Actually, I did more research on this and found that two separate people back in 2007 had this same problem on the mailing list. See threads "Lost packets; UDP Checksum (chksum) errors; forwarding - source spoofing; libnet bug" as well as "Forwarding + Spoofing = Errors & Dropped Packets?"

I believe I've definitively proven the problem to be invalid UDP checksums sent by libnet 1.1.2.1 as indicated in the first thread by Marvin Nipper. Further research shows that there is a Linux kernel-level setting that can act as a workaround by setting the socket option SO_NO_CHECK, which disables checksum verifications.

So, either Syslog-NG needs to incorporate a newer, fixed libnet version (it was indicated that it did not compile using 1.1.3 Beta), or a socket option for receiving needs to be set or made as an available option to set like the receive buffer.

On Mon, Jun 28, 2010 at 1:40 PM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Hi,
I think it will be a UDP kernel buffer problem (and not syslog problem), see the earlier thread of "[syslog-ng] Tests using loggen - not receiving all the packets" in this mail list.
On 2010.06.28. 20:21, Martin Holste wrote:
I'm finding that with a destination of udp("10.x.x.x", port(514) spoof_source(yes)) about half of messages get lost when going from one syslog-ng host to another at a high message rate (> 3k/sec). This is on 3.1 OSE and the hosts are on the same subnet and switch, so there shouldn't be any network devices interfering. Has anyone else had this same issue? My hunch is that it's either a performance issue with the way the libnet (I'm using 1.1.2.1 on SuSE 10.2) API is implemented or it's an issue within the libnet API. Has anyone else noticed performance problems when using spoof_source?
-- pzolee
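
Added example, not part of the original thread and not syslog-ng or libnet code: a checker for the UDP checksum (RFC 768) that can be run over captured datagrams to confirm whether forwarded packets carry an invalid checksum like the one the thread blames for the drops. The checksum covers an IPv4 pseudo-header that includes the source address, so it must match the address actually on the wire; the addresses, ports and payload below are constructed sample values, and the mismatch shown is an illustration, not a reproduction of the libnet defect.

```python
import socket
import struct

def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"                      # pad to a 16-bit boundary
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP header (checksum zeroed) + payload."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~_ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                    # 0 on the wire means "no checksum"

def check_datagram(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Classify a UDP segment (header + payload) as seen with these IP addresses."""
    if len(segment) < 8:
        return "truncated"
    _sport, _dport, length, wire = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        return "bad-length"
    if wire == 0:
        return "no-checksum"                 # sender opted out (allowed over IPv4)
    return "valid" if wire == udp_checksum(src_ip, dst_ip, segment) else "invalid"

def build_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Helper for the demo: build a UDP segment with a correct checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload

if __name__ == "__main__":
    # Constructed sample: documentation addresses, not taken from the thread.
    origin, relay, collector = "192.0.2.10", "198.51.100.5", "203.0.113.20"
    seg = build_segment(origin, collector, 514, 514, b"<13>test message")
    print("checksum built for on-wire source:", check_datagram(origin, collector, seg))
    # Same bytes, but checked against a different source address than the
    # one the checksum was computed for: the receiver sees it as invalid.
    print("checksum built for another source:", check_datagram(relay, collector, seg))
```

On a Linux receiver, datagrams that fail this check are counted under `InCsumErrors`/`InErrors` in the `Udp:` line of `/proc/net/snmp`, which helps separate checksum drops from receive-buffer drops (`RcvbufErrors`).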