[syslog-ng] Solaris 10 UDP overflows, message drops

Balazs Scheidler bazsi at balabit.hu
Sat Apr 30 14:15:10 CEST 2011


On Fri, 2011-04-29 at 08:51 +0200, Fekete Robert wrote:
> Hi,
> 
> UDP is a connection-less protocol, meaning that the sender has no knowledge if 
> the messages reach the destination or not. In the perspective of flow-control, 
> this means the following (someone please correct me if I'm wrong):
> 
> - when using flow-control on the client that sends messages via UDP, 
> flow-control can slow down reading messages from the client's sources if the 
> client cannot send out the messages fast enough. But the client does not know 
> (hence it cannot slow down) if the server cannot handle the messages it receives.

except when it explicitly receives an ICMP port unreachable, in which
case syslog-ng will cease sending. port unreachable is not something you
can count on, but works when the issue is that the server is not
running.

> 
> - when using flow-control on the server that receives UDP messages, flow-control 
> can slow down reading from the server's sources (thus probably cause the server 
> to drop UDP messages) if the destination on the server (file, database, 
> whatever) cannot handle the messages send to the destination fast enough.

and in this case it can help, since syslog-ng will not be
active-dropping message, but rather the kernel will do that, even before
the message reach syslog-ng.

-- 
Bazsi




More information about the syslog-ng mailing list