[syslog-ng] UDP packet loss with syslog-ng

Martin Holste mcholste at gmail.com
Fri Oct 15 23:07:00 CEST 2010


Actually, I missed what you were doing with awk because I don't think
I've ever seen /inet before.  Are you on FreeBSD?  My experience (and
cited performance numbers) is all on Linux.  My suspicion is that nc
would take into account more things like SO_RCVBUF, so I'd be
interested to see if there's any difference between redirecting the
raw socket and running netcat.

Your template refers to DNS hostnames, so it's certainly possible that
it's a factor, though I agree that a single hostname with caching
enabled should really not be a problem.

On Fri, Oct 15, 2010 at 3:54 PM, Lars Kellogg-Stedman <lars at oddbit.com> wrote:
>> the time.  A great sanity check is to use nc -l 514 -u >
>> /some/out/file
>
> Right, I did that...as I described in the message.
>
>> how many were received.  If that's looking good, I recommend running
>> tcpdump/wireshark to find the rate of DNS lookups from the box.
>
> I'll take a look.  I'm coming from a single host, and I do have dns
> caching enabled, so I would be surprised if this is the problem.  As a
> first step I may just disable DNS and see if that has any impact on
> the problem.
>
>> two.  A full answer would require seeing the values of your output
>> templates.
>
> template t_daily_log {
>        template("$FULLHOST_FROM $YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC
> [$FACILITY:$LEVEL] [$PROGRAM:$PID] $MSG\n");
> };
>
> template t_host_log {
>        template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC [$FACILITY:$LEVEL]
> [$PROGRAM:$PID] $MSG\n");
> };
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>


More information about the syslog-ng mailing list