[syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?

Ivey, Chris Chris.ivey at acs-inc.com
Thu Jan 11 17:24:42 CET 2007


Bazsi,
	Thanks for your help thus far.  After MUCH trial and error with
enabling and disabling things in syslog-ng.conf, and watching "netstat -an"
output after each attempt, I have narrowed this issue down to something to
do with spoofing.  From my starting syslog-ng.conf file, if I do NOTHING but
turn off spoofing, the Recv-Q buffer stops filling and all is happy.  If I
turn on spoofing, those buffers start filling again.  I used tkdiff to
compare my 2 syslog-ng.conf files side-by-side, and the only differences
between the 2 are the lines where the forward-to hosts are defined and where
the destinations are defined (the bad server has lines commented, the good
one does not).  Lsof on both machines for syslog-ng shows the same libraries
opened and such.  So, the question now is what happens with spoofing that
would cause all these issues?  What does spoofing do in the background that
my server is unhappy about?  Any insight would be greatly appreciated!

Chris Ivey

Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management Senior Analyst

1120 Celebration Blvd.
Celebration, FL 34747

chris.ivey at acs-inc.com

"When you find yourself in a hole, the best thing to do is stop digging!" --
Nick Stokes

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, January 11, 2007 8:06 AM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] Forwarding + Spoofing = Errors & Dropped Packets?

On Wed, 2007-01-10 at 13:31 -0600, Ivey, Chris wrote:
> We took DNS out of the config, and had no change.  How do we go about
> seeing if we are blocking on /proc/kmsg?

You need to identify the bottleneck; there are various tools for this.
Check CPU/disk usage, vmstat, maybe even strace syslog-ng and check
where it is spending its time.

If everything looks normal, you might need to increase the UDP receive
buffer size. What is your message rate?

-- 
Bazsi
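
Added example, not part of the original messages or of syslog-ng: a way to script the "watch netstat -an after each change" check described above, flagging a UDP syslog socket whose Recv-Q stays non-zero across polls (a sustained backlog precedes kernel drops and lost log messages). The Linux net-tools column layout, port 514, the three-poll threshold, and all sample text are assumptions.

```python
import re

# Constructed `netstat -an` snapshots (not taken from the thread): three polls
# in which Recv-Q on the UDP syslog socket keeps climbing.
HEADER = "Proto Recv-Q Send-Q Local Address    Foreign Address  State\n"
SAMPLES = [
    HEADER + "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\n"
             "udp 8704 0 0.0.0.0:514 0.0.0.0:*\n"
             "udp 0 0 0.0.0.0:123 0.0.0.0:*\n",
    HEADER + "udp 65280 0 0.0.0.0:514 0.0.0.0:*\n"
             "udp 0 0 0.0.0.0:123 0.0.0.0:*\n",
    HEADER + "udp 131064 0 0.0.0.0:514 0.0.0.0:*\n"
             "udp 0 0 0.0.0.0:123 0.0.0.0:*\n",
]

# Proto, Recv-Q, Send-Q, then local address split at its last ':' or '.'
UDP_LINE = re.compile(r"^(udp6?)\s+(\d+)\s+(\d+)\s+(\S+)[:.](\d+)\s+\S+")

def udp_recv_queues(netstat_text):
    """Map 'local_addr:port' -> Recv-Q bytes for every UDP socket listed."""
    queues = {}
    for line in netstat_text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            queues[f"{m.group(4)}:{m.group(5)}"] = int(m.group(2))
    return queues

def backlog_report(samples, port=514, min_polls=3):
    """Sockets on `port` whose Recv-Q was non-zero in each of the last min_polls polls."""
    history = {}
    for text in samples:
        for sock, q in udp_recv_queues(text).items():
            if sock.endswith(f":{port}"):
                history.setdefault(sock, []).append(q)
    report = {}
    for sock, qs in history.items():
        recent = qs[-min_polls:]
        if len(recent) == min_polls and all(q > 0 for q in recent):
            # A queue that never drains means the reader is not keeping up.
            growing = recent == sorted(recent) and recent[-1] > recent[0]
            report[sock] = {"recv_q": recent, "growing": growing}
    return report

if __name__ == "__main__":
    for sock, info in backlog_report(SAMPLES).items():
        print(f"{sock}: Recv-Q {info['recv_q']} growing={info['growing']}")
```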
