[syslog-ng] solaris UDP loss

SOLIS, ALEX asolis at oppd.com
Tue Mar 14 20:29:42 CET 2006

Just in case:


If the firewall is a Cisco PIX you might want to reconsider.  If the PIX
looses its ability to send TCP messages to its loghost then it denies
all traffic until loghost connectivity is restored.





From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Cary, Kim
Sent: Tuesday, March 14, 2006 12:30 PM
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] solaris UDP loss


Finally got around to reading the docs and applying the recommendations.


FIRST - thanks much!


NOW - my results:


# ndd /dev/udp udp_recv_hiwat


# ndd /dev/udp udp_max_buf


# date ; netstat -s | grep udpInOverflows

Tue Mar 14 10:15:16

        udpInCksumErrs      =     0     udpInOverflows      =677996405

# date ; netstat -s | grep udpInOverflows

Tue Mar 14 10:15:19

        udpInCksumErrs      =     0     udpInOverflows      =677996571

# date ; netstat -s | grep udpInOverflows

Tue Mar 14 10:15:22

        udpInCksumErrs      =     0     udpInOverflows      =677996726


I'm pretty sure this is just the Firewall sending more than 55M lines of
connection/deny logs over UDP.


IF I was to switch the FW over to TCP logging from UDP, would this be a
better solution?


BTW, here are a few words from syslog-ng:


Mar 14 09:32:32 syslog-ng[20685]: STATS: dropped 0

Mar 14 09:42:32 syslog-ng[20685]: STATS: dropped 0

Mar 14 09:52:32 syslog-ng[20685]: STATS: dropped 0

Mar 14 10:02:32 syslog-ng[20685]: STATS: dropped 0

Mar 14 10:04:53 syslog-ng[20685]: Garbage collecting while busy...

Mar 14 10:04:58 syslog-ng[20685]: Objects alive: 310, garbage collected:

Mar 14 10:12:32 syslog-ng[20685]: STATS: dropped 0

Mar 14 10:16:22 syslog-ng[20685]: Garbage collecting while idle...

Mar 14 10:16:24 syslog-ng[20685]: Objects alive: 318, garbage collected:

Mar 14 10:22:32 syslog-ng[20685]: STATS: dropped 0


and its config:


source s_udp_inetpix   { 





On Mar 7, 2006, at 3:01 PM, syslog-ng-request at lists.balabit.hu wrote:

| 1) Am I reading that loss right??


Probably, you might  however want to snoop on the interface to see what

kind of udp packets come on your interface.


| 2) Any tips from Solaris/syslog-ng tuners would be appreciated!


udp_max_buf does not set the queue length of the udp socket, which by

the way can have a different value for each socket...


You could have a look at:



basically: increasing udp_max_buf without increasing udp_recv_hiwat has

no meaning. Furthermore, you can increase you socket buffer that way up

to 64k (Solaris 8 & 9), if you want to increase it

further up you must use the setsockopt call (up to udp_max_buf which

has a maximum value of 1GB). 

Here is the official SUN documentation regarding this:



Now regarding your packet loss issue. I would increase

udp_recv_hiwat -> 65536

udp_max_buf -> 1073741824 (you will never get here anyway)


Then I would try to play with syslog-ng config: log_fifo_size,

log_iw_size and log_fetch_limit.  But here I'd appreciate

a syslog-ng expert to step in and tell us what to do more preceisely.


This e-mail contains Omaha Public Power District's confidential and proprietary information and is for use only by the intended recipient.  Unless explicitly stated otherwise, this e-mail is not a contract offer, amendment, nor acceptance.  If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060314/aac6d122/attachment-0001.html

More information about the syslog-ng mailing list