
messages overflowed and oversize message

Recently I was poking around in setup on Kiwi Syslog and noticed a couple of alerts that were not turned on.  We have had Syslog for many years and I had left them off because it was a default setting. So now they are on and we are getting alerts about "# messages overflowed the message queue this hour."

I have several questions:

1.     If messages are overflowing, are they lost? In other words, these are messages that will not show up in the logs?

2.     I found information on how to increase the buffer size at this link: Kiwi Syslog Daemon. It refers to changing a registry key. But, I can't find the registry key to edit. Any ideas on how to get the reg keys in there or why I don't have them?

3.     In the statistics in the alert, there are counts of Errors - Oversize message. Could this be causing the messages to overflow? Is there a quick and easy way to figure out which device is sending the oversize messages?

4.     Is this why it is turned off by default? I'm half joking here about all of my questions.

Thanks,

castlemve

  • If the messages overflow the buffer they are never processed by the syslog engine and are lost.

    For the buffer registry entry, make sure you are looking in the correct part of the registry. Kiwi Syslog is a 32-bit app and runs in WOW. The help file includes info on this. If the key does not exist you can add it.

    Oversize messages are just messages that are larger than the maximum message length set in 'Modifiers'. I believe the default is 1024 characters. We set ours to 8192. This would not be causing the overflows; that is simply too many messages for the server to handle. Increasing the buffer size will help but only to lessen the impact of a short spike. If the messages are coming in faster than the server can process them, the larger buffer will also eventually fill and drop messages. Larger buffers also impact the time that a message is processed. When our buffer (750000) is full we are processing messages that are 20-25 minutes old.

    There is not a default way to determine the hosts sending oversize messages.  I'm guessing it could be scripted but haven't looked at it.  With the max size set to 8192 we rarely see oversize messages.

    I think the alerting for the message queue is important but probably not something the majority of the Kiwi customers would need.  By the time you have overflows your server is over capacity and you've dropped messages.  The max message count alert is a better indicator of impending issues.
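
One way the per-host oversize tally mentioned in the reply above could be scripted, as an added example that is not part of the original thread or of Kiwi Syslog. It assumes the devices' syslog is temporarily duplicated to a spare UDP port (5514 here, hypothetical) because the Kiwi service already holds its own listening port, and it measures length over the whole datagram payload; the function names and sample datagrams are constructed for illustration.

```python
import socket
from collections import Counter

MAX_LEN = 1024  # default maximum message length cited in the reply (they raised theirs to 8192)

def tally_oversize(datagrams, max_len=MAX_LEN):
    """Count, per source address, datagrams whose text is longer than max_len.

    datagrams: iterable of (source_ip, payload_bytes) pairs.
    Returns {source_ip: (oversize_count, largest_length_seen)}, busiest host first.
    """
    counts, largest = Counter(), {}
    for src, payload in datagrams:
        # The limit is in characters: decode leniently so one bad byte cannot abort
        # the tally, and ignore trailing line terminators or NUL padding.
        length = len(payload.decode("utf-8", errors="replace").rstrip("\r\n\x00"))
        if length > max_len:
            counts[src] += 1
            largest[src] = max(largest.get(src, 0), length)
    return {src: (n, largest[src]) for src, n in counts.most_common()}

def receive(port, limit, bind="0.0.0.0", timeout=60.0):
    """Yield up to `limit` (source_ip, payload) pairs from UDP syslog arriving on `port`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        sock.settimeout(timeout)
        for _ in range(limit):
            try:
                # 65535 bytes covers the largest possible UDP payload, so nothing is cut short.
                payload, (src, _sport) = sock.recvfrom(65535)
            except socket.timeout:
                return
            yield src, payload

# Constructed sample datagrams (not real traffic): one host sends long messages.
SAMPLE = [
    ("192.0.2.10", b"<134>Oct 11 22:14:15 fw01 short message"),
    ("192.0.2.20", b"<134>Oct 11 22:14:16 app01 " + b"A" * 2000),
    ("192.0.2.20", b"<134>Oct 11 22:14:17 app01 " + b"B" * 1500),
    ("192.0.2.10", b"<134>Oct 11 22:14:18 fw01 " + b"C" * 990 + b"\n"),
]

if __name__ == "__main__":
    for host, (count, biggest) in tally_oversize(SAMPLE).items():
        print(f"{host}: {count} oversize, largest {biggest} chars")
    # Live use on the assumed spare port: tally_oversize(receive(5514, limit=10000))
```

Set `max_len` to the value configured under 'Modifiers' so the tally matches what the server counts as oversize.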