[syslog-ng] Losing too many remotely sent logs
Daniel Neubacher
daniel.neubacher at xing.com
Mon Mar 5 11:30:32 CET 2012
Thanks for the answer. Disabling DNS would be really painful. I will play around some more today and try it as a last resort.
The baseline for a web server is 146k log lines per hour; the minimum is 22k and the maximum 365k. The peaks only happen at night, for 3-4 hours, because of the local mail traffic.
Today I will roll out my TCP logging config, but I'm not too happy about that.
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On behalf of Martin Holste
Sent: Friday, 2 March 2012 16:00
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Losing too many remotely sent logs
If possible, I would try swapping the $HOST macro for $SOURCEIP to avoid doing any DNS lookups, cached or not. It's unlikely to help, but it sounds like you've already tried the basic tuning things. I will say that I'm very surprised you're losing log lines. What is your peak logs per second, and how long are the peaks?
On Fri, Mar 2, 2012 at 3:40 AM, Daniel Neubacher <daniel.neubacher at xing.com> wrote:
> Hello there,
>
> I started playing around with syslog-ng 3.3.4 OSE a few days ago,
> but I'm still experiencing some trouble. First of all, we want to use
> syslog-ng to send all of our logs via UDP to a central syslog server.
> This of course includes syslogs, Apache logs and custom generated
> app logs. These logs are generated by 400 clients and amount to a
> minimum of 300 million log lines a day.
>
> The problem is really simple: I'm losing log lines :P Most of the time
> everything goes well, but when the logs are peaking high, 1-5% of the
> logs get lost.
>
> Last night the stats of the server and a client said 0 drops, but when
> I counted the lines I found lost lines. The server has 24 GB RAM & 8
> cores and I can rule out a network problem for sure.
>
> So now to my questions: does anyone have an idea where I can tweak my
> cfg or where I have to look to find more clues? Is TCP the only way to
> get around it?
>
> I've attached my syslog server cfg. The so_rcvbuf buffer is the same
> size as the OS net.core.rmem settings. And as described in the various
> Balabit blog posts I have already played around with log_fetch_limit
> and flush_lines.
>
> syslog-ng.conf:
>
> @version: 3.3
>
> options {
>     threaded(yes);
>     owner("root"); group("root"); perm(0660);
>     dir_owner("root"); dir_group("root"); dir_perm(0770);
>     create_dirs(yes);
>
>     stats_freq(600);            # stats line via internal() every 10 min;
>     stats_level(2);             # this is where syslog-ng's own dropped= counters appear
>
>     # $HOST handling: chain_hostnames(yes) appends the sending host's name,
>     # which is resolved through DNS (use_dns defaults to yes), so lookups
>     # still happen per message even though the udp source below keeps the
>     # hostname carried in the message (keep_hostname(yes)).
>     chain_hostnames(yes);
>     normalize_hostnames(yes);
>     check_hostname(yes);
>     use_fqdn(yes);
>
>     dns_cache(yes);
>     dns_cache_size(16384);
>     dns_cache_expire(3600);
>     dns_cache_expire_failed(60);
>
>     log_msg_size(16384);
>     log_fifo_size(100000);      # output queue per destination, in messages
>
>     # flush_lines(200);         # disabled for debugging
> };
>
> source s_src {
>     unix-dgram("/dev/log");
>     internal();
>     file("/proc/kmsg" program_override("kernel"));
> };
>
> source s_net {
>     udp(
>         log_fetch_limit(400)    # messages read from the socket per poll
>         so_rcvbuf(51200000)     # the kernel caps this at net.core.rmem_max
>         keep_hostname(yes)
>         keep_timestamp(no)
>         ip("10.8.4.10")
>         port(514)
>     );
>     tcp(
>         so_rcvbuf(51200000)
>         so_keepalive(yes)
>         keep_hostname(no)
>         keep_timestamp(no)
>         ip("10.8.4.10")
>         port(514)
>     );
>     syslog();                   # IETF syslog (RFC 5424) source on its default port
> };
>
> filter f_syslog {
>     not program("access.log") and
>     not program("error.log") and
>     not program("beetle.log") and
>     not program("edge.log");
> };
>
> filter f_apache {
>     program("access.log") or program("error.log");
> };
>
> filter f_applogs {
>     program("beetle.log") or program("edge.log");
> };
>
> template t_plain {
>     template("$MSG\n");
>     template_escape(no);
> };
>
> destination d_messages { file("/var/log/messages"); };
>
> destination d_remote {
>     file("/log/syslog/${R_YEAR}/${R_MONTH}/${R_DAY}/$HOST");
> };
>
> destination d_apache {
>     file("/log/apache/${R_YEAR}/${R_MONTH}/${R_DAY}/$HOST/$PROGRAM"
>          template(t_plain));
> };
>
> destination d_applogs {
>     file("/log/applogs/${R_YEAR}/${R_MONTH}/${R_DAY}/$HOST/$PROGRAM"
>          template(t_plain));
> };
>
> log { source(s_src); destination(d_messages); };
> log { source(s_net); filter(f_syslog);  destination(d_remote); };
> log { source(s_net); filter(f_apache);  destination(d_apache); };
> log { source(s_net); filter(f_applogs); destination(d_applogs); };
>
> Thanks
>
> Daniel Neubacher
>
> ______________________________________________________________________
> ________ Member info:
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
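Added example for the loss-hunting described above; this is editor-supplied code, not Daniel's, not Martin's and not part of syslog-ng. The point it demonstrates: syslog-ng's stats count only messages it dropped from its own queues, while datagrams discarded by the Linux kernel because the UDP socket buffer was full are counted in the last column ("drops") of /proc/net/udp and never reach syslog-ng at all, which is one way to get "0 drops" in the stats and still miss lines. The script parses that file for the socket on the collector port, and checks a received log file for gaps in sequence-numbered probe messages. The function names (parse_proc_net_udp, find_gaps, send_probes), the "probe seq=N" marker, the program name udpprobe and both sample inputs are constructed here so the file runs offline.

```python
"""Added example, not from the thread or from syslog-ng: locate where UDP
syslog loss happens (kernel socket buffer vs. elsewhere).

Assumed names and formats (nothing here comes from the posted config):
parse_proc_net_udp, find_gaps, send_probes, the 'probe seq=N' marker and
the sample inputs, which are constructed for the offline run.
"""
import os
import re
import socket
import time

# /proc/net/udp columns (Linux): sl local rem st tx_queue:rx_queue tr:tm->when
# retrnsmt uid timeout inode ref pointer drops. 'drops' counts datagrams the
# kernel discarded because the socket receive buffer was full; syslog-ng never
# sees those, so they do not appear in its dropped= stats counters.
def _hex_ip(h):
    """Decode the little-endian hex IPv4 address used in /proc/net/udp."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))

def parse_proc_net_udp(text, port):
    """Return the first socket bound to `port` as a dict with the decoded local
    address, current receive-queue bytes and cumulative kernel drops, or None
    if no socket on that port is listed."""
    want = "%04X" % port
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or not f[0].endswith(":") or not f[0][:-1].isdigit():
            continue                      # header line or unexpected layout
        addr, hexport = f[1].split(":")
        if hexport.upper() != want:
            continue
        rx_queue = int(f[4].split(":")[1], 16)
        return {"ip": _hex_ip(addr), "port": port,
                "rx_queue": rx_queue, "drops": int(f[12])}
    return None

SEQ_RE = re.compile(r"probe seq=(\d+)\b")

def find_gaps(lines):
    """Count received probe lines and list missing sequence numbers. Unrelated
    lines are ignored; returns None when no probe line is present."""
    seen = set()
    for line in lines:
        m = SEQ_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
    if not seen:
        return None
    first, last = min(seen), max(seen)
    expected = last - first + 1
    missing = [n for n in range(first, last + 1) if n not in seen]
    return {"first": first, "last": last, "expected": expected,
            "received": len(seen), "missing": missing,
            "loss_pct": 100.0 * len(missing) / expected}

def send_probes(host, port, count, rate_per_sec, tag="udpprobe"):
    """Send `count` RFC 3164-style datagrams carrying 'probe seq=N' at roughly
    `rate_per_sec`; afterwards run find_gaps() over the collector's file for
    program `tag`. Does network I/O, so it is not part of the offline run."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    hostname, pid = socket.gethostname(), os.getpid()
    for n in range(count):
        stamp = time.strftime("%b %d %H:%M:%S")
        msg = "<134>%s %s %s[%d]: probe seq=%d" % (stamp, hostname, tag, pid, n)
        sock.sendto(msg.encode("ascii"), (host, port))
        time.sleep(1.0 / rate_per_sec)
    sock.close()

# Constructed sample: a collector socket on 10.8.4.10:514 that has already
# dropped 1234 datagrams and currently holds 128000 queued bytes.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  145: 0A04080A:0202 00000000:0000 07 00000000:0001F400 00:00000000 00000000     0        0 12345 2 ffff88003a0d9b80 1234
  146: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 ffff88003a0d9c00 0
"""

# Constructed sample of what the collector wrote: probes 0-9 were sent,
# sequence numbers 4 and 7 never arrived, plus one unrelated line.
SAMPLE_RECEIVED = [
    "Mar  5 11:30:%02d web01 udpprobe[4242]: probe seq=%d" % (s, s)
    for s in (0, 1, 2, 3, 5, 6, 8, 9)
] + ["Mar  5 11:30:10 web01 sshd[12]: Accepted publickey for root"]

if __name__ == "__main__":
    print(parse_proc_net_udp(SAMPLE_PROC_NET_UDP, 514))
    print(find_gaps(SAMPLE_RECEIVED))
```

Usage: run send_probes from a client at a rate above the nightly peak, then compare three numbers: the count sent, the drops value from parse_proc_net_udp on the collector (read /proc/net/udp before and after), and find_gaps over the collector's file. A drops counter that grows during the run means the socket buffer overflowed, so check that net.core.rmem_max really allows the so_rcvbuf the config asks for and reduce per-message work such as DNS resolution; a drops counter that stays flat while the file still has gaps means the loss is somewhere else.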