[syslog-ng]missing 33% of syslog messages
Bob Kupiec
kupiec@ias.edu
Thu, 19 Sep 2002 12:25:27 -0400
I'm running syslog-ng 1.4.14 on Linux. This server is a loghost for
all my syslog clients. It's got plenty of cpu, memory, disk, and
bandwidth. The servers that it's accepting logs from are on the same
switch as the loghost.
That said, I'm losing about 33% of my syslog messages from each client.
I tried 1.5.20 with slightly worse results. All the clients are UDP,
and need to stay that way.
There are times when minutes go by without recording anything from the
clients.
Also, where are the "stats" recorded to?
Here is my config:
----------------------------------------------------------------------------
# Global options for the loghost; they apply to every source and destination
# below unless a statement overrides them.
options { sync (0);
time_reopen (10);
# Increased buffer size to 50*256 (50 hosts). -rjk
log_fifo_size (12800);
long_hostnames (off);
# No DNS lookups on incoming messages.
use_dns (no);
use_fqdn (no);
# Missing directories in a destination path are created on demand; this
# matters for the $HOST-based path used by the "remote" destination.
create_dirs (yes);
# NOTE(review): with keep_hostname (yes) the hostname carried inside the
# message is kept as-is, so for network messages $HOST is presumably whatever
# the sender wrote and is not tied to the source address - confirm.
keep_hostname (yes);
# Statistics interval. NOTE(review): the stats messages presumably arrive
# through the internal() source and land wherever a log statement routes
# them - confirm against the syslog-ng documentation for this version.
stats (600);
owner (root);
group (syslog);
# NOTE(review): 0644 makes every file syslog-ng creates world-readable,
# including /var/log/secure and the per-host remote logs; 0640 with the
# syslog group is the tighter choice if no other local reader needs them.
perm (0644);
dir_owner (root);
dir_group (syslog);
dir_perm (0755);
};
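# Local sources: kernel messages read from /proc/kmsg (prefixed "kernel: "),
# the local /dev/log socket, and syslog-ng's own internal messages.
# The "/dev/log" path had been split across two lines by mail wrapping and is
# rejoined here.
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };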
# Local destinations: the console, the standard files under /var/log, and
# the terminals of all logged-in users (d_mlal).
# Files created here get the global owner/group/perm from the options block;
# NOTE(review): that leaves /var/log/secure world-readable with perm (0644).
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
# Filters for the local log statements, selected by facility and level.
# NOTE(review): the set looks like a translation of a stock syslog.conf. In
# syslog-ng a single level(info) or level(crit) presumably matches that one
# level only; if "that level and higher" was intended (as in syslog.conf's
# "*.info" / "news.crit"), a range such as level(info..emerg) is needed -
# confirm, otherwise notice/warning/err messages never reach d_mesg.
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
not (facility(mail)
or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
# Routing for local messages only: each statement takes s_sys, applies one
# filter and writes to one destination. Messages from the network source are
# not handled here.
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
# Remote logs: one directory per $HOST and one file per facility, with its
# own log_fifo_size.
# NOTE(review): combined with keep_hostname (yes) and create_dirs (yes), the
# directory name comes from a field the sender controls. Any host that can
# reach the UDP port can write under another client's name or make the
# loghost create new directories. Mitigations to consider: firewall the port
# to the known clients, and set keep_hostname (no) so $HOST is derived from
# the sender address rather than the message - confirm for this version.
destination remote {
file("/var/log/remote/$HOST/$FACILITY.log" log_fifo_size (12800));
};
# Network source: udp() with no arguments, so presumably the default listen
# address and port - confirm. UDP syslog is unauthenticated and unacknowledged.
source net {
udp();
};
# Everything received on the network source goes to "remote"; no filter is
# applied.
log {
source(net);
destination(remote);
};
----------------------------------------------------------------------------
--
Bob Kupiec Security/Network Administrator
Email: kupiec@ias.edu Institute for Advanced Study
Phone: 609-734-8179 Einstein Drive (A208)
Fax: 609-951-4418 Princeton, NJ 08540-4907