Chapter 16. Statistics of syslog-ng
Periodically, syslog-ng sends a message containing statistics about the received messages, and about any lost messages since the last such message. These statistics messages are available in the
internal() source. It includes a
processed entry for every source and destination, listing the number of messages received or sent, and a
dropped entry including the IP address of the server for every destination where syslog-ng has lost messages. The
center(received) entry shows the total number of messages received from every configured sources.
The following is a sample log statistics message for a configuration that has a single source (
s_local) and a network and a local file destination (
d_local, respectively). All incoming messages are sent to both destinations.
Log statistics; dropped='tcp(AF_INET(192.168.10.1:514))=6439', processed='center(received)=234413', processed='destination(d_tcp)=234413', processed='destination(d_local)=234413', processed='source(s_local)=234413'
Log statistics can be also retrieved on-demand using one of the following options:
Use the socat application: echo STATS | socat -vv UNIX-CONNECT:/opt/syslog-ng/var/run/syslog-ng.ctl -
If you have an OpenBSD-style netcat application installed, use the echo STATS | nc -U /opt/syslog-ng/var/run/syslog-ng.ctl command. Note that the netcat included in most Linux distributions is a GNU-style version that is not suitable to query the statistics of syslog-ng.
Starting from syslog-ng Open Source Edition version 3.1, syslog-ng Open Source Edition includes the syslog-ng-ctl utility. Use the syslog-ng-ctl stats command.
The statistics include a list of source groups and destinations, as well as the number of processed messages for each. The verbosity of the statistics can be set using the
stats-level() option. For details, see Section 9.2, Global options. An example output is shown below.
src.internal;s_all#0;;a;processed;6445 src.internal;s_all#0;;a;stamp;1268989330 destination;df_auth;;a;processed;404 destination;df_news_dot_notice;;a;processed;0 destination;df_news_dot_err;;a;processed;0 destination;d_ssb;;a;processed;7128 destination;df_uucp;;a;processed;0 source;s_all;;a;processed;7128 destination;df_mail;;a;processed;0 destination;df_user;;a;processed;1 destination;df_daemon;;a;processed;1 destination;df_debug;;a;processed;15 destination;df_messages;;a;processed;54 destination;dp_xconsole;;a;processed;671 dst.tcp;d_network#0;10.50.0.111:514;a;dropped;5080 dst.tcp;d_network#0;10.50.0.111:514;a;processed;7128 dst.tcp;d_network#0;10.50.0.111:514;a;stored;2048 destination;df_syslog;;a;processed;6724 destination;df_facility_dot_warn;;a;processed;0 destination;df_news_dot_crit;;a;processed;0 destination;df_lpr;;a;processed;0 destination;du_all;;a;processed;0 destination;df_facility_dot_info;;a;processed;0 center;;received;a;processed;0 destination;df_kern;;a;processed;70 center;;queued;a;processed;0 destination;df_facility_dot_err;;a;processed;0
The statistics are semicolon separated: every line contains statistics for a particular object (for example source, destination, tag, and so on). The statistics have the following fields:
The type of the object (for example
The ID of the object used in the syslog-ng configuration file, for example
#0part means that this is the first destination in the destination group.
The instance ID (destination) of the object, for example the filename of a file destination, or the name of the application for a program source or destination.
The status of the object. One of the following:
a- active. At the time of quering the statistics, the source or the destination was still alive (it continuously received statistical data).
d- dynamic. Such objects may not be continuously available, for example, like statistics based on the sender's hostname.
o- This object was once active, but stopped receiving messages. (For example a dynamic object may disappear and become orphan.)
The syslog-ng OSE application stores the statistics of the objects when syslog-ng OSE is reloaded. However, if the configuration of syslog-ng OSE was changed since the last reload, the statistics of orphaned objects are deleted.
The type of the statistics:
processed: The number of messages that successfully reached their destination driver. Note that this does not necessarily mean that the destination driver successfully delivered the messages (for example, written to disk or sent to a remote server).
dropped: The number of dropped messages — syslog-ng OSE could not send the messages to the destination and the output buffer got full, so messages were dropped by the destination driver.
stored: The number of messages stored in the message queue of the destination driver, waiting to be sent to the destination.
suppressed: The number of suppressed messages (if the
suppress()feature is enabled).
stamp: The UNIX timestamp of the last message sent to the destination.
The number of such messages.
To reset the statistics to zero, use the following command: syslog-ng-ctl stats --reset