[syslog-ng] Syslog-ng 1.6.9 just stops...
Andreoli, Tony A. USNUNK NAVAIR B1490, R215
tony.andreoli at navy.mil
Wed Mar 1 22:16:42 CET 2006
I had klogd off already, but this got me thinking about something else.
My config file's sources are:
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream
("/dev/log"); udp(); internal(); };
source t_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream
("/dev/log"); tcp(); internal(); };
Could it be that both sources, attempting to read /proc/kmsg and
/dev/log (and internal()?) are causing this?
Thanks a lot!
Tony
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs
Scheidler
Sent: Wednesday, March 01, 2006 15:25
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng 1.6.9 just stops...
On Wed, 2006-03-01 at 10:01 -0500, Andreoli, Tony A. USNUNK NAVAIR
B1490, R215 wrote:
> I'm using 1.6.9 (upgraded from 1.6.6 because I was seeing the same
> problem). I have it running on 8 different servers at different
> locations, some are SMP, some aren't. On these hosts, we have
> anywhere from 2 to 14 devices logging to the servers, some via
> 514/tcp, others via 514/udp. All of the loggers typically sit with a
> load average < 1 (usually not even registering), and a cpu idle of
> 99%. 7 of these remote loggers also log to our local machine, but
> only 5 lines every 2 minutes (for stats).
>
> What I've noticed (and I've seen this on all of them at one time or
> another), is that syslog-ng just stops. ps shows it running, but the
> log file (/logs/messages) never changes. If I tcpdump on the
> interface that it's listening on, I see traffic, and it seems that the
> act of tcpdumping causes the log file to start to grow again, then a
> little while later, it may stop again. It's sporadic though, on one
> of my systems, it hasn't done it in over 2 months, on another, it's
> done it 3 times today.
>
> I've pulled out my last hair and still haven't come any closer to a
> solution. I've recompiled the source, loaded 3 different versions,
> etc. The only thing common is that all of these systems are running
> RHEL3.
Don't you happen to read /proc/kmsg by both syslog-ng and klogd ? That
is a known bad situation and the symptoms are exactly what you describe.
(poll indicates readability but by the time syslog-ng gets to read the
file the data has already been read)
This is documented in the FAQ as well.
--
Bazsi
_______________________________________________
syslog-ng maillist - syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
More information about the syslog-ng
mailing list