Vincent! Thanks much for confirming the issue and repeating the link to me. Well, the only _intended_ udp traffic to the system is syslog. Currently, the system is logging from a PIX on one GigE interface, and from a few servers plus a less active PIX on another GigE. We send the PIX logs, separately, to pipes. And log everything to file. # vmstat 5 4 kthr memory page disk faults cpu r b w swap free re mf pi po fr de sr s0 s1 s3 -- in sy cs us sy id 0 0 4 2793888 737144 34 5 232 2 1 0 0 0 3 0 0 124 18 107 11 9 80 0 0 36 2680456 673440 5 6 0 0 0 0 0 3 5 0 0 1897 15728 2516 9 15 76 0 0 36 2680456 673440 5 5 0 0 0 0 0 0 2 0 0 1612 13349 2268 10 10 80 0 0 36 2680456 673440 5 5 0 0 0 0 0 0 3 0 0 1854 15740 2520 13 15 73 # iostat 5 4 tty sd0 sd1 sd30 nfs1 cpu tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id 0 37 5 0 11 421 3 22 0 0 0 0 0 0 11 9 0 80 0 47 0 0 0 259 2 29 0 0 0 0 0 0 11 14 0 75 0 16 28 4 17 334 5 25 0 0 0 0 0 0 15 16 1 69 0 16 2 0 10 293 2 40 0 0 0 0 0 0 11 11 0 78 At: ndd /dev/udp udp_max_buf 33554432 (32Mb!) We have these time/counter readings for udpInOverflows: 00 - 645628929 33 - 645630391 96 - 645632008 Or, about 1924 packets/minute lost. At udp_max_buf 64Mb (!!!), 2713 packets/minute lost. I am FAR from out of memory 700Mb free. 1) Am I reading that loss right?? 2) Any tips from Solaris/syslog-ng tuners would be appreciated! Kim On Mar 6, 2006, at 8:49 AM, syslog-ng-request@lists.balabit.hu wrote:
Le Mon Mar 6 07:45:39 2006, Cary, Kim a ecrit: | Syslog-ng 1.6.4 on Solaris 9: | | IPv4 | udpInOverflows =640473547 | | UDP | udpInDatagrams =409687632 udpInErrors = 0 | udpOutDatagrams =466811 udpOutErrors = 0 | | Does the udpInOverflows indicate I'm losing packets?
Yes, as mentioned in this link http://www.29west.com/docs/THPM/udp-buffer-sizing.html given today by Mike, it means that some udp packets could not be inserted in the sockets buffers.
Be careful, it means you are losing udp packets, not only syslog packets...
Vincent.