[syslog-ng] tuning syslog-ng 3.3.3

Patrick Hemmer syslogng at feystorm.net
Thu Jan 12 22:04:32 CET 2012


Sent: Thu Jan 12 2012 15:34:26 GMT-0500 (EST)
From: Johnson, Chris (HP TippingPoint Roseville) <chris.johnson3 at hp.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] tuning syslog-ng 3.3.3
>
> I’m trying to tune syslog-ng 3.3.3.
>
> My first attempt is to use the log_fetch_limit parameter, but I’m 
> running into the problem of where to define it!
>
> The Admin guide says I can put it in the global options{}, but that 
> generates an error saying it has been taken out of the global area 
> and needs to be specified by the source, and I can’t seem to find the 
> correct source syntax.
>
> My config (pared down):
>
> @version: 3.3
> @include "scl.conf"
>
> options {
> # log_fetch_limit(100);
> };
>
> source s_local {
> system();
> internal();
> };
>
> #############################################################################
> # Service all
> filter f_all_pgm_01{program("*" type("glob"));};
> filter f_all_lvl_01.01{level(info..emerg);};
> destination d_all_01{file("/var/log/system.log" suppress(30));};
>
> log {
> source(s_local);
> filter(f_all_pgm_01);
> filter(f_all_lvl_01.01);
> destination(d_all_01);
> };
>
> I’ve tried putting it in:
>
> source s_local{ system( log_fetch_limit(100); ); ...};
>
> source s_local{ system(); ... log_fetch_limit(100); };
>
> log{ source(s_local log_fetch_limit(100);); ... };
>
> Each generates a ‘syslog-ng[1567]: Error parsing configuration;’ error.
>
> Any ideas on **where** I should put it?
>
> Thanks,
>
> Chris
>
> ----------------------------------------
>
> Christopher Johnson
>
> chris.johnson3 at hp.com <mailto:chris.johnson3 at hp.com>
>
> HP Software - Security Product Group
>
> (916) 785-2817
>
> ----------------------------------------
>
>
You're running into issues because you're using system() in your source 
driver. system() is special as it's really multiple different sources 
combined into 1, so not all of the sources included by system() would 
support the same options. You can find the documentation on what 
system() really is on your platform at 
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/index.html-single.html#configuring-source-system. 
You can then replace system() with the sources really used, and add 
log_fetch_limit() to them.

For example, if you're using Linux:

source s_local {
    unix-dgram("/dev/log" log_fetch_limit(100));
    file("/proc/kmsg" log_fetch_limit(100) program-override("kernel") flags(kernel));
    internal();
};
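As an added illustration of the placement rules discussed in this thread (this is not code from the thread, nor part of syslog-ng itself), the Python script below scans a syslog-ng configuration for every log_fetch_limit() and reports where it sits: in the global options{} block, in a log path, loose in a source body, inside system(), or on a concrete driver. The sample configurations are constructed to mirror the attempts in the question and the per-driver form in the reply. It assumes that syslog-ng treats a dash and an underscore in option names as interchangeable and that no brace appears inside a quoted string; the verdict strings are this script's own, not syslog-ng's error messages.

```python
import re

# Constructed sample configurations (not taken from any real host); they mirror
# the placements discussed in the thread.
GLOBAL_PLACEMENT = "options { log_fetch_limit(100); };\nsource s_local { system(); internal(); };"
INSIDE_SYSTEM = "source s_local { system( log_fetch_limit(100); ); internal(); };"
BARE_IN_SOURCE = "source s_local { system(); internal(); log_fetch_limit(100); };"
IN_LOG_PATH = "source s_local { system(); };\nlog { source(s_local log_fetch_limit(100);); destination(d_all); };"
PER_DRIVER = """source s_local {
    unix-dgram("/dev/log" log_fetch_limit(100));
    file("/proc/kmsg" log_fetch_limit(100) program-override("kernel") flags(kernel));
    internal();
};"""

# Verdicts returned by check_fetch_limit(); these are this script's own wording.
NOT_GLOBAL = "error: not a global option in syslog-ng 3.3; set it on a source driver"
WRONG_BLOCK = "error: log_fetch_limit() is a source-driver option; not valid here"
NO_DRIVER = "error: must sit inside a driver's parentheses, e.g. file(... log_fetch_limit(100))"
COMPOSITE = "error: system() is a composite source; set it on the drivers it expands to"
OK = "ok"

# Assumption: '-' and '_' are interchangeable in option names, so match both.
OPTION_RE = re.compile(r"\blog[-_]fetch[-_]limit\s*\(")


def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out option is not reported."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def top_level_blocks(text: str):
    """Yield (keyword, name, body) for each top-level 'keyword [name] { body }'.

    Assumes no brace appears inside a quoted string.
    """
    i = 0
    while True:
        j = text.find("{", i)
        if j < 0:
            return
        # The header is what precedes this '{' since the previous block closed:
        # drop that block's trailing ';' and keep the last line, e.g. "source s_local".
        header_lines = text[i:j].strip().lstrip(";").strip().splitlines()
        tokens = header_lines[-1].split() if header_lines else []
        keyword = tokens[0] if tokens else ""
        name = tokens[1] if len(tokens) > 1 else ""
        depth, k = 0, j
        while k < len(text):  # walk to the matching closing brace
            if text[k] == "{":
                depth += 1
            elif text[k] == "}":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        yield keyword, name, text[j + 1:k]
        i = k + 1


def enclosing_driver(body: str, pos: int):
    """Name of the innermost 'driver(...)' call containing offset pos, or None."""
    depth = 0
    for k in range(pos - 1, -1, -1):
        ch = body[k]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth == 0:
                m = re.search(r"([\w-]+)\s*$", body[:k])
                return m.group(1) if m else None
            depth -= 1
    return None


def check_fetch_limit(config: str):
    """Return [(block, driver, verdict)] for every log_fetch_limit() in config."""
    findings = []
    for keyword, name, body in top_level_blocks(strip_comments(config)):
        block = f"{keyword} {name}".strip()
        for m in OPTION_RE.finditer(body):
            driver = enclosing_driver(body, m.start())
            if keyword == "options":
                verdict = NOT_GLOBAL
            elif keyword != "source":
                verdict = WRONG_BLOCK
            elif driver is None:
                verdict = NO_DRIVER
            elif driver == "system":
                verdict = COMPOSITE
            else:
                verdict = OK
            findings.append((block, driver, verdict))
    return findings


if __name__ == "__main__":
    for label, cfg in [("global options", GLOBAL_PLACEMENT), ("inside system()", INSIDE_SYSTEM),
                       ("bare in source", BARE_IN_SOURCE), ("in log path", IN_LOG_PATH),
                       ("per driver", PER_DRIVER)]:
        for block, driver, verdict in check_fetch_limit(cfg):
            print(f"{label:>16}: {block} / {driver or '-'} -> {verdict}")
```

Run it against a real configuration with `check_fetch_limit(open("/etc/syslog-ng/syslog-ng.conf").read())` before reloading syslog-ng; only findings whose verdict is "ok" correspond to the per-driver placement shown in the reply above. The scanner is deliberately brace-and-paren based rather than a full grammar, so it will not catch other syntax errors that `syslog-ng --syntax-only` would.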
