[syslog-ng] UDP errors and lost UDP messages
Matt Zagrabelny
mzagrabe at d.umn.edu
Tue Apr 7 17:29:08 CEST 2015
On Tue, Apr 7, 2015 at 3:36 AM, Balazs Scheidler <bazsi77 at gmail.com> wrote:
> Hi,
>
> 270 is not a lot unless there's some kind of bottleneck in the syslog-ng
> side. DNS is often a culprit, that's why syslog-ng has a DNS cache which
> should address the problem. Do you have any kind of related settings in your
> configuration?

Hi Bazsi!

I do use DNS, but per recommendations I use the cache. Here is my
complete config:

@version: 3.1

options {
    long_hostnames(off);
    flush_lines(0);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
    create_dirs(yes);
    dir_perm(0755);
    chain_hostnames(0);
    time_reopen(10);
    time_reap(360);
    time_sleep(20);
    use_dns(yes);
    dns_cache(2000);
    dns_cache_expire(87600);
    log_fetch_limit(10);
    log_fifo_size(200000); # 10 polls of (10 fetch limit * 2000 connections)
    log_iw_size(20000); # 10 fetch limit * 2000 connections (default 100)
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src {
    unix-dgram("/dev/log");
    internal();
    file("/proc/kmsg" program_override("kernel"));
};

source s_tls {
    syslog(
        port(6514)
        transport("tls")
        tls(
            peer-verify(required-trusted)
            ca_dir('/etc/syslog-ng/ssl/ca.d')
            key_file('/etc/syslog-ng/ssl/server.key')
            cert_file('/etc/syslog-ng/ssl/server.crt')
        )
        max_connections(2000)
        keep_hostname(yes)
        so_rcvbuf(16777216)
    );
};

source s_udp {
    udp(
        keep_hostname(yes)
        so_rcvbuf(16777216)
    );
};

########################
# Destinations
########################
# The root's console.
#
destination d_console { usertty("root"); };

# Virtual console.
#
destination d_console_all { file("/dev/tty10"); };

destination df_filter_by_facility {
    file(
        "/var/log/$FACILITY.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0755)
        create_dirs(yes)
    );
};

destination d_remote_clients {
    file(
        "/var/log/syslog-ng/remote_clients/$HOST_FROM/$YEAR/$MONTH/$DAY/$FACILITY"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0755)
        create_dirs(yes)
    );
};

destination d_remote_clients_udp {
    file(
        "/var/log/syslog-ng/remote_clients/.udp/$HOST_FROM/$YEAR/$MONTH/$DAY/$FACILITY"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0755)
        create_dirs(yes)
    );
};

########################
# Filters
########################
filter f_crit { level(crit .. emerg); };
filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
log { source(s_src); filter(f_console); destination(d_console_all); };
log { source(s_src); filter(f_crit); destination(d_console); };

log {
    source(s_src);
    destination(df_filter_by_facility);
};

log {
    source(s_tls);
    source(s_udp);
    destination(d_remote_clients);
    flags(flow-control);
};

> Also, 3.1 is pretty old, can you perhaps upgrade that to something more
> recent? I think squeeze is supported by the madhouse.org packages.

Sure. I'll look at upgrading or standing up a newer Debian system with
a more recent syslog-ng.

Any other pointers in the meantime?

-m
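
Added example, not part of the original message or of syslog-ng: a Python check that relates the so_rcvbuf() value in the posted UDP source to the Linux kernel's net.core.rmem_max cap and to the Udp drop counters in /proc/net/snmp. The counter values, the rmem_max figure and the function names are constructed for illustration; a Linux receiver is assumed.

```python
import re

# Constructed sample in /proc/net/snmp format (header line, then value line).
SAMPLE_SNMP = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 918273 12 4410 2201 4398 0
"""

# The s_udp source from the configuration posted above.
SAMPLE_CONF = """\
source s_udp {
    udp(
        keep_hostname(yes)
        so_rcvbuf(16777216)
    );
};
"""

def udp_counters(snmp_text):
    """Return the Udp counters of /proc/net/snmp as a dict of ints."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp header line and one value line")
    return dict(zip(rows[0], map(int, rows[1])))

def requested_rcvbufs(conf_text):
    """Return every so_rcvbuf() value in a syslog-ng config, ignoring # comments."""
    no_comments = re.sub(r"#.*", "", conf_text)
    return [int(v) for v in re.findall(r"\bso_rcvbuf\s*\(\s*(\d+)\s*\)", no_comments)]

def check(snmp_text, conf_text, rmem_max):
    """List findings: buffers above the kernel cap, and receive-buffer drops."""
    findings = []
    for want in requested_rcvbufs(conf_text):
        # Linux silently caps SO_RCVBUF at net.core.rmem_max for unprivileged setsockopt.
        if want > rmem_max:
            findings.append(f"so_rcvbuf({want}) exceeds net.core.rmem_max={rmem_max}")
    # RcvbufErrors is host-wide: it counts drops on every UDP socket, not only syslog-ng's.
    drops = udp_counters(snmp_text).get("RcvbufErrors", 0)
    if drops:
        findings.append(f"{drops} datagrams dropped on full receive buffers")
    return findings

if __name__ == "__main__":
    # On a live host, read /proc/net/snmp and /proc/sys/net/core/rmem_max instead.
    for line in check(SAMPLE_SNMP, SAMPLE_CONF, rmem_max=212992):
        print(line)
```

Sampling the counters twice and comparing the difference shows whether drops are still occurring while syslog-ng is under load.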