[syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?

Ivey, Chris Chris.ivey at acs-inc.com
Wed Jan 10 14:30:59 CET 2007 

We are having a REALLY weird issue with syslog-ng that I need to request
some assistance with resolving.  It has to do with forwarding and spoofing.
If I go into syslog-ng.conf and enable forwarding to my 3 remote servers
along with spoofing, it causes issues on the server.  First, the Recv-Q
fills to capacity (as seen in "netstat -a | grep syslog").  Once that buffer
fills, we start seeing "packet receive errors" (as seen in "netstat -su").
We have an INORDINATE amount of these errors (about 45%).  Observe:

[civey at logsvr2 syslog-ng]$ netstat -su
Udp:
    112958828 packets received
    4084 packets to unknown port received.
    50596174 packet receive errors
    95393123 packets sent

Here is kind of a tabular representation of what I have done so far, and the
results:

Action					Results
No forwarding, no spoofing		Buffers stay at 0 about 99% of the
time, no problems
Forwarding to 1 server w/spoofing	Buffers increase and stay high for a
while, but do eventually get back to 0
Forwarding to 2 servers w/spoofing	Buffers increase and stay high,
eventually filling and causing "packet receive errors"
Forwarding to 1 server, no spoofing	Same as no forwarding enabled at all

So far we have re-downloaded the syslog-ng source and recompiled on the
server, we have re-downloaded and recompiled all the prerequisites for
syslog-ng, and we have backed up all the libraries and executables on the
bad server and replaced them with the libraries and executables from the
good server.  None of this has done any good, as we keep seeing the same
issues.  I am about at my wit's end here.  Can someone please provide some
direction on where to go from here?

O/S: Fedora Core 4
RAM: 2 GB
Syslog-ng: 1.6.11

Thanks in advance!

Chris Ivey

Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management Senior Analyst

1120 Celebration Blvd.
Celebration, FL 34747
chris.ivey at acs-inc.com

"When you find yourself in a hole, the best thing to do is stop digging!" --
Nick Stokes

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20070110/ca10da63/attachment.htm

More information about the syslog-ng mailing list