[syslog-ng] clustering syslog-ng

[John.Dickinson at nominet.org.uk]

Hi,

I am trying to setup a clustered syslog server using polyserve, syslog-ng 
(1.6.8) and stunnel. Log messages are sent using TCP for reliability.

I am testing the setup by generating 10 messages per second on a client. 
The messages are numbered so that I can see if any are missing. 

Logging is working but when I force the syslog service to fail over to a 
different node in the cluster I lose messages. From what I have read on 
these lists I would expect syslog-ng 1.6.8 to lose one message when it 
finds that the first server has failed but should queue the rest until the 
service returns on the other node. However I am losing around 200 
messages.

This part of the client config 

destination d_log_server { tcp ("127.0.0.1" port (514) tcp-keep-alive(yes) 
log_fifo_size(10000)); };
log { source (s_local); filter (f_local7_info); destination 
(d_log_server); }; 

and the server
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_ext { tcp(ip(127.0.0.1) port(514) tcp-keep-alive(yes)); }; 

destination d_dev1 { file("/logs/dev1.log"); };

log { source(s_ext); destination(d_dev1); };

This stunnel config is the same as the example on the stunnel web site.

Any ideas? I know it is only beta but would I be better off using 
syslog-ng 1.9? I realise that I could do this without the clustering and 
just send all the messages to both servers but this way I have no 
duplication of logs.

Thanks
John