[syslog-ng]Strang behaviour of syslog-ng (and my program)
Antai Ning
aning@jetnet.ca
Mon, 15 Jul 2002 10:32:08 -0400
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C22C0C.65E3E8E0
Content-Type: text/plain;
charset="iso-8859-1"
Hi Gents,
I'm posting the question again because I really need an answer for it,
Thanks a lot,
Andy
-----Original Message-----
From: Antai Ning [mailto:aning@jetnet.ca]
Sent: Wednesday, July 10, 2002 1:38 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Strang behaviour of syslog-ng (and my program)
Hi Gurus,
I got some strange phenomemon with syslog-ng. Here is what I'm doing.
I configured syslog-ng to forward certain type of messages to a pipe. (say,
ALERT). I wrote a program in perl to read from the pipe and print them out.
The perl program first try to open the pipe and it'll block at the open
function untill syslog-ng has some messages to write to the pipe. Then the
perl program reads using IO::File can_read() function, with a 5 seconds
timeout. So the function looks like this: $sel->can_read(5). Then I send 10
valid messages to syslog-ng from a remote machine by UDP. To my supprise,
the perl program got only 2 of the 10! Then I send another 1 valid message
to this syslog-ng after 5 minutes, and I got not only this message, but also
the 8 I lost last time!
This happens only for the first 10 messages (which includes the opening of
the pipe). Everything is fine after the first round. It looks like it's
related to the pipe opening and messages get queued somewhere until later
messages trigger the queue to flush.
So what's really happening inside? And is there a solution?
Thanks,
Andy
Cofiguration:
syslog-ng 1.4.11 on Redhat linux 7.2. And here is the syslog-ng globla
option look like. (Sorry I can't post all the configuration because of
obvious reasons :) ) But there is no options set for specific source,
destionation or filter.
options {
use_dns (no); # Don't perform DNS lookups
use_fqdn (no); # Don't use full hostname
create_dirs (yes); # Create any necessary dirs for files
use_time_recvd (yes); # Use our time, not the remote device time
log_fifo_size(10000); # Queue 10000 msgs on a blocked dest
sync(0); # Flush the queues as fast as possible
# Tweak the sync parameter if the disks are
# going wild and thrashing the machine
chain_hostnames(on); # Chain hostname/IP information in log line
};
source s_UDP
{
udp( ip(192.168.1.1) port(514) );
};
------_=_NextPart_001_01C22C0C.65E3E8E0
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Message aggregation</TITLE>
<META content="MSHTML 5.50.4916.2300" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff size=2>Hi
Gents, </FONT></SPAN></DIV>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff size=2>I'm
posting the question again because I really need an answer for
it,</FONT></SPAN></DIV>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff size=2>Thanks
a lot,</FONT></SPAN></DIV>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=810102514-15072002><FONT face=Arial color=#0000ff
size=2>Andy</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Antai Ning
[mailto:aning@jetnet.ca]<BR><B>Sent:</B> Wednesday, July 10, 2002 1:38
PM<BR><B>To:</B> 'syslog-ng@lists.balabit.hu'<BR><B>Subject:</B>
[syslog-ng]Strang behaviour of syslog-ng (and my program)<BR><BR></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=710041517-10072002>Hi
Gurus,</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=710041517-10072002>I
got some strange phenomemon with syslog-ng. Here is what I'm
doing.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=710041517-10072002>I
configured syslog-ng to forward certain type of messages to a pipe. (say,
ALERT). I wrote a program in perl to read from the pipe and print them
out. The perl program first try to open the pipe and it'll block at the
open function untill syslog-ng has some messages to write to the pipe.
Then the perl program reads using IO::File can_read() function, with
a 5 seconds timeout. So the function looks like this: $sel->can_read(5).
Then I send 10 valid messages to syslog-ng from a remote machine by UDP. To my
supprise, the perl program got only 2 of the 10! Then I send
another 1 valid message to this syslog-ng after 5 minutes, and I got not
only this message, but also the 8 I lost last
time! </SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=710041517-10072002>This
happens only for the first 10 messages (which includes the opening of the
pipe). Everything is fine after the first round. It looks like it's
related to the pipe opening and messages get queued somewhere until later
messages trigger the queue to flush.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=710041517-10072002>So
what's really happening inside? And is there a
solution?</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002>Thanks,</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=710041517-10072002></SPAN></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=710041517-10072002>Andy <BR></DIV><SPAN
class=810102514-15072002></SPAN></SPAN></FONT></FONT></FONT></BLOCKQUOTE>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"><FONT face=Arial><FONT
color=#0000ff><FONT size=2><SPAN class=710041517-10072002><SPAN
class=810102514-15072002></SPAN></SPAN></FONT></FONT></FONT>
<DIV><FONT size=2><SPAN class=710041517-10072002><SPAN
class=810102514-15072002>
<DIV><SPAN class=600273114-11072002><FONT size=1><SPAN
class=810102514-15072002><FONT face=Arial color=#0000ff
size=2>Cofiguration:</FONT></SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=600273114-11072002><FONT size=1><SPAN
class=810102514-15072002><FONT face=Arial color=#0000ff
size=2> </FONT></SPAN><BR><FONT face=Arial><FONT
color=#0000ff>syslog-ng 1.4.11 on Redhat linux 7.2. And here is the syslog-ng
globla option look like<SPAN class=650383314-11072002>. </SPAN>(Sorry I can't
post all the configuration<SPAN class=650383314-11072002> because of obvious
reasons :) ) But there is no options set for specific source, destionation or
filter.</SPAN></FONT></FONT></FONT></SPAN></DIV>
<DIV><SPAN class=600273114-11072002><FONT face=Arial color=#0000ff
size=1><SPAN class=650383314-11072002></SPAN></FONT></SPAN> </DIV>
<DIV><SPAN class=600273114-11072002><FONT face=Arial color=#0000ff
size=1><SPAN class=650383314-11072002>options
{<BR> use_dns
(no); # Don't perform DNS
lookups<BR> use_fqdn
(no); # Don't use full
hostname<BR> create_dirs
(yes); # Create any necessary dirs for
files<BR> use_time_recvd
(yes); # Use our time, not the remote device
time<BR>
log_fifo_size(10000); # Queue 10000 msgs on a blocked
dest<BR>
sync(0);
# Flush the queues as fast as
possible<BR>
# Tweak the sync parameter if the disks
are<BR>
# going wild and thrashing the
machine<BR>
chain_hostnames(on); # Chain hostname/IP information in log
line<BR>};<BR></SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=600273114-11072002><FONT face=Arial color=#0000ff
size=1><SPAN class=650383314-11072002>source s_UDP</SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=600273114-11072002><FONT face=Arial color=#0000ff
size=1><SPAN class=650383314-11072002>{ </SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=600273114-11072002><FONT face=Arial color=#0000ff
size=1><SPAN
class=650383314-11072002> udp(
ip(192.168.1.1) port(514) );</SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=600273114-11072002><FONT face=Arial color=#0000ff
size=1><SPAN class=650383314-11072002>};</SPAN></FONT></SPAN></DIV><FONT
face=Arial color=#0000ff> </FONT></SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=710041517-10072002><SPAN
class=810102514-15072002> </SPAN></SPAN><SPAN
class=810102514-15072002> </SPAN></FONT></FONT></FONT></DIV></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C22C0C.65E3E8E0--