[syslog-ng] Delay writing to files
Paolo Supino
vrkid at yahoo.com
Tue Dec 27 17:59:14 CET 2005
Hi
1. I checked whether /proc/kmsg is being read by 2 processes. It isn't.
The only process reading the file is syslog-ng (and there is only 1
instance of syslog-ng running).
2. All systems that report to the syslog server have forward and
backward resolving set up. Here is the output:
forward lookup:
# nslookup switch-01
Server: 192.168.200.101
Address: 192.168.200.101#53
Name: switch-01.company.net
Address: 192.168.63.1
backward lookup:
# nslookup 192.168.63.1
Server: 192.168.200.101
Address: 192.168.200.101#53
1.63.168.192.in-addr.arpa name = switch-01.company.net.
Everything looks OK ...
TIA
Paolo
--- Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Tue, 2005-12-27 at 06:07 -0800, Paolo Supino wrote:
> > Hi
> >
> > I'm not sure whether the message gets written or not to the file
> > eventually (there is no specific message I was able to track) so I
> > cannot answer your question with absolute certainty. If I had to guess
> > then I'd say it does get written to the file eventually.
> > I think that the problem is in the way that syslog writes the messages
> > to the files. From what I read then on every message that is received
> > a single write() is done. This means that each destination gets opened
> > and closed repeatedly (and this was confirmed by running `fuser` on
> > each of the files). On my server there are a few destinations (the ones
> > that belong to the firewalls) that are so busy that they are constantly
> > open or are opened/closed at such a pace that it's impossible to track
> > manually. Might it be that in such a scenario messages will 1st be
> > written to a destination that is already open and messages to
> > destinations that are closed will wait an undefined amount of time?
>
>
> syslog-ng does not reopen destination files at such a pace. It basically
> opens a destination whenever there's a message to write and keeps the
> file open up to the value specified by time_reap(), which is 60 seconds
> by default. So busy destinations should be kept opened indefinitely,
> destinations where incoming messages are rare are closed and reopened
> whenever they are needed.
>
> > Is there a way I can track what happens with a specific message in
> > syslog-ng?
>
> No, sorry.
>
> My suspicion is that syslog-ng blocks for some reason on external
> sources, the most common cases are:
>
> 1) two processes reading /proc/kmsg
> 2) DNS
>
> --
> Bazsi
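The two checks discussed in this thread (more than one process reading /proc/kmsg, and DNS lookups that stall), as an added Python example that is not part of the original messages or of syslog-ng. It also times the reverse-then-forward lookup, which nslookup output alone does not show; the `proc_root`, `reverse`, `forward` and `clock` parameters are hypothetical hooks so the functions can be exercised offline.

```python
import os
import socket
import time


def kmsg_readers(proc_root="/proc", target="/proc/kmsg"):
    """Return sorted PIDs that hold `target` open (run as root to see all processes)."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or not permitted to look
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(entry))
                    break
            except OSError:              # descriptor closed while we were scanning
                continue
    return sorted(pids)


def dns_round_trip(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname,
                   clock=time.monotonic):
    """Reverse-resolve ip, forward-resolve the resulting name, and time both lookups.

    Returns (name, consistent, seconds); name is None if a lookup fails.
    """
    start = clock()
    try:
        name = reverse(ip)[0]
        consistent = forward(name) == ip
    except OSError:                      # socket.herror and socket.gaierror are OSErrors
        name, consistent = None, False
    return name, consistent, clock() - start


if __name__ == "__main__":
    print("processes holding /proc/kmsg open:", kmsg_readers())
    # 192.168.63.1 is the switch address from the nslookup output in the message
    name, ok, secs = dns_round_trip("192.168.63.1")
    print(f"192.168.63.1 -> {name} consistent={ok} took {secs:.3f}s")
```

A result with more than one PID, or a lookup that is consistent but takes seconds rather than milliseconds, points at the two blocking causes named in the reply.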