<p dir="ltr"><br>
On May 7, 2013 11:37 PM, "Xuri Nagarin" <<a href="mailto:secsubs@gmail.com">secsubs@gmail.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> I have a syslog-ng server that does not seem to receive well over TCP.<br>
> Instead of an expected ~150 Mbits/s, I get a trickle of a few events/sec.<br>
> The setup is: Server L is an ArcSight Logger that streams out events<br>
> over TCP or UDP. Server X is a test Syslog-ng VM that is running 3.2.5<br>
> (from EPEL). Server P is running Syslog-NG 3.2.5 built from EPEL srpms<br>
> with TLS enabled.<br>
><br>
> L -> X over UDP Port 514, I get ~100 Mbit/sec<br>
> L -> X over TCP Port 514, I get ~150 Mbit/sec<br>
><br>
> L-> P over UDP Port 514, I get ~100 Mbit/sec<br>
> L-> P over TCP Port 514, I get almost nothing. Just a few tens of events<br>
> make it through over a half hour period.<br>
></p>
<p dir="ltr">I have a guess but that should only happen with 3.3 or later and should at least display a warning message at startup.</p>
<p dir="ltr">Stating with 3.3 the flow control window calculation has changed. Syslog-ng divides the window for each potential connection upfront.</p>
<p dir="ltr">You have max-connection set to 100 and log-iw-size defaults to 1000, which means that syslog-ng allocates 10 to each connection which is somewhat low in threaded mode.</p>
<p dir="ltr">Now as I think of it If you are really using 3.2 another issue may be the cause, is there another client that sends a lot of traffic parallel to logger? One source may starve the other. That's why the window allocation was changed.</p>
<p dir="ltr">In any case try to increase that and see if it helps.</p>
<p dir="ltr">> From L, I relay the same data over and over so there isn't an issue<br>
> with what's being streamed.<br>
><br>
> Config on X and P is identical and very basic:<br>
> -----------------------------------------------------<br>
> options {<br>
> time_reopen (10);<br>
> long_hostnames (off);<br>
> use_dns (no);<br>
> use_fqdn (no);<br>
> create_dirs (yes);<br>
> keep_hostname (yes);<br>
> keep_timestamp(yes);<br>
> log_fifo_size (1000);<br>
> stats_freq(60);<br>
> flush_timeout(10000);<br>
> log_fetch_limit(100);<br>
> flush_lines(100);<br>
> log_iw_size(100);<br>
> };<br>
><br>
> source s_tcp {<br>
> tcp( port(514) max-connections(100) );<br>
> };<br>
><br>
> source s_udp {<br>
> udp( port(514));<br>
> };<br>
><br>
> destination d_tcp { file("/var/log/tcp/$HOST-$YEAR-$MONTH-$DAY-$HOUR"); };<br>
> destination d_udp { file("/var/log/udp/$HOST-$YEAR-$MONTH-$DAY-$HOUR"); };<br>
> -----------------------------------------------------<br>
><br>
><br>
> L -> X over TCP, L opens one TCP connection and everything comes over it.<br>
> L -> P over TCP, L keeps opening up connections with P but no data comes<br>
> over those connections or very few events come over those connections.<br>
><br>
> I am going to investigate if there are any network QoS rules in place<br>
> between L and P but wondering if there might be something in Syslog-NG<br>
> that might be broken. I ran syslog-ng in debug mode but saw no errors. I<br>
> looked at the pcap captures between L and P and saw no errors.<br>
><br>
> Any other clues/ideas for troubleshooting are welcome.<br>
><br>
> TIA!<br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
</p>
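<p dir="ltr">The window arithmetic in the reply (log-iw-size split evenly across max-connections, so 1000 / 100 gives 10 messages per connection) is easy to get wrong by hand, and the quoted config actually sets log_iw_size(100) with max-connections(100), which under that scheme leaves 1 message of window per connection against a log_fetch_limit of 100. The script below is an added example written for this page, not code from the syslog-ng project: it parses a syslog-ng options block and tcp() sources, computes the per-connection window each source would get under the 3.3+ allocation, and flags sources where that window is smaller than log-fetch-limit, which is the rule of thumb in the syslog-ng flow-control documentation (log-iw-size at least log-fetch-limit times max-connections). The sample configuration is constructed to mirror the one quoted in the thread; the default values in DEFAULTS (1000 / 10 / 10) are assumptions about 3.x defaults and should be checked against the manual for the version in use. The parser only understands integer-valued options and the tcp() driver.</p>

```python
import re

# Constructed sample, mirroring the configuration quoted in the thread above
# (global options only; one tcp() source with max-connections(100)).
SAMPLE_CONF = """
options {
    log_fifo_size (1000);
    log_fetch_limit(100);
    flush_lines(100);
    log_iw_size(100);
};

source s_tcp {
    tcp( port(514) max-connections(100) );
};

source s_udp {
    udp( port(514));
};
"""

# Assumed syslog-ng 3.x defaults for the keys examined here (assumptions,
# not taken from the thread; verify against the manual for your version).
DEFAULTS = {"log_iw_size": 1000, "log_fetch_limit": 10, "max_connections": 10}


def _int_option(block, name, default=None):
    """Integer value of name(...) inside block, accepting either the
    underscore or the hyphen spelling (syslog-ng allows both)."""
    pattern = name.replace("_", "[_-]")
    m = re.search(rf"\b{pattern}\s*\(\s*(\d+)\s*\)", block)
    return int(m.group(1)) if m else default


def parse_global_options(conf):
    """Global log_iw_size / log_fetch_limit from the options { ... } block."""
    m = re.search(r"options\s*\{(.*?)\};", conf, re.S)
    body = m.group(1) if m else ""
    return {k: _int_option(body, k, DEFAULTS[k])
            for k in ("log_iw_size", "log_fetch_limit")}


def parse_tcp_sources(conf):
    """Yield (source name, text inside the tcp( ... ) driver) per tcp() driver."""
    for m in re.finditer(r"source\s+(\w+)\s*\{(.*?)\};", conf, re.S):
        name, body = m.group(1), m.group(2)
        for drv in re.finditer(r"\btcp\s*\((.*?)\)\s*;", body, re.S):
            yield name, drv.group(1)


def window_report(conf):
    """For each tcp() source: the window one connection gets when log_iw_size
    is divided evenly across max_connections (the 3.3+ scheme described in
    the reply), and whether that window is at least log_fetch_limit."""
    glob = parse_global_options(conf)
    report = []
    for name, args in parse_tcp_sources(conf):
        max_conn = _int_option(args, "max_connections", DEFAULTS["max_connections"])
        # a driver-level log-iw-size() / log-fetch-limit() overrides the global one
        iw = _int_option(args, "log_iw_size", glob["log_iw_size"])
        fetch = _int_option(args, "log_fetch_limit", glob["log_fetch_limit"])
        per_conn = iw // max_conn
        report.append({
            "source": name,
            "max_connections": max_conn,
            "log_iw_size": iw,
            "log_fetch_limit": fetch,
            "window_per_connection": per_conn,
            "ok": per_conn >= fetch,
            # smallest log_iw_size that satisfies the documented rule of thumb
            "suggested_log_iw_size": fetch * max_conn,
        })
    return report


if __name__ == "__main__":
    for row in window_report(SAMPLE_CONF):
        status = "ok" if row["ok"] else "TOO SMALL"
        print(f"{row['source']}: {row['window_per_connection']} msgs/connection "
              f"(log_iw_size {row['log_iw_size']} / max-connections "
              f"{row['max_connections']}), fetch limit {row['log_fetch_limit']}: "
              f"{status}; suggested log_iw_size >= {row['suggested_log_iw_size']}")
```

<p dir="ltr">Run against the quoted config the report shows 1 message of window per connection for s_tcp and suggests log_iw_size(10000); with log_iw_size left at the assumed default of 1000 it reproduces the reply's figure of 10 per connection. Either way the number is what to compare with the "window too small" style warning the reply says 3.3 prints at startup, and raising log-iw-size (or lowering max-connections to what Logger actually opens) is the change the reply recommends trying.</p>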