[syslog-ng]missing 33% of syslog messages

Bob Kupiec kupiec@ias.edu
Wed, 2 Oct 2002 13:38:14 -0400


Drew,

I tried tweaking sync() to 25 and to 100.  No real change.  I still average
capturing about 80% to 85% of the syslog data.  See my previous message
for my configs and version.

All the packets are hitting the machine, verified by tcpdump, but are getting
lost after that.  The machine has a hardware RAID 5 array and it's only
running syslog-ng, it's not a hardware issue.

Tuning syslog-ng.conf doesn't do anything noticeable.

How do I go about fixing/debugging syslog-ng further?

>From Andrew.Hamilton@afccc.af.mil Thu, 19 Sep 2002 12:47:25 -0400
>Date: Thu, 19 Sep 2002 12:47:25 -0400
>From: Hamilton, Andrew Andrew.Hamilton@afccc.af.mil
>Subject: [syslog-ng]missing 33% of syslog messages
>
>Bob,
>
>Have you checked to see that the messages are getting to the loghost?  On a
>busy network it is possible to lose a number of packets.  With UDP you never
>know.  You could use a network sniffer to find out.  Something else you
>might try is raising sync some.  If you are getting a ton of messages you
>might be getting lost in I/O somewhere.  sync(0) writes immediately so you
>might crank it up a little to get some buffering going.  You might have to
>play around with some of the options to get it to work with your
>configuration.  I believe that stats are where you have the internal
>source going.  It is just a line in the file I think.
>
-- 
       Bob Kupiec                     Security/Network Administrator
  Email: kupiec@ias.edu                Institute for Advanced Study
   Phone: 609-734-8179                    Einstein Drive (A208)
    Fax: 609-951-4418                   Princeton, NJ 08540-4907
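
The symptom described above (datagrams seen by tcpdump but missing from the logs) can be measured at the kernel's UDP layer. This is an added example, not part of the original thread. It assumes a Linux loghost that exposes UDP counters in /proc/net/snmp. The two snapshots are constructed sample data and the function names are hypothetical.

```python
# Added example: compare two snapshots of the Linux UDP counters to see
# whether datagrams are dropped between the NIC and the listening socket.
# tcpdump taps packets before socket delivery, so it still sees datagrams
# that the kernel later discards (for example on a full receive buffer).

# Constructed sample snapshots in /proc/net/snmp format (not real data).
BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100000 12 500 300 500 0
"""
AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 183000 12 17500 310 17500 0
"""


def parse_udp(text):
    """Return the Udp counters of a /proc/net/snmp dump as a dict."""
    # "UdpLite:" lines do not match, because the prefix includes the colon.
    rows = [l.split()[1:] for l in text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp header line and one value line")
    return dict(zip(rows[0], map(int, rows[1])))


def udp_loss(before, after):
    """Summarise delivered vs. dropped datagrams between two snapshots."""
    old, new = parse_udp(before), parse_udp(after)
    delta = {name: new[name] - old.get(name, 0) for name in new}
    delivered = delta["InDatagrams"]   # handed to a listening socket
    dropped = delta["InErrors"]        # discarded by the UDP layer
    total = delivered + dropped
    return {
        "delivered": delivered,
        "dropped": dropped,
        # Older kernels lack this column; report 0 rather than failing.
        "rcvbuf_dropped": delta.get("RcvbufErrors", 0),
        "delivered_pct": round(100.0 * delivered / total, 1) if total else 100.0,
    }


if __name__ == "__main__":
    print(udp_loss(BEFORE, AFTER))
```

On a live host the two inputs would be the contents of /proc/net/snmp read some interval apart while the log traffic is flowing.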