[syslog-ng] problem with server

Zoltán Pallagi pzolee at balabit.hu
Sat Jan 23 10:17:32 CET 2010


Ok, then show the debug logs of server syslog-ng when you restart 
rsyslog, please. You may need to check the debug logs of rsyslog as well 
(I've never used rsyslog, but you can more information on the rsyslog 
webpage: http://www.rsyslog.com/doc-troubleshoot.html)

I would like to help you, but I can't find out the reason for this 
behavior without any information, so please tell me as much information 
as possible.

2010.01.23. 0:02 keltezéssel, Rory Toma írta:
> I am not using syslog-ng on the client. I am using rsyslog.
>
> On 1/22/10 2:57 PM, Zoltán Pallagi wrote:
>> Syslog-n tries to reconnect in every 60th seconds to server by 
>> default. Perhaps, the first attempt was not succes and you need wait 
>> for the second attempt so it can take 1-2 minutes.
>> If you reduce the "time_reopen()" on your _client's_ configuration, 
>> it can be faster.
>>
>> I also have an other theory, if you are using flow-control on client 
>> side, and the server is a bit overloaded, syslog-ng can stop reading 
>> the source (and sending to the server).
>>
>> Just show a few debug lines after starting syslog-ng on client and a 
>> few lines on server in the same time. (because syslog-ng will send a 
>> few log about the state of connections, e.g.: accepted or closed)
>>
>>
>> 2010.01.22. 22:11 keltezéssel, Rory Toma írta:
>>> The problem has been alleviated somewhat by moving to a 64-bit platform.
>>> Since these generally have a different set of tcp defaults, there is
>>> probably a tcp value(s) that need tuning. I do notice on this one, that
>>> after I reboot a client, it takes a few minutes for the logs to start
>>> flowing, but flow they do.
>>>
>>> I can show you the output, but it's quite long.
>>>
>>> On 1/22/10 1:26 AM, Zoltán Pallagi wrote:
>>>    
>>>> Hi,
>>>>
>>>> Can you show me the output of "syslog-ng -Fevd" on your client after
>>>> restarting?
>>>>
>>>> (you can find more information about debugging syslog-ng on my blog:
>>>> http://pzolee.blogs.balabit.com/)
>>>>
>>>> Rory Toma írta:
>>>>      
>>>>> I am using syslog-ng-3.0.4-1.rhel on a CentOS-5.4 system. I am using
>>>>> tls, and have a setup as below. Here is what happens. It logs fine.
>>>>> However, if I reboot my client that is sending logs, it no longer
>>>>> works until I restart the syslog-ng server. What do I need to do here?
>>>>>
>>>>> @version: 3.0
>>>>> options { flush_lines (3);
>>>>>             time_reopen (10);
>>>>>             log_fifo_size (1000);
>>>>>             long_hostnames (off);
>>>>>             use_dns (no);
>>>>>             use_fqdn (no);
>>>>>             create_dirs (yes); dir_perm (0755);
>>>>>             keep_hostname (yes);
>>>>>             ts_format("iso");
>>>>>           };
>>>>>
>>>>> source telo {
>>>>>           tcp( port(80)
>>>>>           tls( key_file("/export/tls/key.pem")
>>>>>                cert_file("/export/tls/cert.pem")
>>>>>                peer_verify(optional-untrusted)) ); };
>>>>>
>>>>> # Myx destinations
>>>>> destination myx_dest_0000 {
>>>>> file("/logs/myx_008161000/$R_YEAR$R_MONTH$R_DAY/$HOS
>>>>> T-$R_YEAR$R_MONTH$R_DAY.log" owner(root) group(root) perm(0644)
>>>>> template("$YEAR-
>>>>> $MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n") template_escape(no)); };
>>>>> filter myx_filter_0000 { host("myx_001861000[0-9A-F]\{3\}$"); };
>>>>> log { source(telo); filter(myx_filter_0000);
>>>>> destination(myx_dest_0000); };
>>>>>
>>>>>
>>>>>
>>>>> ______________________________________________________________________________
>>>>>
>>>>> Member info:https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Documentation:
>>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>> FAQ:http://www.campin.net/syslog-ng/faq.html
>>>>>
>>>>>
>>>>>        
>>>>      
>>> ______________________________________________________________________________
>>> Member info:https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ:http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>    
>>
>>
>> -- 
>> pzolee
>


-- 
pzolee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100123/a4b6399c/attachment.htm 


More information about the syslog-ng mailing list