07-02-2013 10:36 PM
We have a RHEL 5.6 Linux syslog server.
We have configured it to be used as the syslog server.
But when 1 client is configured its entries get updated immediately, whereas when I add a 2nd client it takes almost 5 min for the entry to be updated on the Linux box.
07-13-2013 02:48 PM
There are three possibilities:
- the 2nd client sends the log message to the syslog server immediately, but the syslog server takes a while to actually write it to the log file.
- the 2nd client takes a while to send the message, but when it finally does that, the syslog server writes the message to the log as soon as it gets it.
- both the 2nd client and the syslog server are delaying the message for some reason.
You should use tcpdump or similar to verify that the message is not delayed at the 2nd client.
When you add the 2nd client, do you use the hostname or the IP address of the syslog server in the configuration?
If you use the hostname, are you sure the system can always rapidly resolve the hostname of the syslog server into an IP address? (The delay of several minutes while the system is not busy sounds like it might be a repeated DNS lookup failure.)
In general, if you use hostnames in syslog configuration, it would probably be a good idea to list the IP addresses corresponding to those hostnames in /etc/hosts, so your logging won't fail if you have problems with your DNS.
The syslog server might also be trying to look up the source IP address of the received log message, in order to replace it with the hostname of the server that sent the log message. (Since the syslog network protocol is not encrypted or authenticated at all, the message might be spoofed: therefore, it's better for the syslog server to check the source hostname based on the source IP address of the message, rather than blindly trust that the client identifies itself correctly.)
If your DNS has problems with reverse lookups, this might cause delays at the syslog server. In this case, you might add the IP address and hostname of the 2nd client to /etc/hosts at the syslog server too.
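A diagnostic helper for the checks described in this answer (an added example, not code from the thread): it tests whether the relevant names and addresses are pinned in /etc/hosts, times the getent lookup (forward for the server name when run on the client, reverse for the client address when run on the server), and wraps the tcpdump check. It assumes a Linux host with GNU date, awk, getent and tcpdump; SYSLOG_HOST and CLIENT_IP are placeholders.

```shell
#!/bin/sh
# Diagnostic helper for the syslog delay discussed above. Not from the thread;
# assumes Linux with awk, getent, GNU date and tcpdump. SYSLOG_HOST and
# CLIENT_IP are placeholders supplied by the operator.

# hosts_has_entry FILE KEY: exit 0 if KEY (hostname or IP) appears as a whole
# field of a non-comment line in FILE, else 1. Trailing comments are ignored.
hosts_has_entry() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        { for (i = 1; i <= NF; i++) if ($i == key) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# resolve_ms NAME_OR_IP: resolve via getent (forward for a name, reverse for
# an address) and print the elapsed time as "<n>ms", or "FAIL" on failure.
# Seconds here, or FAIL, is consistent with the DNS-timeout theory above.
resolve_ms() {
    start=$(date +%s%N)
    if getent hosts "$1" >/dev/null 2>&1; then
        echo "$(( ($(date +%s%N) - start) / 1000000 ))ms"
    else
        echo FAIL
    fi
}

# diagnose SYSLOG_HOST [CLIENT_IP]: run on the client to check forward
# resolution of the server, and on the server to check reverse resolution of
# the client; report whether /etc/hosts already pins each mapping.
diagnose() {
    for key in "$1" ${2:+"$2"}; do
        if hosts_has_entry /etc/hosts "$key"; then
            echo "$key: pinned in /etc/hosts (DNS is off the logging path)"
        else
            echo "$key: NOT in /etc/hosts; getent lookup: $(resolve_ms "$key")"
        fi
    done
}

# On the client, confirm the message leaves immediately (the tcpdump check
# suggested in the answer). Traditional syslog transport is UDP/514.
capture_client_syslog() {
    tcpdump -n -i any "udp port 514 and host $1"
}

# Usage: SYSLOG_HOST=<server name> [CLIENT_IP=<client address>] sh check.sh
if [ -n "${SYSLOG_HOST:-}" ]; then
    diagnose "$SYSLOG_HOST" "${CLIENT_IP:-}"
fi
```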