[syslog-ng] Syslog-ng writing to files once per minute

Eric Cables ecables at gmail.com
Thu Jul 1 23:50:35 CEST 2010


Here's the relevant portion of my config:
@version: 3.0

options { dir_perm(0755); perm(0644);
          chain_hostnames(no);
          keep_hostname(yes);
          create_dirs(yes);
          normalize_hostnames(yes);
          use_fqdn(yes);
          flush_lines(0);
          flush_timeout(0);
          };

# Default local source.
source local {
        unix-dgram("/var/run/log");
        unix-dgram("/var/run/logpriv" perm(0600));
        file("/dev/klog");
        udp(ip(127.0.0.1) port(514));
        internal();
};

source remote {
        udp(ip(x.x.x.x) port(514));
        tcp(ip(x.x.x.x) port(1470));
};


Also, here's some output to illustrate what I'm seeing:
-rw-r--r--  1 root  wheel  454561970 Jul  1 14:45 firewalls.log
-rw-r--r--  1 root  wheel  454561970 Jul  1 14:45 firewalls.log
-rw-r--r--  1 root  wheel  454573725 Jul  1 14:46 firewalls.log
-rw-r--r--  1 root  wheel  454573725 Jul  1 14:46 firewalls.log
-rw-r--r--  1 root  wheel  454595899 Jul  1 14:47 firewalls.log
-rw-r--r--  1 root  wheel  454595899 Jul  1 14:47 firewalls.log

Please let me know if I've implemented the flush_lines() & flush_timeout()
values incorrectly.

-- Eric Cables


On Thu, Jul 1, 2010 at 1:25 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:

> On Thu, 2010-07-01 at 10:35 -0700, Eric Cables wrote:
> > I am seeing syslog-ng write to the file exactly once per minute, which
> > includes the hundreds of queued messages.
>
> This definitely means that syslog-ng is using a non-zero value for
> flush_lines(). This used to be called "sync_freq" or "sync", but those
> names were deprecated.
>
> Please also note that these can be set on a per-destination basis, but
> also globally, validate that if you have a global setting, you are
> overriding at the specific destination.
>
> --
> Bazsi
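Added example, not part of the original thread and not syslog-ng's own code: a Python check for the point raised in the reply, that flush_lines() and flush_timeout() can be set globally and per destination, so the value in effect for each destination has to be resolved from both places. The sample configuration, its destination names and its values are constructed, and the parser assumes no `#` or braces inside quoted strings.

```python
import re

# flush_lines(), the deprecated names the reply mentions, and flush_timeout().
ALIASES = {"flush_lines": "flush_lines", "sync": "flush_lines",
           "sync_freq": "flush_lines", "flush_timeout": "flush_timeout"}
OPT_RE = re.compile(r"\b(flush_lines|flush_timeout|sync_freq|sync)\s*\(\s*(\d+)\s*\)")

# Constructed sample, not the poster's configuration.
SAMPLE = """
options { flush_lines(0); flush_timeout(0); };
destination d_firewalls {
    file("/var/log/firewalls.log" flush_lines(100) flush_timeout(60000));
};
destination d_other { file("/var/log/other.log"); };
"""

def _blocks(conf, keyword):
    """Yield (name, body) for each `keyword [name] { ... }` block."""
    for m in re.finditer(r"^\s*%s\b\s*([\w.-]*)\s*\{" % keyword, conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def _flush_opts(body):
    """Map canonical option name -> integer value found in a block body."""
    return {ALIASES[k]: int(v) for k, v in OPT_RE.findall(body)}

def effective_flush(conf):
    """Per destination: the value in effect and where it was set."""
    conf = re.sub(r"#.*", "", conf)             # drop comments
    global_opts = {}
    for _, body in _blocks(conf, "options"):
        global_opts.update(_flush_opts(body))
    report = {}
    for name, body in _blocks(conf, "destination"):
        local = _flush_opts(body)
        report[name] = {
            opt: {"value": local.get(opt, global_opts.get(opt)),
                  "source": "destination" if opt in local
                            else "global" if opt in global_opts else "unset"}
            for opt in ("flush_lines", "flush_timeout")}
    return report

def buffered_destinations(conf):
    """Destinations whose resolved flush_lines is non-zero (unset is not flagged)."""
    return sorted(n for n, o in effective_flush(conf).items()
                  if o["flush_lines"]["value"])
```

A destination reported with source "destination" is one where the global flush_lines(0) does not apply, which is the case the reply asks to rule out.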