Just in case:
If the firewall is a Cisco PIX you might want to reconsider. If the PIX loses its ability to send TCP messages to its loghost then it denies all traffic until loghost connectivity is restored.
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Cary, Kim
Sent: Tuesday, March 14, 2006 12:30 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] solaris UDP loss
Finally got around to reading the docs and applying the recommendations.
FIRST - thanks much!
NOW - my results:
# ndd /dev/udp udp_recv_hiwat
65536
# ndd /dev/udp udp_max_buf
1073741824
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:16
udpInCksumErrs = 0 udpInOverflows =677996405
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:19
udpInCksumErrs = 0 udpInOverflows =677996571
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:22
udpInCksumErrs = 0 udpInOverflows =677996726
I'm pretty sure this is just the Firewall sending more than 55M lines
of connection/deny logs over UDP.
IF I was to switch the FW over to TCP logging from UDP, would this be a
better solution?
BTW, here are a few words from syslog-ng:
Mar 14 09:32:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 09:42:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 09:52:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:02:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:04:53 syslog-ng[20685]: Garbage collecting while busy...
Mar 14 10:04:58 syslog-ng[20685]: Objects alive: 310, garbage collected: 2999695
Mar 14 10:12:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:16:22 syslog-ng[20685]: Garbage collecting while idle...
Mar 14 10:16:24 syslog-ng[20685]: Objects alive: 318, garbage collected: 1129970
Mar 14 10:22:32 syslog-ng[20685]: STATS: dropped 0
and its config:
source s_udp_inetpix {
    udp(ip(192.168.0.1));
};
On Mar 7, 2006, at 3:01 PM, syslog-ng-request@lists.balabit.hu wrote:
| 1) Am I reading that loss right??
Probably, you might however want to snoop on the interface to see what kind of udp packets come on your interface.
| 2) Any tips from Solaris/syslog-ng tuners would be appreciated!
udp_max_buf does not set the queue length of the udp socket, which by the way can have a different value for each socket...
You could have a look at:
http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1
basically: increasing udp_max_buf without increasing udp_recv_hiwat has no meaning. Furthermore, you can increase your socket buffer that way up to 64k (Solaris 8 & 9), if you want to increase it further up you must use the setsockopt call (up to udp_max_buf which has a maximum value of 1GB).
Here is the official SUN documentation regarding this:
http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag
Now regarding your packet loss issue. I would increase
udp_recv_hiwat -> 65536
udp_max_buf -> 1073741824 (you will never get here anyway)
Then I would try to play with syslog-ng config: log_fifo_size, log_iw_size and log_fetch_limit. But here I'd appreciate a syslog-ng expert to step in and tell us what to do more precisely.
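Added example, not part of the thread: a Python sketch that turns the three `date ; netstat -s | grep udpInOverflows` samples quoted above into a per-second drop rate, so the kernel-side loss can be set beside the syslog-ng `STATS: dropped` lines. The function names are hypothetical, and the year 2006 is taken from the Sent: header.

```python
import re
from datetime import datetime

# Constructed input: the three samples from the thread, re-typed with
# one netstat line per sample.
SAMPLES = """\
Tue Mar 14 10:15:16
udpInCksumErrs = 0 udpInOverflows =677996405
Tue Mar 14 10:15:19
udpInCksumErrs = 0 udpInOverflows =677996571
Tue Mar 14 10:15:22
udpInCksumErrs = 0 udpInOverflows =677996726
"""

STAMP = re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d)")
COUNTER = re.compile(r"udpInOverflows\s*=\s*(\d+)")

def parse_samples(text, year=2006):
    """Pair each `date` line with the udpInOverflows value that follows it."""
    samples, when = [], None
    for line in text.splitlines():
        line = line.strip()
        m = STAMP.match(line)
        if m:
            # The date output carries no year; supply one (assumption: 2006).
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            continue
        m = COUNTER.search(line)
        if m and when is not None:
            samples.append((when, int(m.group(1))))
            when = None  # a counter without a fresh timestamp is ignored
    return samples

def overflow_rates(samples):
    """Datagrams dropped per second for each interval between samples."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        secs = (t1 - t0).total_seconds()
        if secs <= 0 or c1 < c0:
            continue  # clock stepped back or counter reset: skip the interval
        rates.append((c1 - c0) / secs)
    return rates

if __name__ == "__main__":
    for rate in overflow_rates(parse_samples(SAMPLES)):
        print(f"{rate:.1f} datagrams/s dropped at the UDP receive buffer")
```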