Hi,

On Mon, Jun 5, 2023, 22:16 Johnson, Linwood <linwood.johnson@dowjones.com> wrote:
I get the following when I check
[root@server1~]# syslog-ng
 WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
The kernel refused to set the receive buffer (SO_RCVBUF) to the requested size, you probably need to adjust buffer related kernel parameters; so_rcvbuf='536870912', so_rcvbuf_set='425984'

[root@ server1~]# sysctl -a |grep rmem_max
net.core.rmem_max = 212992
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ server1 ~]# sysctl -a |grep vbuf
net.ipv4.tcp_moderate_rcvbuf = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.sctp.rcvbuf_policy = 0
[root@ server1~ ]# cat /proc/sys/net/ipv4/tcp_rmem
4096    87380   6291456
[root@ server1~ ]# cat /proc/sys/net/core/rmem_default
212992
[root@ server1~ ]# cat /proc/sys/net/core/rmem_max
212992
[root@ server1~ ]# grep . /proc/sys/net/ipv4/tcp*mem
/proc/sys/net/ipv4/tcp_mem:173202       230936  346404
/proc/sys/net/ipv4/tcp_rmem:4096        87380   6291456
/proc/sys/net/ipv4/tcp_wmem:4096        16384   4194304
[root@ server1~ hisotry]#

I attempted to make the changes on the server.
What can I do to resolve this issue?


The receive buffer parameter is critical for UDP based traffic, not for TCP.

You need to bump /proc/sys/net/core/rmem_max which enables the use of larger receive buffers.

Also, you might want to read these blog posts:

https://axoflow.com/syslog-over-udp-message-loss-1/

and


https://axoflow.com/syslog-over-udp-kernel-syslog-ng-tuning-avoid-losing-messages/

Also, we added the capability of tracking per-port UDP message loss in syslog-ng 4.2, e.g:

syslogng_socket_receive_dropped_packets_total

For more info on 4.2 and some more metrics:

https://axoflow.com/axosyslog-release-4-2/

The new metrics were added along with a new interface to syslog-ng stats that makes it easier to integrate it with the new generation of monitoring tools (e.g. the prometheus stack).

Hope this helps. You are welcome in our discord channel, should you have more questions, here:

https://discord.gg/E65kP9aZGm

A number of syslog-ng devs/axoflow folks lurk there, who made all of the above a reality.

Bazsi