On Wed, 2010-01-20 at 17:05 -0500, Pontius, Brian D CIV NAVSISA wrote:
I apologize for what seems to be repost of a rather similar problem but I having looked through the archives and unable to find answers.
I am running syslog-ng 3.0.4 on Solaris 10 x86 (64bit). I have about 200 hosts, all running over udp. I have 1 heavy hitter, which is my firewall. I puts about 1500 messages a minute. It seems that syslog-ng is able to handle this amount of traffic but I am having trouble figuring out why I can't seem to make it work that way.
I started to notice that I was dropping udp packets by running netstat -s |grep udpInOverflows.
I tweaked the udp buffers by setting them to their max ndd -set /dev/udp udp_max_buf 1073741824 ndd -set /dev/udp udp_recv_hiwt 65536
I was still losing packets until I started to tweek my syslog-ng.conf and added the so_rcvbuf entries. The problem is, the logfiles do not reflect that all of the messages are making it. I only know this because the firewall is also logging to another standalone solaris server running standard syslogd and the syslog-ng's firewall's logs are still only getting 1/3 of the logs.
But what was the result of your tweaks? did the msg rate increase? I guess the options you've quoted above will only increase the maximum possible size, that the OS permits for applications. It doesn't immediately increase receive buffer size. -- Bazsi