syslogd


Post by Arnaud Megre » Tue, 18 Jan 2000 04:00:00



My programme under Solaris 2.6 logs information using the syslog function at
the rate of about 100 messages/second.

I noticed that randomly some messages are skipped (they are not present in
the log file though I am sure the programme has called the syslog() function
with correct parameters).
The syslog() function has no return code. I believed that it was because
there were no errors.

I read in the man pages that the syslogd daemon is reading in the /dev/log
device messages written by calls to syslogd(). Is it possible that this
device has a limited size and that when it is full, new messages are lost?

In that case, what can I do to make it work?

Basically, what I need is a mechanism that makes it possible for several
multithreaded processes to write messages in a common file. I thought syslog
was a good solution. What do you think about that?
Is there a better solution?

 
 
 


Post by Nate Eldredg » Wed, 19 Jan 2000 04:00:00



> My programme under Solaris 2.6 logs information using the syslog function at
> the rate of about 100 messages/second.

> I noticed that randomly some messages are skipped (they are not present in
> the log file though I am sure the programme has called the syslog() function
> with correct parameters).
> The syslog() function has no return code. I believed that it was because
> there were no errors.

This may or may not have anything to do with your particular problem,
but I once had a problem like this that I traced to a broken
log-rotation script.  It would copy the logfile and then remove it,
leaving syslogd blissfully writing to a file that would never be
seen.  The solution was to kill -HUP syslog afterwards (along with a
couple other refinements to avoid races).

--

Nate Eldredge
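
An added illustration of the failure described in the post above, not part of the original post: a Python stand-in for a logging daemon (the `FileLogger` class and the file names are constructed for this demo) shows that copy-then-remove leaves the writer on an unlinked inode, while rename plus a reopen, which is the effect of the HUP signal, keeps every message.

```python
import os
import shutil
import tempfile

class FileLogger:
    """Stand-in for a daemon that holds its log file open (constructed for this demo)."""
    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def log(self, msg):
        self.fh.write(msg + "\n")
        self.fh.flush()

    def reopen(self):
        # What the daemon does on SIGHUP: drop the old descriptor, reopen by name.
        self.fh.close()
        self.fh = open(self.path, "a")

    def writing_to_visible_file(self):
        # True only if the held descriptor and the path name the same inode.
        try:
            on_disk = os.stat(self.path)
        except FileNotFoundError:
            return False
        held = os.fstat(self.fh.fileno())
        return (held.st_dev, held.st_ino) == (on_disk.st_dev, on_disk.st_ino)

def rotate_once(broken):
    """Return (descriptor still points at the live log?, messages found on disk)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages")
        logger = FileLogger(path)
        logger.log("msg 1")
        if broken:                           # copy, then remove, no signal
            shutil.copy(path, path + ".0")
            os.remove(path)
        else:                                # rename, recreate, then "kill -HUP"
            os.rename(path, path + ".0")
            open(path, "a").close()
            logger.reopen()
        visible = logger.writing_to_visible_file()
        logger.log("msg 2")
        logger.fh.close()
        found = []
        for name in sorted(os.listdir(d)):
            with open(os.path.join(d, name)) as f:
                found += f.read().splitlines()
        return visible, found
```

The inode comparison in `writing_to_visible_file` is also usable as a health check: a logger whose descriptor and path disagree is writing where nobody will look.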


 
 
 


Post by Alex Verst » Wed, 19 Jan 2000 04:00:00



> > My programme under Solaris 2.6 logs information using the syslog function at
> > the rate of about 100 messages/second.

> > I noticed that randomly some messages are skipped (they are not present in
> > the log file though I am sure the programme has called the syslog() function
> > with correct parameters).
> > The syslog() function has no return code. I believed that it was because
> > there were no errors.

Syslog messages are sent to syslogd via datagrams (Unix domain or UDP).
The kernel can drop datagrams at its discretion, which is likely to
happen if syslogd cannot keep up with your program and the socket buffer
overflows.  The only solution is to send fewer datagrams.  Note that
syslogd is not designed to handle lots of messages.

--
Drive^H^Hnk safely!
Alex Verstak                 averstak at vt dot edu
1078 Ambler Johnston East             Virginia Tech
Blacksburg, VA 24060-0022       Tel. (540) 232-1389
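
An added illustration of the datagram loss described in the post above, not part of the original post and not a model of Solaris 2.6's own transport: a UDP sender on loopback outruns a receiver with a small socket buffer, and sequence numbers in the constructed messages show which ones never arrived. The function name, message format and buffer size are assumptions made for the demo.

```python
import socket

def flood_without_reader(count=5000, payload=b"x" * 100, rcvbuf=4096):
    """Send `count` datagrams to a receiver that is not reading yet.

    Returns (datagrams the sender believes it sent, sequence numbers received).
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)  # small buffer
    rx.bind(("127.0.0.1", 0))                 # ephemeral loopback port
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for i in range(count):
        try:
            # Constructed message: <14> is priority user.info, then a sequence number.
            tx.sendto(b"<14>msg %06d " % i + payload, rx.getsockname())
            sent += 1
        except OSError:
            pass                              # some kernels report ENOBUFS instead
    # Only now does the "daemon" start reading; the overflow was already discarded.
    rx.settimeout(0.2)
    seqs = []
    try:
        while True:
            data = rx.recv(4096)
            seqs.append(int(data.split()[1]))
    except socket.timeout:
        pass
    rx.close()
    tx.close()
    return sent, seqs

def missing(sent, seqs):
    """Sequence numbers the sender emitted that the receiver never saw."""
    seen = set(seqs)
    return [n for n in range(sent) if n not in seen]
```

Every `sendto` succeeds from the sender's point of view, which is why a per-message sequence number checked on the receiving side is the only way to notice the gap.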

 
 
 


Post by Russ Allber » Wed, 19 Jan 2000 04:00:00




>  Alex> Syslog messages are sent to syslogd via datagrams (Unix domain
>  Alex> or UDP).
> Not on Solaris 2.6 they aren't - it uses the doors interface.

My understanding is that it only uses doors to check to see if syslogd is
running, and that the actual message is sent via a streams socket
(/dev/log).  But I could be mistaken.

--

 
 
 


Post by Russ Allber » Wed, 19 Jan 2000 04:00:00




>  Russ> My understanding is that it only uses doors to check to see if
>  Russ> syslogd is running, and that the actual message is sent via a
>  Russ> streams socket (/dev/log).  But I could be mistaken.
> I think you are. This kind of local IPC is precisely what doors exist
> for, there is no reason to involve sockets. (truss will show you the
> details anyway.)

Maybe it does both redundantly.  Or maybe /usr/bin/logger does more than
just syslog().  A truss of it shows:

open("/dev/conslog", O_WRONLY)                  = 1
fcntl(1, F_SETFD, 0x00000001)                   = 0
fstat(1, 0xEFFFE340)                            = 0
fstat(1, 0xEFFFEDA0)                            = 0
time()                                          = 948262988
open("/usr/share/lib/zoneinfo/US/Pacific", O_RDONLY) = 3
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192)     = 1000
close(3)                                        = 0
putmsg(1, 0xEFFFE458, 0xEFFFE44C, 0)            = 0
open("/etc/.syslog_door", O_RDONLY)             = 3
door_info(3, 0xEFFFE390)                        = 0
getpid()                                        = 6497 [6496]
door_call(3, 0xEFFFE378)                        = 0
close(3)                                        = 0

--

 
 
 


Post by Andrew Giert » Thu, 20 Jan 2000 04:00:00


 Alex> Syslog messages are sent to syslogd via datagrams (Unix domain
 Alex> or UDP).

Not on Solaris 2.6 they aren't - it uses the doors interface.

--
Andrew.

comp.unix.programmer FAQ: see <URL: http://www.erlenstar.demon.co.uk/unix/>
                           or <URL: http://www.whitefang.com/unix/>

 
 
 


Post by Andrew Giert » Thu, 20 Jan 2000 04:00:00


 Arnaud> My programme under Solaris 2.6 logs information using the
 Arnaud> syslog function at the rate of about 100 messages/second.

Make sure you're up to date on patches - syslogd on 2.6 has been
pretty buggy.

--
Andrew.

comp.unix.programmer FAQ: see <URL: http://www.erlenstar.demon.co.uk/unix/>
                           or <URL: http://www.whitefang.com/unix/>

 
 
 


Post by Andrew Giert » Thu, 20 Jan 2000 04:00:00


 Alex> Syslog messages are sent to syslogd via datagrams (Unix domain
 Alex> or UDP).

 >> Not on Solaris 2.6 they aren't - it uses the doors interface.

 Russ> My understanding is that it only uses doors to check to see if
 Russ> syslogd is running, and that the actual message is sent via a
 Russ> streams socket (/dev/log).  But I could be mistaken.

I think you are. This kind of local IPC is precisely what doors exist
for, there is no reason to involve sockets. (truss will show you the
details anyway.)

(If syslog() fails to open the door descriptor (/etc/.syslog_door IIRC),
it may well fall back to some other mechanism. One interesting issue I
found on 2.6 is that syslog() will spawn numerous child processes and
get thoroughly wedged if there are no free descriptors at the time of
the call - which is a pain. openlog() doesn't help with this, either -
it seems to insist on opening+closing the door descriptor on every call.)

--
Andrew.

comp.unix.programmer FAQ: see <URL: http://www.erlenstar.demon.co.uk/unix/>
                           or <URL: http://www.whitefang.com/unix/>

 
 
 
