[syslog-ng] syslog 2.0.8 lost some messages
Evan Rempel
erempel at uvic.ca
Tue Nov 4 20:47:33 CET 2008
First, were there any changes to the buffer/reopen code in
2.0.9 that may fix "lost" messages?
My host turtle lost connection to the syslog server, and
upon regaining connection did not send all (any?) of the buffered messages.
These are only the syslog-ng stats messages; there were lots of other messages that
didn't "make it" to the server, but I wanted to show the problem with the smallest number,
AND show that syslog-ng did NOT report that it dropped any messages.
-------------------------------
Client (turtle)
2008-11-03T15:39:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T15:49:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T15:55:15-08:00 local at turtle.comp.uvic.ca syslog.err syslog-ng[3232]: EOF occurred while idle; fd='7'
2008-11-03T15:55:15-08:00 local at turtle.comp.uvic.ca syslog.err syslog-ng[3232]: Connection broken; time_reopen='5'
2008-11-03T15:59:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T16:09:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
-----------------
On the syslog server
2008-11-03T15:39:49-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T15:55:15-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.err syslog-ng[3232]: EOF occurred while idle; fd='7'
2008-11-03T15:55:15-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.err syslog-ng[3232]: Connection broken; time_reopen='5'
2008-11-03T15:59:49-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T16:09:49-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.5.206:514))=0', dropped='tcp(AF_INET(142.104.246.92:514))=0'
------------------------------
The message with time stamp of 2008-11-03T15:49:49-08:00 did not get recorded at the server.
The EOF actually occurred due to a reload of the iptables, which then started blocking responses from the
syslog server (142.104.246.92) until the connection was reopened by the client (142.104.5.223).
2008-11-03T15:31:17-08:00 local at turtle.comp.uvic.ca local7.notice iptables: succeeded
2008-11-03T15:39:50-08:00 local at turtle.comp.uvic.ca kern.warning kernel: iptables: IN=eth0 OUT= MAC=00:09:6b:89:ca:ec:00:0a:42:cb:84:00:08:00 SRC=142.104.246.92 DST=142.104.5.223 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=23252 DF PROTO=TCP SPT=514 DPT=55411 WINDOW=350 RES=0x00 ACK URGP=0
... 14 other packets dropped
2008-11-03T15:53:15-08:00 local at turtle.comp.uvic.ca kern.warning kernel: iptables: IN=eth0 OUT= MAC=00:09:6b:89:ca:ec:00:0a:42:cb:84:00:08:00 SRC=142.104.246.92 DST=142.104.5.223 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=23282 DF PROTO=TCP SPT=514 DPT=55411 WINDOW=350 RES=0x00 ACK URGP=0
--
Evan Rempel erempel at uvic.ca
Senior Programmer Analyst 250.721.7691
University Systems, University of Victoria
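
An added example, not part of the original post and not syslog-ng code: one way to detect the condition reported above, where a record logged on the client never reaches the server while the client's dropped= counters stay at 0. The log text is constructed from the excerpts in the post (stats lines shortened to one destination), the function names are hypothetical, and it assumes every client line is meant to be forwarded.

```python
import re

# Constructed sample data modelled on the excerpts in the post.
# Assumption: every line in the client log is forwarded to the server.
CLIENT_LOG = """\
2008-11-03T15:39:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T15:49:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T15:55:15-08:00 local at turtle.comp.uvic.ca syslog.err syslog-ng[3232]: Connection broken; time_reopen='5'
2008-11-03T15:59:49-08:00 local at turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.246.92:514))=0'
"""
# The server copy carries "source/relay" in the host field and lacks 15:49:49.
SERVER_LOG = """\
2008-11-03T15:39:49-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.246.92:514))=0'
2008-11-03T15:55:15-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.err syslog-ng[3232]: Connection broken; time_reopen='5'
2008-11-03T15:59:49-08:00 local at turtle.comp.uvic.ca/turtle.comp.uvic.ca syslog.info syslog-ng[3232]: Log statistics; dropped='tcp(AF_INET(142.104.246.92:514))=0'
"""

# Fields: timestamp, source, facility.level, program[pid], message
LINE_RE = re.compile(r"^(\S+) (.+?) (\w+\.\w+) (\S+): (.*)$")
DROPPED_RE = re.compile(r"dropped='[^']*=(\d+)'")

def parse(text):
    """Yield (timestamp, host, priority, program, message) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, source, prio, prog, msg = m.groups()
            # "local at host/relay" -> "host": drop relay suffix and prefix words
            host = source.split("/")[0].split()[-1]
            yield (ts, host, prio, prog, msg)

def missing_at_server(client_text, server_text):
    """Client records with no identical record on the server, in client order."""
    seen = set(parse(server_text))
    return [rec for rec in parse(client_text) if rec not in seen]

def reported_drops(client_text):
    """Highest dropped= counter the client itself logged (0 if none)."""
    return max((int(n) for n in DROPPED_RE.findall(client_text)), default=0)

def silent_loss(client_text, server_text):
    """True when records are missing but the client's drop counters stayed 0."""
    missing = missing_at_server(client_text, server_text)
    return bool(missing) and reported_drops(client_text) == 0

if __name__ == "__main__":
    for rec in missing_at_server(CLIENT_LOG, SERVER_LOG):
        print("missing at server:", rec[0], rec[4])
    print("silent loss:", silent_loss(CLIENT_LOG, SERVER_LOG))
```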