[syslog-ng] Solaris 10 UDP overflows, message drops
Matthew Hall
mhall at mhcomputing.net
Fri Apr 15 18:12:18 CEST 2011
Probably you need to adjust so_sndbuf and so_rcvbuf:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html#reference_source_tcpudp
That should make it run better.
Matthew.
On Fri, Apr 15, 2011 at 10:52:59AM -0400, Mishou Michael wrote:
> All,
>
> I've done a lot of reading, and I can't figure out what I can do to this
> config in order to fix the UDP drops due to udpInOverflows on netstat
> -s. Here are some statistics relating to the amount of traffic we
> receive via syslog-ng, it's pretty busy but in reading I'm finding that
> some folks are doing much more. These stats are based on a ~30 second
> window of traffic during peak times, but variance due to time is not so
> much in our environment. I used tcpdump with a bpf to capture only
> inbound udp/514, so this is what the interface is seeing in the way of
> syslog.
>
> Elapsed: 00:00:34
> Packets: 200000
> Avg. packets/sec: 5836.546
> Avg. packet size: 303.182 bytes
> Bytes: 60636477
> Avg. bytes/sec: 1769537.884
> Avg. MBit/sec: 14.156
>
> So, about 6k messages per second. Here are the drop numbers over a time
> sample (done right after a process restart, you can see the buffer takes
> a moment to fill up [64 MB so_rcvbuf]):
>
> # while true; do echo -en "$(date) :: "; netstat -s | grep
> udpInOverflows | head -n 1 | sed 's|.*=||'; sleep 10; done
> Fri Apr 15 14:12:46 GMT 2011 :: 472517477
> Fri Apr 15 14:12:56 GMT 2011 :: 472517477
> Fri Apr 15 14:13:06 GMT 2011 :: 472517477
> Fri Apr 15 14:13:16 GMT 2011 :: 472517477
> Fri Apr 15 14:13:26 GMT 2011 :: 472543152
> Fri Apr 15 14:13:36 GMT 2011 :: 472592800
> Fri Apr 15 14:13:46 GMT 2011 :: 472638848
> Fri Apr 15 14:13:56 GMT 2011 :: 472684407
>
> So that's about 5k overflows a second, which jives with our
> calculations, suggesting we're getting only ~10% of our messages logged
> to disk.
>
> I inherited a config with _very_ many filter statements, but have
> decided to cut all that out to see if my performance problems in the way
> of udp drops continue (they do). I've attached a sanitized config to
> this message, all the stuff here concerns this config running (even
> though I thought eliminating the filters would really help, it didn't).
>
> We're running Solaris 10 SPARC. The syslog-ng version is:
>
> # /usr/local/sbin/syslog-ng -V
> syslog-ng 3.1.2
> Installer-Version: 3.1.2
> Revision:
> ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainli
> ne--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca
> Compile-Date: Oct 25 2010 23:56:18
> Enable-Threads: off
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: on
> Enable-Sun-Door: on
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: off
> Enable-SSL: on
> Enable-SQL: off
> Enable-Linux-Caps: off
> Enable-Pcre: on
>
> The following options are set for the OS:
>
> # ndd /dev/udp udp_max_buf
> 1073741824
> # ndd /dev/udp udp_recv_hiwat
> 65536
>
> Some options lines from the config based on what I've seen:
>
> * note the TCP stuff can be safely ignored, it's legacy from some
> testing but isn't currently seeing traffic
> * all 3 udp sources set with so_rcvbuf(67108864) (64 MB)
>
> options { # things I've changed/tweaked
> flush_lines(1000);
> flush_timeout(20);
> log_fifo_size (67108864);
> log_msg_size(8192);
> chain_hostnames(yes);
> # end my changes
> <snip>
> };
>
> So I'm totally stumped. I can set the buffers with so_rcvbuf() to 1 GB,
> it still doesn't matter, they eventually fill up and I start losing
> packets. I'm hoping that someone can point me to some tweaks I can do
> to get the numbers of drops down or eliminated. Is it unreasonable to
> expect to be able to process this many messages per second via UDP?
> Maybe that's the problem. I might experiment some with default syslog
> to see if it can write this many messages without drops...this doesn't
> seem like an insane amount of traffic. But perhaps my expectations are
> unrealistic, that's what I'm hoping someone can tell me.
>
> Regards,
>
> --Mike
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
More information about the syslog-ng
mailing list