[syslog-ng] Losing 25% of messages using UDP
Balazs Scheidler
syslog-ng@lists.balabit.hu
Tue, 8 Apr 2003 13:18:16 +0200
On Mon, Apr 07, 2003 at 04:02:04PM -0700, Bill Graham wrote:
> I have syslog-ng-1.6.0rc1 compiled on Solaris 9 and I intend to use
> the system as a central log server and I need to log every message that
> makes it to the system. I am testing it out with Kiwi Syslog Message
> generator with bursts of 100 messages every 10 seconds. Syslog-ng is
> only logging about 20-25% of the messages. I have verified that the
> messages are getting to the system. Is there some additional tuning
> that I have to do to get this to work? Here is a copy of my syslog-ng:
> options { use_fqdn(yes);
> keep_hostname(yes);
> use_dns(no);
> long_hostnames(off);
> sync(0);
> gc_idle_threshold(5000);
> gc_busy_threshold(1000);
> log_fifo_size(10240); };
>
> source local { sun-streams("/dev/log" door("/etc/.syslog_door"));
> internal(); };
> source network { udp();};
>
> destination all { file("/var/log/messages"); };
> log { source(local); destination(all); };
> log { source(network); destination(all); };

UDP messages might be dropped at several places:
* at the sender side (please check that messages are indeed sent to the
  network)
* on the network itself (this is not common, only when the link is
  saturated)
* on the receiver side if the receiving program does not issue recv()
  requests fast enough.

You can use netstat to check buffer space and/or truss to check whether
syslog-ng really receives messages. You have to identify the point where you
are losing messages because syslog-ng is probably not the culprit.
--
Bazsi
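
Added example, not part of the original thread: a loopback reproduction of the receiver-side case from the reply, where the sender's calls all succeed but the kernel discards datagrams once the socket receive buffer is full. The names run_burst and _drain, the 1024-byte payload and the 2048-byte buffer request are assumptions made for this illustration.

```python
import socket

BURST = 100                                   # the thread's test: bursts of 100 messages
PAYLOAD = b"<13>constructed test message ".ljust(1024, b"x")   # constructed datagram


def _drain(sock, limit):
    """Read up to `limit` datagrams; stop early when the queue stays empty."""
    count = 0
    try:
        while count < limit:
            sock.recv(2048)
            count += 1
    except socket.timeout:
        pass
    return count


def run_burst(rcvbuf, reader_keeps_up):
    """Send BURST datagrams over loopback and return (sent, received)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Request a small receive buffer; the kernel may round the value up.
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    rx.bind(("127.0.0.1", 0))                 # loopback only, ephemeral port
    rx.settimeout(0.5)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = received = 0
    try:
        for _ in range(BURST):
            tx.sendto(PAYLOAD, rx.getsockname())   # returns OK even if dropped later
            sent += 1
            if reader_keeps_up:
                received += _drain(rx, 1)     # recv() issued before the next arrival
        if not reader_keeps_up:
            received = _drain(rx, BURST)      # reader only wakes up after the burst
        return sent, received
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    for keeps_up in (True, False):
        sent, received = run_burst(2048, keeps_up)
        print(f"reader_keeps_up={keeps_up}: sent={sent} received={received}")
```

Both runs look identical from the sending side, which is why the loss has to be located with counters and traces on the receiving host.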