<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>RE: [syslog-ng] Forwarding + Spoofing = Errors &amp; Dropped Packets?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>We took DNS out of the config, and had no change. How do we go about seeing if we are blocking on /proc/kmsg?</FONT>
</P>
<P><FONT SIZE=2>Thanks!</FONT>
</P>
<P><FONT SIZE=2>Chris Ivey</FONT>
</P>
<P><FONT SIZE=2>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2>1120 Celebration Blvd.</FONT>
<BR><FONT SIZE=2>Celebration, FL 34747</FONT>
</P>
<P><FONT SIZE=2>chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2>"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: syslog-ng-bounces@lists.balabit.hu [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Balazs Scheidler</FONT>
<BR><FONT SIZE=2>Sent: Wednesday, January 10, 2007 1:10 PM</FONT>
<BR><FONT SIZE=2>To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2>Subject: Re: [syslog-ng] Forwarding + Spoofing = Errors &amp; Dropped Packets?</FONT>
</P>
<P><FONT SIZE=2>On Wed, 2007-01-10 at 07:30 -0600, Ivey, Chris wrote:</FONT>
<BR><FONT SIZE=2>> We are having a REALLY weird issue with syslog-ng that I need to</FONT>
<BR><FONT SIZE=2>> request some assistance with resolving. It has to do with forwarding</FONT>
<BR><FONT SIZE=2>> and spoofing. If I go into syslog-ng.conf and enable forwarding to my</FONT>
<BR><FONT SIZE=2>> 3 remote servers along with spoofing, it causes issues on the server.</FONT>
<BR><FONT SIZE=2>> First, the Recv-Q fills to capacity (as seen in "netstat -a | grep</FONT>
<BR><FONT SIZE=2>> syslog"). Once that buffer fills, we start seeing "packet receive</FONT>
<BR><FONT SIZE=2>> errors" (as seen in "netstat -su"). We have an INORDINATE amount of</FONT>
<BR><FONT SIZE=2>> these errors (about 45%). Observe:</FONT>
</P>
<P><FONT SIZE=2>syslog-ng is busy doing something, and that causes it not to read the UDP</FONT>
<BR><FONT SIZE=2>receive buffers in a timely manner.</FONT>
</P>
<P><FONT SIZE=2>Can you check:</FONT>
<BR><FONT SIZE=2>* syslog-ng is not blocking on DNS</FONT>
<BR><FONT SIZE=2>* syslog-ng is not blocking on /proc/kmsg</FONT>
</P>
<P><FONT SIZE=2>or something else.</FONT>
</P>
<P><FONT SIZE=2>-- </FONT>
<BR><FONT SIZE=2>Bazsi</FONT>
</P>
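<P><FONT SIZE=2>Added example (not part of the original messages, and not syslog-ng code): the symptom described in the thread, a full Recv-Q followed by "packet receive errors", can be measured from /proc/net/snmp and /proc/net/udp rather than read off netstat output by eye. The sample text is constructed, UDP port 514 is assumed as the syslog listener, and the function names are hypothetical.</FONT>
</P>
<PRE>
```python
# Added example. All sample text below is constructed, not captured from the poster's host.
SNMP_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100000 12 2000 300 2000 0
"""
SNMP_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 105500 12 6500 320 6500 0
"""
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  41: 00000000:0202 00000000:0000 07 00000000:0001FFF0 00:00000000 00000000     0        0 5120
  57: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 6011
"""

def udp_counters(snmp_text):
    """Parse the 'Udp:' header and value lines of /proc/net/snmp into {name: int}."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp: header line and one Udp: value line")
    return dict(zip(rows[0], map(int, rows[1])))

def receive_error_ratio(before, after):
    """Share of datagrams arriving between two samples that were counted as InErrors
    (the counter netstat -su prints as 'packet receive errors')."""
    dropped = after["InErrors"] - before["InErrors"]
    delivered = after["InDatagrams"] - before["InDatagrams"]
    total = dropped + delivered
    return dropped / total if total else 0.0

def rx_queue_bytes(udp_text, port):
    """Bytes sitting unread in the receive queue of each UDP socket bound to port."""
    queues = []
    for line in udp_text.splitlines()[1:]:
        f = line.split()
        # f[1] is local addr:port in hex, f[4] is tx_queue:rx_queue in hex
        if len(f) > 4 and int(f[1].rsplit(":", 1)[1], 16) == port:
            queues.append(int(f[4].split(":")[1], 16))
    return queues

if __name__ == "__main__":
    ratio = receive_error_ratio(udp_counters(SNMP_BEFORE), udp_counters(SNMP_AFTER))
    print("receive error ratio: %.0f%%" % (ratio * 100))
    print("rx_queue bytes on port 514:", rx_queue_bytes(PROC_NET_UDP, 514))
```
</PRE>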
</BODY>
</HTML>