[syslog-ng] lost messages with follow_freq()?
Joe Shaw
joe at joeshaw.org
Tue Aug 19 21:21:05 CEST 2008
Hi,
I'm trying to use the follow_freq() option to tail a growing log file,
but not all of the messages are making it from the source end to the
destination end. However, according to the statistics, no messages
are dropped. I am using syslog-ng 2.0.9.
The file on the source side looks like this:
-rw-r--r-- 1 jshaw ita 251M Aug 19 15:07 dump-file
and is growing rather rapidly. (It is basically being created by
replaying another stored log file.) At this same point on the
destination side, this is the corresponding file:
-rw-r--r-- 1 root root 30M Aug 19 15:07 syslog-messages
And doing a diff on those files does show large missing chunks from
this file.
The source's statistics say that nothing has been dropped:
Aug 19 15:07:45 source-host syslog-ng[18574]: Log statistics;
dropped='tcp(AF_INET(10.1.73.18:2000))=0',
processed='center(queued)=303967',
processed='center(received)=304017',
processed='destination(d_file)=6',
processed='destination(d_remote)=303961',
processed='source(s_sys)=56',
processed='source(s_internal)=6',
processed='source(s_file)=303955'
And on the destination side:
Aug 19 15:08:04 dest-host syslog-ng[21023]: Log statistics;
processed='center(queued)=318524',
processed='center(received)=318521',
processed='destination(d_file)=318521',
processed='destination(d_stats)=3',
processed='source(s_tcp)=318518',
processed='source(s_internal)=3'
The source syslog-ng.conf file looks like this:
options {
    sync(0);
    time_reopen(10);
    log_fifo_size(1000);
    long_hostnames(off);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(no);
    keep_hostname(yes);
    use_time_recvd(no);
    log_msg_size(65536);
    stats_freq(180);
};

source s_internal {
    internal();
};

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
};

source s_file {
    file("/ita/dump-file" follow_freq(1) flags(no-parse));
};

# Local destination for statistics
destination d_file { file("/ita/syslog-messages" perm(0644)); };

# Remote destination
destination d_remote { tcp("dest-host" port(2000)); };

# Send stats locally
log { source(s_internal); destination(d_file); };

# Send everything remotely
log { source(s_internal); source(s_file); destination(d_remote); };
(Yes, the s_sys source is unused.)
On the destination side:
options {
    sync(0);
    time_reopen(10);
    log_fifo_size(1000);
    long_hostnames(off);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(no);
    keep_hostname(yes);
    use_time_recvd(no);
    log_msg_size(65536);
    stats_freq(180);
};

# Remote source
source s_tcp {
    tcp(port(2000) log-fetch-limit(128) max-connections(1000));
};

# syslog-ng statistics
source s_internal {
    internal();
};

destination d_file {
    file("/ita/syslog-messages" perm(0644) log_fifo_size(100));
};

destination d_stats {
    file("/ita/syslog-stats" perm(0644));
};

# Save stats separately
log { source(s_internal); destination(d_stats); };

# Take all remote data and save it locally
log { source(s_tcp); source(s_internal); destination(d_file); };
Any ideas what might be going on, or how to analyze this further?
Thanks,
Joe