[syslog-ng] Re: Reliable tcp logging

Peter Daum gator_ml at yahoo.de
Thu May 12 10:48:12 CEST 2005


Roberto Nibali wrote:
>> Well, yes, it is exactly the same issue and it is indeed only one line
>> that gets lost (which in my case, where typically every host sends about
>> 1 line/hour does not really make a difference).
> 
> 
> You mean 1 line/hour that is lost, right?

I guess, my description was ambiguous.
My problem is _not_ excessive packet loss because syslog-ng couldn't handle
the volume but really just the contrary: Per host there is typically maybe
than one line/hour and if that line gets lost, this is a significant
percentage.

I have a "classical" loghost to which all kinds of machinery send their log
messages via udp. That loghost runs syslog-ng and sorts all the messages
neatly into different files. I didn't systematically investigate, but I
don't have any reason to believe that much gets lost. Because everything
works so nicely (I switched to syslog-ng fairly recently and am very
thrilled; my thanks to everybody who contributed to it:-), I decided to
extend the central logging:

There is a bunch of server machines, which maintain their own local
logfiles and in general this is fine. What I am trying to do now, is
collect (in addition to the "normal" logging) everything that is important
enough to require immediate attention in one location at the loghost.

For this, I switched completely to syslog-ng and configured all boxes to
forward everything beyond a certain priority via tcp to the loghost.
Because I am still fine-tuning the setup (weeding out messages that are
sent with a far too high priority), I occasionally have to reload the
configuration (which also results in all network connections being
dropped). This is where I discovered, that if the loghost is restarted
for any reason, it takes up to 2 hours for the clients to notice and if
they try to send anything during this time it is lost. In my case this
is fatal because the whole idea is to normally only watch one log file
and rely on everything important showing up there.

I guess, for me currently the best option would be to switch to udp
instead (maybe on a different port to keep the important stuff separate
from printers telling about being out of paper), or get really daring
and try 1.9.x ...

Regards and Thanks,
                      Peter Daum
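
An added illustration, not part of the message above and not syslog-ng code: this Python sketch reproduces on loopback the failure described, where the first line written after the loghost has dropped the connection is accepted locally and lost, and shows a check a sender can run before writing. The helper names (`peer_closed`, `demo`) and the sample log lines are constructed for this example, and it covers only the case where the loghost closes the connection cleanly, as on a reload.

```python
import select
import socket
import time


def peer_closed(sock):
    """Return True if the peer has closed an otherwise idle connection.

    A log sender never expects data back, so a readable socket that
    yields zero bytes (EOF) or an error means the loghost went away.
    """
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return False
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""
    except OSError:
        return True


def demo():
    # Stand-in loghost listening on an ephemeral loopback port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()

    # The loghost drops the connection (e.g. on a reload).
    server_side.close()
    listener.close()
    time.sleep(0.2)  # let the FIN reach the client

    detected = peer_closed(client)  # what a checking sender would see

    # A sender that only writes: the first line is accepted by the local
    # kernel although nobody will read it; only the next write fails.
    results = []
    for line in (b"<130>constructed line 1\n", b"<130>constructed line 2\n"):
        try:
            client.sendall(line)
            results.append("accepted")
        except OSError:
            results.append("error")
        time.sleep(0.2)  # let the peer's RST arrive
    client.close()
    return detected, results
```
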


