[syslog-ng]Losing 25% of messages using UDP

Balazs Scheidler syslog-ng@lists.balabit.hu
Thu, 10 Apr 2003 09:27:50 +0200


On Tue, Apr 08, 2003 at 04:03:36PM -0700, Bill Graham wrote:
> Ok, I have checked to see if all of the messages are being sent over the 
> network from the source.  I have also checked the receiving end to see 
> if all of the connections are getting to this system.  I used the snoop 
> command to find this out.  When I sent a burst of  100 messages I saw 
> 100 connections from the source system.  When I did a truss of the 
> syslog-ng process I only saw around 75 recvfrom()'s.  It looks like the 
> third option is what is happening.  Is there a way to speed up the 
> issuing of recv()'s?

syslog-ng uses a poll() loop to check whether a given source (e.g. UDP
socket) is readable and once it is, it issues one single recvfrom() and then
returns to the mainloop.

So your host is not fast enough to keep up with the message rate (at least
not when using one message/poll loop)

The following options are available:
1) upgrade the hw
2) increase the default UDP sockbuf size to keep up with bursts
3) implement issuing several recvfrom() when poll() indicates readability

The 3) option involves adding a loop in sources.c:do_read_line() function
which would call recvfrom() as long as it returns that nothing is available.
Maybe an upper limit to avoid starving other sources would be needed (say
read until anything is available but no more than 10 messages)

-- 
Bazsi
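
Added example, not part of the original message and not syslog-ng's own code: a sketch of options 2) and 3) above, enlarging the UDP receive buffer and issuing up to a fixed number of recvfrom() calls per poll() wakeup. The names set_rcvbuf, service_once and loopback_burst are hypothetical, and the loopback traffic is constructed test input.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
/* Option 2: request a bigger receive buffer; returns the size the kernel granted. */
int set_rcvbuf(int fd, int bytes) {
    socklen_t len = sizeof(bytes);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, sizeof(bytes)) < 0) return -1;
    return getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, &len) < 0 ? -1 : bytes;
}

/* Option 3: one main-loop pass. Once poll() reports readability, call
 * recvfrom() until the queue is empty or max_msgs is reached, so a busy
 * source cannot starve the others. fd must be non-blocking. */
int service_once(int fd, int max_msgs, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    char buf[2048];
    int n = 0;
    if (poll(&p, 1, timeout_ms) <= 0 || !(p.revents & POLLIN)) return 0;
    while (n < max_msgs) {
        ssize_t r = recvfrom(fd, buf, sizeof(buf), 0, NULL, NULL);
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) break;   /* EAGAIN/EWOULDBLOCK: nothing left to read */
        n++;                /* a daemon would pass buf[0..r) to its parser here */
    }
    return n;
}

/* Constructed fixture: non-blocking receiver on 127.0.0.1, `count` datagrams sent to it. */
int loopback_burst(int count) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof(a);
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&a, sizeof(a)) < 0) return -1;
    getsockname(rx, (struct sockaddr *)&a, &alen);   /* learn the ephemeral port */
    fcntl(rx, F_SETFL, fcntl(rx, F_GETFL) | O_NONBLOCK);
    for (int i = 0; i < count; i++)
        sendto(tx, "<13>test", 8, 0, (struct sockaddr *)&a, sizeof(a));
    close(tx);
    return rx;
}
int main(void) {
    int rx = loopback_burst(25), n;   /* 25 datagrams, cap of 10 per pass */
    while ((n = service_once(rx, 10, 100)) > 0) printf("pass read %d\n", n);
    return 0;
}
```

With a cap of 10, a burst of 25 queued datagrams is consumed in three passes instead of 25, and anything beyond what the socket buffer holds is still dropped by the kernel before the daemon sees it.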