Re: Syslog dropping messages, udp buffer full

From: John Haxby <john.haxby_at_oracle.com>
Date: Sun, 6 Feb 2011 22:32:57 +0000

On 31 Jan 2011, at 16:07, Lynch, Jonathan wrote:

> Hi there,
>
> We have been using remote syslogging on RHEL5. However, after starting the service, it takes longer and longer for the messages to appear in the log file until they are missed entirely, or only part of a set of messages will be received.

Hmm.

>
> I checked the udp stats, and it showed many UDP receive errors. However, a network dump reveals that the packets are reaching the computer properly.
>
> I tried increasing the udp buffers, but that merely increased the time it takes before the buffer gets full and messages start getting dropped.
>
> Any ideas?

I wonder if you're looking up hostnames or similar and it's taking a long time. Logging to a remote host involves a hostname lookup every time and ideally that should be nice and quick. I think there's also a hostname lookup on the receiving host, or rather an IP address lookup.

You could try checking that your DNS is properly set up (if you're using DNS for hostnames and IP addresses) as it does sound as though you have, for example, a bad name server in /etc/resolv.conf.

If you're sending or receiving a lot of messages then you should consider running nscd which will cache things and help somewhat.

jch
Received on Sun Feb 06 2011 - 23:32:57 CET
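
An added example, not part of the original messages: one way to check both observations in the thread, by measuring how many UDP datagrams the receiver dropped between two `/proc/net/snmp` snapshots and by timing reverse lookups on the log host. The snapshot values are constructed, and the function names are this example's own.

```python
import socket
import time

# Constructed samples in /proc/net/snmp format (not taken from the thread).
SNAP_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100000 12 40 900 40 0
"""
SNAP_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 104000 12 1040 950 1040 0
"""

def parse_udp(snmp_text):
    """Return the Udp counters from /proc/net/snmp text as a dict."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    if len(rows) != 2:
        raise ValueError("expected one Udp header line and one Udp value line")
    names, values = rows
    return dict(zip(names, map(int, values)))

def udp_drop_report(before, after):
    """Counter deltas between two snapshots, plus the fraction of datagrams dropped."""
    b, a = parse_udp(before), parse_udp(after)
    delta = {k: a[k] - b[k] for k in a if k in b}
    # InDatagrams counts delivered datagrams; InErrors counts those discarded.
    arrived = delta["InDatagrams"] + delta["InErrors"]
    delta["drop_ratio"] = delta["InErrors"] / arrived if arrived else 0.0
    return delta

def time_lookups(addrs, resolver=socket.gethostbyaddr):
    """Time one reverse lookup per address; failed lookups are timed too."""
    results = []
    for addr in addrs:
        start = time.monotonic()
        try:
            resolver(addr)
            ok = True
        except OSError:  # socket.herror and socket.gaierror are subclasses
            ok = False
        results.append((addr, time.monotonic() - start, ok))
    return results

if __name__ == "__main__":
    print(udp_drop_report(SNAP_BEFORE, SNAP_AFTER))
    for addr, secs, ok in time_lookups(["127.0.0.1"]):
        print(f"{addr}: {secs * 1000:.1f} ms, resolved={ok}")
```

On a live host, read `/proc/net/snmp` twice a few seconds apart and pass the sending hosts' addresses to `time_lookups`; lookups that take seconds rather than milliseconds point at the resolver configuration.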
