[syslog-ng]Losing 25% of messages using UDP
Bill Graham
syslog-ng@lists.balabit.hu
Thu, 10 Apr 2003 18:49:56 -0700
Balazs Scheidler wrote:
>On Tue, Apr 08, 2003 at 04:03:36PM -0700, Bill Graham wrote:
>
>
>>Ok, I have checked to see if all of the messages are being sent over the
>>network from the source. I have also checked the receiving end to see
>>if all of the connections are getting to this system. I used the snoop
>>command to find this out. When I sent a burst of 100 messages I saw
>>100 connections from the source system. When I did a truss of the
>>syslog-ng process I only saw around 75 recvfrom()'s. It looks like the
>>third option is what is happening. Is there a way to speed up the
>>issuing of recv()'s?
>>
>>
>
>syslog-ng uses a poll() loop to check whether a given source (e.g. UDP
>socket) is readable and once it is, it issues one single recvfrom() and then
>returns to the mainloop.
>
>So your host is not fast enough to keep up with the message rate (at least
>not when using one message/poll loop)
>
>The following options are available:
>1) upgrade the hw
>2) increase the default UDP sockbuf size to keep up with bursts
>3) implementat issuing several recvfrom() when poll() indicates readability
>
>The 3) option involves adding a loop in sources.c:do_read_line() function
>which would call recvfrom() as long as it returns that nothing is available.
>Maybe an upper limit to avoid starving other sources would be needed (say
>read until anything is available but no more than 10 messages)
>
I increased my default UDP sockbuf and it seems to have solved the problem.