For those of you who use rely on syslog and/or run a remote logging server
where all your logs are sent, you should really consider upgrading to
syslog-ng, and using tcp for the transport. Over the last couple of weeks,
I've been running some stats on my centrally located maillog, and they
didn't work out, it seemed like there were many missing lines that should
have been there.
It turns out that both the linux and freebsd syslog will very happily drop
log lines if it gets behind at all. I've switched to syslog-ng, set a
buffer of 100,000 lines on my main log server, set up tcp for the transport
both on the logging box and the boxes that log to it, and I haven't lost a
line yet, as far as I can tell. Even without logging over the network,
syslog will still discard lines if it's behind. Here's a small program that
someone (Vlad Marchenko) posted to the postfix mailing list a couple of days
ago to test if your syslog sucks or not. Just run it and check the log to
see if all the lines made it into the file.
Jay
--------------
#include <stdlib.h>
#include <syslog.h>
int main(int argc, char **argv) {
int count=1000;
int i=0;
char str[256];
if ( argc < 2 ) {
printf("usage: %s [number of lines to log]\n", argv[0]);
return(0);
}
openlog(argv[0], LOG_NDELAY | LOG_PID, LOG_MAIL);
count = atoi(argv[1]);
for (i=0; i<count; i++) {
sprintf(str,"this is line number %d.
blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-b
lah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-bl
ah-blah-blah-blah-blah",i);
syslog(LOG_INFO, "%.*s", 2000, str);
}
return;
}