<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>Forwarding + Spoofing = Errors & Dropped Packets?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">We are having a REALLY weird issue with syslog-ng that I need to request some assistance with resolving. It has to do with forwarding and spoofing. If I go into syslog-ng.conf and enable forwarding to my 3 remote servers along with spoofing, it causes issues on the server. First, the Recv-Q fills to capacity (as seen in "netstat -a | grep syslog"). Once that buffer fills, we start seeing "packet receive errors" (as seen in "netstat -su"). We have an INORDINATE amount of these errors (about 45%). Observe:</FONT></P>
<P><FONT SIZE=2 FACE="Arial">[civey@logsvr2 syslog-ng]$ netstat -su</FONT>
<BR><FONT SIZE=2 FACE="Arial">Udp:</FONT>
<BR><FONT SIZE=2 FACE="Arial"> 112958828 packets received</FONT>
<BR><FONT SIZE=2 FACE="Arial"> 4084 packets to unknown port received.</FONT>
<BR><FONT SIZE=2 FACE="Arial"> 50596174 packet receive errors</FONT>
<BR><FONT SIZE=2 FACE="Arial"> 95393123 packets sent</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Here is kind of a tabular representation of what I have done so far, and the results:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Action Results</FONT>
<BR><FONT SIZE=2 FACE="Arial">No forwarding, no spoofing Buffers stay at 0 about 99% of the time, no problems</FONT>
<BR><FONT SIZE=2 FACE="Arial">Forwarding to 1 server w/spoofing Buffers increase and stay high for a while, but do eventually get back to 0</FONT>
<BR><FONT SIZE=2 FACE="Arial">Forwarding to 2 servers w/spoofing Buffers increase and stay high, eventually filling and causing "packet receive errors"</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Forwarding to 1 server, no spoofing Same as no forwarding enabled at all</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">So far we have re-downloaded the syslog-ng source and recompiled on the server, we have re-downloaded and recompiled all the prerequisites for syslog-ng, and we have backed up all the libraries and executables on the bad server and replaced them with the libraries and executables from the good server. None of this has done any good, as we keep seeing the same issues. I am about at my wit's end here. Can someone please provide some direction on where to go from here?</FONT></P>
<P><FONT SIZE=2 FACE="Arial">O/S: Fedora Core 4</FONT>
<BR><FONT SIZE=2 FACE="Arial">RAM: 2 GB</FONT>
<BR><FONT SIZE=2 FACE="Arial">Syslog-ng: 1.6.11</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Thanks in advance!</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Chris Ivey</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Affiliated Computer Services</FONT>
<BR><FONT SIZE=2 FACE="Arial">Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2 FACE="Arial">Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">1120 Celebration Blvd.</FONT>
<BR><FONT SIZE=2 FACE="Arial">Celebration, FL 34747</FONT>
<BR><FONT SIZE=2 FACE="Arial">chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
</P>
</BODY>
</HTML>