[syslog-ng] Solaris syslog-ng tuning

Cary, Kim Kim.Cary at pepperdine.edu
Tue Mar 7 18:34:23 CET 2006


Vincent!

Thanks much for confirming the issue and repeating the link to me.

Well, the only _intended_ udp traffic to the system is syslog.
Currently, the system is logging from a PIX on one GigE interface,
and from a few servers plus a less active PIX on another GigE.

We send the PIX logs, separately, to pipes. And log everything to file.

# vmstat 5 4
kthr      memory            page            disk          faults       cpu
r b w   swap  free  re  mf pi po fr de sr s0 s1 s3 --   in   sy   cs  us sy id
0 0 4 2793888 737144 34  5 232 2  1  0  0  0  3  0  0  124   18  107  11  9 80
0 0 36 2680456 673440 5  6  0  0  0  0  0  3  5  0  0 1897 15728 2516  9 15 76
0 0 36 2680456 673440 5  5  0  0  0  0  0  0  2  0  0 1612 13349 2268  10 10 80
0 0 36 2680456 673440 5  5  0  0  0  0  0  0  3  0  0 1854 15740 2520  13 15 73

# iostat 5 4
    tty        sd0           sd1           sd30           nfs1           cpu
tin tout kps tps serv  kps tps serv  kps tps serv  kps tps serv   us  sy wt id
    0   37   5   0   11  421   3   22    0   0    0    0   0    0    11  9  0 80
    0   47   0   0    0  259   2   29    0   0    0    0   0    0    11 14  0 75
    0   16  28   4   17  334   5   25    0   0    0    0   0    0    15 16  1 69
    0   16   2   0   10  293   2   40    0   0    0    0   0    0    11 11  0 78

At: ndd  /dev/udp udp_max_buf 33554432 (32Mb!)

We have these time/counter readings for udpInOverflows:
00 -  645628929
33 -  645630391
96 -  645632008

Or, about 1924 packets/minute lost.

At udp_max_buf 64Mb (!!!), 2713 packets/minute lost.

I am FAR from out of memory: 700Mb free.

1) Am I reading that loss right??
2) Any tips from Solaris/syslog-ng tuners would be appreciated!

Kim


On Mar 6, 2006, at 8:49 AM, syslog-ng-request at lists.balabit.hu wrote:

> On Mon Mar  6 07:45:39 2006, Cary, Kim wrote:
> | Syslog-ng 1.6.4 on Solaris 9:
> |
> | IPv4
> |        udpInOverflows      =640473547
> |
> |  UDP
> |         udpInDatagrams      =409687632  udpInErrors         =     0
> |         udpOutDatagrams     =466811     udpOutErrors        =     0
> |
> | Does the udpInOverflows indicate I'm losing packets?
>
> Yes, as mentioned in this link
> http://www.29west.com/docs/THPM/udp-buffer-sizing.html given today by
> Mike, it means that some udp packets could not be inserted in the
> sockets buffers.
>
> Be careful, it means you are losing udp packets, not only syslog
> packets...
>
> Vincent.
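
The loss-rate reading asked about in question 1 can be reproduced mechanically. This shell sketch is an added example, not part of the original thread: it extracts udpInOverflows from `netstat -s` text in the layout quoted above and turns timestamped readings into packets lost per minute. It assumes the 00/33/96 readings are seconds; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the udpInOverflows value found in `netstat -s`-style text on stdin.
# Accepts both "name =123" and "name = 123" layouts, as seen in the thread.
udp_overflows() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "udpInOverflows") {
                v = $(i + 1); sub(/^=/, "", v)
                if (v == "") v = $(i + 2)
                print v; exit
            }
    }'
}

# Read "seconds counter" samples on stdin and print packets lost per minute
# (truncated to an integer). An interval where the counter goes backwards
# (reset or wrap) is skipped rather than guessed at.
loss_per_minute() {
    awk 'NF >= 2 {
        now = $1 + 0; cur = $2 + 0
        if (seen && cur >= c && now > t) { lost += cur - c; secs += now - t }
        t = now; c = cur; seen = 1
    }
    END { if (secs > 0) printf "%d\n", lost * 60 / secs; else print "n/a" }'
}

# Sample the live counter COUNT times, INTERVAL seconds apart.
# Timestamps are nominal: the run time of netstat itself is ignored.
sample_live() {
    n=$1; interval=$2; t=0
    while [ "$n" -gt 0 ]; do
        echo "$t $(netstat -s | udp_overflows)"
        n=$((n - 1)); t=$((t + interval))
        if [ "$n" -gt 0 ]; then sleep "$interval"; fi
    done
}

# The three readings from the message, taken as seconds (assumption).
printf '0 645628929\n33 645630391\n96 645632008\n' | loss_per_minute
```

On a live host, `sample_live 5 30 | loss_per_minute` gives the same figure over a two-minute window, which makes it easy to compare rates before and after changing udp_max_buf.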

