[syslog-ng] Messages dropped...
Balazs Scheidler
bazsi at balabit.hu
Sat Jan 23 14:01:52 CET 2010
On Wed, 2010-01-20 at 17:05 -0500, Pontius, Brian D CIV NAVSISA wrote:
> I apologize for what seems to be repost of a rather similar problem but I having looked through the archives and unable to find answers.
>
> I am running syslog-ng 3.0.4 on Solaris 10 x86 (64bit). I have about 200 hosts, all running over udp. I have 1 heavy hitter, which is my firewall. I puts about 1500 messages a minute. It seems that syslog-ng is able to handle this amount of traffic but I am having trouble figuring out why I can't seem to make it work that way.
>
> I started to notice that I was dropping udp packets by running
> netstat -s |grep udpInOverflows.
>
> I tweaked the udp buffers by setting them to their max
> ndd -set /dev/udp udp_max_buf 1073741824
> ndd -set /dev/udp udp_recv_hiwt 65536
>
> I was still losing packets until I started to tweek my syslog-ng.conf and added the so_rcvbuf entries.
> The problem is, the logfiles do not reflect that all of the messages are making it. I only know this
> because the firewall is also logging to another standalone solaris server running standard syslogd
> and the syslog-ng's firewall's logs are still only getting 1/3 of the logs.
But what was the result of your tweaks? did the msg rate increase? I
guess the options you've quoted above will only increase the maximum
possible size, that the OS permits for applications. It doesn't
immediately increase receive buffer size.
--
Bazsi
More information about the syslog-ng
mailing list