[syslog-ng] UDP errors and lost UDP messages

Balazs Scheidler bazsi77 at gmail.com
Tue Apr 7 10:36:50 CEST 2015


Hi,

270 is not a lot unless there's some kind of bottleneck on the syslog-ng
side. DNS is often a culprit, that's why syslog-ng has a DNS cache which
should address the problem. Do you have any kind of related settings in
your configuration?

Also, 3.1 is pretty old, can you perhaps upgrade that to something more
recent? I think squeeze is supported by the madhouse.org packages.


On Fri, Apr 3, 2015 at 11:53 PM, Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:

> Greetings list!
>
> Using syslog-ng 3.1 with Debian Squeeze, 2.6.32-5-amd64. The system
> has 8GB of RAM.
>
> I'm losing some UDP logs. I know to not use UDP - we use TLS for our
> Debian systems, but our Cisco gear leaves us with few options.
>
> According to netstat, the rate is anywhere from 600 to 3000 UDP errors
> per second. Using a tcpdump query of "dst port 514" shows about the
> same rate of UDP traffic coming to the system.
>
> I've bumped the buffer size according to various docs:
> $ head -n -0 /proc/sys/net/core/[rw]mem_*
> ==> /proc/sys/net/core/rmem_default <==
> 16777216
>
> ==> /proc/sys/net/core/rmem_max <==
> 16777216
>
> ==> /proc/sys/net/core/wmem_default <==
> 16777216
>
> ==> /proc/sys/net/core/wmem_max <==
> 16777216
>
> And the udp specific memory limits:
>
> $ head -n -0 /proc/sys/net/ipv4/*udp*
> ==> /proc/sys/net/ipv4/udp_mem <==
> 768384 1024512 1536768
>
> ==> /proc/sys/net/ipv4/udp_rmem_min <==
> 16777216
>
> ==> /proc/sys/net/ipv4/udp_wmem_min <==
> 16777216
>
> My UDP source for syslog-ng is also using a larger buffer:
>
> $ grep -A4 -B1 'udp(' /etc/syslog-ng/syslog-ng.conf
> source s_udp {
>     udp(
>         keep_hostname(yes)
>         so_rcvbuf(16777216)
>     );
> };
>
> According to syslog-ng-ctl stats the system is processing ~270 UDP
> messages per second. This hasn't really changed since I've made the
> kernel variable tweaks, nor after changing the so_rcvbuf size either.
>
> Any ideas of what to look for next?
>
> Thanks!
>
> -m
>


-- 
Bazsi
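
An added example (not part of the thread and not syslog-ng project code): a Python script that turns two `/proc/net/snmp` snapshots into per-second UDP rates, so the kernel's error rate and the delivered rate discussed above can be compared on one scale. The sample snapshots and function names are constructed for illustration, and the counters are system-wide, not per socket.

```python
"""Per-second UDP receive rates from two /proc/net/snmp snapshots."""
import time

# Constructed snapshots taken 10 s apart (illustrative values, not from the thread).
SAMPLE_BEFORE = (
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "Udp: 1000000 12 500000 4000 499000 0\n")
SAMPLE_AFTER = (
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "Udp: 1002700 12 506000 4010 505000 0\n")

def parse_udp_counters(snmp_text):
    """Return the system-wide 'Udp:' counters as {name: int}.

    Names come from the header line, so extra columns on newer kernels
    (for example InCsumErrors) do not shift the values.
    """
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp header line and one Udp value line")
    return dict(zip(rows[0], map(int, rows[1])))

def udp_rates(before, after, seconds):
    """Rates between two parsed snapshots taken `seconds` apart."""
    delta = {k: after[k] - before[k] for k in after if k in before}
    delivered, errors = delta["InDatagrams"], delta["InErrors"]
    arrived = delivered + errors  # approx. datagrams addressed to a bound port
    return {
        "delivered_per_s": delivered / seconds,
        "errors_per_s": errors / seconds,
        # Subset of InErrors caused by a full socket receive buffer.
        "rcvbuf_errors_per_s": delta.get("RcvbufErrors", 0) / seconds,
        "drop_fraction": errors / arrived if arrived else 0.0,
    }

def sample_rates():
    """Rates for the constructed snapshots above."""
    return udp_rates(parse_udp_counters(SAMPLE_BEFORE),
                     parse_udp_counters(SAMPLE_AFTER), 10)

if __name__ == "__main__":
    interval = 10
    with open("/proc/net/snmp") as f:
        first = parse_udp_counters(f.read())
    time.sleep(interval)
    with open("/proc/net/snmp") as f:
        second = parse_udp_counters(f.read())
    for name, value in udp_rates(first, second, interval).items():
        print(f"{name:22s} {value:10.2f}")
```

When `rcvbuf_errors_per_s` accounts for nearly all of `errors_per_s`, the datagrams are being dropped because the receiving process is not draining its socket fast enough, which points at the reader rather than at the network.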