[syslog-ng] Delay writing to files
Balazs Scheidler
bazsi at balabit.hu
Tue Dec 27 17:20:02 CET 2005
On Tue, 2005-12-27 at 06:07 -0800, Paolo Supino wrote:
> Hi
>
> I'm not sure weather the message gets written or not to the file
> eventually (there is no specific message I was able to track) so I
> cannot answer your question with absolute certainty. If I had to guess
> than I'd say it does get written to the file eventually.
> I think that the problem is in the way that syslog write the messages
> to the files. From what I read then on every message that is received
> a single write() is done. This means that each destination gets opened
> and closed repeatedly (and this was confirmed by running `fuser` on
> each of the files). On my server there are a few destinations (the ones
> that belong to the firewalls) that are so busy that they are constantly
> open or are opened/closed in such a pace that it's impossible to track
> manually. Might it be that in such a scenario messages will 1st be
> written to a destination that is already open and messages to
> destinations that are closed will wait an undefined amount of time?
syslog-ng does not reopen destination files at such a pace. It basically
opens a destination whenever there's a message to write and keeps the
file open up to the value specified by time_reap(), which is 60 seconds
by default. So busy destinations should be kept opened indefinitely,
destinations where incoming messages are rare are closed and reopened
whenever they are needed.
> Is there a way I can track what happens with a specific message in
> syslog-ng?
No, sorry.
My suspicion is that syslog-ng blocks for some reason on external
sources, the most common cases are:
1) two processes reading /proc/kmsg
2) DNS
--
Bazsi
More information about the syslog-ng
mailing list