[syslog-ng] Local sources seem not to be working

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Wed Mar 16 15:09:02 UTC 2022


Hi Alex!

I've checked the attached config and logs, and it looks like syslog-ng cannot send logs to the "/dev/uds_log" destination, and you have flow-control enabled in the config.
Once you fill the disk-buffer (which is a 4MiB sized reliable disk-buffer), flow-control kicks in and syslog-ng stops reading more messages from the sources that are connected to this destination.

example log:
Destination reliable queue full, dropping message; filename='/tmp/syslog-ng-00016.rqf', queue_len='6063', mem_buf_size='2097152', disk_buf_size='4194304', persist_name='afsocket_dd_qfile(stream,localhost.afunix:/dev/uds_log)'

First, I would suggest increasing the disk-buffer size.

Regards,
Gabor

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Alexandre Santos <ASantos at infinera.com>
Sent: Tuesday, March 15, 2022 16:04
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Local sources seem not to be working


Hi,



I have syslog-ng 3.32.1 running on Debian GNU/Linux 10 (buster) with the configuration in the attachment.



After some time running, syslog-ng seems to be unable to read from system() and internal() sources.

Log messages from syslog(ip(10.20.30.40) transport("udp") port(514) keep-alive(no)); are seen in the output folders.

Also journald logs are working fine.



After a reload of the configuration in which what changes is this line:

rewrite r_host { set("MACHINE-${HOST}", value("HOST")); };

logging is resumed.



Here is the time gap for logs:

<43>1 2022-03-11T11:55:23.802+00:00 xmm4-1-1 syslog-ng 8283 - [meta sequenceId="767"] Last message 'Destination reliable' repeated 8933 times, suppressed by syslog-ng on xmm4-1-1

<46>1 2022-03-14T07:19:01.817+00:00 xmm4-1-1 syslog-ng 8283 - [meta sequenceId="1"] Module loaded and initialized successfully; module='syslogformat'



Do you know why this is happening?



Thanks & Regards,

Alex
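
Added example, not part of the thread and not syslog-ng project code: a Python check that reads syslog-ng's own messages, pulls the buffer sizes out of the "reliable queue full" message, and flags the silence that follows once flow-control stops the sources. The function names and the 30-minute threshold are assumptions; the sample lines are the ones quoted in this thread.

```python
import re
from datetime import datetime, timedelta

# Log lines quoted in the thread above, embedded so the example runs offline.
SAMPLE = [
    "Destination reliable queue full, dropping message; "
    "filename='/tmp/syslog-ng-00016.rqf', queue_len='6063', "
    "mem_buf_size='2097152', disk_buf_size='4194304', "
    "persist_name='afsocket_dd_qfile(stream,localhost.afunix:/dev/uds_log)'",
    "<43>1 2022-03-11T11:55:23.802+00:00 xmm4-1-1 syslog-ng 8283 - "
    "[meta sequenceId=\"767\"] Last message 'Destination reliable' repeated "
    "8933 times, suppressed by syslog-ng on xmm4-1-1",
    "<46>1 2022-03-14T07:19:01.817+00:00 xmm4-1-1 syslog-ng 8283 - "
    "[meta sequenceId=\"1\"] Module loaded and initialized successfully; "
    "module='syslogformat'",
]

KV = re.compile(r"(\w+)='([^']*)'")                  # key='value' tags in the message
HDR = re.compile(r"^<\d+>1 (\S+) (\S+) syslog-ng ")  # RFC 5424 header, syslog-ng as app

def queue_full_events(lines):
    """Return the parsed tags of every 'reliable queue full' message."""
    events = []
    for line in lines:
        if "Destination reliable queue full" in line:
            tags = dict(KV.findall(line))
            for key in ("queue_len", "mem_buf_size", "disk_buf_size"):
                tags[key] = int(tags[key])
            events.append(tags)
    return events

def silence_gaps(lines, threshold=timedelta(minutes=30)):  # threshold is an assumed value
    """Return (host, last_seen, resumed, gap) where syslog-ng's own messages stopped."""
    gaps, last = [], {}
    for line in lines:
        m = HDR.match(line)
        if m:
            ts, host = datetime.fromisoformat(m.group(1)), m.group(2)
            if host in last and ts - last[host] > threshold:
                gaps.append((host, last[host], ts, ts - last[host]))
            last[host] = ts
    return gaps

if __name__ == "__main__":
    for ev in queue_full_events(SAMPLE):
        print(ev["persist_name"], "disk buffer", ev["disk_buf_size"] // 2**20, "MiB full")
    for host, _, _, gap in silence_gaps(SAMPLE):
        print(host, "syslog-ng messages silent for", gap)
```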

