Something really wrong with syslog-ng or my config. I'm dropping way too many packets. I will admit that my configuration is probably a large part of the problem and would appreciate it if someone could take a look at it and offer some suggestions.

There is another thread going about a similar problem on a similar platform.

We recently upgraded to Solaris 10 from Solaris 9 and I don't recall us dropping that many packets before. We also upgraded from a much older syslog-ng version to 3.1.2.

I am basing the dropped packets on the UDP stats, not the syslog-ng stats. The syslog-ng stats show NO dropped packets.

UDP     udpInDatagrams  = -4599313      udpInErrors     =        0
        udpOutDatagrams =     3421      udpOutErrors    =        0
        tcpInErrs       =        0      udpNoPorts      =  2587612
        udpInCksumErrs  =        0      udpInOverflows  = 95806254

The above is a 3 hour sample and it is from our syslog server that does not get that much traffic.
____________________________

Here is the current version info: Solaris 10,

syslog-ng 3.1.2
Installer-Version: 3.1.2
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca
Compile-Date: Oct 25 2010 23:56:18
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: on
Enable-Sun-Door: on
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: off
Enable-Pcre: on
_____________________________

Below is a very small sampling of our syslog-ng.conf. We are filtering on about 1400 devices, most of which are firewalls and routers. The IPs in the following sample have been made up.

One of my questions is "Does the number of devices we are filtering on make a difference? (1400)"

We have several sites and use just one version of the syslog-ng.conf file. It is a lot easier to maintain one copy :))

Also notice the format ("^10\.123\.10\.133$") for the filters. All 1400 are in that format. I was hoping this would help a little but don't really know for sure :))

The source statement below, "...external_Future_tcp", has not yet been implemented. Since we are dropping so many packets, I was going to try configuring the devices to log over TCP instead of UDP.
@version: 3.0

# Created: 01 March 2011

#----------------[ GLOBAL OPTIONS ]-------------------------

options {
    create_dirs(yes);
    use_dns(no);
    time_reopen(10);
    time_reap(360);
    keep_timestamp(yes);
};

#---------------------[ SOURCES ]---------------------------

source s_local {
    sun-stream("/dev/log" door("/etc/.syslog_door"));
    internal();
};

source s_external {
    udp();
};

source s_external_tcp {
    tcp(max-connections(50) port(514));
};

source s_external_Future_tcp {
    tcp(max-connections(1400) port(1470));
};

#---------------------[ DESTINATION ]---------------------------

destination d_local {
    file("/var/adm/messages"
        perm(0655)
        dir_perm(0655));
};

destination d_network_file {
    file("/logs/$YEAR/$MONTH/$DAY/network.log"
        perm(0655)
        dir_perm(0655));
};

destination d_bacsit {
    udp("10.11.13.114" port(2514) spoof-source(yes));
};

destination d_network_syslogd {
    udp("10.11.13.116" port(1514) spoof-source(yes));
};

destination d_firewall_file {
    file("/logs/$YEAR/$MONTH/$DAY/firewall/$HOST.log"
        perm(0655)
        dir_perm(0655));
};

destination d_mrv_file {
    file("/logs/$YEAR/$MONTH/$DAY/mrv.log"
        perm(0655)
        dir_perm(0655));
};

destination d_mail_file {
    file("/logs/$YEAR/$MONTH/$DAY/mail/$HOST.log"
        perm(0655)
        dir_perm(0655));
};

destination d_f567_file {
    file("/logs/$YEAR/$MONTH/$DAY/f5s/$HOST.log"
        perm(0655)
        dir_perm(0655));
};

#---------------------[ FILTERS ]---------------------------

# Each host() pattern is anchored (^...$) so that e.g. 10.123.10.133 does
# not also match 10.123.10.1330 or 110.123.10.133.
filter f_f567 {
    host("^10\.123\.10\.133$") or   # Host B
    host("^10\.100\.10\.200$") or   # Host A
    host("^10\.115\.10\.246$") or   # Host C
    host("^10\.121\.10\.102$") or   # Host D
    host("^10\.117\.10\.99$");      # Host F
};

filter f_mrv {
    host("^10\.68\.69\.100$") or    #
    host("^10\.100\.166\.10$") or   # (the "\." before 166 was missing in the posted copy)
    ... and so on
};

#---------------------[ LOGS ]---------------------------

log {
    source(s_local);
    destination(d_local);
};

log {
    source(s_external);
    filter(f_f567);
    destination(d_f567_file);   # matches the destination name defined above
};

log {
    source(s_external); source(s_external_tcp);
    filter(f_firewall);
    destination(d_bacsit);
};

log {
    source(s_external);
    filter(f_network);
    destination(d_bacsit);
};

log {
    source(s_external); source(s_external_tcp);
    filter(f_firewall);
    destination(d_combo_file);
};

log {
    source(s_external);
    filter(f_mail);
    destination(d_mail_file);
};

....and so on

I'm grateful for all help and suggestions.

Thanks!!
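Added example, not part of the original post and not the syslog-ng project's own configuration: a source/log fragment aimed at the udpInOverflows counter quoted above. On Solaris that counter is incremented when the kernel drops a datagram because the listening socket's receive buffer is already full, so the message never reaches syslog-ng and its own stats correctly show no drops. The fragment therefore raises the socket buffer with so_rcvbuf() on the udp() source, gives destinations a deeper queue, and turns on periodic internal stats so any drops inside syslog-ng become visible. Because this build has Enable-Threads: off, one thread reads the socket, evaluates every filter against every message and writes every file; 1400 anchored host() regexes evaluated in sequence per message are CPU work in that same thread, so the fragment also shows netmask() as a cheaper filter where devices fall into subnets. All numeric values, the subnets and the filter/destination names are assumptions to be adapted; the post's perm(0655) is replaced by 0644/0755 because 0655 sets the execute bit on log files. A side caveat on reading the counters: the negative udpInDatagrams is a 32-bit counter printed as signed after wrapping, so work from deltas between two snapshots rather than the raw figures.

```conf
@version: 3.0

# Added example (not the original poster's config). Values are assumptions
# to be tuned for the actual message rate.

options {
    create_dirs(yes);
    use_dns(no);             # keep off: a stalled resolver would block the single reader thread
    keep_timestamp(yes);
    log_fifo_size(100000);   # default per-destination queue depth, in messages (assumed)
    stats_freq(600);         # write internal counters every 10 min; drops inside syslog-ng show up here
};

# Larger kernel receive buffer for the UDP listener. Solaris clamps
# SO_RCVBUF at the udp_max_buf tunable (default 2097152 bytes), so raise
# the clamp first, e.g. as root (not persistent across reboots, size assumed):
#   ndd -set /dev/udp udp_max_buf 8388608
# Verify afterwards that udpInOverflows stops climbing:
#   netstat -s -P udp
source s_external {
    udp(port(514) so_rcvbuf(8388608) log_fetch_limit(1000));
};

# Do NOT add flags(flow-control) to log paths fed by a udp() source. When a
# destination queue fills, flow-control makes syslog-ng stop reading the
# socket; the kernel then drops the datagrams (udpInOverflows) instead of
# syslog-ng counting them in its own stats.

# Cheaper than hundreds of anchored regex host() filters evaluated for every
# message: match on the sender's network address where the devices group by
# subnet (subnets here are made up).
filter f_firewall_subnets {
    netmask("10.123.10.0/24") or
    netmask("10.100.10.0/24");
};

destination d_firewall_file {
    file("/logs/$YEAR/$MONTH/$DAY/firewall/$HOST.log"
        perm(0644)            # rw-r--r--; no execute bit on log files
        dir_perm(0755));      # directories need the execute bit to be traversed
};

log {
    source(s_external);
    filter(f_firewall_subnets);
    destination(d_firewall_file);
};
```

Keep the existing anchored host() filters for devices that cannot be grouped by subnet; the point of netmask() is only to shrink the number of regex matches each message goes through before it hits a destination. Moving the devices to the planned TCP source helps separately, because a TCP sender is blocked rather than silently discarded when the receiver falls behind, at the cost of the device buffering or stalling its own logging.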