Re: [syslog-ng] TCP orig_log_iw_size='3', why?

Let me add some background: # cat /etc/redhat-release Red Hat Enterprise Linux release 9.4 (Plow) # syslog-ng --version syslog-ng 3 (3.35.1) Config version: 3.35 Installer-Version: 3.35.1 Revision: Compile-Date: Feb 6 2023 00:00:00 Module-Directory: /usr/lib64/syslog-ng Module-Path: /usr/lib64/syslog-ng Include-Path: /usr/share/syslog-ng/include Available-Modules: xml,add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,azure-auth-header,basicfuncs,cef,confgen,cryptofuncs,csvparser,dbparser,disk-buffer,examples,graphite,hook-commands,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,regexp-parser,sdjournal,secure-logging,stardate,syslogformat,system-source,tags-parser,tfgetent,timestamp Enable-Debug: off Enable-GProf: off Enable-Memtrace: off Enable-IPv6: on Enable-Spoof-Source: on Enable-TCP-Wrapper: off Enable-Linux-Caps: on Enable-Systemd: on Extracts from /etc/syslog-ng/syslog-ng.conf: #### START OF SYSLOG-NG.CONF CONFIGURATION FILE #### @version:3.5 @include "scl.conf" options { flush_lines (100); time_reopen (10); log_fifo_size (30000); # Default is 1000 chain_hostnames (off); use_dns (yes); # This enables IP to hostname translation; this has no effect if keep_hostname() is enabled and message contains a hostname dns_cache(yes); # DNS caching to improve hostname translation dns-cache-size(2000); # Default is 1007 dns-cache-expire(14400); # Default is 3600 use_fqdn (yes); # This has no effect if keep_hostname() is enabled and message contains a hostname create_dirs (yes); keep_hostname (yes); threaded (yes); }; source s_nas { network(ip(X.X.X.X) transport(tcp) port(514)); network(ip(X.X.X.X) transport(udp) port(514) so-rcvbuf(26214400)); tcp(ip(X.X.X.X) port(44514) max-connections(300) tls( key_file("/etc/syslog-ng/key.d/priv.key") cert_file("/etc/syslog-ng/cert.d/cert.pem") peer_verify(optional-untrusted)) ); destination d_nas { file("/opt/$LOGHOST/logs/nas/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$YEAR$MONTH$DAY.log" template(t_splunk) dir-owner("splunk") dir-group("splunk") dir-perm(0750) owner("splunk") group("splunk") perm(0640)); }; log { source(s_nas); destination(d_nas); flags(flow-control);}; Thanks. Il 2025-03-01 08:32 claudio@witel.it ha scritto:

Hello syslog-ng community,

I get this warning at syslog-ng start (or restart) when running journalctl

[...] Feb 27 02:46:57 xxxsplunksyslog1 syslog-ng[2998304]: [2025-02-27T02:46:57.330923] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to value of min_iw_size_per_reader. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='3', new_log_iw_size='100', min_iw_size_per_reader='100', min_log_fifo_size='30000' Feb 27 02:46:57 xxxsplunksyslog1 systemd[1]: Started System Logger Daemon.

I thought the orig_log_iw_size value was coming from the formula log_iw_size/max_connections which should be 100/300=1/3 What is this orig_log_iw_size='3' ?

Thanks.

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng [1] Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng [2] FAQ: http://www.balabit.com/wiki/syslog-ng-faq [3]

Links: ------ [1] https://lists.balabit.hu/mailman/listinfo/syslog-ng [2] http://www.balabit.com/support/documentation/?product=syslog-ng [3] http://www.balabit.com/wiki/syslog-ng-faq