[syslog-ng] Stats dropped

Hari Sekhon hpsekhon at googlemail.com
Thu Feb 1 19:03:51 CET 2007


Hi,
   I've just been through a couple of threads on this, one from a couple 
of years back and one from last year. I am having the same issue with 
logs being dropped. Obviously to maintain the integrity of my audit 
trail I'd like to limit/stop this. Most of the stats are 0 (which are 
printed every 12 hours). Here is the entire config, which is exactly the 
same on all syslog clients:

options {
        chain_hostnames(off);
        sync(0);
        stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
destination net { tcp("x.x.x.x" port(xxx)); };
log { source(src); destination(messages); };
log { source(src); destination(net); };


Most of the time the dropped stats are 0 but sometimes they are 3000 or 
so and occasionally 20000-50000! Usually this happens on the mail server 
or the log server which are both heavily used machines.

One of the destinations is obviously backing up, likely the tcp 
destination for the mail server. On the logserver I already have 
log_fifo_size(20000); to try to alleviate this. I would have thought 
this was reasonable. I don't think this increases memory consumption too 
much either, at least not by today's standards, the server has the 
nominal 1 GB of RAM.

Should I increase this on the server and add it to the agents too?

I think this would allow a large buffer to hopefully stop this 
altogether (unless of course the thing goes over the 20000 or whatever). 
Perhaps I should set log_fifo_size to 50000?


Any recommendations or feedback on this?

Thanks

--
Hari Sekhon
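
Added example, not part of the original post: a small Python check that pulls the dropped counters out of syslog-ng's periodic statistics messages, so that a non-zero value raises an alert instead of being noticed by hand. The two message layouts, the host names and the numbers are constructed assumptions; adjust the patterns to what your syslog-ng version actually writes.

```python
import re

# Constructed sample lines (not from the post). Two layouts are assumed:
# one global "STATS: dropped N" counter, and per-destination counters in a
# "Log statistics; dropped='dest=N', ..." message.
SAMPLE = """\
Feb  1 07:00:00 mail1 syslog-ng[812]: STATS: dropped 0
Feb  1 19:00:00 mail1 syslog-ng[812]: STATS: dropped 3127
Feb  1 19:00:00 log1 syslog-ng[455]: Log statistics; dropped='tcp(AF_INET(192.0.2.10:514))=20413', dropped='file(/var/log/messages)=0', processed='center(queued)=91822'
Feb  1 19:00:01 log1 sshd[990]: dropped connection from 192.0.2.77
"""

# Only lines written by syslog-ng itself are considered; other programs that
# happen to log the word "dropped" are ignored.
HEADER = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+syslog-ng\[\d+\]:\s+(?P<body>.*)$"
)
SINGLE = re.compile(r"^STATS: dropped (\d+)$")
PER_DEST = re.compile(r"dropped='([^']*)=(\d+)'")


def parse_drops(text):
    """Return (host, destination, dropped) for every statistics line."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        host, body = m.group("host"), m.group("body")
        single = SINGLE.match(body)
        if single:
            # Global counter: no destination name available, use "*".
            out.append((host, "*", int(single.group(1))))
        elif body.startswith("Log statistics;"):
            for dest, count in PER_DEST.findall(body):
                out.append((host, dest, int(count)))
    return out


def alerts(text, threshold=0):
    """Statistics entries whose dropped count exceeds the threshold."""
    return [rec for rec in parse_drops(text) if rec[2] > threshold]


if __name__ == "__main__":
    for host, dest, dropped in alerts(SAMPLE):
        print(f"{host}: {dropped} messages dropped for destination {dest}")
```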


