[syslog-ng] spoof-source performance issues

Martin Holste mcholste at gmail.com
Tue Jun 29 04:31:57 CEST 2010


Actually, I did more research on this and found that two separate
people back in 2007 had this same problem on the mailing list.  See
threads "Lost packets; UDP Checksum (chksum) errors; forwarding -
source spoofing; libnet bug" as well as "Forwarding + Spoofing =
Errors & Dropped Packets?"  I believe I've definitively proven the
problem to be invalid UDP checksums sent by libnet 1.1.2.1 as
indicated in the first thread by Marvin Nipper.  Further research
shows that there is a Linux kernel-level setting that can act as a
workaround by setting the socket option SO_NO_CHECK, which disables
checksum verifications.  So, either Syslog-NG needs to incorporate a
newer, fixed libnet version (it was indicated that it did not compile
using 1.1.3 Beta), or a socket option for receiving needs to be set or
made as an available option to set like the receive buffer.

On Mon, Jun 28, 2010 at 1:40 PM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
> Hi,
>
> I think it will be a UDP kernel buffer problem (and not a syslog problem),
> see the earlier thread of "[syslog-ng] Tests using loggen - not receiving
> all the packets" in this mailing list.
>
>
>
>
> On 2010.06.28. 20:21, Martin Holste wrote:
>>
>> I'm finding that with a destination of udp("10.x.x.x", port(514)
>> spoof_source(yes)) about half of messages get lost when going from one
>> syslog-ng host to another at a high message rate (> 3k/sec).  This is
>> on 3.1 OSE and the hosts are on the same subnet and switch, so there
>> shouldn't be any network devices interfering.  Has anyone else had
>> this same issue?  My hunch is that it's either a performance issue
>> with the way the libnet (I'm using 1.1.2.1 on SuSE 10.2) API is
>> implemented or it's an issue within the libnet API.  Has anyone else
>> noticed performance problems when using spoof_source?
>>
>
>
> --
> pzolee
>
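
To check from a capture whether forwarded datagrams carry bad UDP checksums, as the message above concludes, the checksum can be recomputed offline over the IPv4 pseudo-header. This is an added example, not part of the original thread and not syslog-ng or libnet code; the addresses, ports and payload are constructed, and the "invalid" datagram is a constructed failure case, not a reproduction of the libnet defect.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP/UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header (checksum field zeroed) + data."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(segment)))
    csum = ~ones_complement_sum(pseudo + segment) & 0xFFFF
    return csum or 0xFFFF                    # a computed 0 is transmitted as 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build a UDP segment with a checksum computed for the given addresses."""
    length = 8 + len(payload)
    zeroed = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, zeroed)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def classify(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Return 'unchecked', 'valid' or 'invalid' for a captured UDP segment,
    using the source/destination addresses seen in its IP header."""
    (stored,) = struct.unpack("!H", segment[6:8])
    if stored == 0:
        return "unchecked"                   # sender did not compute a checksum
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return "valid" if udp_checksum(src_ip, dst_ip, zeroed) == stored else "invalid"

# Constructed sample data (documentation address ranges, made-up message).
ORIGINAL = "198.51.100.5"   # address placed in the IP header by spoof_source
RELAY = "192.0.2.10"        # forwarding host's own address
RECEIVER = "192.0.2.20"
MSG = b"<13>Jun 29 04:31:57 host1 test: constructed message"

if __name__ == "__main__":
    good = build_udp(ORIGINAL, RECEIVER, 514, 514, MSG)
    # Constructed bad case: checksum computed for a different source address
    # than the one the receiver sees in the IP header.
    bad = build_udp(RELAY, RECEIVER, 514, 514, MSG)
    print(classify(ORIGINAL, RECEIVER, good), classify(ORIGINAL, RECEIVER, bad))
```

Datagrams classified as "invalid" are the ones a receiving stack that verifies UDP checksums will drop before syslog-ng ever reads them.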

