[syslog-ng]missing 33% of syslog messages

Hamilton, Andrew Andrew.Hamilton@afccc.af.mil
Wed, 2 Oct 2002 13:46:01 -0400 

Bob,

Ok, then there are a couple of things to try next.  Setup the DEFAULT filter
as the last line in your config file and send that to a junk file just to
see if the messages are missing your filters and being discarded by
syslog-ng.  Also run syslog in a shell with the -dv switches turned on so
you can watch the messages come in.  Turn the daemon off before you run it
in a shell.

Drew

-----Original Message-----
From: Bob Kupiec [mailto:kupiec@ias.edu]
Sent: Wednesday, October 02, 2002 1:38 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]missing 33% of syslog messages



Drew,

I tried tweaking sync() to 25 and to 100.  No real change.  I still average
capturing about 80% to 85% of the syslog data.  See my previous message
for my configs and version.

All the packets are hitting the machine, verfied by tcpdump, but are getting
lost after that.  The machine has a hardware RAID 5 array and it's only
running syslog-ng, it's not a hardware issue.

Tuning syslog-ng.conf doesn't do anything noticeable.

How do I go about fixing/debugging syslog-ng further?

>From Andrew.Hamilton@afccc.af.mil Thu, 19 Sep 2002 12:47:25 -0400
>Date: Thu, 19 Sep 2002 12:47:25 -0400
>From: Hamilton, Andrew Andrew.Hamilton@afccc.af.mil
>Subject: [syslog-ng]missing 33% of syslog messages
>
>Bob,
>
>Have you checked to see that the messages are getting to the loghost?  On a
>busy network it is possible to lose a number of packets.  With UDP you
never
>know.  You could use a network sniffer to find out.  Something else you
>might try is raising sync some.  If you are getting a ton of messages you
>might be getting lost in I/O somewhere.  sync(0) writes immediately so you
>might crank it up a little to get some buffering going.  You might have to
>play around with some of the options to get it to work with your
>configuration.  I believe that stats are where you have the internal
>source going.  It is just a line in the file I think.
>
-- 
       Bob Kupiec                     Security/Network Administrator
  Email: kupiec@ias.edu                Institute for Advanced Study
   Phone: 609-734-8179                    Einstein Drive (A208)
    Fax: 609-951-4418                   Princeton, NJ 08540-4907

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html