syslogd not draining

Michael W. Lucas mwlucas at blackhelicopters.org
Mon Mar 27 18:46:46 UTC 2006


On Mon, Mar 27, 2006 at 10:35:11PM +0400, Maxim Konovalov wrote:
> [....]
> > > > > >ns1/etc;netstat -s | grep full
> > > > > >Warning: sysctl(net.inet6.ip6.rip6stats): No such file or directory
> > > > > >        122066 dropped due to full socket buffers
> > > > > >ns1/etc;
> > > > > >
> > > > > >I've doubled kern.ipc.maxsockbuf a couple of times now, and yet it
> > > > > >still happens.
> > >
> > > That's not enough.  You need to teach syslogd to use this new value.
> >
> > I don't see this in syslogd(8); I presume it requires source hacking?
> 
> Yes.

OK, I'm going to avoid that for the moment.  I haven't touched C in
five years now, I'd probably confuse it even worse.

Besides, I've had centralized logging hosts with this much activity --
and far more -- previously.  I can't believe that this environment is
so special that it requires that sort of customization.

> [...]
> > > netstat -sp udp | grep 'datagrams received'; sleep 10; \
> > > netstat -sp udp | grep 'datagrams received'
> >
> >         158169 dropped due to full socket buffers
> >         2467251 datagrams received
> > 	sleeping...
> >         158903 dropped due to full socket buffers
> >         2468299 datagrams received
> 
> ~100 datagrams per second, not a lot.  Perhaps they are huge.

Not that I've noticed.  It's syslogd, DHCP, DNS, and flow-capture
from a variety of devices, all generally small packets.

> > > How much cpu time does syslogd use?
> >
> > Not much.  ps -ax | grep syslog gives:
> >
> >  4317 ??  Ss 0:01.60 /usr/sbin/syslogd -l /var/run/log -l
> >  /var/named/var/run/log
> 
> Try to remove a log socket for named and restart syslogd.

Removed the named socket and restarted.  We'll see what happens.

> > Process has been running for about five minutes at that point.
> >
> > Another point that might be of interest:
> >
> > ns1/etc;rc.d/syslogd restart Stopping syslogd. Waiting for PIDS:
> > 4317, 4317, 4317, 4317, 4317, 4317, 4317, 4317, 4317, 4317, 4317,
> > 4317, 4317, 4317, 4317, 4317, 4317, 4317 Starting syslogd.
> 
> What's the /var filesystem type?  Something like gmirror?

Nope.  It's a big SATA drive with a swap partition at the top and the
rest vanilla UFS2:

ad4: 38146MB <WDC WD400JD-75HKA1 14.03G14> at ata2-master SATA150
ad5: 476940MB <Maxtor 6H500F0 HA431C00> at ata2-slave SATA150

ns1~;mount
/dev/ad4s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad4s1d on /tmp (ufs, local, soft-updates)
/dev/ad4s1e on /usr (ufs, local, soft-updates)
/dev/ad4s1f on /home (ufs, local, soft-updates)
/dev/ad5s1d on /var (ufs, local, soft-updates)
devfs on /var/named/dev (devfs, local)

> diff -u /etc/syslog.conf /usr/src/etc/syslog.conf?

 # $FreeBSD: src/etc/syslog.conf,v 1.28 2005/03/12 12:31:16 glebius Exp $
-#$Id: syslog.conf,v 1.11 2006/03/17 18:56:18 system_mwl Exp system_mwl $
 #
 #      Spaces ARE valid field separators in this file. However,
 #      other *nix-like systems still insist on using tabs as field
 #      separators. If you are sharing this file between systems, you
 #      may want to use only tabs as field separators here.
 #      Consult the syslog.conf(5) manpage.
-*.err;kern.warning;auth.notice;mail.crit;local4.none   /var/log/console.log
-#*.err;kern.warning;auth.notice;mail.crit;local4.none  /dev/console
-*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.none;local                 1.none;local2.none;local3.none;local4.none;local5.none;local6.none;local7.none /                 var/log/messages
+*.err;kern.warning;auth.notice;mail.crit               /dev/console
+*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/message                 s
 security.*                                     /var/log/security
 auth.info;authpriv.info                                /var/log/auth.log
 mail.info                                      /var/log/maillog
 lpr.info                                       /var/log/lpd-errs
 ftp.info                                       /var/log/xferlog
 cron.*                                         /var/log/cron
-daemon.debug                                   /var/log/daemon.debug
 *.=debug                                       /var/log/debug.log
 *.emerg                                                *
-local0.*                                       /var/log/router
-local1.*                                       /var/log/switch
-#local2.*                                      /var/log/kvm
-#local 2-3 can be used
-local4.*                                       /var/log/pix
-local5.*                                       /var/log/vpn
-local7.*                                       /var/log/dhcpd
 # uncomment this to log all writes to /dev/console to /var/log/console.log
 #console.info                                  /var/log/console.log
 # uncomment this to enable logging of all log messages to /var/log/all.log
 # touch /var/log/all.log and chmod it to mode 600 before it will work
-*.*                                            /var/log/all.log
+#*.*                                           /var/log/all.log
 # uncomment this to enable logging to a remote loghost named loghost
 #*.*                                           @loghost
 # uncomment these if you're running inn
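Review bot: in the local file (the "-" side, since the diff runs from /etc/syslog.conf to the stock copy) the "*.*  /var/log/all.log" line is enabled, so every message is written there as well as to its own file such as /var/log/router or /var/log/pix. While chasing the drops, consider commenting it out as the stock file does; if it stays, the comment just above it asks for mode 600 on the file. Separately, the "local   1.none" and "/   var/log/messages" breaks in the long selector line look like terminal wrapping from the paste, so check that the selector and path are intact in the file on disk.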
@@ -40,5 +30,3 @@
 *.*                                            /var/log/slip.log
 !ppp
 *.*                                            /var/log/ppp.log
-!flow-capture
-*.*                                            /var/log/flow-capture
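Review bot: the "!flow-capture" block at the end of the local file only adds /var/log/flow-capture as a destination; the selectors that precede the program blocks still match flow-capture's messages, so with "*.*  /var/log/all.log" enabled in the first hunk each of those lines is written at least twice. If they are meant to stay out of the general logs, that has to be handled in the earlier selectors, and any rule added below this block later needs a "!*" line first so that it applies to all programs again.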


-- 
Michael W. Lucas	mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
		http://www.BlackHelicopters.org/~mwlucas/

"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
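
Added example (not part of the original message and not syslogd source): kern.ipc.maxsockbuf only raises the ceiling, and a socket keeps its default receive buffer until the program that owns it asks for more with setsockopt(SO_RCVBUF), which is the change the thread says syslogd would need. The function names and the 1 MiB request are assumptions made for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Read the receive-buffer size the kernel currently applies to fd. */
static int get_rcvbuf(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &val, &len) == -1)
        return -1;
    return val;
}

/* Ask for `want` bytes, halving the request while the kernel refuses it
 * (a request above the system limit can fail outright). Never asks for
 * less than the socket already has. Returns the size in effect, or -1. */
int grow_rcvbuf(int fd, int want)
{
    int cur = get_rcvbuf(fd);
    if (cur < 0)
        return -1;
    for (; want > cur; want /= 2)
        if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &want, sizeof(want)) == 0)
            break;
    return get_rcvbuf(fd);
}

/* Open a UDP socket, record its default buffer, then try to enlarge it. */
int demo(int want, int *before, int *after)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1)
        return -1;
    *before = get_rcvbuf(fd);
    *after = grow_rcvbuf(fd, want);
    close(fd);
    return (*before < 0 || *after < 0) ? -1 : 0;
}

int main(void)
{
    int before, after;
    if (demo(1 << 20, &before, &after) != 0) { perror("demo"); return 1; }
    printf("SO_RCVBUF default %d bytes, after request %d bytes\n", before, after);
    return 0;
}
```

If the second number does not move after the sysctl has been raised, the request is being clamped or refused by another limit; the first number is what a daemon that never makes this call is working with.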

