[syslog-ng] solaris UDP loss

Cary, Kim Kim.Cary at pepperdine.edu
Tue Mar 14 19:30:00 CET 2006 

Finally got around to reading the docs and applying the recommendations.

FIRST - thanks much!

NOW - my results:

# ndd /dev/udp udp_recv_hiwat
65536
# ndd /dev/udp udp_max_buf
1073741824
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:16
        udpInCksumErrs      =     0     udpInOverflows      =677996405
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:19
        udpInCksumErrs      =     0     udpInOverflows      =677996571
# date ; netstat -s | grep udpInOverflows
Tue Mar 14 10:15:22
        udpInCksumErrs      =     0     udpInOverflows      =677996726

I'm pretty sure this is just the Firewall sending more than 55M lines of
connection/deny logs over UDP.

IF I was to switch the FW over to TCP logging from UDP, would this be a
better solution?

BTW, here are a few words from syslog-ng:

Mar 14 09:32:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 09:42:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 09:52:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:02:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:04:53 syslog-ng[20685]: Garbage collecting while busy...
Mar 14 10:04:58 syslog-ng[20685]: Objects alive: 310, garbage collected:
2999695
Mar 14 10:12:32 syslog-ng[20685]: STATS: dropped 0
Mar 14 10:16:22 syslog-ng[20685]: Garbage collecting while idle...
Mar 14 10:16:24 syslog-ng[20685]: Objects alive: 318, garbage collected:
1129970
Mar 14 10:22:32 syslog-ng[20685]: STATS: dropped 0

and its config:

source s_udp_inetpix   { 
                        udp(ip(192.168.0.1)); 
                };


On Mar 7, 2006, at 3:01 PM, syslog-ng-request at lists.balabit.hu
<mailto:syslog-ng-request at lists.balabit.hu>  wrote:


| 1) Am I reading that loss right??




Probably, you might  however want to snoop on the interface to see what

kind of udp packets come on your interface.




| 2) Any tips from Solaris/syslog-ng tuners would be appreciated!




udp_max_buf does not set the queue length of the udp socket, which by

the way can have a different value for each socket...




You could have a look at:

http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1
<http://sunsolve.sun.com/search/document.do?assetkey=1-30-3218-1> 




basically: increasing udp_max_buf without increasing udp_recv_hiwat has

no meaning. Furthermore, you can increase you socket buffer that way up

to 64k (Solaris 8 & 9), if you want to increase it

further up you must use the setsockopt call (up to udp_max_buf which

has a maximum value of 1GB). 

Here is the official SUN documentation regarding this:

http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag
<http://docs.sun.com/app/docs/doc/817-0404/6mg74vsb5?a=view#gbtag> 




Now regarding your packet loss issue. I would increase

udp_recv_hiwat -> 65536

udp_max_buf -> 1073741824 (you will never get here anyway)




Then I would try to play with syslog-ng config: log_fifo_size,

log_iw_size and log_fetch_limit.  But here I'd appreciate

a syslog-ng expert to step in and tell us what to do more preceisely.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060314/00032892/attachment.html

More information about the syslog-ng mailing list