[syslog-ng] Local sources seem not to be working
Szilard Parrag (sparrag)
Szilard.Parrag at oneidentity.com
Thu May 5 06:32:11 UTC 2022
Hi Alex,
After checking the stats, you have sent we can see that there had been some writes:
from
dst.program;d_localfile_linecard#0;/opt/machine/local/bin/write_with_rotation.sh /var/log/linecard.log 10 10;a;written;4518
to
dst.program;d_localfile_linecard#0;/opt/machine/local/bin/write_with_rotation.sh /var/log/linecard.log 10 10;a;written;4549
* we do not see increase in the counters of /var/log destinatons, but only on one destination
* we could only see an increase in syslog-udp processed counters
* there are no dropped/queued counters
We would guess this could be due to flow-control, but for that we would need to see non-zero queued counter values, which is not the case. It could happen that one destination hangs/can't send messages out, which leads to suspended sources due to flow-control, but the syslog() source is not affected since it doesn't send messages to the hanged destination(s).
Based on the stats, only "d_localfile_linecard" is active (~30 messages in 15 minutes), maybe the syslog() source would be affected too without the filtering.
We should see more internal logs, which is problematic, since internal() source seems to be stopped too. For that I would recommend extracting internal() source from the s_src statement and putting it in a separate log path with a simple file destination.
Also, if possible, could you please share your `write_with_rotation.sh` script? It is unlikely that it interferes with syslog-ng, but a double check would be nice. 🙂
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20220505/250ab73a/attachment.htm>
More information about the syslog-ng
mailing list