From owner-freebsd-questions  Tue Mar 13 10:53:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from silver.teardrop.org (silver.teardrop.org [205.181.101.128])
	by hub.freebsd.org (Postfix) with ESMTP id B014537B719
	for <freebsd-questions@freebsd.org>; Tue, 13 Mar 2001 10:53:08 -0800 (PST)
	(envelope-from snow@teardrop.org)
Received: (from snow@localhost)
	by silver.teardrop.org (8.11.2/8.11.1) id f2DIqv245756
	for freebsd-questions@freebsd.org; Tue, 13 Mar 2001 13:52:57 -0500 (EST)
	(envelope-from snow@teardrop.org)
Date: Tue, 13 Mar 2001 13:52:57 -0500
From: James Snow <snow@teardrop.org>
To: freebsd-questions@freebsd.org
Subject: syslogd acting weird, not logging, large receive queues?
Message-ID: <20010313135257.B44753@teardrop.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm trying to setup a FreeBSD machine to act as a central log collector
and analyzer for a cluster of FreeBSD and Linux machines. 

/etc/syslog.conf for each of the machines logging to the remote host
contains one line:

*.*		@loghost

(Yes, with tabs for whitespace.)

Loghost then does something like:

+hosta
*.*		/var/log/hosta/logs

+hostb
*.*		/var/log/hostb/logs


They're actually sorted a bit more than that, but I don't think the
config file is the source of the problem, so, anyway.

I'll get a few log entries in and they'll be routed correctly. Almost
immediately though, syslogd stops sending new log entries to the various
log files. At this point, netstat -f inet -an show some oddities:

Proto Recv-Q Send-Q  Local Address          Foreign Address (state)
udp4     129      0  *.1053                 *.*
udp4   30350      0  *.514                  *.*

Seems like an awful lot of data to have sitting in the receive queue. :)

Weirder still is that the port number for the non-514 UDP socket, (which
I understand syslogd is using to do DNS queries) moves around. It might
be on port 1053 when I run netstat one time, but 60 seconds later it
will be on port 1127. However, the receive queue never diminishes.

I'm puzzled. What on earth is going on here?

Any hints, clues, pointers or invectives containing the letters R, T, F and
M would be appreciated, so long as you mention which M, 'cuz I sure
can't find anything that seems to relate to this. :)


Thanks,
-Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message