[syslog-ng]missing 33% of syslog messages

Hamilton, Andrew Andrew.Hamilton@afccc.af.mil
Thu, 19 Sep 2002 12:47:25 -0400


Bob,

Have you checked to see that the messages are getting to the loghost?  On a
busy network it is possible to lose a number of packets.  With UDP you never
know.  You could use a network sniffer to find out.  Something else you
might try is raising sync some.  If you are getting a ton of messages you
might be getting lost in I/O somewhere.  sync(0) writes immediately so you
might crank it up a little to get some buffering going.  You might have to
play around with some of the options to get it to work with your
configuration.  I believe that stats are where you have the internal source
going.  It is just a line in the file I think.

Regards,
Drew

-----Original Message-----
From: Bob Kupiec [mailto:kupiec@ias.edu]
Sent: Thursday, September 19, 2002 12:25 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]missing 33% of syslog messages



I'm running syslog-ng 1.4.14 on Linux.  This server is a loghost for
all my syslog clients.  It's got plenty of cpu, memory, disk, and
bandwidth.  The servers that it's accepting logs from are on the same
switch as the loghost.

That said, I'm losing about 33% of my syslog messages from each client.
I tried 1.5.20 with slightly worse results.  All the clients are UDP,
and need to stay that way.

There are times when minutes go by without recording anything from the
clients.

Also, where are the "stats" recorded to?

Here is my config:

----------------------------------------------------------------------------
options { sync (0);
          time_reopen (10);
          # Increased buffer size to 50*256 (50 hosts). -rjk
          log_fifo_size (12800);
          long_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (yes);
          keep_hostname (yes);
          stats (600);
          owner (root);
          group (syslog);
          perm (0644);
          dir_owner (root);
          dir_group (syslog);
          dir_perm (0755);
        };

source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: "));
               unix-stream ("/dev/log"); internal(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };

filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

destination remote {
        file("/var/log/remote/$HOST/$FACILITY.log" log_fifo_size (12800));
};
source net {
        udp();
};
log {
        source(net);
        destination(remote);
};

----------------------------------------------------------------------------

-- 
       Bob Kupiec                     Security/Network Administrator
  Email: kupiec@ias.edu                Institute for Advanced Study
   Phone: 609-734-8179                    Einstein Drive (A208)
    Fax: 609-951-4418                   Princeton, NJ 08540-4907
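
To follow up on the question at the top of the thread (are the datagrams reaching the loghost, or being lost after they arrive), one check is to compare two snapshots of the kernel's UDP counters on the loghost. This is an added example, not code from either poster or from syslog-ng; it assumes a Linux loghost exposing /proc/net/snmp with the InDatagrams, InErrors and RcvbufErrors fields, and the snapshots embedded in it are constructed sample data.

```python
"""Estimate kernel-side UDP loss on a Linux loghost from /proc/net/snmp."""

# Constructed snapshots (not real data) in /proc/net/snmp layout.
SAMPLE_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100000 12 0 340 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
UdpLite: 0 0 0 0 0 0
"""
SAMPLE_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 102000 12 1000 352 1000 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
UdpLite: 0 0 0 0 0 0
"""


def parse_udp_counters(snmp_text):
    """Return the 'Udp:' header/value line pair as a dict of name -> int."""
    rows = [line.split()[1:] for line in snmp_text.splitlines()
            if line.startswith("Udp:")]          # does not match 'UdpLite:'
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp: header line and one value line")
    names, values = rows
    return dict(zip(names, map(int, values)))


def udp_loss(before, after):
    """Compare two snapshots; counters are host-wide, not per socket."""
    delivered = after["InDatagrams"] - before["InDatagrams"]
    errors = after["InErrors"] - before["InErrors"]
    # Assumption: on Linux a full socket buffer bumps both RcvbufErrors
    # and InErrors, so InErrors is the total and RcvbufErrors a subset.
    rcvbuf = after.get("RcvbufErrors", 0) - before.get("RcvbufErrors", 0)
    if min(delivered, errors, rcvbuf) < 0:
        raise ValueError("counter went backwards (reboot or wrap)")
    arrived = delivered + errors
    pct = round(100.0 * errors / arrived, 1) if arrived else 0.0
    return {"delivered": delivered, "dropped": errors,
            "rcvbuf_dropped": rcvbuf, "loss_pct": pct}


def read_snapshot(path="/proc/net/snmp"):
    """Take a live snapshot on the loghost."""
    with open(path) as fh:
        return parse_udp_counters(fh.read())


if __name__ == "__main__":
    print(udp_loss(parse_udp_counters(SAMPLE_BEFORE),
                   parse_udp_counters(SAMPLE_AFTER)))
```

If "dropped" stays at zero while the clients sent more than was logged, the datagrams never reached the host's UDP stack and a capture on the wire is the next step; a rising "rcvbuf_dropped" means they arrived but the receiving process did not read them in time.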
