[syslog-ng] Local sources seem not to be working

Alexandre Santos ASantos at infinera.com
Mon Mar 28 11:45:06 UTC 2022


Hi Gabor,

"This is strange: the d_localfile destinations (as well as the vrf-socket destination "d_mgmt_vrf_socket") receive messages from the syslog() source, but not from the internal() or system() sources?"
Yes.

And the issue vanishes when "d_mgmt_vrf_socket" destination is removed?
Yes.

I could not test the last 2 suggestions that you made.

We did, however, do another test, which was to remove the reliable option from d_mgmt_vrf_socket, and it seems the problem is not seen again.

Besides what is written in the manual, in which other cases/conditions can syslog-ng lose logs?

reliable()
Type: yes|no
Default: no
Description: If set to yes, syslog-ng OSE cannot lose logs in case of reload/restart, unreachable destination or syslog-ng OSE crash. This solution provides a slower, but reliable disk-buffer option. It is created and initialized at startup and gradually grows as new messages arrive. If set to no, the normal disk-buffer will be used. This provides a faster, but less reliable disk-buffer option.

Thanks in advance,
Alex

From: Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
Sent: 25 March 2022 14:44
To: Alexandre Santos <ASantos at infinera.com>; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: Local sources seem not to be working

Hi Alex,

Sorry I haven't answered yet. I'll have a few ideas I would like to try out next week.

This is strange: the d_localfile destinations (as well as the vrf-socket destination "d_mgmt_vrf_socket") receive messages from the syslog() source, but not from the internal() or system() sources?
And the issue vanishes when "d_mgmt_vrf_socket" destination is removed?
If it would be soft flow-control, then the syslog() source would be suspended too.
Just a tip: would you switch out the unix-dgram() destination to syslog() destination, please? Maybe that's not possible with the VRF in-place...

In the stats output, do you see an increased number of dropped messages?

I would still suggest increasing the 4MB disk-buffer. You should make an estimate of how long the mgmt syslog-ng could be down (i.e. not receiving from the unix-dgram), what the average incoming EPS is, and the average message size; that could give a hint about the required disk-buffer size.

Regards,
Gabor
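
The two checks suggested in the message above, as an added example that is not from either poster and is not syslog-ng project code: diff the "dropped" counters between two `syslog-ng-ctl stats` snapshots, and estimate a disk-buffer size from downtime, EPS and message size. The snapshots are constructed, the source id s_local and the socket/file paths are placeholders, and the headroom factor is an assumption.

```python
import csv
import io

# Constructed snapshots in the semicolon-separated layout printed by
# `syslog-ng-ctl stats`. Paths, s_local and all numbers are made up.
HEADER = "SourceName;SourceId;SourceInstance;State;Type;Number\n"
SOCK = "unix-dgram,localhost.afunix:/placeholder/sock"
BEFORE = HEADER + (
    f"dst.unix-dgram;d_mgmt_vrf_socket#0;{SOCK};a;dropped;0\n"
    f"dst.unix-dgram;d_mgmt_vrf_socket#0;{SOCK};a;written;1200\n"
    "dst.file;d_localfile#0;/placeholder/messages;a;dropped;0\n"
    "src.internal;s_local#0;;a;processed;340\n"
)
AFTER = HEADER + (
    f"dst.unix-dgram;d_mgmt_vrf_socket#0;{SOCK};a;dropped;57\n"
    f"dst.unix-dgram;d_mgmt_vrf_socket#0;{SOCK};a;written;1200\n"
    "dst.file;d_localfile#0;/placeholder/messages;a;dropped;0\n"
    "src.internal;s_local#0;;a;processed;410\n"
)

def counters(stats_text, counter_type):
    """Map (SourceName, SourceId, SourceInstance) -> Number for one counter type."""
    rows = csv.DictReader(io.StringIO(stats_text), delimiter=";",
                          quoting=csv.QUOTE_NONE)
    return {(r["SourceName"], r["SourceId"], r["SourceInstance"]): int(r["Number"])
            for r in rows if r["Type"] == counter_type}

def increased(before_text, after_text, counter_type="dropped"):
    """Return {counter key: delta} for counters that grew between snapshots."""
    before = counters(before_text, counter_type)
    after = counters(after_text, counter_type)
    # A key absent from the first snapshot counts from 0. A value that went
    # down means the counter was reset (e.g. restart) and is not reported.
    return {k: v - before.get(k, 0)
            for k, v in after.items() if v > before.get(k, 0)}

def required_buffer_bytes(downtime_s, eps, avg_msg_bytes, headroom=1.5):
    """Bytes needed to hold everything arriving while the receiver is down.

    headroom is an assumed safety factor for bursts and per-message
    storage overhead; it is not a syslog-ng constant.
    """
    return int(downtime_s * eps * avg_msg_bytes * headroom)

if __name__ == "__main__":
    for key, delta in increased(BEFORE, AFTER).items():
        print(f"{key[1]}: {delta} more dropped messages")
    # Constructed figures: 10 minutes down, 500 EPS, 300-byte messages.
    print(required_buffer_bytes(600, 500, 300), "bytes vs 4MB =", 4 * 1024 * 1024)
```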
