当 syslog-ng 遇到带有较旧时间戳的日志消息时,它会冻结/不记录

tag-icon tag-icon syslog-ng timestamp
当 syslog-ng 遇到带有较旧时间戳的日志消息时,它会冻结/不记录

我们发现 syslog-ng 3.8.1 会丢弃带有较旧时间戳的日志。我们的系统在重启后无法保留硬件时钟,但即使存在 ntp 抖动,也可能存在问题。

看起来,如果 syslog-ng 看到具有特定时间的日志,则任何具有较旧时间戳的日志都会被拒绝。虽然我们看到 syslog-ng 接收到了日志,但不清楚为什么我们没有看到它们被处理。

我们还发现,简单地改变系统时间(落后于时钟)而不重新加载也会导致 syslog-ng 冻结。

升级到 syslog-ng 3.22 也无济于事。启用 NTP 确实有助于解决问题,但时间抖动校正可能会再次冻结 syslog-ng。

有人遇到过这个问题吗?如果是,我们需要启用任何全局配置吗?

统计数据没有改变:

root@MYDEV:~# syslog-ng-ctl stats
SourceName;SourceId;SourceInstance;State;Type;Number
center;;received;a;processed;5
src.internal;s_src#0;;a;processed;5
src.internal;s_src#0;;a;stamp;1478194222
destination;d_messages;;a;processed;5
destination;d_console_all;;a;processed;1
destination;#anon-destination1;;a;processed;0
destination;#anon-destination0;;a;processed;0
destination;#anon-destination3;;a;processed;0
destination;d_syslog;;a;processed;5
center;;queued;a;processed;11
destination;#anon-destination4;;a;processed;0
destination;#anon-destination2;;a;processed;0
destination;d_console;;a;processed;0
global;payload_reallocs;;a;processed;0
src.journald;;journal;a;processed;0
src.journald;;journal;a;stamp;0
global;sdata_updates;;a;processed;0
global;msg_clones;;a;processed;0
source;s_src;;a;processed;5
global;internal_queue_length;;a;processed;0
root@MYDEV:~#
root@MYDEV:~# <<<<< TRIGGERED A MESSAGE; can see it on journald >>>>
root@MYDEV:~#
root@MYDEV:~# syslog-ng-ctl stats
SourceName;SourceId;SourceInstance;State;Type;Number
center;;received;a;processed;5
src.internal;s_src#0;;a;processed;5
src.internal;s_src#0;;a;stamp;1478194222
destination;d_messages;;a;processed;5
destination;d_console_all;;a;processed;1
destination;#anon-destination1;;a;processed;0
destination;#anon-destination0;;a;processed;0
destination;#anon-destination3;;a;processed;0
destination;d_syslog;;a;processed;5
center;;queued;a;processed;11
destination;#anon-destination4;;a;processed;0
destination;#anon-destination2;;a;processed;0
destination;d_console;;a;processed;0
global;payload_reallocs;;a;processed;0
src.journald;;journal;a;processed;0
src.journald;;journal;a;stamp;0
global;sdata_updates;;a;processed;0
global;msg_clones;;a;processed;0
source;s_src;;a;processed;5
global;internal_queue_length;;a;processed;0

谢谢

答案1

类似的问题刚刚发布到 syslog-ng 问题跟踪器:https://github.com/balabit/syslog-ng/issues/2836

相关内容