERROR - error on accept'

jackson@auth:/tmp {5} cat sql_errors | grep -c 'INSERT INTO'

mysql> delete from logs where host='acs' and facility='local0' and 
priority='err' and msg like '%ERROR - error on accept%';
Query OK, 1943387 rows affected (1 hour 40.16 sec)