[syslog-ng] TCP orig_log_iw_size='3', why?

claudio at witel.it claudio at witel.it
Sat Mar 1 09:20:23 UTC 2025


 

Let me add some background: 

# cat /etc/redhat-release 

Red Hat Enterprise Linux release 9.4 (Plow) 

# syslog-ng --version 
syslog-ng 3 (3.35.1)
Config version: 3.35
Installer-Version: 3.35.1
Revision:
Compile-Date: Feb 6 2023 00:00:00
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules:
xml,add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,azure-auth-header,basicfuncs,cef,confgen,cryptofuncs,csvparser,dbparser,disk-buffer,examples,graphite,hook-commands,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,regexp-parser,sdjournal,secure-logging,stardate,syslogformat,system-source,tags-parser,tfgetent,timestamp
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Systemd: on 

Extracts from /etc/syslog-ng/syslog-ng.conf: 

#### START OF SYSLOG-NG.CONF CONFIGURATION FILE ####
@version:3.5
@include "scl.conf"
options {
 flush_lines (100);
 time_reopen (10);
 log_fifo_size (30000); # Default is 1000
 chain_hostnames (off);
 use_dns (yes); # This enables IP to hostname translation; this has no effect if keep_hostname() is enabled and message contains a hostname
 dns_cache(yes); # DNS caching to improve hostname translation
 dns-cache-size(2000); # Default is 1007
 dns-cache-expire(14400); # Default is 3600
 use_fqdn (yes); # This has no effect if keep_hostname() is enabled and message contains a hostname
 create_dirs (yes);
 keep_hostname (yes);
 threaded (yes);
};
source s_nas {
 network(ip(X.X.X.X) transport(tcp) port(514));
 network(ip(X.X.X.X) transport(udp) port(514) so-rcvbuf(26214400));
 tcp(ip(X.X.X.X) port(44514) max-connections(300) tls(
 key_file("/etc/syslog-ng/key.d/priv.key")
 cert_file("/etc/syslog-ng/cert.d/cert.pem")
 peer_verify(optional-untrusted))
 );
};

destination d_nas {
 file("/opt/$LOGHOST/logs/nas/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$YEAR$MONTH$DAY.log"
 template(t_splunk)
 dir-owner("splunk") dir-group("splunk") dir-perm(0750)
 owner("splunk") group("splunk") perm(0640));
}; 

log { source(s_nas); destination(d_nas); flags(flow-control);}; 

Thanks. 

On 2025-03-01 08:32, claudio at witel.it wrote:

> Hello syslog-ng community,
> 
> I get this warning at syslog-ng start (or restart) when running journalctl
> 
> [...]
> Feb 27 02:46:57 xxxsplunksyslog1 syslog-ng[2998304]: [2025-02-27T02:46:57.330923] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to value of min_iw_size_per_reader. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='3', new_log_iw_size='100', min_iw_size_per_reader='100', min_log_fifo_size='30000'
> Feb 27 02:46:57 xxxsplunksyslog1 systemd[1]: Started System Logger Daemon.
> 
> I thought the orig_log_iw_size value was coming from the formula log_iw_size/max_connections which should be 100/300=1/3
> What is this orig_log_iw_size='3' ?
> 
> Thanks. 
> 