[syslog-ng] syslog-ng client messages delayed
Balazs Scheidler
bazsi at balabit.hu
Fri Mar 28 08:50:58 CET 2008
On Thu, 2008-03-27 at 09:08 -0700, Evan Rempel wrote:
> mark peters wrote:
> > Hi,
> >
> > We are running into an issue where syslog-ng clients who
> > are configured to forward to a central syslog-ng
> > destination server that are reasonably chatty are getting
> > their messages delayed at the source (i.e. 'tcpdump'ing the
> > client shows it is sending messages from N minutes ago,
> > where N is anything from 5 to 60 minutes on average
> > sometimes more). We have also seen a small percentage of
> > loss at the destination.
>
> Some applications syslog with an incorrect time.
> We are currently working with sendmail logging some messages exactly 1 hour old.
> They log it at the correct time, but with an hour old timestamp.
>
> We saw OpenSSH log with a time of 7 hours in the future (I think it logged UTC native
> time rather than our time zone).
>
> If you can, try to associate the "wrong time" messages with a process ID or something
> that you can confirm is logging the messages at the correct time. By ignoring the
> time on the syslog messages, you can see that the chronology of the messages is correct,
> then you can deduce that the application is logging the wrong time.
If this is indeed true, you could perhaps use the received timestamp
instead of the one in the message. This way you don't have to trust the
time generated by applications.
--
Bazsi
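
The comparison discussed in this thread (message timestamp versus receive time, grouped by sending program) can be run offline over collected logs. The following is an added example, not part of the original thread or of syslog-ng. It assumes each line holds the receive time and the message's own time as epoch seconds (for instance written with syslog-ng's R_UNIXTIME and S_UNIXTIME macros), then host and program; the sample data, thresholds and function name are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: "<receive epoch> <message epoch> <host> <program>"
SAMPLE = """\
1206690000 1206686400 mx1 sendmail
1206690060 1206686460 mx1 sendmail
1206690120 1206686520 mx1 sendmail
1206690000 1206715200 gw1 sshd
1206690030 1206715230 gw1 sshd
1206690000 1206689700 app1 httpd
1206690060 1206688260 app1 httpd
1206690120 1206686520 app1 httpd
1206690000 1206689999 app1 cron
1206690060 1206690060 app1 cron
"""

def classify(lines, tolerance=5, jitter=10):
    """Return {(host, program): (verdict, median_skew_seconds)}.

    skew = receive time - message time; negative means a future timestamp.
    """
    skews = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        try:
            recv, sent = int(parts[0]), int(parts[1])
        except ValueError:
            continue  # skip lines whose time fields are not integers
        skews[(parts[2], parts[3])].append(recv - sent)

    result = {}
    for key, values in skews.items():
        mid = median(values)
        spread = max(values) - min(values)
        if spread > jitter:
            verdict = "variable-delay"   # lag changes: queueing or transport
        elif abs(mid) > tolerance:
            verdict = "constant-offset"  # fixed lag: sender clock or time zone
        else:
            verdict = "ok"
        result[key] = (verdict, mid)
    return result

if __name__ == "__main__":
    for (host, prog), (verdict, mid) in sorted(classify(SAMPLE.splitlines()).items()):
        print(f"{host} {prog}: {verdict} (median skew {mid}s)")
```

A program reported as constant-offset is stamping its messages with a wrong clock or time zone, while variable-delay points at messages actually being held back before delivery.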