[syslog-ng] Missing messages

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Mon Jun 24 13:39:52 UTC 2019


Hi Bryan,

Thank you for using the syslog-ng mailing list! 🙂

Message drop could happen for several reasons. I couple reasons, that suddenly comes up to me:

  1.  The log path has a filter or parser, which does not match for the message.
  2.  The log path has a source, which has a built-in parser (syslog for example), and the message does not match the protocol.
  3.  Flow-control is not enabled and the destination is not alive for a longer period of time.
  4.  Flow-control is configured incorrectly.
  5.  ...

Saying so, it is hard to come up with one general way to investigate this.
However, I can give you some tips:

  1.  You can set "stats-level(1)" in the global options and use "sbin/syslog-ng-ctl stats", then look for the "dropped" counters.
  2.  You can start syslog-ng in debug mode (./sbin/syslog-ng -Fedtv) and look for the following logs: "Destination queue full, dropping message;" or "UNMATCHED".
  3.  Check if flow-control is enabled and configured properly.
  4.  If you do not want to use flow-control, you can use disk-queue alternatively.

If you could share some parts of your setup and config, where the problem happens, we could give you more insight.

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Klimek, Bryan J. <bklimek at mayo.edu>
Sent: Monday, June 24, 2019 3:05 PM
To: 'syslog-ng at lists.balabit.hu'
Subject: [syslog-ng] Missing messages

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.


First time poster, so be gentle.



We run syslog-ng in our environment as a centralized syslog manager for the archiving of syslog data. We have over 2000+ Unix/Linux systems sending their syslog data with a daily ingest rate of about 10GB per day.



It was recently pointed out to me that one particular message from one specific host is not getting persisted to the files on our syslog-ng server all the time. That is to say, it is intermittent.



If one person can find one message that is not making into our syslog-ng archive, I can only assume that we are dropping other messages as well.



How can I debug if and when messages are being lost and not making into the files on my centralized syslog server?



Bryan Klimek

Mayo Clinic


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190624/f9887014/attachment-0001.html>


More information about the syslog-ng mailing list