[syslog-ng] Lost messages

Andrew Séguin aseguo at gmail.com
Fri Dec 21 09:14:27 CET 2007


Hello,

I'm sorry if I'm missing something obvious, admittedly I've only had the
chance to quickly search through the manuals and mailing list and not read
them as deeply as I'd like to, yet.

I'm working on a project where we were considering replacing syslog to take
advantage of reliable transmission over TCP. Performance is a factor for us,
so we wrote a short program that simply loops and logs a counter and time
stamp (to avoid "last message repeated x messages"). We ran it with syslog
(saving locally to a file, and then sending remotely to another station
which is logging to file) and got some reference numbers for the hardware/OS
(Solaris 10). We then started the same test with syslog-ng. Performance
didn't get to be an issue: under the pressure of the performance test, only
some 5-600,000 lines are logged although 1,000,000 were sent!

We tried a few tweaks to the configuration file for buffering (see below),
but it hasn't helped unfortunately. Is there a way to avoid this problem?
Will we encounter this same problem on the remote host (considering the
remote/logging host is planned to be accepting messages from two servers
with a lot of traffic)?

Thanks for any tips/info!
Andrew Seguin


ps: here is the configuration file we have used...

#
# Syslog-ng example configuration file for Solaris
#
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.solaris,v 1.2 1999/11/15 12:30:41 bazsi Exp $
#
# Solaris 2.5.1 and below uses the STREAMS driver, above extends it
# with doors. For 2.5.1 remove the door() option from the source
# declaration.
#

options {
        sync (0);
        log_fifo_size (65535);
        gc_idle_threshold(30); gc_busy_threshold(3000);
};

source local { sun-streams("/dev/log" door("/etc/.syslog_door"));
internal(); };

destination all { file("/tmp/messages-ng" log_fifo_size(60000)); };

filter filter_local6 { facility(local6); };
log { source(local); filter(filter_local6); destination(all); };
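
An added example, not part of the original post: one way to quantify the loss described above is to scan the destination file for gaps in the counter sequence, which also shows whether messages go missing in contiguous bursts. It assumes each test message carries its counter as `seq=<n>` (the post does not show the test program's message format); the sample lines are constructed.

```python
import re

# Assumed format (not from the post): every test message contains "seq=<counter>".
SEQ_RE = re.compile(r"\bseq=(\d+)\b")

def missing_ranges(seen, expected):
    """Collapse counters in 0..expected-1 absent from `seen` into inclusive ranges."""
    ranges, start = [], None
    for n in range(expected):
        if n not in seen:
            if start is None:
                start = n
        elif start is not None:
            ranges.append((start, n - 1))
            start = None
    if start is not None:
        ranges.append((start, expected - 1))
    return ranges

def analyze(lines, expected):
    """Compare the counters found in `lines` with the `expected` messages sent."""
    seen, duplicates, unparsed = set(), 0, 0
    for line in lines:
        m = SEQ_RE.search(line)
        if not m:
            unparsed += 1          # e.g. "last message repeated" or internal() lines
            continue
        n = int(m.group(1))
        if n in seen:
            duplicates += 1
        seen.add(n)
    gaps = missing_ranges(seen, expected)
    lost = sum(end - start + 1 for start, end in gaps)
    return {"received": expected - lost, "lost": lost,
            "duplicates": duplicates, "unparsed": unparsed, "gaps": gaps}

# Constructed sample: 10 messages sent, counters 3-5 and 8 never reached the file.
SAMPLE = [
    "Dec 21 09:00:00 host1 logtest: seq=0 t=1198224000",
    "Dec 21 09:00:00 host1 logtest: seq=1 t=1198224000",
    "Dec 21 09:00:00 host1 logtest: seq=2 t=1198224000",
    "Dec 21 09:00:01 host1 logtest: seq=6 t=1198224001",
    "Dec 21 09:00:01 host1 logtest: seq=7 t=1198224001",
    "Dec 21 09:00:01 host1 logtest: seq=7 t=1198224001",
    "Dec 21 09:00:01 host1 last message repeated 2 times",
    "Dec 21 09:00:02 host1 logtest: seq=9 t=1198224002",
]

if __name__ == "__main__":
    print(analyze(SAMPLE, expected=10))
```

For a real run, pass the open destination file (here `/tmp/messages-ng`) as `lines` and the number of messages sent as `expected`.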