[syslog-ng] Not able to recive all syslog messages

Fri Nov 12 15:21:17 CET 2010

Hello,

> netstat -l -n -p
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name

> tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      21589/syslog-ng
> udp   110400      0 0.0.0.0:514                 0.0.0.0:*                               21589/syslog-ng

Ok, syslog-ng is listening on both UDP and TCP.

> lsof -n -P -p 21589
> COMMAND     PID USER   FD   TYPE DEVICE      SIZE    NODE NAME

[ cut ]

> syslog-ng 21589 root    3r  FIFO    0,7            600630 pipe
> syslog-ng 21589 root    4w  FIFO    0,7            600630 pipe

Just out of curiousity: what are these pipes? IIRC your config doesn't
contain pipes at all.

> syslog-ng 21589 root    5u  IPv4 600631               TCP *:514 (LISTEN)
> syslog-ng 21589 root    6u  IPv4 600632               UDP *:514
> syslog-ng 21589 root    7w   REG  253,0    166729 3654854 /var/log/syslog-ng.log
> syslog-ng 21589 root    8u  IPv4 601698               TCP 172.16.1.200:514->172.16.1.48:4189 (CLOSE_WAIT)
> syslog-ng 21589 root    9w   REG  253,0 208821114 3752054 /var/log/syslog-ng/172.16.16.13/messages
> syslog-ng 21589 root   10u   REG  253,0  42205502 3833896 /var/log/syslog-ng/MUM4S01LBF5640ISA02/messages
> syslog-ng 21589 root   11u   REG  253,0     46530 6964157 /var/log/syslog-ng/172.16.16.19/messages
> syslog-ng 21589 root   12w   REG  253,0      2123 7389223 /var/log/syslog-ng/172.16.16.212/messages
> syslog-ng 21589 root   13u   REG  253,0    103030 6438998 /var/log/syslog-ng/1/messages
> syslog-ng 21589 root   14w  IPv4 601704               UDP 202.138.117.51:51455->202.138.96.2:53
> syslog-ng 21589 root   19u   REG  253,0    102774 5259345 /var/log/syslog-ng/220.226.204.56/messages

Looks like your server is a multihomed host...

> Some sample proof that the messages actually reach server
>
> Nov 11 00:34:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:49:40 WARNING Farm Super_Trade_1.111 Server 10.65.X.X Port 80 TCP Is Not Responding
> Nov 11 00:39:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:51:56 WARNING Farm RTrade_New_Feed_Test_10.25 Server 10.65.10.27 Port 80 TCP Is Not Responding
> Nov 11 00:40:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:52:36 WARNING Farm Farm_10.20 Server 10.65.10.9 Port 80 TCP Is Not Responding
> Nov 11 00:42:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:55:16 WARNING Farm Farm_10.20 Server 10.65.X.X Port 80 TCP Is Not Responding
> Nov 11 00:47:47 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:36 INFO Farm Farm_3 Server 10.65.X.X Up
> Nov 11 00:48:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 00:59:56 WARNING Farm Farm_4 Server 10.65.X.X Port 80 TCP Is Not Responding
> Nov 11 01:09:27 172.16.32.219/172.16.32.219 AppDi11-11-2010 01:23:16 INFO Farm Super_Trade_1.111 Server 10.65.X.X Up
> Nov 11 07:30:28 172.16.32.219/172.16.32.219 AppDi11-11-2010 07:49:36 INFO Farm Farm_10.20 Server 10.65.X.X Up

I don't know the format the above messages are using but it looks like
these logs all have either INFO or WARNING severity. You should check
and reconfigure your devices to send all logs to syslog-ng.

Regards,

Sandor