syslog(3) issues

[Robert Watson]

On Mon, 3 Sep 2012, Attilio Rao wrote:

> I was trying to use syslog(3) in a port application that uses threading , 
> having all of them at the LOG_CRIT level. What I see is that when the 
> logging gets massive (1000 entries) I cannot find some items within the 
> /var/log/messages (I know because I started stamping also some sort of 
> message ID in order to see what is going on). The missing items are in the 
> order of 25% of what really be there.
>
> Someone has a good idea on where I can start verifying for my syslogd 
> system? I have really 0 experience with syslogd and maybe I could be missing 
> something obvious.

syslog(3)/syslogd(8) use datagram sockets for both local and networked 
logging, and it is possible for those datagram sockets to fill and drop 
messages.  I'm not sure if we have per-socket counters that can easily be 
queried by syslogd, but if we do, it might be beneficial to have syslogd wake 
up once a second and check to see if the counters have changed -- if they 
have, inject a log message indicating how many messages were dropped in the 
last $epsilon.  If we don't have counters along those lines, it might make 
sense to add them.  We might also find that it is appropriate to tune up the 
limits if they no longer seem sensible in the current world order -- they may 
have late 1980s/early 1990s values (or they may not).

Robert