[syslog-ng] Idea for streaming logs to my workstation as well as logserver

Hari Sekhon hpsekhon at googlemail.com
Mon Oct 30 20:29:55 CET 2006

I'm not entirely clear on the whole dropping thing in syslog-ng.

If messages are dropped, I take it this does not affect other
destination sources, they still get their messages, right?

Also, I remember reading on campin.net's FAQ that if the logger fills
up the global buffer due to one destination not being available, then
you effectively lose all buffering. I take it this is what will happen
to my local logger if I stop running root-tail for any reason, i.e. my X
session dies or something... Is this what you mean by dropping
messages internally? They overflow the global buffer and then are
immediately discarded if the destination can't accept them?

Which brings me to another point. How exactly do you specify different
global buffers, as recommended at the bottom of the campin.net FAQ? It
doesn't explicitly say how to do this. Does having separate
destination definitions do this or is some other configuration needed?



On 30/10/06, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Sun, 2006-10-29 at 17:19 +0000, Hari Sekhon wrote:
> > Are there any pitfalls that you can think of when doing this? I don't
> > think this will risk filling up the bit bucket on the logserver since
> > the logs are immediately sent on via udp, "spray and pray". If they
> > don't get to my workstation for any reason, no harm done, it won't
> > clog up the logserver.
> >
> > I guess the root-tail will take a bit out of my workstation having to
> > draw on the X background all the time but it's a fast machine.
> >
> > I believe that it would block my local syslog-ng on my workstation if
> > the root-tail were to stop reading from it. Which brings me to my next
> > question:
> >
> > Is it better to do
> >
> > root-tail /var/log/logstream.pipe
> >
> > or
> >
> > root-tail - < /var/log/logstream.pipe
> >
> > Since I'm not sure that the first will take the actual throughput away
> > from the pipe to stop the logger from blocking on the sending side.
> >
> > Also, this would require that my X session not be closed, otherwise
> > the root-tail wouldn't be able to run to take away the logs from the
> > other side of the pipe and the local logger would block again.
> >
> > All feedback welcome.
> Another possibility is by using the latest multicasting feature, send
> the logs to a multicast address, have your workstation joined to the
> multicast group, and use the packets sent there. If you are not joined,
> it could mean no traffic (if set up properly), if you are you receive
> messages.
> There's an example script in contrib that does the joining and receiving
> part, but it could be hacked to do what you are up to.
> On the other hand the setup you are proposing should work as well,
> syslog-ng won't block if the reader of a pipe does not read messages. It
> will simply start dropping messages internally (which you can then see
> as DROPPED messages in the stats message)
> --
> Bazsi
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

Hari Sekhon
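
The behaviour described in the quoted reply (a logger that keeps running when nothing reads the pipe, queues up to a limit, then discards and counts the excess), as an added example that is not part of this message or of syslog-ng's code. The class name, the queue bound of 100 and the `O_RDWR | O_NONBLOCK` open are assumptions of this sketch, and the log lines are constructed.

```python
import os
import tempfile
from collections import deque


class PipeDestination:
    """Hypothetical model of a logger's pipe destination (not syslog-ng code)."""

    def __init__(self, path, fifo_size=100):
        # O_RDWR lets open() succeed with no reader attached (Linux behaviour);
        # O_NONBLOCK makes a full pipe raise instead of stalling the logger.
        self.fd = os.open(path, os.O_RDWR | os.O_NONBLOCK)
        self.queue = deque()
        self.fifo_size = fifo_size  # assumed bound on queued messages
        self.dropped = 0            # the count a stats line would report

    def flush(self):
        while self.queue:
            try:
                # Lines shorter than PIPE_BUF are written whole or not at all.
                os.write(self.fd, self.queue[0])
            except BlockingIOError:
                return              # kernel pipe buffer full: reader absent or slow
            self.queue.popleft()

    def send(self, msg):
        self.flush()                # drain the backlog first if the reader caught up
        if len(self.queue) >= self.fifo_size:
            self.dropped += 1       # queue full: discard rather than block
            return
        self.queue.append(msg)
        self.flush()


def demo(n=5000, fifo_size=100):
    """Send n constructed messages to a FIFO that nobody reads."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "logstream.pipe")
        os.mkfifo(path)
        dest = PipeDestination(path, fifo_size)
        for i in range(n):
            dest.send(b"<13>Oct 30 20:29:55 ws test: constructed message %05d\n" % i)
        # A reader attaching late gets the oldest lines; the newest were dropped.
        first = os.read(dest.fd, 4096).split(b"\n")[0]
        os.close(dest.fd)
        return len(dest.queue), dest.dropped, first


if __name__ == "__main__":
    print(demo())
```

A non-zero drop count here means the pipe view has gaps, which is why the copy on the logserver, not the workstation stream, should be treated as the record.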
