hi Inderjeet,

since this appears to be a syslog-ng issue, I think it is best if you post
the question to syslog-ng mailing list.

I can nevertheless try to suggest a couple of things to check:

1) since you mentioned that events are received from devices, does this
mean that logging happens over the UDP-based BSD syslog protocol? If you are
dealing with UDP and your network is congested, some syslog packets might
be dropped before they reach the log server. As a workaround, you could try
TCP-based transport instead.
2) if syslog-ng faces local problems with receiving or forwarding messages,
you could try to read diagnostic messages from the special internal()
driver, in order to locate the problem:
https://syslog-ng.com/documents/html/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-guide-admin/html/configuring-sources-internal.html
3) if messages are lost locally at the syslog-ng server during reception,
you can try to increase the socket receive buffers with the syslog-ng so-rcvbuf()
option (
https://syslog-ng.com/documents/html/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-guide-admin/html/reference-source-tcpudp.html),
and also increase the kernel parameters which define the maximum and default
socket receive buffer sizes (net.core.rmem_max and net.core.rmem_default).

Hope this helps,
risto
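As an added example (not code from this thread), a small POSIX shell check for points 1) and 3) above: it reads the kernel's UDP counters to see whether datagrams were dropped for lack of socket buffer space, and shows how a so-rcvbuf() request is silently capped by net.core.rmem_max. The /proc/net/snmp lines and the 212992 rmem_max value below are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of the two "Udp:" lines in /proc/net/snmp (header row,
# then values). RcvbufErrors counts datagrams the kernel discarded because
# the receiving socket's buffer was already full; the counter is system-wide
# and cumulative since boot, so compare two readings a few minutes apart.
SAMPLE_SNMP='Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 4821993 12 307 911 307 0 0'

# udp_counter NAME  (snmp text on stdin) : print the value of Udp: counter NAME,
# or -1 when the column does not exist on this kernel.
udp_counter() {
    awk -v n="$1" '
        /^Udp:/ && !hdr { for (i = 2; i <= NF; i++) if ($i == n) col = i; hdr = 1; next }
        /^Udp:/ && hdr  { print (col ? $col : -1); exit }'
}

# effective_rcvbuf REQUESTED RMEM_MAX : the buffer the kernel will actually
# grant, since setsockopt(SO_RCVBUF) is clamped to net.core.rmem_max without
# any error being reported back to syslog-ng.
effective_rcvbuf() {
    if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

# report REQUESTED_RCVBUF RMEM_MAX  (snmp text on stdin)
# Exit status 0 when no receive-buffer drops were counted, 1 otherwise.
report() {
    drops=$(udp_counter RcvbufErrors)
    granted=$(effective_rcvbuf "$1" "$2")
    echo "UDP RcvbufErrors: $drops (datagrams dropped before any daemon could read them)"
    if [ "$granted" -lt "$1" ]; then
        echo "so-rcvbuf($1) is capped to $granted by net.core.rmem_max=$2; raise rmem_max first"
    fi
    [ "$drops" -eq 0 ]
}

# Offline demo on the constructed sample. On a live RHEL 7 host run instead:
#   report 16777216 "$(sysctl -n net.core.rmem_max)" < /proc/net/snmp
printf '%s\n' "$SAMPLE_SNMP" | report 16777216 212992 || true
```

If RcvbufErrors keeps climbing while syslog-ng is running, the loss is local to the receiving host and no amount of tuning on the sending devices will recover those events; the TCP transport in point 1) shifts that loss into back-pressure instead.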

2018-04-03 14:45 GMT+03:00 Inderjeet Singh <inder...@qti.qualcomm.com>:

> Hi Risto,
>
> You are right, events are missing from the file (local7) which serves as the
> input file to SEC and is being produced by syslog-ng. This is breaking things
> on the SEC side for auto closure of alerts.
>
> The same events from the devices are copied to Splunk too, and the missing
> events appeared there.
>
> Regards,
>
> Inderjeet
>
> +91-9971183748
>
> *From:* Risto Vaarandi <risto.vaara...@seb.ee>
> *Sent:* Tuesday, April 3, 2018 4:35 PM
> *To:* Inderjeet Singh <inder...@qti.qualcomm.com>;
> simple-evcorr-users@lists.sourceforge.net
> *Subject:* RE: Input log missing in syslog-ng
>
> Hi Inderjeet,
>
> A quick question – are events missing from the file which serves as an
> input for SEC (in other words, the file which is provided with the --input
> command line option to SEC)? If so, is this file produced by syslog-ng?
>
> Kind regards,
>
> risto
>
> *From:* Inderjeet Singh [mailto:inder...@qti.qualcomm.com]
> *Sent:* Tuesday, April 03, 2018 1:26 PM
> *To:* simple-evcorr-users@lists.sourceforge.net
> *Subject:* [Simple-evcorr-users] Input log missing in syslog-ng
>
> Hi,
>
> Recently we migrated SEC from RHEL5 to a RHEL7 (syslog-ng r3.5.6-3.el7, SEC
> r2.7.12) system.
>
> We have observed that events are missing in the syslog-ng input file in the new
> SEC instance, while the syslog-ng and SEC rule files are replicas of the old instance.
>
> Any pointer to identify what the root cause of the issue could be? Might there
> be a syslog-ng.conf file compilation issue with RHEL7?
>
> Regards,
>
> Inderjeet
>
> +91-9971183748
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users