[syslog-ng] Delay writing to files

Paolo Supino vrkid at yahoo.com
Wed Dec 28 14:42:26 CET 2005 

Hi 

  It's not necesserly a problem with syslog-ng... 
In trying to debug the problem I ran 2 concurrent captures of the
offending devices. 1 to STDOUT and one to a file. after I saw a few
lines were captured in the STDOUT capture I wanted to look at the
content of the file and see what was the content of the syslog messages
and there I encountered a problem: The capture file was still empty.
Only after I stopped the capture to the file, linux released the file
cache and wrote the lines into the file itself. This happened to me on
/tmp FS which is a 2GB shared memory (tmpfs) filesystem. The log files
(syslog-ng writes to) are located on ext3 filesystem that is 45GB in
size. Might it be that there is something tuned in the filesystem
driver that tells it to buffer the data before its flushed to the hard
drive and is the fault in the long delays of writing to log files? 

 Another thing I noticed is that the offending devices have their
clocks set to UTC while the syslog server is set to a different
timezone.... 


TIA 
Paolo 

PS - to counter what I wrote above: There are other devices that
syslog-ng does delay writing to their respective log files. 







 

--- Balazs Scheidler <bazsi at balabit.hu> wrote:

> On Tue, 2005-12-27 at 08:59 -0800, Paolo Supino wrote:
> > Hi 
> > 
> > 1. I checked weather /proc/kmsg is being read by 2 processes. It
> isn't.
> > The only process reading the file is syslog-ng (and there is only 1
> > instance of syslog-ng running).
> > 2. All systems that report to the syslog server have forward and
> > backward resolving setup. Here is the output: 
> > forward lookup: 
> > # nslookup switch-01
> > Server:         192.168.200.101
> > Address:        192.168.200.101#53
> > 
> > Name:   switch-01.company.net
> > Address: 192.168.63.1
> > 
> > backward lookup:
> > # nslookup 192.168.63.1
> > Server:         192.168.200.101
> > Address:        192.168.200.101#53
> > 
> > 1.63.168.192.in-addr.arpa name = switch-01.company.net.
> > 
> > Everything looks OK ... 
> 
> I understand that your DNS is set up correctly I was only wondering
> whether syslog-ng might block on DNS queries for some reason. I'm
> sure
> syslog-ng is doing something, either it is buffering data (because of
> sync) or is blocking on something.
> 
> -- 
> Bazsi
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at
> http://www.campin.net/syslog-ng/faq.html
> 
> 



	
		
__________________________________ 
Yahoo! for Good - Make a difference this year. 
http://brand.yahoo.com/cybergivingweek2005/

More information about the syslog-ng mailing list