[syslog-ng] Re: Assessing reliability - did we get all messages?

[Cary, Kim]

Thanks to Mike for the tip on checking whether we're having problems 
taking
on our UDP data from our solaris 9 syslog server.

On Jun 1, 2005, at 1:52 PM, syslog-ng-request at lists.balabit.hu wrote:
> For Solaris:
> netstat -s -P udp
> I am pretty sure that "udpInErrors" will represent packets dropped from
> teh UDP buffer, but am unsure..
>
> I don't think I would use syslog over TCP from a PIX for the exact 
> reason
> you said..the PIX will stop until the syslog server is ready..instead,
> maybe just increase your UDP buffer size. Depending on what else your
> syslog server is doing..crank it up to 64MBytes or more..RAM is pretty
> cheap.

Here's what it looks like (uptime like 2 days):

	netstat -s -P udp

	UDP
         udpInDatagrams      =101638801  udpInErrors         =     0
         udpOutDatagrams     =  8151     udpOutErrors        =     0

  	ndd -get /dev/udp udp_max_buf
	262144

	ndd -get /dev/udp udp_recv_hiwat
	8192

Since this system will only get more logs sent to it, I think
increasing these parameters might be good.

On consultation with:
http://docs.sun.com/app/docs/doc/806-7009/6jftnqskc?a=view
	
	ndd -set /dev/udp udp_recv_hiwat 65536
  	ndd -get /dev/udp udp_max_buf 524288

And I'm considering adding these to startup. However, I'm wondering,
since apps can set their own buffers, should I even worry about this?

I'm not enough of a C reader to find this out from the source code.
Does syslog-ng accept the defaults or set its own buffers?
Am I on the right track here?

The implementation seems very solid so far, just planning for the 
future.

Kim

(thanks to Bill for his test idea as well)