[syslog-ng]Some device doesn't write to file

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 27 Oct 2003 12:28:12 +0100


On Mon, Oct 27, 2003 at 05:42:21PM +0800, Santa Lau wrote:
> 
> Well. The ipchains/iptables has all been disabled. Is there any other
> locations which I should pay attention?

If syslog-ng does not receive messages via recvfrom, but the box receives
them, it can mean many things:

1) the packet filter drops packets
2) rp_filter drops packets
3) the destination IP is not local
4) the IP is local but syslog-ng listens on a different IP
5) the port is not correct
6) the UDP receive buffer overflows

The first four cases are easy to confirm: please check that the packet
headers as seen in tcpdump are destined to the box and that syslog-ng listens
on the correct interface/port (check via netstat -an).

Can you see ICMP port unreachables as you receive messages?

The last case is also possible, though I'm a bit skeptical as you told me that
only specific hosts are missing from the log files. Check the recvq column
in the netstat -an output. If this recvq value is never 0 you should
increase the receive buffer size by increasing the values in
/proc/sys/net/core/rmem_default and
/proc/sys/net/core/rmem_max

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
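
An added example, not part of the original message: a shell helper that reads `netstat -an` output and reports which of cases 4, 5 and 6 from the list above applies to a given destination IP and port. The function names, the sample netstat output and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (addresses are documentation IPs).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp    65412      0 192.0.2.10:514          0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# check_udp_listener DEST_IP PORT   (reads netstat -an output on stdin)
# DEST_IP is the destination address seen in tcpdump. Prints one verdict:
#   no-listener       no UDP socket on PORT                    (case 5)
#   wrong-address A   PORT is bound, but only on address A     (case 4)
#   backlog N         socket matches, N bytes queued in Recv-Q (case 6)
#   ok                socket matches and Recv-Q is 0
check_udp_listener() {
    awk -v ip="$1" -v port="$2" '
        $1 ~ /^udp/ {
            n = split($4, part, ":")            # field 4 is Local Address
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            seen = addr
            if (addr == ip || addr == "0.0.0.0" || addr == "::") {
                found = 1; recvq = $2 + 0
            }
        }
        END {
            if (found && recvq > 0) print "backlog " recvq
            else if (found)         print "ok"
            else if (seen != "")    print "wrong-address " seen
            else                    print "no-listener"
        }'
}

# Print the kernel receive-buffer settings named in the message (Linux only).
show_rmem() {
    for f in /proc/sys/net/core/rmem_default /proc/sys/net/core/rmem_max; do
        if [ -r "$f" ]; then printf '%s = %s\n' "$f" "$(cat "$f")"; fi
    done
}

# Run against the sample; on a live box use: netstat -an | check_udp_listener IP PORT
printf '%s\n' "$SAMPLE" | check_udp_listener 192.0.2.10 514
show_rmem
```

A single `backlog` result is only a snapshot; the message's criterion is a Recv-Q that is never 0, so repeat the check several times while traffic is arriving before raising the buffer sizes.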