[syslog-ng] Local sources seem not to be working

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Fri Mar 25 14:43:42 UTC 2022


Hi Alex,

Sorry I haven't answered yet. I have a few ideas I would like to try out next week.

This is strange: the d_localfile destinations (as well as the vrf-socket destination "d_mgmt_vrf_socket") receive messages from the syslog() source, but not from the internal() or system() sources?
And the issue vanishes when "d_mgmt_vrf_socket" destination is removed?
If it were soft flow-control, then the syslog() source would be suspended too.
Just a tip: would you switch out the unix-dgram() destination for a syslog() destination, please? Maybe that's not possible with the VRF in place...

In the stats output, do you see an increased number of dropped messages?

I would still suggest increasing the 4MB disk-buffer. You should make an estimation of how long the mgmt syslog-ng could be down (i.e. not receiving from the unix-dgram), what the average incoming EPS is, and the average message size; that could give a hint about the required disk-buffer size.

Regards,
Gabor

