[syslog-ng] Tips to diagnose missing syslog messages?

brian hoffman brianhoffman at yahoo.com
Tue Jun 15 14:18:01 UTC 2021


We've spent a lot of time troubleshooting UDP drops, and the so_reuseport option did help quite a bit. There's a max number that the RECVQ can reach (which can be seen with: /usr/bin/netstat -tupln|egrep "(^udp.*syslog-ng)" ) that correlates to the so_rcvbuf. Having more queues won't keep drops from happening, since the hashing in the OSE is related to source IP, so a talkative host can still fill up one of those queues and cause drops. The PE uses eBPF which is apparently better at preventing this, but we found that by using the updated version at "copr:copr.fedorainfracloud.org:czanik:syslog-ng324/x86_64" instead of the stock RH one and bumping up the so_rcvbuf, it did perform much better (and I believe you may need that version for the so_reuseport).

-Brian
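
Added example, not part of Brian's message or of syslog-ng: a small Python parser for Linux /proc/net/udp (the source of netstat's Recv-Q figure) that lists each socket bound to one port with its receive-queue depth and kernel drop counter, so a single so_reuseport queue filled by one talkative sender stands out. Port 514, the 8 MiB queue ceiling, the 90% threshold and the SAMPLE rows are assumptions constructed for illustration.

```python
# Added example (not from the original post). SAMPLE is constructed data in
# the column layout of Linux /proc/net/udp; port 514 is an assumed syslog port.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40001 2 0000000000000000 0
  102: 00000000:0202 00000000:0000 07 00000000:007FF000 00:00000000 00000000     0        0 40002 2 0000000000000000 15234
  103: 00000000:0202 00000000:0000 07 00000000:00001200 00:00000000 00000000     0        0 40003 2 0000000000000000 0
  104: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40004 2 0000000000000000 12
  105: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40005 2 0000000000000000 7
"""

def udp_sockets(text, port):
    """Return [(inode, rx_queue_bytes, drops)] for every socket bound to port."""
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 13:
            continue                            # row without a 'drops' column
        if int(f[1].rsplit(":", 1)[1], 16) != port:
            continue                            # local port is hexadecimal
        rx_queue = int(f[4].split(":")[1], 16)  # field is tx_queue:rx_queue, hex
        out.append((int(f[9]), rx_queue, int(f[12])))  # drops is decimal
    return out

def report(text, port, queue_ceiling, near=0.9):
    """Flag sockets that sit near the observed Recv-Q ceiling or have dropped."""
    rows = []
    for inode, rx, drops in udp_sockets(text, port):
        flags = []
        if rx >= near * queue_ceiling:          # 'near' threshold is an assumption
            flags.append("QUEUE_NEAR_FULL")
        if drops:                               # cumulative since socket creation
            flags.append("DROPS")
        rows.append((inode, rx, drops, flags))
    return rows

if __name__ == "__main__":
    import sys
    # Live use: pass /proc/net/udp as the argument; no argument uses SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for inode, rx, drops, flags in report(text, 514, queue_ceiling=8 * 1024 * 1024):
        print(f"inode={inode} rx_queue={rx} drops={drops} {' '.join(flags) or 'ok'}")
```

IPv6 listeners appear in /proc/net/udp6 with the same columns, and the drops value only ever grows, so compare two readings taken some time apart to see whether a socket is dropping now.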