Hi Jim,

While not a direct answer and following on from Fabien's suggestion:

If in a virtual environment, as a workaround you could create a few instances running syslog-ng with udp source and tcp destinations, and enable fifo or disk buffering and balance the load over the new instances; maybe explore round-robin DNS configuration if your environment permits?

Kr,

James

On 11 January 2017 08:26:39 GMT+00:00, Fabien Wernli <wernli@in2p3.fr> wrote:
> Hi Jim,
>
> On Tue, Jan 10, 2017 at 04:20:02PM -0500, Jim Hendrick wrote:
>> loss rate. (according to netstat -su | grep error).
> […]
>> On the syslog-ng side syslog-ng-ctl stats shows *no* drops at all.
>
> This means that syslog-ng isn't accepting the packets fast enough, so the
> kernel starts buffering, and the latter gets full, thus increasing the
> kernel counters (see `/proc/net/snmp`).
>
>> Increasing net.core.rmem_max and so_rcvbuf together all the way to 64 MB
>> did not seem to make any significant difference.
>
> I'm afraid these are the values I was going to suggest.
>
>> This is a RHEL 6 box with 16 GB and 4 cores (virtual - running in an ESX
>> environment)
>
> FWIW I've had many problems with dropped UDP on virtual machines. It's easy
> to correlate the `steal` CPU state with drop events where relevant.
>
>> Are there other parameters, things I should be looking at?
>
> I'm curious too if there is anything else that can be done (apart from
> switching to TCP).

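
Added example, not part of the original thread: one way to measure the two things discussed above over the same interval, the kernel-side UDP receive drops in `/proc/net/snmp` and the CPU `steal` share from `/proc/stat`. The snapshots are constructed sample data and the function names are illustrative.

```python
# Constructed sample snapshots (not from the thread), in the formats of
# /proc/net/snmp and /proc/stat, taken at the start and end of one interval.
SNMP_T0 = """Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1000000 12 500 200 500 0
"""
SNMP_T1 = """Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1090000 12 10500 200 10500 0
"""
STAT_T0 = "cpu  1000 0 500 8000 100 0 20 50 0 0\n"
STAT_T1 = "cpu  1300 0 700 8280 110 0 30 250 0 0\n"


def parse_udp(snmp_text):
    """Map the Udp header row onto its value row (column sets vary by kernel)."""
    rows = [line.split()[1:] for line in snmp_text.splitlines()
            if line.startswith("Udp:")]
    if len(rows) != 2:
        raise ValueError("expected one Udp header row and one value row")
    return dict(zip(rows[0], (int(v) for v in rows[1])))


def parse_cpu(stat_text):
    """Return (steal, total) jiffies from the aggregate 'cpu' line."""
    for line in stat_text.splitlines():
        if line.startswith("cpu "):
            fields = [int(v) for v in line.split()[1:]]
            # Fields: user nice system idle iowait irq softirq steal [guest ...];
            # guest time is already counted in user/nice, so sum the first 8.
            return fields[7], sum(fields[:8])
    raise ValueError("no aggregate cpu line")


def interval_report(snmp0, snmp1, stat0, stat1):
    """Kernel-side UDP loss and CPU steal over the same interval."""
    u0, u1 = parse_udp(snmp0), parse_udp(snmp1)
    delta = {k: u1[k] - u0[k] for k in u1 if k in u0}
    # Assumption: offered load ~= delivered datagrams + receive errors.
    offered = delta["InDatagrams"] + delta["InErrors"]
    (s0, t0), (s1, t1) = parse_cpu(stat0), parse_cpu(stat1)
    return {
        "rcvbuf_drops": delta.get("RcvbufErrors", 0),
        "loss_pct": round(100 * delta["InErrors"] / offered, 2) if offered else 0.0,
        "steal_pct": round(100 * (s1 - s0) / (t1 - t0), 2) if t1 > t0 else 0.0,
    }


if __name__ == "__main__":
    print(interval_report(SNMP_T0, SNMP_T1, STAT_T0, STAT_T1))
```

On a live host, pass the contents of `/proc/net/snmp` and `/proc/stat` read at the start and end of each sampling interval instead of the constructed strings.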