Hi Jim, While not a direct answer and following on from Fabien's suggestion: If in a virtual environment, as a work around you could create a few instances running syslog-ng with udp source and tcp destinations, and enable fifo or disk buffering and balance the load over the new instances; maybe explore round robin dns configuration if your environment permits? Kr, James On 11 January 2017 08:26:39 GMT+00:00, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Jim,
On Tue, Jan 10, 2017 at 04:20:02PM -0500, Jim Hendrick wrote:
loss rate. (according to netstat -su | grep error). […] On the syslog-ng side syslog-ng-ctl stats shows *no* drops at all.
This means that syslog-ng isn't accepting the packets fast enough, so the kernel starts buffering, and the latter gets full, thus increasing the kernel counters (see `/proc/net/snmp`).
Increasing net.core.rmem_max and so_rcvbuf together all the way to 64 MB did not seem to make any significant difference.
I'm afraid these are the values I was going to suggest.
This is a RHEL 6 box with 16 GB and 4 cores (virtual - running in an ESX environment)
FWIW I've had many problems with dropped Udp on virtual machines. It's easy to correlate the `steal` cpu state with drop events where relevant.
Are there other parameters, things I should be looking at?
I'm curious too if there is anything else that can be done (apart from switching to TCP).
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.