[syslog-ng]Losing 25% of messages using UDP

Bill Graham syslog-ng@lists.balabit.hu
Tue, 08 Apr 2003 16:03:36 -0700 

Balazs Scheidler wrote:

>On Mon, Apr 07, 2003 at 04:02:04PM -0700, Bill Graham wrote:
>  
>
>>I have syslog-ng-1.6.0rc1 compiled on Solaris 9 and I am intend to use
>>the system as a central log server and I need to log every message that
>>makes it to the system.  I am testing it out with Kiwi Syslog Message
>>generator with bursts of 100 messages every 10 seconds.  Syslog-ng is
>>only logging about 20-25% of the messages.  I have verified that the
>>messages are getting to the system.  Is there some additional tuning
>>that I have to do to get this to work.  Here is a copy of  my syslog-ng:
>>options { use_fqdn(yes);
>>         keep_hostname(yes);
>>         use_dns(no);
>>         long_hostnames(off);
>>         sync(0);
>>         gc_idle_threshold(5000);
>>         gc_busy_threshold(1000);
>>         log_fifo_size(10240); };
>>
>>source local { sun-streams("/dev/log" door("/etc/.syslog_door"));
>>internal(); };
>>source network { udp();};
>>
>>destination all { file("/var/log/messages"); };
>>log { source(local); destination(all); };
>>log { source(network); destination(all); };
>>    
>>
>
>UDP messages might be dropped at several places:
>
>* at the sender side (please check that messages are indeed sent to the
>  network)
>* on the network itself (this is not common, only when the link is
>  saturated)
>* on the receiver side if the receiving program does not issue recv()
>  requests fast enough. 
>
>You can use netstat to check buffer space and/or truss to check whether
>syslog-ng really receives messages. You have to identify the point where you
>are losing messages because syslog-ng is probably not the culprit.
>  
>
Ok, I have checked to see if all of the messages are being sent over the 
network from the source.  I have also checked the receiving end to see 
if all of the connections are getting to this system.  I used the snoop 
command to find this out.  When I sent a burst of  100 messages I saw 
100 connections from the source system.  When I did a truss of the 
syslog-ng process I only saw around 75 recvfrom()'s.  It looks like the 
third option is what is happening.  Is there a way to speed up the 
issuing of recv()'s?

Bill