[syslog-ng] High volume of syslog message getting dropped

Samuel Petreski sp446 at georgetown.edu
Mon Mar 19 22:22:28 CET 2012


I'm running syslog-ng 3.3.4 on FreeBSD 8.2, but am getting choppy logging
from syslog-ng. I'm continually (every minute or so) getting the following
messages from syslog-ng,

Mar 19 17:09:24 system syslog-ng[47183]: Syslog connection accepted; fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:09:25 system syslog-ng[47183]: Syslog connection closed; fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:09:46 system syslog-ng[47183]: Syslog connection accepted; fd='25', client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:09:47 system syslog-ng[47183]: Syslog connection closed; fd='25', client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'

Most of my hosts sending their logs to syslog-ng are Cisco ASAs and they are
configured to send their logs securely. Also these devices send syslog
messages at a very high rate (a few of the devices generate logs in excess of
10GB/day).

My relevant syslog-ng parameters are as follows,

****************
#global options
options {
        chain_hostnames(off); keep_hostname(yes); use_fqdn(off);
        flush_lines(0); stats_freq(360); threaded(yes);
        dns_cache(2000); dns_cache_expire(87600);
        # note: flush_lines() appears twice in this block (0 above and
        # 10000000 here); check which of the two values is intended
        flush_lines(10000000); flush_timeout(6000);
};

#destination, source and logging
destination d_cisco_devices {
        file("/data/log/$HOST-$YEAR$MONTH$DAY.log" perm(0400));
};

source tls_clients {
        tcp(ip(0.0.0.0) port(1470) max-connections(300)
            log_iw_size(300000000) log_fetch_limit(2000000)
            tls( key_file("/etc/syslog-ng.key")
                 cert_file("/etc/syslog-ng.crt")
                 peer_verify(optional-untrusted)) );
};

log { source(tls_clients); destination(d_cisco_devices); flags(flow-control); };
****************

I've read through the manual and have tried to increase the flush_lines,
log_fetch_limit, log_iw_size parameters but have not been able to fine tune
its operation. Most of my recorded syslog messages are for about a few
seconds, and then they start again the next minute.

Any help or pointers anyone can provide would be greatly appreciated.

Thanks.

--Samuel
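As an added example (not from Samuel's post or from the syslog-ng project), a small Python script that parses syslog-ng's own "Syslog connection accepted/closed" messages in the format quoted above and reports, per client address, the connections that lived only a second or two, which is the churn pattern described in the post. The year used for the timestamps (2012) and the 5-second "short-lived" threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches syslog-ng's own connection accept/close messages in the exact
# shape quoted in the post (one message per line, no wrapping).
CONN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>accepted|closed); fd='(?P<fd>\d+)', "
    r"client='AF_INET\((?P<client>[\d.]+):\d+\)'"
)

def parse_ts(ts, year=2012):
    # Syslog timestamps carry no year; the caller supplies it (assumed 2012).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def short_lived_connections(lines, max_seconds=5):
    """Pair every 'accepted' with the next 'closed' on the same fd and
    return {client_ip: [duration_in_seconds, ...]} for connections that
    lived no longer than max_seconds. A client that shows up here every
    minute is reconnecting and dropping instead of streaming."""
    open_conns = {}                      # fd -> (client, time accepted)
    short = defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue                     # not a connection message
        fd, when = m["fd"], parse_ts(m["ts"])
        if m["event"] == "accepted":
            open_conns[fd] = (m["client"], when)
        elif fd in open_conns:           # 'closed' for an fd we saw opened
            client, opened = open_conns.pop(fd)
            duration = (when - opened).total_seconds()
            if duration <= max_seconds:
                short[client].append(duration)
    return dict(short)

# Constructed sample input: the four syslog-ng lines quoted in the post.
SAMPLE = [
    "Mar 19 17:09:24 system syslog-ng[47183]: Syslog connection accepted; fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'",
    "Mar 19 17:09:25 system syslog-ng[47183]: Syslog connection closed; fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'",
    "Mar 19 17:09:46 system syslog-ng[47183]: Syslog connection accepted; fd='25', client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'",
    "Mar 19 17:09:47 system syslog-ng[47183]: Syslog connection closed; fd='25', client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'",
]

if __name__ == "__main__":
    for client, durations in short_lived_connections(SAMPLE).items():
        print(f"{client}: {len(durations)} short-lived connection(s), {durations}")
```

Run it against the full syslog-ng internal log and any ASA that appears repeatedly with one-second connections is the one whose stream is being cut off.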


