Syslog cant keep up with cisco

[3wsparky]

Hi , I am syslogging from a cisco box to a linux box , problem i have is that the debug im logging on the linux box cant keepup with the ciscos output resulting in the syslog not containing all my messages !
i am running a 2.4 gig linux box 100mb card full dup
not sure what todo about this one

any ideas would be great
Terry

 

[RhythmAce]

Does MTU come into play and have you tried to lower it?

 

[3wsparky]

not tried lowering the mtu , but think this might affect the other data circuits connected to this router , bascally its a 3745 with voip ios and has two data circuits to other branches attached to it , the router audio becomes one direction and it starts eating cpu then in many cases clears its self after a while , the solarwinds syslog seems to capture the data ok without missing logs so i think its a linux problem , but will test syslog with a fixed mtu size in a lab at work on monday , thanks

 

[mrn]

Try editing the /etc/syslog.conf file and place a - in front of /var/log/messages
-/var/log/messages

This should switch the syslogd into async mode allowing it to keep up.

You may need to restart syslogd

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[3wsparky]

I Have added the "-" to /var/log/messages and to /var/log/rtr to give the following.

--------------------------------------------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

local7.debug -/var/log/rtr
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages

# The authpriv file has restricted access.
--------------------------------------------------

it seemed great to start with and altho it was slow looking at the log being created all the numbers were incrementing correctly. after 5 mins the numbers started going out of sync and i suspect data is being lost again.

here is a sample of the log

----------------------------------------------------

Jun 21 10:41:51 172.30.255.38 596525: 318203: Jun 21 09:37:16.487: //2443/434C92
1E82E6/DSM1/0:15):29/dsp_stream_mgr_req_stats: .
Jun 21 10:41:55 172.30.255.38 596531: 318209: Jun 21 09:37:20.363: //2443/434C92
1E82E6/DSM1/0:15):29/dsp_stream_mgr_req_stats: .
Jun 21 10:42:00 172.30.255.38 596535: 318213: Jun 21 09:37:24.670: //2439/371E5D
3C82E5/DSM1/0:15):30/dsp_stream_mgr_req_stats: .
Jun 21 10:42:04 172.30.255.38 596543: 318221: Jun 21 09:37:31.214: ISDN Se1/0:15
Q931: RX <- SETUP pd = 8 callref = 0x5B5F
Jun 21 10:42:09 172.30.255.38 597055: 318477: Jun 21 09:37:34.738: //2439/371E5D
3C82E5/DSM1/0:15):30/dsp_stream_mgr_req_stats: .
Jun 21 10:42:13 172.30.255.38 597061: 318483: Jun 21 09:37:39.626: //2246/9705CB
C088F1/DSM1/0:15):-1/dsp_stream_mgr_req_stats: .
Jun 21 10:42:18 172.30.255.38 597065: 318487: Jun 21 09:37:42.782: //2439/371E5D
3C82E5/DSM1/0:15):30/dsp_stream_mgr_req_stats: .
Jun 21 10:42:22 172.30.255.38 597856: 318874: Jun 21 09:37:48.222: //2443/434C92
1E82E6/DSM1/0:15):29/dsp_stream_mgr_req_stats: .
Jun 21 10:42:27 172.30.255.38 597898: 318904: Jun 21 09:37:52.542: //2439/371E5D
3C82E5/DSM1/0:15):30/dsp_stream_mgr_req_stats: .
Jun 21 10:42:31 172.30.255.38 597904: 318910: Jun 21 09:37:56.350: //2452/6E1D04
3681C5/DSM1/0:15):-1/dsp_stream_mgr_req_stats: .
Jun 21 10:42:36 172.30.255.38 598428: 319175: Jun 21 09:38:01.974: //2449/6D8BC4
5A82E8/DSM1/0:15):28/dsp_stream_mgr_req_stats: .

any other ideas would be great...

Many thanks for your help so far
Terry

 

[3wsparky]

to confim my results of this

each time i kill the syslogd then start it by syslogd -r -m0
it logs fine for a short time then it starts to drop data is this a buffer issue ?

 

[mrn]

The default buffer size is 128 kbytes, you could try chaging it with the -b flag. I'm not sure which way to advise smaller or larger; so try both.

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[Annihilannic]

I had a look for something like that when I originally saw this thread mrn... but it doesn't seem to be documented anywhere (at least not on RedHat AS 2.1/3/SLES9). Where did you find that?

Annihilannic.

 

[mrn]

Which post Annihilannic the async mode or buffer?

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[Annihilannic]

Buffer.

Annihilannic.

 

[3wsparky]

can anyone confirm that they have tried the above ? and had it accept the command i have tried the following

syslogd -r -m0 -d 512

but it pukes at the -b command

 

[robbieguy2003]

You've got a typo in your output - -d instead of -b.

I wish someone would just call me Sir, without adding 'Your making a scene'.

Rob