[syslog-ng] Question

Balazs Scheidler bazsi77 at gmail.com
Tue Jun 6 05:32:16 UTC 2023


Hi,

On Mon, Jun 5, 2023, 22:16 Johnson, Linwood <linwood.johnson at dowjones.com>
wrote:

> I get the following when I check
> [root at server1~]# syslog-ng
>  WARNING: the match() filter without the use of the value() option is
> deprecated and hinders performance, please update your configuration;
> The kernel refused to set the receive buffer (SO_RCVBUF) to the requested
> size, you probably need to adjust buffer related kernel parameters;
> so_rcvbuf='536870912', so_rcvbuf_set='425984'
>
> [root@ server1~]# sysctl -a |grep rmem_max
> net.core.rmem_max = 212992
> sysctl: reading key "net.ipv6.conf.all.stable_secret"
> sysctl: reading key "net.ipv6.conf.default.stable_secret"
> sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
> sysctl: reading key "net.ipv6.conf.lo.stable_secret"
> [root@ server1 ~]# sysctl -a |grep vbuf
> net.ipv4.tcp_moderate_rcvbuf = 1
> sysctl: reading key "net.ipv6.conf.all.stable_secret"
> sysctl: reading key "net.ipv6.conf.default.stable_secret"
> sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
> sysctl: reading key "net.ipv6.conf.lo.stable_secret"
> net.sctp.rcvbuf_policy = 0
> [root@ server1~ ]# cat /proc/sys/net/ipv4/tcp_rmem
> 4096    87380   6291456
> [root@ server1~ ]# cat /proc/sys/net/core/rmem_default
> 212992
> [root@ server1~ ]# cat /proc/sys/net/core/rmem_max
> 212992
> [root@ server1~ ]# grep . /proc/sys/net/ipv4/tcp*mem
> /proc/sys/net/ipv4/tcp_mem:173202       230936  346404
> /proc/sys/net/ipv4/tcp_rmem:4096        87380   6291456
> /proc/sys/net/ipv4/tcp_wmem:4096        16384   4194304
> [root@ server1~ hisotry]#
>
> I attempted to make the changes on the server.
> What can I do to resolve this issue?
>
>
The receive buffer parameter is critical for UDP based traffic, not for TCP.

You need to bump /proc/sys/net/core/rmem_max which enables the use of
larger receive buffers.

Also, you might want to read these blog posts:

https://axoflow.com/syslog-over-udp-message-loss-1/

and


https://axoflow.com/syslog-over-udp-kernel-syslog-ng-tuning-avoid-losing-messages/

Also, we added the capability of tracking per-port UDP message loss in
syslog-ng 4.2, e.g.:

syslogng_socket_receive_dropped_packets_total

For more info on 4.2 and some more metrics:

https://axoflow.com/axosyslog-release-4-2/

The new metrics were added along with a new interface to syslog-ng stats
that makes it easier to integrate it with the new generation of monitoring
tools (e.g. the Prometheus stack).

Hope this helps. You are welcome in our Discord channel, should you have
more questions, here:

https://discord.gg/E65kP9aZGm

A number of syslog-ng devs/axoflow folks lurk there, who made all of the
above a reality.

Bazsi
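
The numbers in the quoted warning can be reproduced with a short check, added here as an example (not code from this thread or from syslog-ng). It assumes Linux, where an SO_RCVBUF request is clamped to net.core.rmem_max and then doubled; the function names are hypothetical.

```python
import socket

RMEM_MAX_PATH = "/proc/sys/net/core/rmem_max"  # the sysctl named in the reply


def expected_grant(requested: int, rmem_max: int) -> int:
    """Size Linux reports back: the request clamped to rmem_max, then doubled
    (the kernel doubles the value to cover its own bookkeeping overhead)."""
    return 2 * min(requested, rmem_max)


def read_rmem_max(path: str = RMEM_MAX_PATH) -> int:
    with open(path) as fh:
        return int(fh.read().strip())


def probe_udp_rcvbuf(requested: int) -> int:
    """Request a receive buffer on a throwaway UDP socket and return what
    getsockopt() says the kernel actually set."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested)
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


def diagnose(requested: int, rmem_max: int, granted: int) -> dict:
    """Compare request and grant, and report the rmem_max needed so the
    full request is honoured."""
    return {
        "short": granted < requested,  # the condition the warning reports
        "matches_model": granted == expected_grant(requested, rmem_max),
        "rmem_max_needed": max(requested, rmem_max),
    }


if __name__ == "__main__":
    # Values taken from the quoted warning and sysctl output in the thread.
    print(diagnose(536870912, 212992, 425984))
    # Live check on this host (Linux only).
    want = 536870912
    limit = read_rmem_max()
    got = probe_udp_rcvbuf(want)
    print(f"rmem_max={limit} requested={want} granted={got}")
    print(diagnose(want, limit, got))
```

With the thread's values, so_rcvbuf_set='425984' is exactly twice rmem_max (212992), which is why raising rmem_max to at least the configured so_rcvbuf clears the warning.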