[syslog-ng] Message loss (probably) within syslog-ng
Mike
mike at jeke.fdns.net
Mon Mar 6 14:07:51 CET 2006
Hey,
>
> Hi,
>
> This is a very good and interesting link for the generic tuning of the
> network stack. However what is says is how to set the udp max buffer
> size:
> # ndd /dev/udp udp_max_buf
> 1048576
> which according to
> http://docs.sun.com/app/docs/doc/806-6779/6jfmsfr8b?a=view sets the
> "maximum allowed buffer size for an udp socket", not the actual value.
>
> The default receive buffer size is set using the parameter
> udp_recv_hiwat which is currently set to its maximum value of 65536. To
> increase it the only way is the setsockopt syscall.
>
> Anyway I don't get that many udpInOverflows (a few everyday) but it does
> not explain the few thousand messages I miss in my logs files.
>
> Regards,
> Vincent.
hmmm. strange..on Linux it seems to use that max value without modifying
applications. I could be wrong tho.
options {
.
.
.
use_dns (yes);
dns_cache (yes);
dns_cache_size(3000);
use_fqdn (no); # utilisation du nom court de la machine
.
.
.
.
};
hmm..I am kinda wondering about the DNS usage now tho. I have never used
this feature before, but from what the docs say, syslog-ng will block on
DNS queries...can you tell if any of DNS queries are failing?
maybe you could add in some options here:
dns_cache_expire(n)
Number of seconds while a successful lookup is cached.
dns_cache_expire_failed(n)
Number of seconds while a failed lookup is cached.
but if syslog-ng blocks on DNS queries, I would imagine that you would see
your udpInOverflows value increase....
anyone know the default value of dns_cache_expire() off the top of your
heads?
I would have to admit that I am grabbing at straws now tho.
Mike
More information about the syslog-ng
mailing list