Linux syslog server taking time to update
Valued Contributor
chindi
Posts: 367
Registered: ‎07-24-2008
Message 1 of 6 (291 Views)
Accepted Solution

Linux syslog server taking time to update

Hi,

We have a RHEL 5.6 Linux syslog server.

Which we have configured to use as the syslog server.

But when 1 client is configured, it gets updated immediately, whereas when I add a 2nd client it takes almost 5 min for the entry to be updated on the Linux box.

Acclaimed Contributor
Dennis Handly
Posts: 25,072
Registered: ‎03-06-2006
Message 2 of 6 (280 Views)

Re: Linux syslog server taking time to update

What HP-UX versions are your two clients?

Are they equally busy?

Valued Contributor
chindi
Posts: 367
Registered: ‎07-24-2008
Message 3 of 6 (279 Views)

Re: Linux syslog server taking time to update

Hi,

They are all HP-UX 11i v2.

Not very busy; CPU-wise all fine.

Valued Contributor
chindi
Posts: 367
Registered: ‎07-24-2008
Message 4 of 6 (240 Views)

Re: Linux syslog server taking time to update

Waiting for any solution/suggestion.

 

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 5 of 6 (234 Views)

Re: Linux syslog server taking time to update

There are three possibilities:

  • the 2nd client sends the log message to the syslog server immediately, but the syslog server takes a while to actually write it to the log file
  • the 2nd client takes a while to send the message, but when it finally does that, the syslog server writes the message to the log as soon as it gets it.
  • both the 2nd client and the syslog server are delaying the message for some reason.

You should use tcpdump or similar to verify that the message is not delayed at the 2nd client.

 

When you add the 2nd client, do you use the hostname or the IP address of the syslog server in the configuration?

 

If you use the hostname, are you sure the system can always rapidly resolve the hostname of the syslog server into an IP address? (The delay of several minutes while the system is not busy sounds like it might be a repeated DNS lookup failure.)

 

In general, if you use hostnames in syslog configuration, it would probably be a good idea to list the IP addresses corresponding to those hostnames in /etc/hosts, so your logging won't fail if you have problems with your DNS.

 

 

The syslog server might also be trying to look up the source IP address of the received log message, in order to replace it with the hostname of the server that sent the log message. (Since the syslog network protocol is not encrypted or authenticated at all, the message might be spoofed: therefore, it's better for the syslog server to check the source hostname based on the source IP address of the message, rather than blindly trust that the client identifies itself correctly.)

 

If your DNS has problems with reverse lookups, this might cause delays at the syslog server. In this case, you might add the IP address and hostname of the 2nd client to /etc/hosts at the syslog server too.

 

MK
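
Added example, not part of the post above: one way to check both /etc/hosts suggestions offline, by listing the syslog.conf forwarding targets on a client that still depend on DNS and the client addresses the server cannot reverse-resolve from its own /etc/hosts. The file contents, hostnames, addresses and function names are constructed for illustration, and the classic `selector<TAB>@target` syslog.conf syntax is assumed.

```python
import re

# Constructed sample files; hostnames and addresses are placeholders.
CLIENT_SYSLOG_CONF = (
    "*.info;mail.none\t@loghost.example.com\n"
    "auth.*\t@192.0.2.10\n"
    "kern.*\t/var/adm/kern.log\n"
    "# *.debug\t@old-loghost\n"
)
HOSTS_FILE = (
    "127.0.0.1   localhost\n"
    "192.0.2.10  loghost2.example.com loghost2  # constructed entry\n"
)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def forward_targets(conf_text):
    """Remote targets (the text after '@') of classic syslog.conf rules."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)  # selector, then action
        if len(fields) == 2 and fields[1].startswith("@"):
            targets.append(fields[1][1:].strip())
    return targets

def parse_hosts(hosts_text):
    """Return (addresses, lower-cased names) listed in an /etc/hosts file."""
    addrs, names = set(), set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            addrs.add(fields[0])
            names.update(name.lower() for name in fields[1:])
    return addrs, names

def dns_dependent_targets(conf_text, hosts_text):
    """Client side: forwarding targets that need a DNS forward lookup."""
    _, names = parse_hosts(hosts_text)
    return [t for t in forward_targets(conf_text)
            if not IPV4.match(t) and t.lower() not in names]

def unlisted_clients(client_ips, hosts_text):
    """Server side: client addresses whose reverse lookup would go to DNS."""
    addrs, _ = parse_hosts(hosts_text)
    return [ip for ip in client_ips if ip not in addrs]

if __name__ == "__main__":
    print(dns_dependent_targets(CLIENT_SYSLOG_CONF, HOSTS_FILE))
    print(unlisted_clients(["192.0.2.10", "192.0.2.20"], HOSTS_FILE))
```

An /etc/hosts entry only avoids the DNS query if the system's resolver order consults local files before DNS.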
Valued Contributor
chindi
Posts: 367
Registered: ‎07-24-2008
Message 6 of 6 (206 Views)

Re: Linux syslog server taking time to update

Thanks Matti, you're great :)
