[syslog-ng] remote logging not reliable

stucky stucky101 at gmail.com
Fri Mar 10 03:56:47 CET 2006

Hey gurus

I will try 1.9.9 again when I have more time. I tried it once and it
literally killed me with stats although I had stats(0) set.
It was insane so I turned it off again. As I said when I have more time but
I was wondering whether some of the log delivery probs may have to do with
oracle rac. It seems those machines are particulary bad and a
netstat -ee reveals the great amount of open tcp connections used by
'oracle' for the cluster stuff.
I have an average of 300 lines like this in netstat -ee:

tcp        0      0 {host-vip}:1521         {host-real}:44853
ESTABLISHED oracle     1176037944

the real and VIP are on the same box. my log is stuffed of the dreaded :

Mar  9 18:51:26 {host} syslog-ng[29085]: Connection broken to
AF_INET(localhost:5000), reopening in 10 seconds

I'm thinking this box run out of sockets but I'm not too sure how to
properly ts/prove that. netstat -s seems to show
random drops but on all machines.
Would anyone have more hints on how to check whether I have to tune the
kernel for these boxes ? Sorry but this is the first time I'm digging that
deep into the stack...

PS: any chance 2.0 will include temporary message supressant code - syslog
style (the only thing I really liked about old syslog) ?

On 3/3/06, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Thu, 2006-03-02 at 16:15 -0800, stucky wrote:
> >
> > thanks for your reply ! I am already using keepalive on the server :
> >
> > tcp (ip("**********")
> >        port(5000)
> >        max-connections(1000)
> >        keep-alive(yes)); };
> >
> > It doesn't look like I can specify this option on the client though.
> > If I try something like :
> > destination loghost { tcp("*********" port(5000) keep-alive(yes)); };
> >
> > It complains about a syntax error. I have never seen an option called
> > 'tcp-keep-alive()' but I tried it without
> > luck. It always complains about a syntax error. I guess you meant
> > 'keep-alive(yes)' right ?
> tcp-keep-alive was added in 1.6.3 as I read my changelogs.
> keep-alive and tcp-keep-alive are different beasts, the first means that
> syslog-ng should keep all connections open through reloads, the second
> means to enable SO_KEEPALIVE option.
> >
> > As far as upgrading is concerned I want to but I wanted to wait till
> > 2.0 is out and stable. Any ETA ?
> It all depends on testers. Judging the feedback it is either rock solid,
> or no-one is using it. I suspect it is the latter.
> In the current situation an "it works for me" messages would help a lot,
> the first can be this very mail, as I've been using 1.9.x snapshots for
> about a year now.
> --
> Bazsi
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060309/189cd0b3/attachment.html

More information about the syslog-ng mailing list