We are having a REALLY weird issue with syslog-ng that I need to request some assistance with resolving. It has to do with forwarding and spoofing. If I go into syslog-ng.conf and enable forwarding to my 3 remote servers along with spoofing, it causes issues on the server. First, the Recv-Q fills to capacity (as seen in "netstat -a | grep syslog"). Once that buffer fills, we start seeing "packet receive errors" (as seen in "netstat -su"). We have an INORDINATE amount of these errors (about 45%). Observe:
[civey@logsvr2 syslog-ng]$ netstat -su
Udp:
    112958828 packets received
    4084 packets to unknown port received.
    50596174 packet receive errors
    95393123 packets sent
Here is kind of a tabular representation of what I have done so far, and the results:
Action                                 Results
-------------------------------------  ------------------------------------------------------------
No forwarding, no spoofing             Buffers stay at 0 about 99% of the time, no problems
Forwarding to 1 server w/spoofing      Buffers increase and stay high for a while, but do eventually get back to 0
Forwarding to 2 servers w/spoofing     Buffers increase and stay high, eventually filling and causing "packet receive errors"
Forwarding to 1 server, no spoofing    Same as no forwarding enabled at all
So far we have re-downloaded the syslog-ng source and recompiled on the server, we have re-downloaded and recompiled all the prerequisites for syslog-ng, and we have backed up all the libraries and executables on the bad server and replaced them with the libraries and executables from the good server. None of this has done any good, as we keep seeing the same issues. I am about at my wit's end here. Can someone please provide some direction on where to go from here?
O/S: Fedora Core 4
RAM: 2 GB
Syslog-ng: 1.6.11
Thanks in advance!
Chris Ivey
Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management Senior Analyst
1120 Celebration Blvd.
Celebration, FL 34747
chris.ivey@acs-inc.com
"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes