[syslog-ng] Tips to diagnose missing syslog messages?

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Mon Jun 14 14:34:09 UTC 2021

Hello Daniel,

 If I understand you correctly: you have a problem that one of your Syslog-ng server is not receiving a log message. (Not that you do not receive a message FROM one of your Syslog-ng server.)

 From my experience: In those cases when someone tries to diagnose an issue where Syslog-ng do not receive a message, it is always a good first step to determine if the message actually reaches Syslog-ng or not.
 i.e.: in case of a network source, try to receive the message with a simple netcat command. (Maybe the message was dropped by a firewall before reaching your machine, and Syslog-ng has nothing to do with it.) At this point we do not really care about the format of the message.

 If you made sure that those messages are reaching the application, we should try to diagnose Syslog-ng itself. For that we will need some information about your setup.
  - your platform
  - version of Syslog-ng (Where it is obtained from? i.e. local build)
  - Related config parts. (including the source driver which is expected to receive the logs)
  - How do you start Syslog-ng? (i.e.: as a service)

Best regards,

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Daniel Ehrlich <Daniel.Ehrlich at usq.edu.au>
Sent: Wednesday, June 9, 2021 07:24
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Tips to diagnose missing syslog messages?

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hi Everyone,

Does anyone have some diagnostic tips to offer to diagnose why syslog messages are not being received?
I have syslog-ng on a few servers but one is losing messages (others syslog-ng servers might be dropping that I am unaware off).
Not sure if there is some options I should add to the conf or diag commands or load specifications I should check?

options {
   create_dirs (yes);
   time_reopen (10);

Also adding the flag-control flag to the log stanza.

This email (including any attached files) is confidential and is
for the intended recipient(s) only. If you received this email by
mistake, please, as a courtesy, tell the sender, then delete this
The views and opinions are the originator's and do not necessarily
reflect those of the University of Southern Queensland. Although
all reasonable precautions were taken to ensure that this email
contained no viruses at the time it was sent we accept no
liability for any losses arising from its receipt.
The University of Southern Queensland is a registered provider
of education with the Australian Government.
(CRICOS Institution Code QLD 00244B / NSW 02225M, TEQSA PRV12081)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20210614/1e167c59/attachment.html>

More information about the syslog-ng mailing list