[syslog-ng] Solaris syslog-ng tuning

Vincent Haverlant vincent at haverlant.org
Tue Mar 7 22:45:01 CET 2006 

Le Tue Mar  7 09:34:23 2006, Cary, Kim a écrit:
| Vincent!
| 
| Thanks much for confirming the issue and repeating the link to me.
| 
| Well, the only _intended_ udp traffic to the system is syslog.
| Currently, the system is logging from a PIX on one GigE interface,
| and from a few servers plus a less active PIX on another GigE.
| 
| We send the PIX logs, separately, to pipes. And log everything to file.
| 
| # vmstat 5 4
| kthr      memory            page            disk          faults      cpu
| r b w   swap  free  re  mf pi po fr de sr s0 s1 s3 --   in   sy   cs us sy id
| 0 0 4 2793888 737144 34  5 232 2  1  0  0  0  3  0  0  124   18  107 11  9 80
| 0 0 36 2680456 673440 5  6  0  0  0  0  0  3  5  0  0 1897 15728 2516 9 15 76
| 0 0 36 2680456 673440 5  5  0  0  0  0  0  0  2  0  0 1612 13349 2268 10 10 80
| 0 0 36 2680456 673440 5  5  0  0  0  0  0  0  3  0  0 1854 15740 2520 13 15 73
| 
| # iostat 5 4
|    tty        sd0           sd1           sd30          nfs1           cpu
| tin tout kps tps serv  kps tps serv  kps tps serv  kps tps serv   us sy wt id
|    0   37   5   0   11  421   3   22    0   0    0    0   0    0   11  9  0 80
|    0   47   0   0    0  259   2   29    0   0    0    0   0    0   11 14  0 75
|    0   16  28   4   17  334   5   25    0   0    0    0   0    0   15 16  1 69
|    0   16   2   0   10  293   2   40    0   0    0    0   0    0   11 11  0 78
| 
| At: ndd  /dev/udp udp_max_buf 33554432 (32Mb!)
| 
| We have these time/counter readings for udpInOverflows:
| 00 -  645628929
| 33 -  645630391
| 96 -  645632008
| 
| Or, about 1924 packets/minute lost.
| 
| At udp_max_buf 64Mb (!!!), 2713 packets/minute lost.
| 
| I am FAR from out of memory 700Mb free.
| 
| 1) Am I reading that loss right??

Probably, you might  however want to snoop on the interface to see what
kind of udp packets come on your interface.

| 2) Any tips from Solaris/syslog-ng tuners would be appreciated!

udp_max_buf does not set the queue length of the udp socket, which by
the way can have a different value for each socket...

You could have a look at:
http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1

basically: increasing udp_max_buf without increasing udp_recv_hiwat has
no meaning. Furthermore, you can increase you socket buffer that way up
to 64k (Solaris 8 & 9), if you want to increase it
further up you must use the setsockopt call (up to udp_max_buf which
has a maximum value of 1GB). 
Here is the official SUN documentation regarding this:
http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag

Now regarding your packet loss issue. I would increase
udp_recv_hiwat -> 65536
udp_max_buf -> 1073741824 (you will never get here anyway)

Then I would try to play with syslog-ng config: log_fifo_size,
log_iw_size and log_fetch_limit.  But here I'd appreciate
a syslog-ng expert to step in and tell us what to do more preceisely.


Vincent
-- 
   .~.     Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\      MSN: vincent_msn at haverlant.org  -- http://www.haverlant.org/
  /( )\      Parinux member: http://www.parinux.org/
  ^^-^^       GPG: 8FEA 52C2 5C54 A201 2375  0FA5 AF2E 1881 92D0 EE84

More information about the syslog-ng mailing list