[syslog-ng] TCP orig_log_iw_size='3', why?

claudio at witel.it claudio at witel.it
Sun Mar 2 14:40:45 UTC 2025 

 

Hello again, 

digging further into the documentation I found this first passage saying
the log-iw-size() default value is 1000 

[...]
Set the max-connections() parameter of the source to 300. However, the
log-fetch-limit() (default value: 10) parameter applies to every
connection of the source individually, while the log-iw-size() (default
value: 1000) parameter applies to the source. In a worst-case scenario,
the destination does not accept any messages, while all 300 connections
send at least log-fetch-limit() number of messages to the source during
every poll loop. 
[...]
Reference:
https://syslog-ng.github.io/admin-guide/080_Log/010_Flow_control/001_Configuring_flow_control.html
[4] 

Whilst in this other passage it is said to have a default value of 100 

[...]
Every message that syslog-ng OSE reads from the source lowers the window
size by one, every message that syslog-ng OSE successfully sends from
the output buffer increases the window size by one. If the window is
full (that is, its size decreases to zero), syslog-ng OSE stops reading
messages from the source. The initial size of the control window is by
default 100. If a source accepts messages from multiple connections, all
messages use the same control window.
[...]
Reference:
https://syslog-ng.github.io/admin-guide/080_Log/010_Flow_control/README.html


>From the behavior I observed with my syslog-ng.conf minimally edited
from the original one, it seems log-iw-size defaults to 1000. 

Claudio 

Il 2025-03-02 14:40 claudio at witel.it ha scritto: 

> Hello Balazs, 
> 
> thanks for your in depth answer, I sincerely appreciate your analysis and the time you spent in it. Really thanks. 
> 
> I have one doubt though, in my configuration I have max-connections(300) defined in this source: 
> 
> source s_nas {
> network(ip(X.X.X.X) transport(tcp) port(514));
> network(ip(X.X.X.X) transport(udp) port(514) so-rcvbuf(26214400));
> tcp(ip(X.X.X.X) port(44514) max-connections(300) tls(
> key_file("/etc/syslog-ng/key.d/priv.key")
> cert_file("/etc/syslog-ng/cert.d/cert.pem")
> peer_verify(optional-untrusted))
> ); 
> 
> and log-iw-size is not specified so it should be using the default (100?). I tried to get info on the default value for log-iw-size but in the administration manual the default value is left blank (am I looking in the wrong place? maybe). 
> 
> Anyway, on 3 different webinars available online I saw the log-iw-size defaults to 100 hence I would expect that 
> 
> orig_log_iw_size = log-iw-size / max-connections = 100/300 = 1/3 
> 
> that should (could) be approximated with 0 or maybe 1 but instead I get orig_log_iw_size=3 as the startup log shows this: 
> 
> Feb 27 02:46:57 xxxsplunksyslog1 syslog-ng[2998304]: [2025-02-27T02:46:57.330923] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to value of min_iw_size_per_reader. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='3', new_log_iw_size='100', min_iw_size_per_reader='100', min_log_fifo_size='30000'
> 
> Can you please explain? 
> 
> Thanks. 
> 
> Claudio 
> 
> Il 2025-03-02 13:22 Balazs Scheidler ha scritto: 
> 
> Hi, 
> 
> The default behaviour for window sizing is to divide the window into equal sized chunks for each of your possible connections. 
> 
> if your max-connections() is set to 100 and your log-iw-size() is set to 300, then each of your potential log connection would end up having 3 slots in their window. This can easily cause performance issues, therefore syslog-ng increases the window size to the value specified by min-iw-size-per-reader(), which defaults to 100. 
> 
> The warning message basically means that your log-iw-size() seems low compared to your max-connections() and syslog-ng is increasing the window size, so that each connection has 100 slots in their window. 
> 
> I'd recommend simply sizing max-connections() appropriately and then use a window size proportionate to that. A window size of 100 per connection should be good enough for moderate traffic. 
> 
> With that said, here's a breakdown of each of the values in that log message: 
> * orig_log_iw_size: the value your max-connections() and log-iw-size() determines, in case you have max-connections(100) and log-iw-size(300), that would yield 3 in this field (300/100) 
> * new_log_iw_size: the result of the clamping, e.g. since 3 is too small, syslog-ng upped the per-connection log-iw-size() to 100 (which happens to be the value of min_iw_size_per_reader() option) 
> * min_iw_size_per_reader: this is a configuration option that determines the threshold of this warning, what size window is considered too small 
> * min_log_fifo_size: this is the amount of messages that can be in flight with these settings, if all your connections (of which there's 300) fill their own window allocation (100 each), you can have 30000 messages in-flight. 
> 
> This should be less than the log-fifo-size() of your destination (each of them, if you are routing to multiple destinations), otherwise you could start losing data. 
> 
> The only downside of a higher number of in-flight messages is queue memory (or disk) usage. So as long as you have enough of these, you can just increase the log-iw-size() as recommended. 
> 
> NOTE: There were a few related changes in syslog-ng after this change was added: 
> * flow-controlled log paths never drop messages, even if their queues would become full. They will over-subscribe their queues instead (e.g. log-fifo-size() is ignored if the message is being forwarded along a flow controlled log path), this means that log-fifo-size(), is only considered for non-flow-controlled log paths. 
> * a dynamic-window() sizing feature was added, which allocates the window to individual connections in a less strict manner. 
> 
> Balazs 
> 
> On Sat, Mar 1, 2025 at 8:40 AM <claudio at witel.it> wrote: 
> 
> Hello syslog-ng community,
> 
> I get this warning at syslog-ng start (or restart) when running journalctl
> 
> [...]
> Feb 27 02:46:57 xxxsplunksyslog1 syslog-ng[2998304]: [2025-02-27T02:46:57.330923] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-connections(). The result was too small, clamping to value of min_iw_size_per_reader. Ensure you have a proper log_fifo_size setting to avoid message loss.; orig_log_iw_size='3', new_log_iw_size='100', min_iw_size_per_reader='100', min_log_fifo_size='30000'
> Feb 27 02:46:57 xxxsplunksyslog1 systemd[1]: Started System Logger Daemon.
> 
> I thought the orig_log_iw_size value was coming from the formula log_iw_size/max_connections which should be 100/300=1/3
> What is this orig_log_iw_size='3' ?
> 
> Thanks. ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng [1]
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng [2]
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq [3]
> 
> -- 
> 
> Bazsi 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng [1]
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng [2]
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq [3]

______________________________________________________________________________
 Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng [1]
 Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng [2]
 FAQ: http://www.balabit.com/wiki/syslog-ng-faq [3]

 

Links:
------
[1] https://lists.balabit.hu/mailman/listinfo/syslog-ng
[2] http://www.balabit.com/support/documentation/?product=syslog-ng
[3] http://www.balabit.com/wiki/syslog-ng-faq
[4]
https://syslog-ng.github.io/admin-guide/080_Log/010_Flow_control/001_Configuring_flow_control.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20250302/a4b137cb/attachment-0001.htm>

More information about the syslog-ng mailing list