From: James Snow
To: freebsd-questions@FreeBSD.ORG
Date: Tue, 13 Mar 2001 16:07:59 -0500
Subject: Re: syslogd acting weird, not logging, large receive queues?
Message-ID: <20010313160759.A46740@teardrop.org>
In-Reply-To: <20010313135257.B44753@teardrop.org>

Ok, what I've ascertained here is that the stock syslogd just can't
handle large amounts of log entries coming in very quickly. It kills
itself trying to resolve the source hostname on each datagram.

I solved my problem in the short term by passing -n to syslogd on the
command line and changing my syslog.conf from using hostnames to using
IP addresses.

I'm now looking at syslogd-ng in the ports tree. I guess my logging
needs/requirements are a bit out of the ordinary. :)

-Snow

On Tue, Mar 13, 2001 at 01:52:57PM -0500, James Snow wrote:
> I'm trying to set up a FreeBSD machine to act as a central log collector
> and analyzer for a cluster of FreeBSD and Linux machines.
>
> /etc/syslog.conf for each of the machines logging to the remote host
> contains one line:
>
> *.*	@loghost
>
> (Yes, with tabs for whitespace.)
>
> Loghost then does something like:
>
> +hosta
> *.*	/var/log/hosta/logs
>
> +hostb
> *.*	/var/log/hostb/logs
>
>
> They're actually sorted a bit more than that, but I don't think the
> config file is the source of the problem, so, anyway.
>
> I'll get a few log entries in and they'll be routed correctly. Almost
> immediately though, syslogd stops sending new log entries to the various
> log files. At this point, netstat -f inet -an shows some oddities:
>
> Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
> udp4     129      0  *.1053             *.*
> udp4   30350      0  *.514              *.*
>
> Seems like an awful lot of data to have sitting in the receive queue. :)
>
> Weirder still is that the port number for the non-514 UDP socket, (which
> I understand syslogd is using to do DNS queries) moves around. It might
> be on port 1053 when I run netstat one time, but 60 seconds later it
> will be on port 1127. However, the receive queue never diminishes.
>
> I'm puzzled. What on earth is going on here?
>
> Any hints, clues, pointers or invectives containing the letters R, T, F and
> M would be appreciated, so long as you mention which M, 'cuz I sure
> can't find anything that seems to relate to this. :)
>
>
> Thanks,
> -Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
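The symptom in the thread above, a receive queue on *.514 that never drains, can be checked for on a log collector by comparing two netstat snapshots. The script below is an added example and not part of the original message; the function names, the byte limits and the second snapshot's queue sizes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Flags UDP sockets whose receive queue stays above a limit across two
# netstat snapshots, i.e. a collector that has stopped draining its socket.

# First snapshot: the netstat lines quoted in the post.
SNAP1='Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
udp4     129      0  *.1053             *.*
udp4   30350      0  *.514              *.*'

# Second snapshot: constructed. The resolver socket has moved to port 1127
# as the post describes; the queue sizes are assumed values.
SNAP2='Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
udp4     129      0  *.1127             *.*
udp4   30350      0  *.514              *.*'

# persistent_backlog LIMIT FILE1 FILE2
# Prints "port recvq_then recvq_now" for each UDP local port over LIMIT bytes
# in both snapshots. Exit status 0 if any port was flagged, 1 otherwise.
persistent_backlog() {
    awk -v limit="$1" '
        FNR == 1 { snap++ }                       # count input files
        ($1 ~ /^udp/) && ($2 ~ /^[0-9]+$/) && ($2 + 0 > limit + 0) {
            n = split($4, part, /[.:]/)           # "addr.port" or "addr:port"
            port = part[n]
            if (snap == 1) first[port] = $2
            else if (port in first) { print port, first[port], $2; hit = 1 }
        }
        END { exit (hit ? 0 : 1) }
    ' "$2" "$3"
}

# check_snapshots LIMIT TEXT1 TEXT2: same check on snapshot text, via temp files.
check_snapshots() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$2" > "$dir/a"
    printf '%s\n' "$3" > "$dir/b"
    rc=0
    persistent_backlog "$1" "$dir/a" "$dir/b" || rc=$?
    rm -rf "$dir"
    return $rc
}

# Demo on the embedded snapshots; prints "514 30350 30350".
check_snapshots 100 "$SNAP1" "$SNAP2" || true
```

On a live log host, save two outputs of `netstat -f inet -an` taken about a minute apart and pass the two files to `persistent_backlog`. The moving resolver socket drops out because its port changes between snapshots, so only the stuck syslog port is reported.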