[syslog-ng] Messages dropped...
Pontius, Brian D CIV NAVSISA
brian.pontius at navy.mil
Wed Jan 20 23:05:52 CET 2010
I apologize for what looks like a repost of a rather similar problem, but I have looked through the archives and have been unable to find an answer.
I am running syslog-ng 3.0.4 on Solaris 10 x86 (64-bit). I have about 200 hosts, all sending over UDP. I have one heavy hitter, my firewall, which sends about 1500 messages a minute. syslog-ng should be able to handle this volume, but I am having trouble figuring out why I cannot get it to do so.
I started to notice that I was dropping udp packets by running
netstat -s |grep udpInOverflows.
I tweaked the UDP buffers by raising the kernel limits:
ndd -set /dev/udp udp_max_buf 1073741824
ndd -set /dev/udp udp_recv_hiwat 65536
I was still losing packets until I started to tweak my syslog-ng.conf and added the so_rcvbuf entries; after that the udpInOverflows counter stopped climbing. The problem is that the logfiles still do not contain all of the messages. I only know this because the firewall also logs to a separate standalone Solaris server running the standard syslogd, and the firewall logs on the syslog-ng server still hold only about one third of the lines that the syslogd server receives.
Here is my syslog-ng.conf
@version:3.0
# syslog-ng configuration file (syslog-ng 3.0.x on a Solaris 10 collector).
#
# Central UDP collector: one UDP listener per platform, one file tree per
# sending $HOST under /shares/logfiles/syslog. This should behave pretty
# much like the original syslog on SunOS, but it could be configured a lot
# smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb at sysfive.com
# Global Options
# Output buffering: up to 2000 lines are held per file destination before
# they are written. NOTE(review): anything still buffered is lost if the
# daemon dies, and a low-volume host's line can sit unwritten for a long
# time; a smaller flush_lines plus a flush timeout keeps files current.
options { flush_lines (2000);
# Seconds to wait before re-opening a destination after a failure.
time_reopen (10);
# Poll-loop sleep in milliseconds (legacy option in 3.0 — confirm it is
# still honoured before relying on it).
time_sleep (50);
# Output queue per destination, in messages. When it fills, log paths with
# flags(flow-control) stop reading their source rather than dropping here.
log_fifo_size (100000);
# Messages fetched from a source per poll. NOTE(review): the syslog-ng
# guide wants this below log_fifo_size and sized against the flow-control
# window (log_iw_size, left at its default here) — confirm it is sane for
# sources that feed five flow-controlled paths.
log_fetch_limit (50000);
# Hostname handling: keep the hostname the sender wrote into the message
# and prepend the relay chain. Over plain UDP that field is chosen by the
# sender, so $HOST (and therefore the output directory) is not trustworthy.
chain_hostnames (yes);
# Reverse-resolve sender addresses, with a local cache. NOTE(review): in
# 3.0 resolution runs in the single main loop, so a slow or failing
# resolver can stall intake on every source — confirm, or disable use_dns.
use_dns (yes);
use_fqdn (no);
keep_hostname (yes);
dns_cache (yes);
dns_cache_size (2000);
# Cache lifetime in seconds: 87600 s is ~24.3 h (86400 would be one day).
dns_cache_expire(87600);
# Per-$HOST trees are created on first message: owner splunk, group
# Unix_users, files 0640, directories 0750.
create_dirs (yes);
owner(splunk);
group(Unix_users);
dir_group(Unix_users);
perm(0640);
dir_perm(0750);
# Periodic statistics (including per-destination dropped counts) are sent
# to the internal() source, i.e. to d_local. Drops inside syslog-ng show
# there; drops in the kernel's socket buffer show only in netstat
# udpInOverflows.
stats_level(1);
};
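########################################################
# Sources
# One UDP listener per platform, each bound to its own address on port 514.
# Plain UDP syslog is unauthenticated and unacknowledged: anyone who can
# reach these ports can inject lines or spoof the hostname field, and
# whatever the kernel cannot buffer is dropped. Kernel-side losses are
# visible only in `netstat -s | grep udpInOverflows`, never in syslog-ng's
# own statistics.
#
# so_rcvbuf() asks for a 1 GiB socket buffer, the udp_max_buf ceiling set
# with ndd on this host. The kernel silently caps a request it cannot
# honour, so verify the size actually granted rather than assuming it.
# Sun Remote port
source s_sun { udp(ip("xxx.xxx.xxx.101") port(514) so_rcvbuf(1073741824)); };
# Hp Remote port
source s_hp { udp(ip("xxx.xxx.xxx.102") port(514) so_rcvbuf(1073741824)); };
# Other Remote port
# Previously the only network source without so_rcvbuf: it kept the kernel
# default receive buffer while every sibling asked for the maximum, so it
# was the first listener to overflow under a burst. Sized like the others.
source s_other { udp(ip("xxx.xxx.xxx.103") port(514) so_rcvbuf(1073741824)); };
# ESX Remote port
source s_esx { udp(ip("xxx.xxx.xxx.104") port(514) so_rcvbuf(1073741824)); };
# Linux Remote port
source s_linux { udp(ip("xxx.xxx.xxx.105") port(514) so_rcvbuf(1073741824)); };
# Switch Remote port
source s_switch { udp(ip("xxx.xxx.xxx.106") port(514) so_rcvbuf(1073741824) ); };
# syslog-ng's own messages and the periodic statistics (stats_level).
source s_local { internal(); };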
########################################################
# Destinations
# One file per (platform, $HOST, category) under /shares/logfiles/syslog.
# $HOST is expanded per message, and with create_dirs(yes) the first
# message from a new host creates its directory. Because keep_hostname(yes)
# takes $HOST from the packet, a UDP sender chooses the directory its lines
# land in and can write into another host's tree.
# NOTE(review): confirm this syslog-ng version rejects '/' and '..' in
# $HOST before it is used as a path component.
# Files get the global owner/group/perm (splunk:Unix_users, 0640) and each
# file buffers flush_lines(2000) lines independently.
# Sun destinations
destination d_sun_cons { file("/shares/logfiles/syslog/sun/$HOST/console"); };
destination d_sun_mesg { file("/shares/logfiles/syslog/sun/$HOST/messages"); };
destination d_sun_syslog { file("/shares/logfiles/syslog/sun/$HOST/syslog"); };
destination d_sun_auth { file("/shares/logfiles/syslog/sun/$HOST/auth"); };
destination d_sun_audit { file("/shares/logfiles/syslog/sun/$HOST/audit.log"); };
# HP destinations
destination d_hp_cons { file("/shares/logfiles/syslog/hp/$HOST/console"); };
destination d_hp_mail { file("/shares/logfiles/syslog/hp/$HOST/mail.log"); };
destination d_hp_syslog { file("/shares/logfiles/syslog/hp/$HOST/syslog.log"); };
# SAN destinations
destination d_switch { file("/shares/logfiles/syslog/switches/$HOST/syslog.log"); };
# Other destinations
destination d_other { file("/shares/logfiles/syslog/other_devices/$HOST/syslog.log"); };
# ESX destinations
destination d_esx_cons { file("/shares/logfiles/syslog/esx/$HOST/console"); };
destination d_esx_mesg { file("/shares/logfiles/syslog/esx/$HOST/messages"); };
destination d_esx_mail { file("/shares/logfiles/syslog/esx/$HOST/maillog"); };
destination d_esx_auth { file("/shares/logfiles/syslog/esx/$HOST/secure"); };
destination d_esx_cron { file("/shares/logfiles/syslog/esx/$HOST/cron.log"); };
# Linux destinations
destination d_linux_cons { file("/shares/logfiles/syslog/linux/$HOST/console"); };
destination d_linux_mesg { file("/shares/logfiles/syslog/linux/$HOST/messages"); };
destination d_linux_mail { file("/shares/logfiles/syslog/linux/$HOST/maillog"); };
destination d_linux_auth { file("/shares/logfiles/syslog/linux/$HOST/secure"); };
destination d_linux_cron { file("/shares/logfiles/syslog/linux/$HOST/cron.log"); };
# syslog-ng's own messages and statistics (fed from s_local).
destination d_local { file("/shares/logfiles/syslog/syslog-ng.log"); };
########################################################
# Filtering
# NOTE(review): in syslog-ng, level(x) matches ONLY priority x. "x and
# above" (the classic syslog.conf "*.info") is written level(x..emerg).
# Several filters below use single levels, so a notice or warning message
# reaches a file only if another clause matches its facility. A message
# that matches none of its source's filters is discarded — there is no
# catch-all path — and that loss moves no drop counter anywhere. A sender
# logging at an unlisted facility/level (e.g. local0.notice) would show
# exactly the "only part of the lines arrive" symptom.
# Sun Remote Filtering
# messages: err or crit at any facility, plus everything from kern and
# daemon. The (mail and crit) clause is already covered by level(crit).
filter f_sun_mesg { level(err) or
level(crit) or
(facility(kern)) or
(facility(daemon)) or
(facility(mail) and level(crit)); };
filter f_sun_syslog { facility(mail); };
filter f_sun_auth { facility(auth); };
# Numeric facility 13 ("log audit" in the syslog facility table; no
# symbolic name in syslog-ng).
filter f_sun_audit { facility(13); };
# console: crit, alert or emerg at any facility, plus all of auth.
filter f_sun_cons { level(crit) or
level(alert) or
(facility (auth)) or
level(emerg); };
# Hp Remote Filtering
filter f_hp_mail { facility(mail); };
# NOTE(review): exactly priority info. notice..err from HP hosts match
# neither this nor f_hp_cons and are dropped; use level(info..emerg) if
# the intent is "info and above".
filter f_hp_syslog { level(info); };
# console: alert or emerg only.
filter f_hp_cons { level(alert) or
level(emerg); };
# SAN Remote Filtering (unused: the s_switch log path has no filter)
#filter f_san { level(info); };
# ESX Remote Filtering
filter f_esx_cons { level(emerg); };
# messages: exactly info at any facility, all of auth/local5/local6/local7,
# and mail at crit. NOTE(review): same single-level caveat as f_hp_syslog.
filter f_esx_mesg { level(info) or
facility(auth) or
facility(local6) or
facility(local5) or
facility(local7) or
(facility(mail) and level(crit)); };
filter f_esx_auth { facility(auth); };
filter f_esx_mail { facility(mail); };
filter f_esx_cron { facility(cron); };
# Linux Remote Filtering — clause for clause the same set as the ESX
# filters above, so the same caveats apply.
filter f_linux_cons { level(emerg); };
filter f_linux_mesg { level(info) or
facility(auth) or
facility(local6) or
facility(local5) or
facility(local7) or
(facility(mail) and level(crit)); };
filter f_linux_auth { facility(auth); };
filter f_linux_mail { facility(mail); };
filter f_linux_cron { facility(cron); };
########################################################
# Logging
# Every network path carries flags(flow-control): when a destination's
# log_fifo_size queue is full, syslog-ng stops reading that source instead
# of dropping in its own queue. On a UDP source there is no sender to push
# back on, so the datagrams then overflow the socket buffer and are dropped
# by the kernel (netstat udpInOverflows), where syslog-ng's statistics
# never see them. A source with five flow-controlled paths (s_sun, s_esx,
# s_linux) is stalled by whichever of its destinations fills first.
# NOTE(review): confirm the flow-control window (log_iw_size, left at its
# default) is sized for the firewall's ~1500 msg/min before keeping this
# flag on the UDP sources; for UDP, dropping in syslog-ng (counted) is
# usually preferable to dropping in the kernel (uncounted).
# Sun Remote Logging
log { source(s_sun); filter(f_sun_cons); destination(d_sun_cons); flags(flow-control); };
log { source(s_sun); filter(f_sun_mesg); destination(d_sun_mesg); flags(flow-control); };
log { source(s_sun); filter(f_sun_syslog); destination(d_sun_syslog); flags(flow-control); };
log { source(s_sun); filter(f_sun_auth); destination(d_sun_auth); flags(flow-control); };
log { source(s_sun); filter(f_sun_audit); destination(d_sun_audit); flags(flow-control); };
# Hp Remote Logging
log { source(s_hp); filter(f_hp_mail); destination(d_hp_mail); flags(flow-control); };
log { source(s_hp); filter(f_hp_syslog); destination(d_hp_syslog); flags(flow-control); };
log { source(s_hp); filter(f_hp_cons); destination(d_hp_cons); flags(flow-control); };
# SAN switches: no filter, every message from s_switch is kept.
log { source(s_switch); destination(d_switch); flags(flow-control); };
# Other devices (not SAN): no filter, every message from s_other is kept.
log { source(s_other); destination(d_other); flags(flow-control); };
# ESX Remote Logging
log { source(s_esx); filter(f_esx_cons); destination(d_esx_cons); flags(flow-control); };
log { source(s_esx); filter(f_esx_mesg); destination(d_esx_mesg); flags(flow-control); };
log { source(s_esx); filter(f_esx_mail); destination(d_esx_mail); flags(flow-control); };
log { source(s_esx); filter(f_esx_auth); destination(d_esx_auth); flags(flow-control); };
log { source(s_esx); filter(f_esx_cron); destination(d_esx_cron); flags(flow-control); };
# Linux Remote Logging
log { source(s_linux); filter(f_linux_cons); destination(d_linux_cons); flags(flow-control); };
log { source(s_linux); filter(f_linux_mesg); destination(d_linux_mesg); flags(flow-control); };
log { source(s_linux); filter(f_linux_mail); destination(d_linux_mail); flags(flow-control); };
log { source(s_linux); filter(f_linux_auth); destination(d_linux_auth); flags(flow-control); };
log { source(s_linux); filter(f_linux_cron); destination(d_linux_cron); flags(flow-control); };
# syslog-ng's own messages and periodic statistics. Check this file for
# "dropped" counters before tuning socket buffers: drops listed here happen
# inside syslog-ng, drops absent here but present in udpInOverflows happen
# in the kernel.
log { source(s_local); destination(d_local); };
Thanks for any help you can offer.
Brian Pontius