[syslog-ng]missing 33% of syslog messages

Bob Kupiec kupiec@ias.edu
Thu, 19 Sep 2002 12:25:27 -0400


I'm running syslog-ng 1.4.14 on Linux.  This server is a loghost for
all my syslog clients.  It's got plenty of cpu, memory, disk, and
bandwidth.  The servers that it's accepting logs from are on the same
switch as the loghost.

That said, I'm losing about 33% of my syslog messages from each client.
I tried 1.5.20 with slightly worse results.  All the clients are UDP,
and need to stay that way.

There are times when minutes go by without recording anything from the
clients.

Also, where are the "stats" recorded to?

Here is my config:

----------------------------------------------------------------------------
# Global options; file destinations that set nothing themselves inherit the
# owner/group/perm values given here.
options { sync (0);
          time_reopen (10);
          # Increased buffer size to 50*256 (50 hosts). -rjk
          log_fifo_size (12800);
          long_hostnames (off);
          # No DNS lookups are made for incoming messages, so name resolution
          # cannot stall the receive path.
          use_dns (no);
          use_fqdn (no);
          # Missing directories in a destination path are created on demand.
          create_dirs (yes);
          # NOTE(review): the hostname written inside each message is trusted
          # as-is instead of being replaced with the sender's address.  For
          # UDP input that field is set by whoever sent the datagram.
          keep_hostname (yes);
          # Statistics messages are generated every 600 seconds and delivered
          # through the internal() source.
          stats (600);
          owner (root);
          group (syslog);
          # NOTE(review): 0644 makes every log file created by this
          # configuration world-readable; 0640 with group syslog would keep
          # read access to root and that group only.
          perm (0644);
          dir_owner (root);
          dir_group (syslog);
          dir_perm (0755);
        };

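# Local sources: kernel messages, the local syslog socket, and syslog-ng's
# own internal messages (which include the periodic stats() reports).
# The "/dev/log" path had been split across two lines by mail wrapping;
# it is rejoined here so the statement is valid again.
source s_sys {
        pipe ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
};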

# Local destinations.  None of the file() entries sets its own perm(), so each
# inherits the global perm (0644) -- including d_auth (/var/log/secure), which
# leaves authentication logs readable by every local user.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
# usertty("*") writes to the terminal of every logged-in user.
destination d_mlal { usertty("*"); };

# Facility/level filters used by the local log paths.
# NOTE(review): in syslog-ng, level(X) matches only priority X, not "X and
# above" as a sysklogd selector such as *.info does.  If these filters were
# translated from a syslog.conf, f_filter2 and f_filter6 would need ranges
# such as level(info..emerg) and level(crit..emerg); as written, notice,
# warning, err and crit messages do not reach /var/log/messages -- confirm
# that this is intended.
filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };

filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

# Local log paths: every statement reads only s_sys, so messages received on
# the network source are never matched here.  The stats (600) reports arrive
# through internal() in s_sys, so they are written only where one of these
# filters matches their facility and level.
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

# Remote log path: everything received over UDP is written to one file per
# host and facility, with no filter in between.
# NOTE(review): because keep_hostname (yes) is set globally, $HOST is taken
# from the hostname field inside the message, and UDP senders are not
# authenticated.  Together with create_dirs (yes), any host that can reach
# this port can create directories and files under /var/log/remote/ and write
# entries under another host's name.  Consider keep_hostname (no) so $HOST
# comes from the sender address, and restrict the port to known clients at
# the firewall.
destination remote {
        file("/var/log/remote/$HOST/$FACILITY.log" log_fifo_size (12800));
};
# UDP gives no delivery guarantee: datagrams that arrive while the socket's
# kernel receive buffer is full are discarded before syslog-ng reads them, so
# log_fifo_size on the destination cannot recover them.
source net {
        udp();
};
log {
        source(net);
        destination(remote);
};

----------------------------------------------------------------------------

-- 
       Bob Kupiec                     Security/Network Administrator
  Email: kupiec@ias.edu                Institute for Advanced Study
   Phone: 609-734-8179                    Einstein Drive (A208)
    Fax: 609-951-4418                   Princeton, NJ 08540-4907