[syslog-ng] Dropping UDP logs - need ideas

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 22 Sep 2003 20:10:49 +0200


On Mon, Sep 22, 2003 at 10:37:13AM -0600, Wayne Sweatt wrote:
> Here's the sad part: I tested with the old syslogd, and it logged only 73%
> of the UDP logs. (Had one entry, plus a "repeated 72 times" line)
> So it looks like a system problem, just not sure where it is.
> I tried upping the sync(), and it didn't seem to help either. I have the
> /var partition on its own 10K SCSI drive, so I doubt it's a disk I/O issue
> - iostat looks ok too.
> I tried turning the use_dns() on/off too. It doesn't even log with it off, I
> guess because I have the dns_cache on which must conflict.(?)
> I have plenty of memory and swap.
> Actually I've got the system JASS'ed out, so I'm not running much of anything
> process-wise, except Syslog-ng.
> Any debugging suggestions?

Probably syslog-ng (e.g. your CPU) is not fast enough to fetch messages from
the receive buffer. Increasing the UDP receive buffer could help you to a
point, but if the incoming rate is higher than the rate syslog-ng is
processing traffic there's nothing you could do.

Does your CPU have idle time in vmstat? Another possibility is that
syslog-ng is waiting for something and this slows down processing. I don't
know if truss is able to print timestamps to system calls, strace on Linux
can do this and might help you to debug what makes syslog-ng wait.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
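
Added example, not part of the original message or of syslog-ng: a discrete-time model of the reply's point that a larger UDP receive buffer absorbs bursts but cannot help once the sustained arrival rate exceeds the rate at which the daemon reads. All rates, buffer sizes and traffic patterns are constructed, and buffer capacity is counted in messages rather than bytes as a simplifying assumption.

```python
def simulate(arrivals, service_rate, buffer_msgs):
    """Model a UDP receive buffer drained by a log daemon.

    arrivals     -- messages arriving in each tick (list of ints)
    service_rate -- messages the daemon can read per tick
    buffer_msgs  -- buffer capacity, in messages (assumption: real
                    socket buffers are sized in bytes)
    Returns (received, dropped).
    """
    queued = received = dropped = 0
    for n in arrivals:
        # The kernel queues what fits; the excess is discarded silently,
        # which is why the daemon itself never sees an error.
        accepted = min(n, buffer_msgs - queued)
        dropped += n - accepted
        queued += accepted
        # The daemon drains at most service_rate messages this tick.
        done = min(queued, service_rate)
        queued -= done
        received += done
    # Whatever is still queued is read once traffic stops.
    return received + queued, dropped


def drop_ratio(arrivals, service_rate, buffer_msgs):
    received, dropped = simulate(arrivals, service_rate, buffer_msgs)
    total = received + dropped
    return dropped / total if total else 0.0


# Constructed traffic. The daemon reads 100 msgs/tick in both cases.
BURST = ([500] + [0] * 9) * 10   # average 50/tick, peaks of 500
SUSTAINED = [150] * 1000         # constantly 50/tick above capacity

if __name__ == "__main__":
    for name, traffic in (("burst", BURST), ("sustained", SUSTAINED)):
        for buf in (100, 500, 10000):
            print(f"{name:9s} buffer={buf:5d} "
                  f"dropped={drop_ratio(traffic, 100, buf):.1%}")
```

In the sustained case the large buffer only delays the first drop; once it fills, the loss per tick is the same as with the small one, and that is the situation in which idle CPU time in vmstat or syscall timestamps become the more useful measurement.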