Greg, I had 'messages being dropped' issue recently on rhel4 and sol8 hosts. since you are using rhl.. 'netstat -ucs' was reporting 500-2000 packet receive errors per second. after making a few adjustments it has dropped to 0. my sysctl.conf is similar to yours, except for: net.core.rmem_default = 16777216 net.core.wmem_default = 16777216 * values mentioned worked for me, your mileage may vary. in my syslog-ng.conf file, I adjusted the source: (may be unnecessary since I use the default as set by sysctl (above), but for documentation sake) source abs_udp514 { udp(ip(0.0.0.0) port(514) so_rcvbuf(16777216)); }; set the log_fifo_size destination abd_sec { program( "/opt/sec/2.3.3/sec.pl -input=\"-\" -conf=/opt/sec/etc/sec.conf" template("$MONTH$DAY $UNIXTIME $HOST $MSG\n") log_fifo_size(8192) ); }; did something similar for my file destinations. and then add flow-control log { source(abs_udp514); filter(abf_postfix); destination(abd_sec); flags(flow-control); }; # netstat -ucs Udp: 1067529425 packets received 9835593 packets to unknown port received. 27851339 packet receive errors 772843529 packets sent Udp: 1067529464 packets received 9835593 packets to unknown port received. 27851339 packet receive errors 772843549 packets sent ------------------------------ Message: 3 Date: Tue, 22 Aug 2006 08:04:38 -0500 From: "King, John (Greg) (LMIT-HOU)" <Greg.King@lmit.com> Subject: [syslog-ng] Performance tuning questions To: <syslog-ng@lists.balabit.hu> Message-ID: <7E0DB88FB5A5C04AAB0A06E72D58B2B4026053AF@lmit-mb01-hou.SERVICE.lmit.com> Content-Type: text/plain; charset="us-ascii" I am currently using the stock syslog daemon from RedHat but it appears to not be able to keep up so I am looking at syslog-ng to improve things. The data below is to provide a baseline of what I am currently seeing and what I have attempted to do. Then if anyone would let me know if syslog-ng would be able to improve the performance and what measures I can take to achieve the improved performance that would be great. Logs have to be rotated each hour due to the amount of traffic. On average I am successfully logging 25,888 events per minute. That goes higher during the early morning login times. I have set the following sysctl params: net.core.rmem_max = 33554432 net.core.wmem_max = 33554432 net.core.rmem_default = 65536 net.core.wmem_default = 65536 net.ipv4.tcp_rmem = 4096 87380 33554432 net.ipv4.tcp_wmem = 4096 65536 33554432 net.ipv4.tcp_mem = 33554432 33554432 33554432 Netstat -su shows what might be data loss: Udp: 131725715 packets received 16642 packets to unknown port received. 4859684 packet receive errors 31571 packets sent The information transmitted (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is intended only for the person(s) or entity/entities to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient(s) is prohibited. If you received this in error, please contact the sender and delete the material from any computer.