<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style><style type="text/css"></style>
</head>
<body fpstyle="1" ocsi="0" style="">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<div><span style="font-family: 'Times New Roman'; font-size: 16px;">I don't know how much logs you are getting but should tweak "</span><span style="font-family: 'Times New Roman'; font-size: 16px;">log_fifo_size (1000);" to a higher number. Your </span><span style="font-family: 'Times New Roman'; font-size: 16px;">flush_lines
is really high too.. I tested around with flush lines but I ended setting it to 0 with 50k log per second. And they greatest of all tweaks would be a newer syslog version because of the threading.</span></div>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF523290" style="direction: ltr;"><font face="Tahoma" size="2" color="#000000"><b>Von:</b> syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu]" im Auftrag von "Xuri Nagarin [secsubs@gmail.com]<br>
<b>Gesendet:</b> Freitag, 31. Mai 2013 07:46<br>
<b>An:</b> Syslog-ng users' and developers' mailing list<br>
<b>Betreff:</b> [syslog-ng] TCP packet collapse errors<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">I have a pair of Syslog-NG servers running 3.2.5-3. The hardware specs are - Quad Xeon E5-2680 (32 cores), 32GB RAM, and two 1TB SAS 7200 RPM disks in RAID-1.
<div> </div>
<div style="">OS is RHEL6.2 - Kernel 2.6.32-279.5.2. Filesystem is ext3.</div>
<div style=""><br>
</div>
<div style="">Global options are set as:</div>
<div style="">
<div>options {</div>
<div><span class="" style="white-space:pre"></span>flush_lines (1000);</div>
<div><span class="" style="white-space:pre"></span>time_reopen (10);</div>
<div><span class="" style="white-space:pre"></span>log_fifo_size (1000);</div>
<div><span class="" style="white-space:pre"></span>long_hostnames (off);</div>
<div><span class="" style="white-space:pre"></span>use_dns (no);</div>
<div><span class="" style="white-space:pre"></span>use_fqdn (no);</div>
<div><span class="" style="white-space:pre"></span>create_dirs (yes);</div>
<div><span class="" style="white-space:pre"></span>keep_hostname (yes);</div>
<div><span class="" style="white-space:pre"></span>keep_timestamp(yes);</div>
<div><span class="" style="white-space:pre"></span>dir_group("syslog");</div>
<div><span class="" style="white-space:pre"></span>perm(0640);</div>
<div><span class="" style="white-space:pre"></span>dir_perm(0750);</div>
<div><span class="" style="white-space:pre"></span>group("syslog");</div>
<div>};</div>
<div><br>
</div>
<div style="">I have already set TCP kernel buffers to 128MB max and set disk scheduler to "deadline".</div>
<div style=""><br>
</div>
<div style="">But even under light disk IO load, from ~8-25MB, I see "1320811067 packets collapsed in receive queue due to low socket buffer". I had some other processes on the host writing to disk. Stopping them reduced the packet errors but this number still
keeps incrementing.</div>
<div style=""><br>
</div>
<div style="">To rule out other issues, I temporarily pointed my disk-based destinations to /dev/null and then packet losses/errors stopped. So either Syslog-NG isn't able to write to disk fast enough or there is an underlying OS/hardware issue.</div>
<div style=""><br>
</div>
<div style="">Both hosts have the same issue. Any pointers in troubleshooting it will be appreciated.</div>
<div style=""><br>
</div>
<div style="">TIA.</div>
<div style=""><br>
</div>
<div style=""><br>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>