[syslog-ng] Message loss (probably) within syslog-ng

Mike mike at jeke.fdns.net
Mon Mar 6 14:07:51 CET 2006

> Hi,
> This is a very good and interesting link for the generic tuning of the
> network stack. However what is says is how to set the udp max buffer
> size:
> # ndd /dev/udp udp_max_buf
> 1048576
> which according to
> http://docs.sun.com/app/docs/doc/806-6779/6jfmsfr8b?a=view sets the
> "maximum allowed buffer size for an udp socket", not the actual value.
> The default receive buffer size is set using the parameter
> udp_recv_hiwat which is currently set to its maximum value of 65536. To
> increase it the only way is the setsockopt syscall.
> Anyway I don't get that many udpInOverflows (a few everyday) but it does
> not explain the few thousand messages I miss in my logs files.
> Regards,
> Vincent.

hmmm. strange..on Linux it seems to use that max value without modifying 
applications. I could be wrong tho.

options {
  use_dns (yes);
  dns_cache (yes);
  use_fqdn (no); # utilisation du nom court de la machine

hmm..I am kinda wondering about the DNS usage now tho. I have never used 
this feature before, but from what the docs say, syslog-ng will block on 
DNS queries...can you tell if any of DNS queries are failing?

maybe you could add in some options here:
            Number of seconds while a successful lookup is cached.

            Number of seconds while a failed lookup is cached.

but if syslog-ng blocks on DNS queries, I would imagine that you would see 
your udpInOverflows value increase....

anyone know the default value of dns_cache_expire() off the top of your 

I would have to admit that I am grabbing at straws now tho.


More information about the syslog-ng mailing list