[syslog-ng] STATS: dropped with version 1.6.8 under rh el4

Nate Campi nate at campin.net
Wed Aug 17 00:56:57 CEST 2005


Dude NO! You're ignoring errors, not what I'd recommend. A destination
is backing up, perhaps a pipe or TCP destination (your d_cic or d_tcp
destinations would be suspect - start with the pipe).

OBTW, sorry for the top post.

On Wed, Aug 10, 2005 at 09:48:59AM -0400, Ken Garland wrote:
> Yes, receiving those lines is annoying and I drop this line into the 
> client syslog-ng.conf:
> 
> filter f_syslog { not facility(auth, authpriv, kern) and 
>                  not match("STATS: dropped 0"); };
> 
> 
> Then just use that filter in your log line.
> 
> - Ken
> 
> Stephan Hendl wrote:
> 
> >Hi all,
> >
> >recently I upgraded one of my central syslog servers from hpux to redhat 
> >el4 with syslog-ng-1.6.8-1 and get from time to time messages like
> >
> >Aug 10 11:43:57 pns1 syslog-ng[10542]: STATS: dropped 19
> >Aug 10 11:48:57 pns1 syslog-ng[10542]: STATS: dropped 45
> >Aug 10 11:53:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 11:58:57 pns1 syslog-ng[10542]: STATS: dropped 36
> >Aug 10 12:03:57 pns1 syslog-ng[10542]: STATS: dropped 7
> >Aug 10 12:08:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:13:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:18:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:23:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:28:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:33:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:38:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:43:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 12:48:57 pns1 syslog-ng[10542]: STATS: dropped 37
> >Aug 10 12:53:57 pns1 syslog-ng[10542]: STATS: dropped 52
> >Aug 10 12:58:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 13:03:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 13:08:57 pns1 syslog-ng[10542]: STATS: dropped 51
> >Aug 10 13:13:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 13:18:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 13:23:57 pns1 syslog-ng[10542]: STATS: dropped 11
> >Aug 10 13:28:57 pns1 syslog-ng[10542]: STATS: dropped 1
> >Aug 10 13:33:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >Aug 10 13:38:57 pns1 syslog-ng[10542]: STATS: dropped 0
> >
> >There are 5 servers who are sending their syslog messages via tcp an one 2 
> >servers who are sending via udp to that central server. The load of the 
> >machine (2xXenon CPU, 3 GHz, 1 GB RAM) is really low. For revision purposes 
> >(maillogdata) I have to keep _all_ syslog lines!!! What can I change in 
> >order to avoid dropped lines?
> >
> >Stephan
> >
> >top - 15:39:06 up 36 days,  1:49,  2 users,  load average: 0.10, 0.09, 0.04
> >Tasks: 194 total,   1 running, 193 sleeping,   0 stopped,   0 zombie
> >Cpu(s):  0.3% us,  0.2% sy,  0.0% ni, 99.2% id,  0.4% wa,  0.0% hi,  0.0% si
> >Mem:   1034692k total,  1018520k used,    16172k free,   141372k buffers
> >Swap:  2096440k total,      144k used,  2096296k free,   602228k cached
> >
> > PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> > 690 root      16   0 43644 4784 2180 S  0.7  0.5 129:42.96 nco_p_syslog
> > 779 root      16   0 43644 4784 2180 S  0.3  0.5 254:33.32 nco_p_syslog
> >10542 root      15   0  1876 1048  776 S  0.3  0.1   6:59.31 syslog-ng
> >   1 root      16   0  3236  548  472 S  0.0  0.1   0:00.96 init
> >   2 root      RT   0     0    0    0 S  0.0  0.0   0:04.37 migration/0
> >   3 root      34  19     0    0    0 S  0.0  0.0   0:00.06 ksoftirqd/0
> >   4 root      RT   0     0    0    0 S  0.0  0.0   0:03.11 migration/1
> >   5 root      34  19     0    0    0 S  0.0  0.0   0:00.02 ksoftirqd/1
> >
> >My syslog-ng.conf looks like:
> >
> >root at pns1:~# vi /etc/syslog-ng/syslog-ng.conf
> ># syslog-ng configuration file.
> >#
> ># This should behave pretty much like the original syslog on RedHat Linux 9.
> ># But it could be configured a lot smarter.
> >#
> ># See syslog-ng(8) and syslog-ng.conf(5) for more information.
> >
> >options {sync (0);
> >        time_reopen (10);
> >        long_hostnames (off);
> >        use_dns (yes);
> >        use_fqdn (no);
> >        create_dirs (no);
> >        keep_hostname (yes);
> >        stats (300);
> >};
> >
> >source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream 
> >("/dev/log"); internal(); };
> >source s_tcp { tcp(ip(a.b.c.d) port(10514) keep-alive(no)); };
> >source s_udp { udp(ip(a.b.c.d) port(514)); };
> >
> ># Log all kernel messages to the console.
> ># Logging much else clutters up the screen.
> >#destination    d_cons  { file("/dev/console"); };
> >#filter         f_cons  { facility(kern); };
> >#log { source(s_sys); filter(f_cons); destination(d_cons); };
> >
> ># Log anything (except mail) of level info or higher.
> ># Don't log private authentication messages!
> >destination     d_mesg  { file("/var/log/messages"); };
> >filter          f_mesg  { not facility(mail,news,authpriv,cron) and 
> >level(emerg..info); };
> >log { source(s_sys); filter(f_mesg); destination(d_mesg); };
> >
> ># The authpriv file has restricted access.
> >destination     d_auth  { file("/var/log/secure"); };
> >filter          f_auth  { facility(authpriv); };
> >log { source(s_sys); filter(f_auth); destination(d_auth); };
> >
> ># Log all the mail messages in one place.
> >destination     d_mail  { file("/var/log/maillog" template( "$DATE $HOST $MESSAGE\n")); };
> >filter          f_mail  { facility(mail); };
> >log { source(s_sys); filter(f_mail); destination(d_mail); };
> >
> ># Log cron stuff.
> >destination     d_cron  { file("/var/log/cron"); };
> >filter          f_cron  { facility(cron); };
> >log { source(s_sys); filter(f_cron); destination(d_cron); };
> >
> ># Everybody gets emergency messages.
> >destination     d_mlal  { usertty("*"); };
> >filter          f_mlal  { level(emerg); };
> >log { source(s_sys); filter(f_mlal); destination(d_mlal); };
> >
> ># Save news errors of level crit and higher in a special file.
> >destination     d_spol  { file("/var/log/spooler"); };
> >filter          f_spol  {facility(uucp) or facility(news) and 
> >level(emerg..crit); };
> >log { source(s_sys); filter(f_spol); destination(d_spol); };
> >
> ># Save boot messages also to boot.log.
> >destination     d_boot  { file("/var/log/boot.log"); };
> >filter          f_boot  { facility(local7); };
> >log { source(s_sys); filter(f_boot); destination(d_boot); };
> >
> ># Save all messages to syslog.lvnbb.de
> >destination     d_tcp   { tcp("localhost" port(10514)); };
> >log { source(s_sys); destination(d_tcp); };
> >log { source(s_tcp); destination(d_tcp); };
> >log { source(s_udp); destination(d_tcp); };
> >
> ># Save all messages to pipe /tmp/cic.pipe
> >destination     d_cic   { pipe("/tmp/cic.pipe" owner("root") group("root") 
> >perm(0640) template("$DATE $HOST $MESSAGE\n") template-escape(yes)); };
> >log { source(s_sys); destination(d_cic); };
> >log { source(s_tcp); destination(d_cic); };
> >log { source(s_udp); destination(d_cic); };
> >
> >_______________________________________________
> >syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> >https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

-- 
Nate

You can have cheap, fast, or good: pick two.
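
An added example, not part of the original message or of syslog-ng: rather than filtering the STATS lines away, a small Python audit that reads them and reports each window in which messages were lost, plus any gap where a STATS report itself failed to arrive. The sample lines are constructed in the format quoted above; the 300-second interval comes from stats(300) in the quoted config, while the slack value, the year and the per-interval reading of the counter are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread (not the poster's real data).
SAMPLE = """\
Aug 10 11:43:57 pns1 syslog-ng[10542]: STATS: dropped 19
Aug 10 11:48:57 pns1 syslog-ng[10542]: STATS: dropped 45
Aug 10 11:53:57 pns1 syslog-ng[10542]: STATS: dropped 0
Aug 10 12:08:57 pns1 syslog-ng[10542]: STATS: dropped 0
Aug 10 12:13:57 pns1 sshd[2211]: Accepted publickey for root
Aug 10 12:13:57 pns1 syslog-ng[10542]: STATS: dropped 7
"""

STATS_RE = re.compile(
    r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) syslog-ng\[\d+\]: STATS: dropped (\d+)\s*$"
)


def audit_drops(text, interval=300, slack=30, year=2005):
    """Return (loss_windows, missing_reports, total_dropped).

    interval matches stats(300) in the quoted config; slack and year are
    assumptions (classic syslog timestamps carry no year).
    """
    last_seen = {}
    loss, missing, total = [], [], 0
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if not m:
            continue  # not a syslog-ng STATS report
        stamp, host, count = m.group(1), m.group(2), int(m.group(3))
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        prev = last_seen.get(host)
        # A report that never arrived is itself a finding: the daemon was
        # restarted, or the STATS lines are being filtered out upstream.
        if prev is not None and (ts - prev).total_seconds() > interval + slack:
            missing.append((host, prev, ts))
        if count:
            # Assumption: the counter covers the stats() period ending here.
            loss.append((host, ts - timedelta(seconds=interval), ts, count))
            total += count
        last_seen[host] = ts
    return loss, missing, total


if __name__ == "__main__":
    loss, missing, total = audit_drops(SAMPLE)
    for host, start, end, count in loss:
        print(f"{host}: {count} messages lost between {start} and {end}")
    for host, prev, cur in missing:
        print(f"{host}: no STATS report between {prev} and {cur}")
    print(f"total dropped: {total}")
```
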


