<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Just to close the circle on this, I found the problem. <br><br>After having increased the rmem_max I was no longer seeing any UDP packet drops. I was still not seeing some log messages, and at this point it was a configuration issue.<br><br>I noticed I had filters such as:<br><br>filter f_info { level(info);}<br><br>Obviously this was only catching info level messages. Changed to:<br><br>filter f_info {level(info...emerg);}<br><br>Sorry for the noise, but I still wanted to bring some closure in case someone runs into this. The initial packet drop blinded me into looking into some basic configs, thanks all for the suggestions!<br><br><br><div>> From: syslog-ng-request@lists.balabit.hu<br>> Subject: syslog-ng Digest, Vol 108, Issue 27<br>> To: syslog-ng@lists.balabit.hu<br>> Date: Wed, 30 Apr 2014 12:00:02 +0200<br>> <br>> Send syslog-ng mailing list submissions to<br>> syslog-ng@lists.balabit.hu<br>> <br>> To subscribe or unsubscribe via the World Wide Web, visit<br>> https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>> or, via email, send a message with subject or body 'help' to<br>> syslog-ng-request@lists.balabit.hu<br>> <br>> You can reach the person managing the list at<br>> syslog-ng-owner@lists.balabit.hu<br>> <br>> When replying, please edit your Subject line so it is more specific<br>> than "Re: Contents of syslog-ng digest..."<br>> <br>> <br>> Today's Topics:<br>> <br>> 1. Re: Ubuntu Precise -ng filling out buffer, dropping messages<br>> (Evan Rempel)<br>> <br>> <br>> ----------------------------------------------------------------------<br>> <br>> Message: 1<br>> Date: Tue, 29 Apr 2014 12:38:52 -0700<br>> From: Evan Rempel <erempel@uvic.ca><br>> Subject: Re: [syslog-ng] Ubuntu Precise -ng filling out buffer,<br>> dropping messages<br>> To: syslog-ng@lists.balabit.hu<br>> Message-ID: <535FFFCC.8000203@uvic.ca><br>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>> <br>> On 04/29/2014 12:20 PM, Chaman Chakalaka wrote:<br>> > I fixed the issue with udp being dropped at the system level by changing the linux core files but this time restarting the system, now I know they are missing somewhere between getting to the system and syslog-ng :(<br>> ><br>> > I'm lost once again...<br>> ><br>> > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>> trysource s_network_udp { udp(so_rcvbuf(33554432) log_fetch_limit(20000) log_iw_size(1000000) ); };<br>> <br>> <br>> This assumes that you have a large net.core.rmem_max<br>> <br>> net.core.rmem_max = 52428800<br>> <br>> See how that goes.<br>> <br>> <br>> ------------------------------<br>> <br>> _______________________________________________<br>> syslog-ng maillist - syslog-ng@lists.balabit.hu<br>> https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>> <br>> <br>> End of syslog-ng Digest, Vol 108, Issue 27<br>> ******************************************<br></div> </div></body>
</html>