[syslog-ng] tuning syslog-ng 3.3.3

Balazs Scheidler bazsi at balabit.hu
Mon Jan 16 22:54:02 CET 2012


On Thu, 2012-01-12 at 16:04 -0500, Patrick Hemmer wrote:
> Sent: Thu Jan 12 2012 15:34:26 GMT-0500 (EST)
> From: Johnson, Chris (HP TippingPoint Roseville) <chris.johnson3 at hp.com>
> To: Syslog-ng users' and developers' mailing list 
> <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] tuning syslog-ng 3.3.3
> >
> > I’m trying to tune syslog-ng 3.3.3.
> >
> > My first attempt is to use the log_fetch_limit parameter, but I’m 
> > running into the problem of where to define it!
> >
> > The Admin guide says I can put it in the global options{}, but that 
> > generates an error saying it has been taken out of the global area 
> > and needs to be specified by the source, and I can’t seem to find the 
> > correct source syntax.
> >
> > My config (pared down):
> >
> > @version: 3.3
> > @include "scl.conf"
> >
> > options {
> > # log_fetch_limit(100);
> > };
> >
> > source s_local {
> > system();
> > internal();
> > };
> >
> > #############################################################################
> > # Service all
> > filter f_all_pgm_01{program("*" type("glob"));};
> > filter f_all_lvl_01.01{level(info..emerg);};
> > destination d_all_01{file("/var/log/system.log" suppress(30));};
> >
> > log {
> > source(s_local);
> > filter(f_all_pgm_01);
> > filter(f_all_lvl_01.01);
> > destination(d_all_01);
> > };
> >
> > I’ve tried putting it in:
> >
> > source s_local{ system( log_fetch_limit(100); ); ...};
> >
> > source s_local{ system(); ... log_fetch_limit(100); };
> >
> > log{ source(s_local log_fetch_limit(100);); ... };
> >
> > each generates a ‘syslog-ng[1567]: Error parsing configuration;’ error.
> >
> > Any ideas on **where** I should put it?
> >
> > Thanks,
> >
> > Chris
> >
> > ----------------------------------------
> >
> > Christopher Johnson
> >
> > chris.johnson3 at hp.com <mailto:chris.johnson3 at hp.com>
> >
> > HP Software - Security Product Group
> >
> > (916) 785-2817
> >
> > ----------------------------------------
> >
> >
> You're running into issues because you're using system() in your source 
> driver. system() is special as it's really multiple different sources 
> combined into one, so not all of the sources included by system() would 
> support the same options. You can find the documentation on what 
> system() really is on your platform at 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/index.html-single.html#configuring-source-system. 
> You can then replace system() with the sources really used, and add 
> log_fetch_limit() to them.
> 
> For example, if you're using Linux:
> source s_local {
> unix-dgram("/dev/log" log_fetch_limit(100));
> file("/proc/kmsg" log_fetch_limit(100) program-override("kernel") 
> flags(kernel));
> internal();
> };

As described, system() is basically like a macro: it expands to the
proper set of source drivers that make the local logs available in
syslog-ng. Since it was not expected by the macro author (me :) that
additional parameters would be needed, the macro doesn't support that,
even though it could.

Also, it probably doesn't make sense to tune the local log transport;
usually it's not that interface that is resource hungry, although YMMV.


-- 
Bazsi
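The placement rule the thread arrives at (log_fetch_limit() goes on an individual source driver such as unix-dgram() or file(), not in options{} and not as an argument to the system() macro) written up as a small pre-check over a configuration file. This is an added example, not code from the thread or from syslog-ng itself: it is a rough regex scan rather than a real syslog-ng parser, and the SAMPLE config, the helper names and the finding texts are constructed here.

```python
import re

# syslog-ng 3.3 accepts log_fetch_limit() only inside a concrete source driver
# (unix-dgram(), file(), tcp(), ...); it is gone from options{} and system() takes no arguments.
OPTION = "log_fetch_limit"

# Any driver call except log_fetch_limit() itself, allowing one level of nested parentheses.
_DRIVER_CALL = re.compile(r"\b(?!%s\b)[\w-]+\s*\((?:[^()]|\([^()]*\))*\)" % OPTION)

def _normalize(cfg):
    """Blank out "..." strings and '#' comments so 'log' in /var/log/ or a commented-out option is ignored."""
    return re.sub(r"#[^\n]*", "", re.sub(r'"[^"\n]*"', '""', cfg))

def _enclosed(text, keyword, open_ch, close_ch):
    """Yield the body of the balanced open_ch..close_ch block that follows each regex match of keyword."""
    for m in re.finditer(keyword, text):
        depth, start = 0, None
        for i in range(m.end(), len(text)):
            if text[i] == open_ch:
                if depth == 0:
                    start = i + 1
                depth += 1
            elif text[i] == close_ch and depth > 0:
                depth -= 1
                if depth == 0:
                    yield text[start:i]
                    break

def check_fetch_limit_placement(cfg):
    """Return one finding per misplaced log_fetch_limit(); [] means every occurrence is on a driver."""
    cfg = _normalize(cfg)
    findings = []
    for body in _enclosed(cfg, r"\boptions\b", "{", "}"):            # options { ... }
        if OPTION in body:
            findings.append("options{}: %s() is not a global option in 3.3" % OPTION)
    for body in _enclosed(cfg, r"\bsystem\b", "(", ")"):             # system( ... )
        if OPTION in body:
            findings.append("system(): the macro takes no options; expand it into real drivers")
    for body in _enclosed(cfg, r"\bsource\s+[\w.-]+", "{", "}"):     # source NAME { ... }
        if OPTION in _DRIVER_CALL.sub("", body):  # option left over outside every driver call
            findings.append("source{}: %s() must be inside a driver call such as unix-dgram()" % OPTION)
    for body in _enclosed(cfg, r"\blog\b", "{", "}"):                # log { source(...) ... }
        if any(OPTION in ref for ref in _enclosed(body, r"\bsource\b", "(", ")")):
            findings.append("log{}: source() only names a source; put the option on its driver")
    return findings

# Constructed sample (hypothetical, modelled on the first of the three failing attempts above).
SAMPLE = "source s_local { system( log_fetch_limit(100); ); internal(); };"
```

The authoritative test is still `syslog-ng -s -f <file>` (syntax-only check); this scan only names which of the three misplacements a parse error most likely comes from.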