Finally got around to reading the docs and applying the recommendations.

FIRST - thanks much!

NOW - my results:

# ndd /dev/udp udp_recv_hiwat
65536
# ndd /dev/udp udp_max_buf
1073741824
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:16
        udpInCksumErrs      =     0     udpInOverflows      =677996405
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:19
        udpInCksumErrs      =     0     udpInOverflows      =677996571
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:22
        udpInCksumErrs      =     0     udpInOverflows      =677996726

I'm pretty sure this is just the Firewall sending more than 55M lines of connection/deny logs over UDP.

IF I was to switch the FW over to TCP logging from UDP, would this be a better solution?

BTW, here are a few words from syslog-ng:

Mar 14 09:32:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 09:42:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 09:52:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:02:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:04:53 syslog-ng[20685]: Garbage collecting while busy...
Mar 14 10:04:58 syslog-ng[20685]: Objects alive: 310, garbage collected: 2999695
Mar 14 10:12:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:16:22 syslog-ng[20685]: Garbage collecting while idle...
Mar 14 10:16:24 syslog-ng[20685]: Objects alive: 318, garbage collected: 1129970
Mar 14 10:22:32 syslog-ng[20685]: STATS: dropped 0

and its config:

source s_udp_inetpix   {
                        udp(ip(192.168.0.1));
                };


On Mar 7, 2006, at 3:01 PM, syslog-ng-request@lists.balabit.hu wrote:

| 1) Am I reading that loss right??

Probably, you might however want to snoop on the interface to see what
kind of udp packets come on your interface.

| 2) Any tips from Solaris/syslog-ng tuners would be appreciated!

udp_max_buf does not set the queue length of the udp socket, which by
the way can have a different value for each socket...

You could have a look at:

http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1

basically: increasing udp_max_buf without increasing udp_recv_hiwat has
no meaning. Furthermore, you can increase your socket buffer that way up
to 64k (Solaris 8 & 9), if you want to increase it
further up you must use the setsockopt call (up to udp_max_buf which
has a maximum value of 1GB).

Here is the official SUN documentation regarding this:

http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag

Now regarding your packet loss issue. I would increase

udp_recv_hiwat -> 65536
udp_max_buf -> 1073741824 (you will never get here anyway)

Then I would try to play with syslog-ng config: log_fifo_size,
log_iw_size and log_fetch_limit.  But here I'd appreciate
a syslog-ng expert to step in and tell us what to do more precisely.
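
An added example, not part of the original thread and not syslog-ng code: the setsockopt call mentioned above, followed by a getsockopt read-back so the receiver can see what buffer size the kernel actually granted. The function name udp_rcvbuf_request and the 1 MB request are assumptions made for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Ask for a receive buffer of `want` bytes on a new UDP socket and
 * return the size the kernel reports afterwards, or -1 on error.
 * The socket is handed back in *fd_out so a caller could bind() it.
 * (Hypothetical helper written for this example.) */
long udp_rcvbuf_request(int want, int *fd_out)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    /* A refused request is not fatal: the socket keeps its default
     * buffer, and the read-back below shows what that default is. */
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &want, sizeof(want)) < 0)
        perror("setsockopt(SO_RCVBUF)");

    int got = 0;
    socklen_t len = sizeof(got);
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0) {
        close(fd);
        return -1;
    }
    *fd_out = fd;
    return got;
}

int main(void)
{
    int want = 1024 * 1024;  /* constructed value: 1 MB, well above 64k */
    int fd = -1;
    long got = udp_rcvbuf_request(want, &fd);
    if (got < 0) {
        perror("udp socket");
        return 1;
    }
    printf("requested %d bytes, kernel reports %ld bytes\n", want, got);
    if (got < want)
        printf("smaller than requested: check the system-wide maximum\n");
    close(fd);
    return 0;
}
```

Never assume the requested size was applied: depending on the operating system, an oversized request is either refused or silently reduced to the system-wide maximum, and Linux reports twice the value it accepted.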