Jim,
You can try some of the steps outlined here:
http://demo.logzilla.net/help/performance_tuning/udp_buffer_tuning
Since these are VM's, you may also want to look at the type of NIC you are using for the VM, for example:
And of course, make sure the VMware drivers are installed in the OS.
From:
syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Jim Hendrick <james.r.hendrick@gmail.com>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: Tuesday, January 10, 2017 at 4:20 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] udp tuning - where to look.
Hi,
I am working an issue with UDP drops in a high EPS rate environment (several thousand steady) and struggling with making any changes in the loss rate. (according to netstat -su | grep error).
This is happening on two nodes, (one running an older syslog-ng 3.2 OSE, the other running a splunk forwarder) but I don't actually think it is making it out of the kernel to either application.
On the syslog-ng side syslog-ng-ctl stats shows *no* drops at all.
Increasing net.core.rmem_max and so_rcvbuf together all the way to 64 MB did not seem to make any significant difference.
This is a RHEL 6 box with 16 GB and 4 cores (virtual - running in an ESX environment)
Are there other parameters, things I should be looking at?
Thanks,
Jim