[syslog-ng] Solaris 10 UDP overflows, message drops

[Michael Hocke]

-----BEGIN PGP SIGNED MESSAGE-----


On Apr 15, 2011, at 2:01 PM, Mishou Michael wrote:

> I left out the resources I have to work with on this system, and how
> bad/good things are with syslog-ng running (and dropping), I'll include
> those now.  As you can see, it's an older server, but it has a ton of
> RAM and the CPUs should have enough pop for this I think.

Hi Mishou,

I battled this fight for quite a long time when I built a syslog server using syslog-ng on Solaris 10 running on a Sun Fire V210 (dual 1.5GHz US-IIIi processors, 4GB memory). This syslog server is being used to collect the immense amount of Cisco firewall messages (in the neighborhood of 14000 messages per second). At first I tried to fiddle around with the UDP buffers in the system and the so_rcvbuf setting in syslog-ng.conf but to no avail. Any increase of the buffer would just delay the time when UDP packets were starting to drop again. I then found an old Sun x86 server (a V60x) lying around (dual Xeon 3GHz, 6GB memory) and replaced the V210 with it, suspecting that even my very simple syslog-ng configuration (no filters or anything) just overwhelms the V210. That did the trick. It was just a matter of processing power. Not sure if this applies to your situation but it kind of has the same smell to it.

Hope this helps a bit.

- - Michael


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.0.3 (Build 1)
Charset: us-ascii

wsBVAwUBTaxwOZbfnpCg64TVAQGU4QgAw3rl6mvucBuThAvR+0uC2JoGYcN7xpBb
hDzninYg1PlqAHEmfMHw3nt1fimnfxPQ4fnFq5UFoHaWqqbs1G3AqjiqOV7GOcoJ
Yxq6F8cmGz1HM8AiHZJM7XHYdrqsZ8FQjyqW/Youv/TCC1zU0oigMdkobTkAphGg
nJD9foAKIqMMgRawTRPY/8W9QFPvotLMN84Q/zzs6Wi62Kumncfjrg4bJQkpQdq/
pS0m/9ZvtQD7EohF/lVZRa5nPa/3/xm5WjTrEFmB16dzXOQvkSmcOWx8N88/joMR
tmGfiutg6Lu69oG7xj7oeb/yp1iWKoTYwb/nZgwu/onZmLMtrZ+ZeA==
=z1AA
-----END PGP SIGNATURE-----