[syslog-ng] Syslog-ng writing to files once per minute

Eric Cables ecables at gmail.com
Fri Jul 2 00:28:39 CEST 2010 

I'm not sure if this means anything, but immediately after restarting the
syslog-ng daemon, logs seem to update in real-time.  This lasts for about
5-10 seconds, and then the update interval drops back to per minute.

Here's some output immediately after restarting syslog-ng:
-rw-r--r--  1 root  wheel  455017963 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455018571 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455018907 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455019552 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455020305 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455028247 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455035022 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455035022 Jul  1 15:25 firewalls.log
-rw-r--r--  1 root  wheel  455035022 Jul  1 15:25 firewalls.log

As you can see, the first few outputs show the size increase happening
frequently, but then reverts back to per-minute updates.

-- Eric Cables


On Thu, Jul 1, 2010 at 2:50 PM, Eric Cables <ecables at gmail.com> wrote:

> Here's the relevant portion of my config:
> @version: 3.0
>
> options { dir_perm(0755); perm(0644);
>           chain_hostnames(no);
>           keep_hostname(yes);
>           create_dirs(yes);
>           normalize_hostnames(yes);
>           use_fqdn(yes);
>           flush_lines(0);
>           flush_timeout(0);
>           };
>
> # Default local source.
> source local {
>         unix-dgram("/var/run/log");
>         unix-dgram("/var/run/logpriv" perm(0600));
>         file("/dev/klog");
>         udp(ip(127.0.0.1) port(514));
>         internal();
> };
>
> source remote {
>         udp(ip(x.x.x.x) port(514));
>         tcp(ip(x.x.x.x) port(1470));
> };
>
>
> Also, here's some output to illustrate what I'm seeing:
> -rw-r--r--  1 root  wheel  454561970 Jul  1 14:45 firewalls.log
> -rw-r--r--  1 root  wheel  454561970 Jul  1 14:45 firewalls.log
> -rw-r--r--  1 root  wheel  454573725 Jul  1 14:46 firewalls.log
> -rw-r--r--  1 root  wheel  454573725 Jul  1 14:46 firewalls.log
> -rw-r--r--  1 root  wheel  454595899 Jul  1 14:47 firewalls.log
> -rw-r--r--  1 root  wheel  454595899 Jul  1 14:47 firewalls.log
>
> Please let me know if I've implemented the flush_lines() & flush_timeout()
> values incorrectly.
>
> -- Eric Cables
>
>
>
> On Thu, Jul 1, 2010 at 1:25 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>
>> On Thu, 2010-07-01 at 10:35 -0700, Eric Cables wrote:
>> > I am seeing syslog-ng write to the file exactly once per minute, which
>> > includes the hundreds of queued messages.
>>
>> this definitely means that syslog-ng is using a non-zero value for
>> flush_lines(). This used to be called "sync_freq" or "sync", but those
>> names were deprecated.
>>
>> Please also note that these can be set on a per-destination basis, but
>> also globally, validate that if you have a global setting, you are
>> overriing at the specific destination.
>>
>> --
>> Bazsi
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100701/bb4515f8/attachment.htm

More information about the syslog-ng mailing list