[syslog-ng] tuning syslog-ng 3.3.3Yyy

Girish-Agarwal Girish.Agarwal at OfficeDepot.com
Mon Jan 16 23:36:20 CET 2012


Y

----- Original Message -----
From: Aldrich, Jamie S [mailto:JSAldrich at pier1.com]
Sent: Monday, January 16, 2012 04:55 PM
To: 'Syslog-ng users' and developers' mailing list' <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] tuning syslog-ng 3.3.3

I have tried unsubscribing from this mailing list several times.  I went to the website, put in my email address, and hit "Unsubscribe".  What am I missing?

Jamie


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Monday, January 16, 2012 3:54 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] tuning syslog-ng 3.3.3

On Thu, 2012-01-12 at 16:04 -0500, Patrick Hemmer wrote:
> Sent: Thu Jan 12 2012 15:34:26 GMT-0500 (EST)
> From: Johnson, Chris (HP TippingPoint Roseville) <chris.johnson3 at hp.com>
> To: Syslog-ng users' and developers' mailing list 
> <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] tuning syslog-ng 3.3.3
> >
> > I’m trying to tune syslog-ng 3.3.3.
> >
> > My first attempt is to use the log_fetch_limit parameter, but I’m 
> > running into the problem of where to define it!
> >
> > The Admin guide says I can put it in the global options{}, but that 
> > generates an error saying it has been taken out of the global area 
> > and needs to be specified by the source and I can’t seem to find the 
> > correct source syntax.
> >
> > My config (pared down):
> >
> > @version: 3.3
> > @include "scl.conf"
> >
> > options {
> >     # log_fetch_limit(100);
> > };
> >
> > source s_local {
> >     system();
> >     internal();
> > };
> >
> > #############################################################################
> > # Service all
> > filter f_all_pgm_01{program("*" type("glob"));};
> > filter f_all_lvl_01.01{level(info..emerg)};
> > destination d_all_01{file("/var/log/system.log" suppress(30));};
> >
> > log {
> >     source(s_local);
> >     filter(f_all_pgm_01);
> >     filter(f_all_lvl_01.01);
> >     destination(d_all_01);
> > };
> >
> > I’ve tried putting it in:
> >
> > source s_local{ system( log_fetch_limit(100); ); ...};
> >
> > source s_local{ system(); ... log_fetch_limit(100); };
> >
> > log{ source(s_local log_fetch_limit(100);); ... };
> >
> > each generate a ‘syslog-ng[1567]: Error parsing configuration;’ error.
> >
> > Any ideas on **where** I should put it?
> >
> > Thanks,
> >
> > Chris
> >
> > ----------------------------------------
> >
> > Christopher Johnson
> >
> > chris.johnson3 at hp.com <mailto:chris.johnson3 at hp.com>
> >
> > HP Software - Security Product Group
> >
> > (916) 785-2817
> >
> > ----------------------------------------
> >
> >
> You're running into issues because you're using system() in your source 
> driver. System() is special as it's really multiple different sources 
> combined into 1, so not all of the sources included by system() would 
> support the same options. You can find the documentation on what 
> system() really is on your platform at 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/index.html-single.html#configuring-source-system. 
> You can then replace system() with the sources really used, and add 
> log_fetch_limit() to them.
> 
> For example, if you're using Linux:
> source s_local {
> unix-dgram("/dev/log" log_fetch_limit(100));
> file("/proc/kmsg" log_fetch_limit(100) program-override("kernel") 
> flags(kernel));
> internal();
> };

As described, system() is basically like a macro, it expands to the
proper set of source drivers that make the local logs available in
syslog-ng. Since it was not expected by the macro author (me :) that
additional parameters would be needed, the macro doesn't support that,
even though it could.

Also, it probably doesn't make sense to tune the local log transport,
usually it's not that interface that is resource hungry, although YMMV.


-- 
Bazsi


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
