Re: Logging to syslog from clients

On Tue, Aug 16, 2011 at 10:46, Wido den Hollander <wido@xxxxxxxxx> wrote:
> I also had that issue, but when using rsyslogd and using TCP for
> transport instead of UDP I wasn't able to see any dropped packets.
>
> To my experience it's not syslog dropping the packets, but UDP packets
> which get lost due to buffers being full at the kernel.

A TCP syslog connection will drop messages if the kernel's outgoing
TCP buffer gets full. You can see this in "ss --tcp" (old school:
"netstat -nt") output column Send-Q.

UDP loses messages even faster because it effectively doesn't have an
outgoing buffer (it does, but it'll blast the contents on the wire
ASAP). That is, UDP syslog loses messages easily if the bottleneck is
anywhere else than in the outgoing network interface; TCP syslog gives
you a TCP window size of grace to handle peaks.

Even syslog over UNIX domain sockets can lose messages, if the
receiving process is too slow and the buffers fill up.


Basically, in logging, you have two choices when buffers get full:
pause the program/thread until buffer space is available (using e.g.
straight writes to file, or runit/daemontools-style logging to
stdout), or lose log messages (decision made by glibc/POSIX for you).
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
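
The two choices described in the message above, shown as an added example that is not part of the original post or of Ceph's code: a writer sends to a reader that never drains its socket, once with a drop-on-full policy and once with a blocking policy. It assumes Linux and uses a connected AF_UNIX datagram socketpair as a stand-in for the log socket; `send_with_policy`, `MSG` and the 0.2 s timeout that stands in for an indefinite block are hypothetical names and values.

```python
import socket

MSG = b"<14>app: constructed sample log line " + b"x" * 200  # constructed input

def send_with_policy(policy, n_messages=2000):
    """Send n_messages to a reader that never reads; policy is 'drop' or 'block'.

    Returns counts of queued and dropped messages, whether the writer
    stalled, and how many messages the reader can later recover.
    """
    # Assumption: a connected AF_UNIX datagram pair stands in for the log socket.
    tx, rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # Small send buffer so the full condition is reached quickly.
        tx.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)
        if policy == "drop":
            tx.setblocking(False)   # full buffer -> EAGAIN, message discarded
        else:
            tx.settimeout(0.2)      # stand-in for a write that blocks indefinitely
        queued = dropped = 0
        stalled = False
        for _ in range(n_messages):
            try:
                tx.send(MSG)
                queued += 1
            except BlockingIOError:
                dropped += 1        # lose the message, keep running
            except socket.timeout:
                stalled = True      # a real blocking writer would still be paused here
                break
        # Drain the reader side to confirm only the queued messages survived.
        rx.setblocking(False)
        recovered = 0
        while True:
            try:
                rx.recv(4096)
                recovered += 1
            except BlockingIOError:
                break
        return {"queued": queued, "dropped": dropped,
                "stalled": stalled, "recovered": recovered}
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    for policy in ("drop", "block"):
        print(policy, send_with_policy(policy))
```

With the drop policy the program finishes but the reader can recover only the messages that fit in the buffer; with the blocking policy nothing is lost but the writer stops making progress at the first full buffer.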

