Finally got around to reading the docs and applying the recommendations. FIRST - thanks much! NOW - my results: # ndd /dev/udp udp_recv_hiwat 65536 # ndd /dev/udp udp_max_buf 1073741824 # date ; netstat -s | grep udpInOverflows Tue Mar 14 10:15:16 udpInCksumErrs = 0 udpInOverflows =677996405 # date ; netstat -s | grep udpInOverflows Tue Mar 14 10:15:19 udpInCksumErrs = 0 udpInOverflows =677996571 # date ; netstat -s | grep udpInOverflows Tue Mar 14 10:15:22 udpInCksumErrs = 0 udpInOverflows =677996726 I'm pretty sure this is just the Firewall sending more than 55M lines of connection/deny logs over UDP. IF I was to switch the FW over to TCP logging from UDP, would this be a better solution? BTW, here are a few words from syslog-ng: Mar 14 09:32:32 syslog-ng[20685]: STATS: dropped 0 Mar 14 09:42:32 syslog-ng[20685]: STATS: dropped 0 Mar 14 09:52:32 syslog-ng[20685]: STATS: dropped 0 Mar 14 10:02:32 syslog-ng[20685]: STATS: dropped 0 Mar 14 10:04:53 syslog-ng[20685]: Garbage collecting while busy... Mar 14 10:04:58 syslog-ng[20685]: Objects alive: 310, garbage collected: 2999695 Mar 14 10:12:32 syslog-ng[20685]: STATS: dropped 0 Mar 14 10:16:22 syslog-ng[20685]: Garbage collecting while idle... Mar 14 10:16:24 syslog-ng[20685]: Objects alive: 318, garbage collected: 1129970 Mar 14 10:22:32 syslog-ng[20685]: STATS: dropped 0 and its config: source s_udp_inetpix { udp(ip(192.168.0.1)); }; On Mar 7, 2006, at 3:01 PM, syslog-ng-request@lists.balabit.hu <mailto:syslog-ng-request@lists.balabit.hu> wrote: | 1) Am I reading that loss right?? Probably, you might however want to snoop on the interface to see what kind of udp packets come on your interface. | 2) Any tips from Solaris/syslog-ng tuners would be appreciated! udp_max_buf does not set the queue length of the udp socket, which by the way can have a different value for each socket... You could have a look at: http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1 <http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1> basically: increasing udp_max_buf without increasing udp_recv_hiwat has no meaning. Furthermore, you can increase you socket buffer that way up to 64k (Solaris 8 & 9), if you want to increase it further up you must use the setsockopt call (up to udp_max_buf which has a maximum value of 1GB). Here is the official SUN documentation regarding this: http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag <http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag> Now regarding your packet loss issue. I would increase udp_recv_hiwat -> 65536 udp_max_buf -> 1073741824 (you will never get here anyway) Then I would try to play with syslog-ng config: log_fifo_size, log_iw_size and log_fetch_limit. But here I'd appreciate a syslog-ng expert to step in and tell us what to do more preceisely.