<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>RE: [syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Bazsi,</FONT>
<BR> <FONT SIZE=2>Thanks for your help thus far. After MUCH trial and error with enabling and disabling things in syslog-ng.conf, and watching "netstat -an" output after each attempt, I have narrowed this issue down to something to do with spoofing. From my starting syslog-ng.conf file, if I do NOTHING but turn off spoofing, the Recv-Q buffer stops filling and all is happy. If I turn on spoofing, those buffers start filling again. I used tkdiff to compare my 2 syslog-ng.conf files side-by-side, and the only differences between the 2 are the lines where the forward-to hosts are defined and where the destinations are defined (the bad server has lines commented, the good one does not). Lsof on both machines for syslog-ng shows the same libraries opened and such. So, the question now is what happens with spoofing that would cause all these issues? What does spoofing do in the background that my server is unhappy about? Any insight would be greatly appreciated!</FONT></P>
<P><FONT SIZE=2>Chris Ivey</FONT>
</P>
<P><FONT SIZE=2>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2>1120 Celebration Blvd.</FONT>
<BR><FONT SIZE=2>Celebration, FL 34747</FONT>
</P>
<P><FONT SIZE=2>chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2>"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: syslog-ng-bounces@lists.balabit.hu [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Balazs Scheidler</FONT>
<BR><FONT SIZE=2>Sent: Thursday, January 11, 2007 8:06 AM</FONT>
<BR><FONT SIZE=2>To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2>Subject: RE: [syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?</FONT>
</P>
<P><FONT SIZE=2>On Wed, 2007-01-10 at 13:31 -0600, Ivey, Chris wrote:</FONT>
<BR><FONT SIZE=2>> We took DNS out of the config, and had no change. How do we go about</FONT>
<BR><FONT SIZE=2>> seeing if we are blocking on /proc/kmsg?</FONT>
</P>
<P><FONT SIZE=2>You need to identify the bottleneck, there are various tools for this.</FONT>
<BR><FONT SIZE=2>Check CPU/disk usage, vmstat, maybe even strace syslog-ng and check</FONT>
<BR><FONT SIZE=2>where it is spending its time.</FONT>
</P>
<P><FONT SIZE=2>If everything looks normal, you might need to increase the UDP receive</FONT>
<BR><FONT SIZE=2>buffer size. What is your message rate?</FONT>
</P>
<P><FONT SIZE=2>-- </FONT>
<BR><FONT SIZE=2>Bazsi</FONT>
</P>
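<P><FONT SIZE=2>The check described in this thread (watching the Recv-Q column of "netstat -an" to see whether the UDP receive buffer is filling) can be scripted. The following is an added example, not part of the original messages or of syslog-ng; the function names and the two snapshots are constructed for illustration.</FONT>
</P>

```shell
#!/bin/sh
# Compare two `netstat -an` snapshots and report UDP sockets whose
# receive queue (Recv-Q) grew between them. A queue that keeps growing
# means the reader (here, syslog-ng) is not draining the socket fast
# enough, and datagrams are dropped once the buffer is full.

# Constructed sample: snapshot taken first.
sample_before() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp     8320      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# Constructed sample: snapshot taken a few seconds later.
sample_after() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp    65536      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# recvq_growth BEFORE_FILE AFTER_FILE
# Prints "local_addr before after delta" for each UDP socket whose
# Recv-Q is larger in AFTER_FILE than in BEFORE_FILE.
recvq_growth() {
    awk '
        # Skip headers and anything that is not a udp/udp6 socket line.
        $1 !~ /^udp/ || $2 !~ /^[0-9]+$/ { next }
        # First file: remember Recv-Q per local address.
        FNR == NR { before[$4] = $2 + 0; next }
        # Second file: report only queues that grew.
        ($4 in before) && ($2 + 0) > before[$4] {
            print $4, before[$4], $2 + 0, ($2 + 0) - before[$4]
        }
    ' "$1" "$2"
}

# Live use on the log server:
#   netstat -an > /tmp/before; sleep 10; netstat -an > /tmp/after
#   recvq_growth /tmp/before /tmp/after
```

<P><FONT SIZE=2>Run it once with spoofing enabled and once with it disabled; only the configuration that stalls the reader should produce output for the syslog port.</FONT>
</P>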
</BODY>
</HTML>