Thanks to Mike for the tip on checking whether we're having problems taking on our UDP data from our solaris 9 syslog server. On Jun 1, 2005, at 1:52 PM, syslog-ng-request@lists.balabit.hu wrote:

For Solaris: netstat -s -P udp I am pretty sure that "udpInErrors" will represent packets dropped from teh UDP buffer, but am unsure..

I don't think I would use syslog over TCP from a PIX for the exact reason you said..the PIX will stop until the syslog server is ready..instead, maybe just increase your UDP buffer size. Depending on what else your syslog server is doing..crank it up to 64MBytes or more..RAM is pretty cheap.

Here's what it looks like (uptime like 2 days): netstat -s -P udp UDP udpInDatagrams =101638801 udpInErrors = 0 udpOutDatagrams = 8151 udpOutErrors = 0 ndd -get /dev/udp udp_max_buf 262144 ndd -get /dev/udp udp_recv_hiwat 8192 Since this system will only get more logs sent to it, I think increasing these parameters might be good. On consultation with: http://docs.sun.com/app/docs/doc/806-7009/6jftnqskc?a=view ndd -set /dev/udp udp_recv_hiwat 65536 ndd -get /dev/udp udp_max_buf 524288 And I'm considering adding these to startup. However, I'm wondering, since apps can set their own buffers, should I even worry about this? I'm not enough of a C reader to find this out from the source code. Does syslog-ng accept the defaults or set its own buffers? Am I on the right track here? The implementation seems very solid so far, just planning for the future. Kim (thanks to Bill for his test idea as well)