On Apr 15, 2011, at 2:01 PM, Mishou Michael wrote:
> I left out the resources I have to work with on this system, and how bad/good things are with syslog-ng running (and dropping); I'll include those now. As you can see, it's an older server, but it has a ton of RAM and the CPUs should have enough pop for this I think.
Hi Mishou,

I battled this fight for quite a long time when I built a syslog server using syslog-ng on Solaris 10 running on a Sun Fire V210 (dual 1.5GHz US-IIIi processors, 4GB memory). This syslog server is being used to collect the immense amount of Cisco firewall messages (in the neighborhood of 14000 messages per second).

At first I tried to fiddle around with the UDP buffers in the system and the so_rcvbuf setting in syslog-ng.conf but to no avail. Any increase of the buffer would just delay the time when UDP packets were starting to drop again.

I then found an old Sun x86 server (a V60x) lying around (dual Xeon 3GHz, 6GB memory) and replaced the V210 with it, suspecting that even my very simple syslog-ng configuration (no filters or anything) just overwhelms the V210. That did the trick. It was just a matter of processing power.

Not sure if this applies to your situation but it kind of has the same smell to it.

Hope this helps a bit.

- Michael