[syslog-ng] Messages dropped...
Pontius, Brian D CIV NAVSISA
brian.pontius at navy.mil
Mon Jan 25 18:54:36 CET 2010
Increasing the udp_max_buf and udp_recv_hiwt to their max alone did not stop the increase of the udpInOverflows.
Only after I added the so_rcvbuf entries to some of my sources did udpInOverflows stop increasing.
Unfortunately, it still seems like I am losing messages because my firewall logs ARE STILL 1/3 of the second firewall syslog server.
Syslog-ng still says that it is not dropping messages.
Therefore I am stumped.
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Saturday, January 23, 2010 8:02
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Messages dropped...
On Wed, 2010-01-20 at 17:05 -0500, Pontius, Brian D CIV NAVSISA wrote:
> I apologize for what seems to be a repost of a rather similar problem, but I have looked through the archives and was unable to find answers.
>
> I am running syslog-ng 3.0.4 on Solaris 10 x86 (64bit). I have about 200 hosts, all running over udp. I have 1 heavy hitter, which is my firewall. It puts about 1500 messages a minute. It seems that syslog-ng is able to handle this amount of traffic but I am having trouble figuring out why I can't seem to make it work that way.
>
> I started to notice that I was dropping udp packets by running
> netstat -s |grep udpInOverflows.
>
> I tweaked the udp buffers by setting them to their max:
> ndd -set /dev/udp udp_max_buf 1073741824
> ndd -set /dev/udp udp_recv_hiwt 65536
>
> I was still losing packets until I started to tweak my syslog-ng.conf and added the so_rcvbuf entries.
> The problem is, the logfiles do not reflect that all of the messages
> are making it. I only know this because the firewall is also logging
> to another standalone solaris server running standard syslogd and the syslog-ng's firewall's logs are still only getting 1/3 of the logs.
But what was the result of your tweaks? Did the msg rate increase? I guess the options you've quoted above will only increase the maximum possible size that the OS permits for applications. It doesn't immediately increase receive buffer size.
--
Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
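Added example, not part of the thread or of syslog-ng: a way to check the point made in the reply above, that raising the OS maximum does not enlarge a socket's receive buffer until the application requests it with SO_RCVBUF (which is what so_rcvbuf() asks for). The function names, burst size and loopback setup are assumptions made for this illustration, and it assumes a kernel that silently clamps an oversized request, as Linux does.

```python
import socket

def open_udp_receiver(rcvbuf):
    """Bind a loopback UDP socket after requesting a receive buffer size."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    s.bind(("127.0.0.1", 0))
    s.setblocking(False)
    return s

def burst_survivors(rcvbuf, count=2000, size=512):
    """Send a burst that nobody reads, then count what the kernel kept.

    Returns (effective_buffer_size, datagrams_received). Whatever is missing
    was dropped at the socket, the same event udpInOverflows counts on Solaris.
    """
    rx = open_udp_receiver(rcvbuf)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = b"x" * size  # constructed stand-in for a syslog datagram
    try:
        # The value the kernel actually granted may differ from the request.
        effective = rx.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
        for _ in range(count):
            try:
                tx.sendto(payload, rx.getsockname())
            except OSError:
                pass  # some kernels report a full local buffer to the sender
        received = 0
        while True:
            try:
                rx.recv(65535)
                received += 1
            except BlockingIOError:
                break  # queue drained
        return effective, received
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    for requested in (4096, 1 << 20):
        effective, received = burst_survivors(requested)
        print(f"requested={requested} effective={effective} "
              f"received={received}/2000")
```

If the effective size printed for the large request is far below what was asked for, the OS limit is the bottleneck; if it matches and datagrams are still missing, the reader is not draining the socket fast enough.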