Operating System - HP-UX

SOLVED
chindi
Respected Contributor

Linux syslog server taking time to update

Hi,

We have RHEL 5.6 linux syslog server.

Which we have configured as to use syslog server.

But when 1 client is configured it's getting updated immediately, whereas when I add 2nd client it takes almost 5 min for the entry to be updated in linux box.

Dennis Handly
Acclaimed Contributor

Re: Linux syslog server taking time to update

What HP-UX versions are your two clients?

Are they equally busy?

chindi
Respected Contributor

Re: Linux syslog server taking time to update

Hi,

They are all hpux 11iv2

Not much busy, cpu wise all fine.

chindi
Respected Contributor

Re: Linux syslog server taking time to update

Waiting for any solution/suggestion.

 

Matti_Kurkela
Honored Contributor
Solution

Re: Linux syslog server taking time to update

There are three possibilities:

  • the 2nd client sends the log message to the syslog server immediately, but the syslog server takes a while to actually write it to the log file
  • the 2nd client takes a while to send the message, but when it finally does that, the syslog server writes the message to the log as soon as it gets it.
  • both the 2nd client and the syslog server are delaying the message for some reason.

You should use tcpdump or similar to verify that the message is not delayed at the 2nd client.

 

When you add the 2nd client, do you use the hostname or the IP address of the syslog server in the configuration?

 

If you use the hostname, are you sure the system can always rapidly resolve the hostname of the syslog server into an IP address? (The delay of several minutes while the system is not busy sounds like it might be a repeated DNS lookup failure.)

 

In general, if you use hostnames in syslog configuration, it would probably be a good idea to list the IP addresses corresponding to those hostnames in /etc/hosts, so your logging won't fail if you have problems with your DNS.

 

 

The syslog server might also be trying to look up the source IP address of the received log message, in order to replace it with the hostname of the server that sent the log message. (Since the syslog network protocol is not encrypted or authenticated at all, the message might be spoofed: therefore, it's better for the syslog server to check the source hostname based on the source IP address of the message, rather than blindly trust that the client identifies itself correctly.)

 

If your DNS has problems with reverse lookups, this might cause delays at the syslog server. In this case, you might add the IP address and hostname of the 2nd client to /etc/hosts at the syslog server too.

 

MK
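
The /etc/hosts advice in the answer above, turned into a check (an added example, not part of the original thread): it lists syslog forwarding targets written as hostnames that are not in the hosts file, and client IP addresses the server could only reverse-resolve through DNS. It assumes classic `selector @target` forwarding lines and IPv4 literals; the function names, hostnames and addresses are constructed for illustration.

```shell
# Print each "@target" forwarding destination in a syslog.conf-style file ($1).
forward_targets() {
    awk '!/^[ \t]*#/ && $NF ~ /^@/ { print substr($NF, 2) }' "$1" | sort -u
}

# Succeed if name or address $1 appears as a field in hosts file $2.
in_hosts() {
    awk -v want="$1" '
        { sub(/#.*/, "") }
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }' "$2"
}

# Client side: hostname targets (IP literals are skipped) missing from hosts file.
unpinned_targets() {    # $1 = syslog.conf, $2 = hosts file
    forward_targets "$1" | while read -r t; do
        case "$t" in
            *[!0-9.]*) in_hosts "$t" "$2" || echo "$t" ;;
        esac
    done
}

# Server side: client IPs with no hosts entry, so reverse lookups go to DNS.
unpinned_clients() {    # $1 = hosts file, remaining args = client IPs
    hosts_file=$1; shift
    for ip in "$@"; do
        in_hosts "$ip" "$hosts_file" || echo "$ip"
    done
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/syslog.conf" <<'EOF'
# constructed client config
*.info;mail.none /var/adm/syslog/syslog.log
*.info @loghost.example.com
auth.info @192.0.2.10
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1 localhost
192.0.2.21 client1.example.com client1  # constructed entry
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
echo "DNS-dependent targets: $(unpinned_targets "$dir/syslog.conf" "$dir/hosts")"
echo "DNS-dependent clients: $(unpinned_clients "$dir/hosts" 192.0.2.21 192.0.2.22)"
rm -rf "$dir"
```

Anything either function prints is a name or address whose lookup still goes to DNS, which is where the thread's suspected delay would come from.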
chindi
Respected Contributor

Re: Linux syslog server taking time to update

Thanks Matti, you're great :)