Hello,

My issue here is that rsyslog seems to be dropping data. I first installed Debian 5 on a old HP Proliant server that has 1gb of ram and 1TB of storage in old ass disk array. While the server is old it is not THAT old and runs all tasks fine. I pushed my firewall traffic logs plus some Windows server event logs to this server. When I view the syslog in real time there is always a 5-6 minute delay in the logs I am seeing. On top of that it seems to be dropping logs, so I setup a test in Host Monitor software that I use to send a test message log to the Debian server every 15 minutes, and they are numbered sequentially. So when I grep those messages I should see them all in numbered sequence, however I do not, many messages missing meaning somewhere those logs are being lost.

So in thinking that the server hardware might be too old I installed Ubuntu 10.10 on a Dell Optiplex 380, Dual Core, 3gb's of ram, plenty of disk space and by all means a pretty fast machine. I pushed all the traffic to this box now and the 5-6 minute lag seems to have disappeared, however when I run the Host Monitor test I am still seeing logs being lost. So I imagine that hardware is not the issue here. Could it be UDP just being unreliable? Or do I have a configuration issue? I imagine that any version of linux on just about any respectable box should be able to keep up with the log traffic I am forwarding to it, no?

Thanks,

-Chris

Part of the UDP spec is that is designed to be 'unreliable'; more accurately, it's not designed to be reliable. If the network gets busy, it's allowed to drop UDP pkts.
TCP is built to be a reliable cxn more like a telephone. UDP is like snailmail, with optional dropped pkts.