Re: Syslog query - I'm probably doing something stoopid
From: Jason Baugher (jason@baugher.pike.il.us)
Date: 05/20/02
From: Jason Baugher <jason@baugher.pike.il.us> Date: Mon, 20 May 2002 02:18:14 GMT
Can you post the syslog.conf from the boxes? Have you looked at the
network utilization to see if you are maxing out the bandwidth with
logger messages? Have you checked the date/time on the systems to make
sure they are synced? Is it just that the timestamps are wacky, like one
message is stamped 9:30 and the next is stamped 6:30, from 3 hours
before?

Try using logger to generate a test log message and see how long it
really takes to show up, and if the timestamp associated with it really
matches the time when you sent it from the AIX system.

If that fails, and the messages are really taking that long to arrive...
then keep reading.

Since it sounds like the local logger messages are getting logged right,
I'd say the issue is with the AIX systems or the network, although I
can't imagine how the messages could be getting delayed by hours.

I don't know for sure, but it's likely that syslog handles log messages
sequentially. If your AIX systems are generating log messages faster
than the AIX syslog can pass them off to the FreeBSD syslog because of
some CPU or network issue on the AIX end of things, I suppose the backlog
of messages would keep growing and growing.

I'd recommend checking the network utilization with different levels of
logging, as well as the AIX load averages. You may be choking the box
with too many messages.

I'd also recommend looking hard at what you are logging. There is
nothing to be gained by logging too much, and much to be gained by NOT
logging too much. Try to narrow down what you are wanting to see, and
change your rules to focus on just those things.

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 5/19/2002, 7:13:25 PM, Chopper <no.spam@for.me> wrote regarding Syslog
query - I'm probably doing something stoopid:
> Well g'day!
> I'm in the process of setting syslog up to remotely log to a FreeBSD
> box from 3 AIX boxes. Is that a normal thing to do? Anyway, got it
> working EXCEPT the central log host (ie the FreeBSD box) lags behind. Its
> own syslog messages are fine - they are logging AS they happen - it's the
> ones from the AIX boxes. They end up HOURS behind - after only a couple of
> days.
> Can anybody help?? Any more info required? I thought maybe that I am
> trying to log too much - and yeah, when I log less they keep up - but from
> what I've been able to find on the net, people remotely log a lot more than
> I am attempting. I'm trying to remotely log everything at the 'info'
> level. Is that overkill?
> Additional info (just in case this is relevant): On the FreeBSD box I start
> syslog with '-a' options for every machine that I'm remote logging from, ie
> 'syslogd -a 23.23.32.43/32:* -a 45.45.35.34/32:* -a 34.98.6.56/32:*'. I
> understand that the '*' should be replaced by 514 - the udp port I'm
> listening for - but when I put it in, it doesn't play the game.
> Any help appreciated! I'm out of ideas. I guess that I just log less and
> make do with that.
> Chop
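
The logger test suggested in the reply, extended to several probes per sender so that a growing backlog can be told apart from clocks that simply disagree. This is an added example, not code from the thread. The probe command, the `lagtest` tag, the `sent=` field and the host names are assumptions, and the sample lines and arrival times are constructed.

```python
import re
from datetime import datetime, timezone

# Assumed probe, run on each AIX sender every few minutes (not from the thread):
#   logger -t lagtest "sent=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
PROBE = re.compile(r"\s(?P<host>\S+) lagtest(?:\[\d+\])?: "
                   r"sent=(?P<sent>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s*$")

def utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def delays(observed):
    """observed: (arrival, line) pairs; arrival is the collector's UTC clock
    reading when the line appeared. Returns {host: [delay_seconds, ...]}."""
    out = {}
    for arrival, line in sorted(observed):
        m = PROBE.search(line)
        if m:  # ignore everything that is not a probe line
            lag = (arrival - utc(m["sent"])).total_seconds()
            out.setdefault(m["host"], []).append(lag)
    return out

def diagnose(series, tolerance=60):
    """A delay that keeps growing means the sender is falling behind; a large
    but steady one points at clocks or time zones that disagree."""
    if len(series) < 2:
        return "need more probes"
    if series[-1] - series[0] > tolerance:
        return "growing backlog"
    if min(abs(s) for s in series) > tolerance:
        return "constant offset"
    return "ok"

# Constructed sample: (arrival on collector, line as written to the log file).
SAMPLE = [
    (utc("2002-05-20T09:00:02Z"), "May 20 09:00:00 aix1 lagtest: sent=2002-05-20T09:00:00Z"),
    (utc("2002-05-20T09:25:00Z"), "May 20 09:10:00 aix1 lagtest: sent=2002-05-20T09:10:00Z"),
    (utc("2002-05-20T09:55:00Z"), "May 20 09:20:00 aix1 lagtest: sent=2002-05-20T09:20:00Z"),
    (utc("2002-05-20T09:00:01Z"), "May 20 06:00:00 aix2 lagtest: sent=2002-05-20T06:00:00Z"),
    (utc("2002-05-20T09:10:01Z"), "May 20 06:10:00 aix2 lagtest: sent=2002-05-20T06:10:00Z"),
    (utc("2002-05-20T09:20:02Z"), "May 20 06:20:00 aix2 lagtest: sent=2002-05-20T06:20:00Z"),
    (utc("2002-05-20T09:00:03Z"), "May 20 09:00:03 fbsd sshd[212]: not a probe line"),
]

if __name__ == "__main__":
    for host, series in delays(SAMPLE).items():
        print(host, series, diagnose(series))
```

The arrival time has to be recorded on the collector as each line appears, because the timestamp at the start of a logged line may have been written by the sender rather than at the moment of arrival.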