In case you experience problems with the syslog-ng agent, the following points may be of help.
Note: The following addresses only problems specific to the syslog-ng agent, and assumes that communication between the server and the client is otherwise possible (that is, the server is properly configured to receive messages and is reachable on the network, and name resolution is properly configured on the client).
Configuration changes do not take effect: Configuration changes take effect only after the syslog-ng Agent service is restarted or the system is rebooted. Also restart the system after changing the timezone settings of the host, or after importing a certificate that you want to use to authenticate the communication between the agent and the server. If the configuration of the agent has changed since the last restart, the syslog-ng agent sends a message about the change, including the HMAC-SHA-1 value of the new configuration.
Also note that if your clients are managed from a Domain Controller, configuration changes are not downloaded to the client hosts immediately, only at the next group policy refresh. To update the configuration of a client host earlier, open a command prompt on the client host and issue the gpupdate /force command.
After downloading the configuration from the Domain Controller, the syslog-ng Agent service is automatically restarted if the configuration has changed.
Note: Certain domain settings that may affect the syslog-ng Agent are downloaded only when the machine is rebooted. For example, moving the computer from one group policy to another requires a reboot to take effect.
The syslog-ng agent does not send messages to the server: Check the Application eventlog for messages from the syslog-ng agent: on connection errors and certificate problems, the agent writes error messages to the eventlog. Ensure that the destination address of the server is set correctly. If you use SSL encryption, verify that the certificate of the Certificate Authority that issued the server's certificate, and the certificate of the client, are properly imported. If there are no error messages, check the logs on your logserver: the syslog-ng agent sends a MARK message every ten minutes even if there are no other messages to send, so a host from which no MARK messages arrive is not delivering anything at all.
The syslog-ng agent sends only MARK messages to the server: Verify that you have configured the eventlog and file sources, and that they have not been disabled globally. If these settings are correct but the agent still does not send any messages, temporarily disable all filters to check that they are not configured to ignore every message. When using filters, also check the global case-sensitivity setting: a case-sensitive filter whose pattern differs in case from the actual messages will not match them.
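The MARK messages give the server side a simple liveness check: a host whose last MARK is older than two intervals has stopped delivering, whether or not it is otherwise generating events. The script below is an added example, not part of the syslog-ng Agent documentation or product; it assumes BSD-style syslog lines as a syslog-ng server would write them and that the agent's periodic message contains the text "-- MARK --". The log lines and the "current time" are constructed for the example.

```python
# Added example (not from the syslog-ng Agent documentation): flag hosts whose
# last MARK message on the log server is stale.
# Assumptions: BSD syslog line layout "Mon DD HH:MM:SS host program: message",
# and a MARK payload containing "-- MARK --". Sample data is constructed.
from datetime import datetime, timedelta
import re

MARK_INTERVAL = timedelta(minutes=10)   # the agent sends one MARK every ten minutes

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample: win-fs01 keeps sending MARKs, win-dc02 goes quiet at 10:00.
SAMPLE_LOG = """\
Mar  3 10:00:01 win-fs01 syslog-ng-agent: -- MARK --
Mar  3 10:00:05 win-fs01 Security: Event 4624 logon succeeded
Mar  3 10:00:07 win-dc02 syslog-ng-agent: -- MARK --
Mar  3 10:10:01 win-fs01 syslog-ng-agent: -- MARK --
Mar  3 10:20:01 win-fs01 syslog-ng-agent: -- MARK --
Mar  3 10:30:01 win-fs01 syslog-ng-agent: -- MARK --
"""

# Constructed "now" for the check; a real run would use datetime.now().
NOW = datetime(2010, 3, 3, 10, 35, 0)


def parse_timestamp(stamp, year):
    """BSD syslog stamps carry no year, so the caller supplies it."""
    stamp = " ".join(stamp.split())          # collapse the padding in "Mar  3"
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def last_mark_per_host(log_text, year=2010):
    """Map host -> timestamp of the most recent MARK message seen from it."""
    last = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines that are not syslog records
        stamp, host, message = m.groups()
        if "-- MARK --" in message:
            ts = parse_timestamp(stamp, year)
            if host not in last or ts > last[host]:
                last[host] = ts
    return last


def stale_hosts(log_text, now, year=2010, tolerance=2 * MARK_INTERVAL,
                expected_hosts=()):
    """Return {host: minutes since last MARK} for hosts silent longer than
    tolerance (two missed MARKs, so one late packet does not raise an alarm).
    Hosts listed in expected_hosts that never sent a MARK are reported as None."""
    last = last_mark_per_host(log_text, year)
    result = {}
    for host, ts in last.items():
        age = now - ts
        if age > tolerance:
            result[host] = int(age.total_seconds() // 60)
    for host in expected_hosts:
        if host not in last:
            result[host] = None               # never delivered anything
    return result


if __name__ == "__main__":
    print(stale_hosts(SAMPLE_LOG, NOW, expected_hosts=["win-fs01", "win-dc02", "win-sql03"]))
```

Run it against the server's current log with the host list you expect to report; a host reported as None has never reached the server, which points at the destination address, network path or certificate setup rather than at sources or filters.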
Command-line parameters are ignored on Windows Vista and 2008 Server: If User Account Control (UAC) is enabled, command-line parameters are honored only when the agent is started with administrative privileges. To execute syslog-ng Agent with command-line parameters, select , right-click on .
If you contact the BalaBit Support Team about a problem with the syslog-ng Agent for Windows, execute the syslog-ng-agent -V command from the command line and include every version and platform information it displays in your support request.
CPU load is high: See Section 5.10.1, “Sending messages and CPU load”.
Losing messages from eventlog containers: An eventlog container is a special file. The agent reads this file, formats the messages, and sends them to the remote log server. Note that an eventlog container has a configured maximum size. When the container reaches that size, Windows writes the next message over the oldest entries at the beginning of the file (this is the behaviour of the default "overwrite events as needed" retention setting; with the other retention settings the log is archived or stops accepting new events instead, which also loses messages). As a result, if the agent is not running, or the destination server is unavailable, for long enough that the eventlog container fills up, messages can be lost. Size the containers for the event rate of the host and for the longest outage you want to survive without loss.
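The wrap-around described above is easiest to reason about as a ring of numbered records: a reader that remembers the next record number it expects can tell, when it resumes, whether the oldest record still in the container is past that position, and the difference is the number of records lost. The model below is an added example written for this page; it is not the agent's code, and the capacity, record sizes and event rates in it are constructed values. The outage estimate assumes a fixed average record size and a steady event rate, which real hosts only approximate.

```python
# Added example (not from the syslog-ng Agent documentation): a fixed-size
# eventlog container that overwrites its oldest records when full, a reader that
# resumes from a saved record number, and a rough sizing check.
# All capacities, sizes and rates below are constructed values.
from collections import deque


class CircularContainer:
    """Fixed-capacity log: once full, each new record overwrites the oldest."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = deque(maxlen=capacity)   # deque drops the oldest when full
        self.next_record_number = 1             # record numbers never reuse

    def write(self, message):
        self.records.append((self.next_record_number, message))
        self.next_record_number += 1

    def oldest_record_number(self):
        return self.records[0][0] if self.records else self.next_record_number


class Reader:
    """Reads the container from a saved position (next record number to read)."""

    def __init__(self, position=1):
        self.position = position

    def read(self, container):
        """Return (lost_count, new_messages).
        lost_count > 0 means the container wrapped past our saved position
        while we were not reading; those records are gone."""
        oldest = container.oldest_record_number()
        lost = max(0, oldest - self.position)
        start = max(self.position, oldest)
        new = [msg for num, msg in container.records if num >= start]
        self.position = container.next_record_number
        return lost, new


def simulate_outage(capacity, events_while_running, events_while_stopped):
    """Run the reader, stop it while more events arrive, then resume.
    Returns (records lost, records recovered after the outage)."""
    log = CircularContainer(capacity)
    reader = Reader()
    for i in range(events_while_running):
        log.write(f"event {i}")
    lost, _ = reader.read(log)                   # reader keeps up: nothing lost
    assert lost == 0
    for i in range(events_while_stopped):        # agent down, container keeps filling
        log.write(f"event {events_while_running + i}")
    lost, recovered = reader.read(log)
    return lost, len(recovered)


def max_outage_seconds(capacity_bytes, avg_record_bytes, events_per_second):
    """Longest outage before the container wraps, at a steady event rate."""
    return capacity_bytes / (avg_record_bytes * events_per_second)


if __name__ == "__main__":
    # Capacity 5, 3 events read, 7 more while stopped: 2 of the 7 are overwritten.
    print(simulate_outage(5, 3, 7))                          # (2, 5)
    # 16 MiB container, 512-byte records, 5 events/s: about 1 h 49 min.
    print(max_outage_seconds(16 * 1024 * 1024, 512, 5))      # 6553.6
```

The gap check is the useful part: an agent that only remembers "where it left off" cannot distinguish a quiet period from overwritten records, but one that compares its saved record number with the oldest record still present can at least report how many messages were lost, which is worth a log line of its own on the server.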
© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com