there are many udp packet receive errors
Eenvironment :
under linux
1 central log-collecting server.syslog-ng
2 client: syslog sending logs to central log-collecting server. The syslog-ng server configuration:
options { use_dns(no); create_dirs(yes);ts_format(iso); };
source src { udp(ip(0.0.0.0) port(514)); };
filter f_kern { facility(kern); };
filter f_authpriv { facility(auth,authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_boot { facility(local7); };
filter f_spooler { facility(uucp, news) and level(crit..emerg); };
filter f_messages { level(info..emerg) and not facility(authpriv, cron, mail); };
destination kern { file("/home/syslog-ng/$YEAR/$HOST/kernel-$MONTH"); };
destination authpriv { file("/home/syslog-ng/$YEAR/$HOST/secure-$MONTH"); };
destination mail { file("/home/syslog-ng/$YEAR/$HOST/maillog-$MONTH"); };
destination cron { file("/home/syslog-ng/$YEAR/$HOST/cron-$MONTH"); };
destination boot{ file("/home/syslog-ng/$YEAR/$HOST/boot.log-$MONTH"); };
destination spooler { file("/home/syslog-ng/$YEAR/$HOST/spooler-$MONTH"); };
destination messages { file("/home/syslog-ng/$YEAR/$HOST/messages-$MONTH"); };
log { source(src); filter(f_kern); destination(kern); };>
log { source(src); filter(f_authpriv); destination(authpriv); };>
log { source(src); filter(f_mail); destination(mail); };>
log { source(src); filter(f_cron); destination(cron); };>
log { source(src); filter(f_boot); destination(boot); };>
log { source(src); filter(f_spooler); destination(spooler); };
log { source(src); filter(f_messages); destination(messages); };>
QUESTION: I used the syslog-ng to collect logs from about 1000 clients,while there are many udp packets receive erros: # netstat -su # Udp: 41200545 packets received 0 packets to unknown port received. 410733273 packet receive errors 21311935 packets sent I think it means many log sending by the client are not received by syslog-ng successfully, How can I resolve this problems?
On Thu, Sep 20, 2007 at 03:31:27PM +0800, liuruihong wrote:
410733273 packet receive errors
21311935 packets sent
I think it means many log sending by the client are not received by syslog-ng successfully,
How can I resolve this problems?
Avoid UDP. If you can't - read this: http://www.29west.com/docs/THPM/udp-buffer-sizing.html -- Nate There are two ways to write error-free programs. Only the third one works. -Anon.
I have already read the page : http://www.29west.com/docs/THPM/udp-buffer-sizing.html sysctl -w net.core.rmem_max=8388608 use the above command to change the udp buffer size, but I don`t know the appropriate udp buffer size,can anyony tell me how to determing the appropriate udp buffer size? -----邮件原件----- 发件人: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] 代表 Nate Campi 发送时间: 2007年9月20日 22:18 收件人: Syslog-ng users' and developers' mailing list 主题: Re: [syslog-ng] there are many udp packet receive errors On Thu, Sep 20, 2007 at 03:31:27PM +0800, liuruihong wrote:
410733273 packet receive errors
21311935 packets sent
I think it means many log sending by the client are not received by syslog-ng successfully,
How can I resolve this problems?
Avoid UDP. If you can't - read this: http://www.29west.com/docs/THPM/udp-buffer-sizing.html -- Nate There are two ways to write error-free programs. Only the third one works. -Anon. _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Fri, 2007-09-21 at 12:19 +0800, liuruihong wrote:
I have already read the page : http://www.29west.com/docs/THPM/udp-buffer-sizing.html sysctl -w net.core.rmem_max=8388608 use the above command to change the udp buffer size, but I don`t know the appropriate udp buffer size,can anyony tell me how to determing the appropriate udp buffer size?
There are no definite answers for this question, it is a matter of sizing based on your environment. If you already know the message rate, the average message size, then I would size the UDP buffer to have space for about 1-5 seconds worth of messages. -- Bazsi
I see ,I will do it as your suggestion, Thanks:) -----邮件原件----- 发件人: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] 代表 Balazs Scheidler 发送时间: 2007年9月21日 14:13 收件人: Syslog-ng users' and developers' mailing list 主题: Re: [syslog-ng] 答复: there are many udp packet receive errors On Fri, 2007-09-21 at 12:19 +0800, liuruihong wrote:
I have already read the page : http://www.29west.com/docs/THPM/udp-buffer-sizing.html sysctl -w net.core.rmem_max=8388608 use the above command to change the udp buffer size, but I don`t know the appropriate udp buffer size,can anyony tell me how to determing the appropriate udp buffer size?
There are no definite answers for this question, it is a matter of sizing based on your environment. If you already know the message rate, the average message size, then I would size the UDP buffer to have space for about 1-5 seconds worth of messages. -- Bazsi _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
participants (3)
-
Balazs Scheidler
-
liuruihong
-
Nate Campi