반품
-
제목
UDP Log Throughput Degraded -
설명
NOTE: This is for UDP based transit logs only.
When performing a TCPDump the incoming volume of logs is higher than the outgoing logs, thus a discrepancy exists.
Syslog-ng stats may show that the number of incoming matches the number of outgoing logs.
-
원인
DNS resolution for logs coming in with an IP address is either taking too long, or the DNS requests are being blocked causing a timeout which in turn can cause UDP logs to be dropped due to the buffer filling up.
This is not an issue within Syslog-ng as DNS resolution happens before the log is accepted within Syslog-ng which is why statistics will show an equal amount of logs both processed and sent through to the destination. The logs are held in the kernel's Receive Queue (Recv-Q) and are lost therein should that buffer fill up. -
해결 방안
Resolution 1
Please ensure if using DNS resolution for logs (use-dns(yes) would be set in the configuration) that the DNS servers listed are correct and that they are responding in a timely manner to any and all requests from the host.
Resolution 2
Please ensure that DNS requests are not being blocked. A blocked DNS request can cause a timeout before the log is processed, thus the log is kept in the receive buffer and may be lost if the buffer fills up.
Resolution 3
Change the DNS resolution option to no: use-dns(no). By default this value is yes even if the option is not present in the configuration.