[syslog-ng] "Errors" in /var/log/messages
Aldrich, Jamie S
JSAldrich at pier1.com
Wed Sep 28 17:44:09 CEST 2011
I have set up syslog-ng to report application logs to a LogLogic device over UDP. Below is an excerpt of the syslog.conf file:
source s_file_fs3 {
    file("/tmp/APPSRV_fs3_current.LOG" flags(no-parse) follow-freq(1));
};

destination d_messages {
    udp("10.13.33.11" port(514));
};

log {
    source(s_file_fs3);
    destination(d_messages);
};
I am seeing the following messages from our OSSEC server and /var/log/messages:
OSSEC HIDS Notification.
2011 Sep 28 09:50:11
Received From: lxfwossecp3->/var/log/messages
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):
Sep 28 09:50:10 lxfwossecp3 syslog-ng[3992]: Log statistics; processed='destination(d_mail)=2', processed='destination(d_spol)=0', processed='source(s_file_fs3)=1690', processed='global(payload_reallocs)=218', processed='source(s_sys)=325', processed='destination(d_mesg)=114', processed='global(msg_clones)=0', processed='src.internal(s_sys#2)=114', stamp='src.internal(s_sys#2)=1317220810', processed='destination(d_kern)=0', processed='destination(d_mlal)=0', processed='destination(d_cron)=200', dropped='dst.udp(d_messages#0,10.13.33.11:514)=0', processed='dst.udp(d_messages#0,10.13.33.11:514)=20670', stored='dst.udp(d_messages#0,10.13.33.11:514)=0', processed='global(sdata_updates)=0', processed='destination(d_auth)=9', processed='destination(d_boot)=0', processed='source(s_file_hr1)=2025', processed='center(received)=0', processed='source(s_file_fs1)=3896', processed='destination(d_messages)=20670', processed='source(s_file_hr2)=2743', processed='center(queued)=0', processed='source(s_file_fs2)=2662', processed='source(s_file_hr3)=7654'
Do we have an issue? It looks like the log size is too large to process correctly, and it is kicking it out. What would we need to do to remedy the situation?
Jamie
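
Added example, not part of the original post: a Python parser for a syslog-ng "Log statistics" line like the one quoted above, so the `dropped` counters and the line length can be checked separately. The sample line is a constructed, shortened copy of the quoted one, and `size_limit` is an assumed value to be set to whatever size your OSSEC rule 1003 uses.

```python
import re

# Constructed sample: a shortened copy of the statistics line quoted in the post.
SAMPLE = (
    "Sep 28 09:50:10 lxfwossecp3 syslog-ng[3992]: Log statistics; "
    "processed='source(s_file_fs3)=1690', "
    "dropped='dst.udp(d_messages#0,10.13.33.11:514)=0', "
    "processed='dst.udp(d_messages#0,10.13.33.11:514)=20670', "
    "stored='dst.udp(d_messages#0,10.13.33.11:514)=0', "
    "processed='destination(d_messages)=20670'"
)

# Each counter appears as kind='name=value' after "Log statistics;".
COUNTER = re.compile(r"(\w+)='([^'=]+)=(\d+)'")


def parse_stats(line):
    """Return {(kind, counter_name): value}, or None if not a stats line."""
    head, sep, body = line.partition("Log statistics; ")
    if not sep or "syslog-ng[" not in head:
        return None
    return {(k, n): int(v) for k, n, v in COUNTER.findall(body)}


def triage(line, size_limit=1024):
    """Summarise a stats line: its length against an assumed limit,
    and any destination whose 'dropped' counter is non-zero."""
    stats = parse_stats(line)
    if stats is None:
        return None
    dropped = {n: v for (k, n), v in stats.items() if k == "dropped" and v > 0}
    return {
        "length": len(line),
        "oversize": len(line) > size_limit,  # size_limit is an assumption
        "dropped": dropped,
        "counters": len(stats),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty `dropped` result together with `oversize` set to true means the line is a long periodic statistics message and no counter in it reports dropped messages.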