[syslog-ng] TCP packet collapse errors
Xuri Nagarin
secsubs at gmail.com
Fri May 31 07:46:20 CEST 2013
I have a pair of Syslog-NG servers running 3.2.5-3. The hardware specs are
- Quad Xeon E5-2680 (32 cores), 32GB RAM, and two 1TB SAS 7200 RPM disks in
RAID-1.
OS is RHEL6.2 - Kernel 2.6.32-279.5.2. Filesystem is ext3.
Global options are set as:
options {
flush_lines (1000);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
keep_timestamp(yes);
dir_group("syslog");
perm(0640);
dir_perm(0750);
group("syslog");
};
I have already set TCP kernel buffers to 128MB max and set disk scheduler
to "deadline".
But even under light disk IO load, from ~8-25MB, I see "1320811067 packets
collapsed in receive queue due to low socket buffer". I had some other
processes on the host writing to disk. Stopping them reduced the packet
errors but this number still keeps incrementing.
To rule out other issues, I temporarily pointed my disk-based destinations
to /dev/null and then packet losses/errors stopped. So either Syslog-NG
isn't able to write to disk fast enough or there is an underlying
OS/hardware issue.
Both hosts have the same issue. Any pointers in troubleshooting it will be
appreciated.
TIA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130530/60ce1640/attachment.htm
More information about the syslog-ng
mailing list