On Tue Mar 7 09:34:23 2006, Cary, Kim wrote:
| Vincent!
|
| Thanks much for confirming the issue and repeating the link to me.
|
| Well, the only _intended_ udp traffic to the system is syslog.
| Currently, the system is logging from a PIX on one GigE interface,
| and from a few servers plus a less active PIX on another GigE.
|
| We send the PIX logs, separately, to pipes. And log everything to file.
|
| # vmstat 5 4
|  kthr      memory            page            disk        faults      cpu
| r b  w    swap   free re mf  pi po fr de sr s0 s1 s3 --   in    sy   cs us sy id
| 0 0  4 2793888 737144 34  5 232  2  1  0  0  0  3  0  0  124    18  107 11  9 80
| 0 0 36 2680456 673440  5  6   0  0  0  0  0  3  5  0  0 1897 15728 2516  9 15 76
| 0 0 36 2680456 673440  5  5   0  0  0  0  0  0  2  0  0 1612 13349 2268 10 10 80
| 0 0 36 2680456 673440  5  5   0  0  0  0  0  0  3  0  0 1854 15740 2520 13 15 73
|
| # iostat 5 4
|    tty        sd0           sd1           sd30          nfs1         cpu
| tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id
|   0   37   5   0   11 421   3   22   0   0    0   0   0    0 11  9  0 80
|   0   47   0   0    0 259   2   29   0   0    0   0   0    0 11 14  0 75
|   0   16  28   4   17 334   5   25   0   0    0   0   0    0 15 16  1 69
|   0   16   2   0   10 293   2   40   0   0    0   0   0    0 11 11  0 78
|
| At: ndd /dev/udp udp_max_buf 33554432 (32Mb!)
|
| We have these time/counter readings for udpInOverflows:
| 00 - 645628929
| 33 - 645630391
| 96 - 645632008
|
| Or, about 1924 packets/minute lost.
|
| At udp_max_buf 64Mb (!!!), 2713 packets/minute lost.
|
| I am FAR from out of memory 700Mb free.
|
| 1) Am I reading that loss right??

Probably, you might however want to snoop on the interface to see what
kind of udp packets come on your interface.

| 2) Any tips from Solaris/syslog-ng tuners would be appreciated!

udp_max_buf does not set the queue length of the udp socket, which by the
way can have a different value for each socket...

You could have a look at:
http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1

basically: increasing udp_max_buf without increasing udp_recv_hiwat has
no meaning.
Furthermore, you can increase your socket buffer that way up to 64k
(Solaris 8 & 9), if you want to increase it further up you must use the
setsockopt call (up to udp_max_buf which has a maximum value of 1GB).

Here is the official SUN documentation regarding this:
http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag

Now regarding your packet loss issue. I would increase
udp_recv_hiwat -> 65536
udp_max_buf -> 1073741824 (you will never get here anyway)

Then I would try to play with syslog-ng config: log_fifo_size,
log_iw_size and log_fetch_limit. But here I'd appreciate a syslog-ng
expert to step in and tell us what to do more precisely.

Vincent
-- 
 .~.   Vincent Haverlant -- Galadril -- #ICQ: 35695155
 /V\   MSN: vincent_msn@haverlant.org -- http://www.haverlant.org/
/( )\  Parinux member: http://www.parinux.org/
^^-^^  GPG: 8FEA 52C2 5C54 A201 2375 0FA5 AF2E 1881 92D0 EE84
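
The setsockopt route mentioned in the reply above, as an added example that is not part of the original message: it requests a per-socket UDP receive buffer and reads back the size actually in effect, which is the check that shows whether a system-wide limit is bounding the socket. The function name udp_rcvbuf_request and the three sizes are assumptions of this example.

```c
/* Added example: ask for a UDP receive buffer with setsockopt() and read
 * back what the kernel granted. Function name and sizes are illustrative. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Request `requested` bytes of SO_RCVBUF on fd.
 * Returns the size now in effect, or -1 if it cannot be read back. */
int udp_rcvbuf_request(int fd, int requested)
{
    int granted = 0;
    socklen_t len = sizeof(granted);

    /* A request above the system limit may be refused or clamped,
     * depending on the OS; report a refusal but still read the result. */
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &requested, sizeof(requested)) < 0)
        fprintf(stderr, "SO_RCVBUF=%d refused: %s\n", requested, strerror(errno));

    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &granted, &len) < 0)
        return -1;
    return granted;
}

int main(void)
{
    /* 64 KB (the udp_recv_hiwat figure from the reply), 1 MB, and
     * 32 MB (the udp_max_buf value tried in the thread) */
    int sizes[] = { 65536, 1048576, 33554432 };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    size_t i;

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("requested %9d bytes, in effect %9d bytes\n",
               sizes[i], udp_rcvbuf_request(fd, sizes[i]));
    close(fd);
    return 0;
}
```

If a request is refused or the size in effect stays below what was asked for, the system-wide limit (udp_max_buf on the Solaris systems discussed here) is the bound to raise.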