[syslog-ng] tuning syslog-ng 3.3.3
Johnson, Chris (HP TippingPoint Roseville)
chris.johnson3 at hp.com
Fri Jan 13 00:04:20 CET 2012
Thank you! It works now.
Chris
-----Original Message-----
From: Patrick Hemmer [mailto:syslogng at feystorm.net]
Sent: Thursday, January 12, 2012 1:05 PM
To: Syslog-ng users' and developers' mailing list
Cc: Johnson, Chris (HP TippingPoint Roseville)
Subject: Re: [syslog-ng] tuning syslog-ng 3.3.3
Sent: Thu Jan 12 2012 15:34:26 GMT-0500 (EST)
From: Johnson, Chris (HP TippingPoint Roseville) <chris.johnson3 at hp.com>
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] tuning syslog-ng 3.3.3
>
> I'm trying to tune syslog-ng 3.3.3.
>
> My first attempt is to use the log_fetch_limit parameter, but I'm
> running into the problem of where to define it!
>
> The Admin guide says I can put it in the global options{}, but that
> generates an error saying it has been taken out of the global area
> and needs to be specified by the source and I can't seem to find the
> correct source syntax.
>
> My config (pared down):
>
> @version: 3.3
>
> @include "scl.conf"
>
> options {
>
> # log_fetch_limit(100);
>
> };
>
> source s_local {
>
> system();
>
> internal();
>
> };
>
> #############################################################################
>
> # Service all
>
> filter f_all_pgm_01{program("*" type("glob"));};
>
> filter f_all_lvl_01.01{level(info..emerg)};
>
> destination d_all_01{file("/var/log/system.log" suppress(30));};
>
> log {
>
> source(s_local);
>
> filter(f_all_pgm_01);
>
> filter(f_all_lvl_01.01);
>
> destination(d_all_01);
>
> };
>
> I've tried putting it in:
>
> source s_local{ system( log_fetch_limit(100); ); ...};
>
> source s_local{ system(); ... log_fetch_limit(100); };
>
> log{ source(s_local log_fetch_limit(100);); ... };
>
> each generate a 'syslog-ng[1567]: Error parsing configuration;' error.
>
> Any ideas on **where** I should put it?
>
> Thanks,
>
> Chris
>
> ----------------------------------------
>
> Christopher Johnson
>
> chris.johnson3 at hp.com <mailto:chris.johnson3 at hp.com>
>
> HP Software - Security Product Group
>
> (916) 785-2817
>
> ----------------------------------------
>
>
You're running into issues because you're using system() in your source
driver. System() is special as it's really multiple different sources
combined into 1, so not all of the sources included by system() would
support the same options. You can find the documentation on what
system() really is on your platform at
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/index.html-single.html#configuring-source-system.
You can then replace system() with the sources really used, and add
log_fetch_limit() to them.
For example, if you're using Linux:
source s_local {
    unix-dgram("/dev/log" log_fetch_limit(100));
    file("/proc/kmsg" log_fetch_limit(100) program-override("kernel")
        flags(kernel));
    internal();
};
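
An added example, not part of the thread and not syslog-ng's own code: a small Python check that finds every log_fetch_limit() in a configuration and reports whether it sits where the reply above puts it, as an option of a concrete source driver, rather than in options{}, inside system(), as a bare statement, or in a log path. The function name and sample config are constructed for this example, and it assumes any driver other than system() accepts the option, as unix-dgram() and file() do in the reply.

```python
import re

# Constructed sample: the placements tried in the thread plus the working one.
SAMPLE = """\
options { log_fetch_limit(100); };
source s_a { system(log_fetch_limit(100)); };
source s_b { system(); log_fetch_limit(100); };
source s_c { unix-dgram("/dev/log" log_fetch_limit(100)); internal(); };
log { source(s_c log_fetch_limit(100)); };
# log_fetch_limit(100);
"""

# Strings and comments are matched first so their contents are never parsed.
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|[{}();]|[^\s{}();"#]+')
BLOCKS = {"options", "source", "destination", "filter", "log"}

def check_fetch_limit(config):
    """Return (line, block, enclosing_call, ok) for each log_fetch_limit()."""
    findings, calls = [], []      # calls: names whose "(" is still open
    block, depth, prev = None, 0, None
    for m in TOKEN.finditer(config):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0:
                block = None
        elif tok == "(":
            calls.append(prev)
        elif tok == ")":
            if calls:
                calls.pop()
        elif depth == 0 and tok in BLOCKS:
            block = tok
        elif tok.replace("-", "_") == "log_fetch_limit":
            line = config.count("\n", 0, m.start()) + 1
            driver = calls[-1] if calls else None
            # Assumption: any source driver other than system() takes the option.
            ok = block == "source" and driver not in (None, "system")
            findings.append((line, block, driver, ok))
        prev = tok
    return findings

if __name__ == "__main__":
    for line, block, driver, ok in check_fetch_limit(SAMPLE):
        print(f"line {line}: in {block}{{}} / {driver}() ->", "ok" if ok else "move it")
```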