[syslog-ng] TCP orig_log_iw_size='3', why?

claudio at witel.it claudio at witel.it
Sun Mar 2 13:40:55 UTC 2025 

 

Hello Balazs, 

thanks for your in depth answer, I sincerely appreciate your analysis
and the time you spent in it. Really thanks. 

I have one doubt though, in my configuration I have max-connections(300)
defined in this source: 

source s_nas {
 network(ip(X.X.X.X) transport(tcp) port(514));
 network(ip(X.X.X.X) transport(udp) port(514) so-rcvbuf(26214400));
 tcp(ip(X.X.X.X) port(44514) max-connections(300) tls(
 key_file("/etc/syslog-ng/key.d/priv.key")
 cert_file("/etc/syslog-ng/cert.d/cert.pem")
 peer_verify(optional-untrusted))
 ); 

and log-iw-size is not specified so it should be using the default
(100?). I tried to get info on the default value for log-iw-size but in
the administration manual the default value is left blank (am I looking
in the wrong place? maybe). 

Anyway, on 3 different webinars available online I saw the log-iw-size
defaults to 100 hence I would expect that 

orig_log_iw_size = log-iw-size / max-connections = 100/300 = 1/3 

that should (could) be approximated with 0 or maybe 1 but instead I get
orig_log_iw_size=3 as the startup log shows this: 

Feb 27 02:46:57 xxxsplunksyslog1 syslog-ng[2998304]:
[2025-02-27T02:46:57.330923] WARNING: window sizing for tcp sources were
changed in syslog-ng 3.3, the configuration value was divided by the
value of max-connections(). The result was too small, clamping to value
of min_iw_size_per_reader. Ensure you have a proper log_fifo_size
setting to avoid message loss.; orig_log_iw_size='3',
new_log_iw_size='100', min_iw_size_per_reader='100',
min_log_fifo_size='30000'

Can you please explain? 

Thanks. 

Claudio 

Il 2025-03-02 13:22 Balazs Scheidler ha scritto: 

> Hi, 
> 
> The default behaviour for window sizing is to divide the window into equal sized chunks for each of your possible connections. 
> 
> if your max-connections() is set to 100 and your log-iw-size() is set to 300, then each of your potential log connection would end up having 3 slots in their window. This can easily cause performance issues, therefore syslog-ng increases the window size to the value specified by min-iw-size-per-reader(), which defaults to 100. 
> 
> The warning message basically means that your log-iw-size() seems low compared to your max-connections() and syslog-ng is increasing the window size, so that each connection has 100 slots in their window. 
> 
> I'd recommend simply sizing max-connections() appropriately and then use a window size proportionate to that. A window size of 100 per connection should be good enough for moderate traffic. 
> 
> With that said, here's a breakdown of each of the values in that log message: 
> * orig_log_iw_size: the value your max-connections() and log-iw-size() determines, in case you have max-connections(100) and log-iw-size(300), that would yield 3 in this field (300/100) 
> * new_log_iw_size: the result of the clamping, e.g. since 3 is too small, syslog-ng upped the per-connection log-iw-size() to 100 (which happens to be the value of min_iw_size_per_reader() option) 
> * min_iw_size_per_reader: this is a configuration option that determines the threshold of this warning, what size window is considered too small 
> * min_log_fifo_size: this is the amount of messages that can be in flight with these settings, if all your connections (of which there's 300) fill their own window allocation (100 each), you can have 30000 messages in-flight. 
> 
> This should be less than the log-fifo-size() of your destination (each of them, if you are routing to multiple destinations), otherwise you could start losing data. 
> 
> The only downside of a higher number of in-flight messages is queue memory (or disk) usage. So as long as you have enough of these, you can just increase the log-iw-size() as recommended. 
> 
> NOTE: There were a few related changes in syslog-ng after this change was added: 
> * flow-controlled log paths never drop messages, even if their queues would become full. They will over-subscribe their queues instead (e.g. log-fifo-size() is ignored if the message is being forwarded along a flow controlled log path), this means that log-fifo-size(), is only considered for non-flow-controlled log paths. 
> * a dynamic-window() sizing feature was added, which allocates the window to individual connections in a less strict manner. 
> 
> Balazs 
> 
> On Sat, Mar 1, 2025 at 8:40 AM <claudio at witel.it> wrote: 
> 
>> Hello syslog-ng community,
>> 
>> I get this warning at syslog-ng start (or restart) when running journalctl
>> 
>> [...]
>> Feb 27 02:46:57 xxxsplunksyslog1 syslog-ng[2998304]: [2025-02-27T02:46:57.330923] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to value of min_iw_size_per_reader. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='3', new_log_iw_size='100', min_iw_size_per_reader='100', min_log_fifo_size='30000'
>> Feb 27 02:46:57 xxxsplunksyslog1 systemd[1]: Started System Logger Daemon.
>> 
>> I thought the orig_log_iw_size value was coming from the formula log_iw_size/max_connections which should be 100/300=1/3
>> What is this orig_log_iw_size='3' ?
>> 
>> Thanks. ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng [1]
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng [2]
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq [3]
> 
> -- 
> 
> Bazsi 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng [1]
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng [2]
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq [3]
 

Links:
------
[1] https://lists.balabit.hu/mailman/listinfo/syslog-ng
[2] http://www.balabit.com/support/documentation/?product=syslog-ng
[3] http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20250302/ad4444d2/attachment.htm>

More information about the syslog-ng mailing list