[Rspamd-Users] syslog and missing log messages
Michael Grimm
trashcan at ellael.org
Thu Apr 11 15:14:11 UTC 2024
G.W. Haywood <rspamd at jubileegroup.co.uk> wrote:
> Sending syslog messages over the network means you will be using UDP.
>
> If you use UDP you cannot guarantee that syslog will log everything it
> is asked to log. That's because UDP connections are not "reliable" in
> the sense that TCP connections are described as "reliable". A message
> sent by UDP might arrive at the destination, or it might not (for many
> possible reasons), and the sender has no way of knowing what happened.
> That being said, if the hardware resources are not over-committed then
> most of the time you should get away with it. Perhaps there are some
> performance issues in your system?
No, my system is bored to death ;-) Small server for a handful users with moderate usage. Nothing fancy.
But your answer let me think about UDP limitations. Thus, I did check if the sizes of all missing messages are exceeding RFC 3164 length of 1028 bytes, but no, they don't.
Next, I did increase verbosity of syslogd (-v -v) and did test syslog forwarding with logger:
logger -p mail.info <http://mail.info/> < missing_line
That worked, and now the receiving syslogd at the host reports both facility *and* level:
Apr 11 17:07:11 <mail.debug> mail rspamd[3653]: <fbf6c9>; proxy; rspamd_task_write_log: id: <abc at xxx>, qid: <4VFjjC4KXQzkp1>, ip: …
Ok, my missing lines are of level 'debug'.
Thus I increased the level in logging.inc to "debug", but to now avail. Now, the logfile in the jail collects a lot of messages of level "debug", but none of these messages are sent to the host.
It looks to me as if rspamd limits syslog messages to levels below "debug".
> The usual way to be sure that messages are logged is to write them to
> files, but obviously in a jail you're limited to accessible files.
Yeah, and sockets.
Thanks and regards,
Michael
More information about the Users
mailing list