Hi All,<br><br>I am using syslog-ng OSE and am seeing high CPU usage.
Could you please point out whether this could be a config/rules issue or
a syslog-ng internal issue?<br><br>CPU usage in sorted order : 0.0 11.9 16.6 22.2 25.0 25.0 25.0 25.0 33.3 33.3 50.0<br>------------------------------------------<br># syslog-ng --version<br>syslog-ng 3.3.5<br>Installer-Version: 3.3.5<br>
Revision:<br>Compile-Date: Apr 20 2012 04:47:44<br>Default-Modules: afsocket,affile,afprog,afuser,basicfuncs,syslogformat,dbparser<br>Available-Modules: syslogformat,dbparser,afuser,basicfuncs,afmongodb,convertfuncs,afprog,dummy,afsocket,confgen,affile,csvparser<br>
Enable-Debug: off<br>Enable-GProf: off<br>Enable-Memtrace: off<br>Enable-IPv6: on<br>Enable-Spoof-Source: off<br>Enable-TCP-Wrapper: off<br>Enable-Linux-Caps: off<br>Enable-Pcre: off<br>-----------<br>Here is the code snippet to send syslog messages to syslogger<br>
<br>for(i=0; i<500;i++) {<br> // this is the message format we are following<br>
syslog(LOG_INFO, "%s, %s, %d, %s, %s, %s %d,
%s", "00:00:18","XYZ",getpid(),"Info","xyz.c", "Func1", 100, "WelCome to
Syslog" );<br>}<br><br>---------------------<br># cat /proc/cpuinfo<br>Processor : ARMv7 Processor rev 10 (v7l)<br>processor : 0<br>BogoMIPS : 1988.29<br><br>processor : 1<br>BogoMIPS : 1988.29<br>
<br>Features : swp half thumb fastmult vfp edsp neon vfpv3<br>CPU implementer : 0x41<br>CPU architecture: 7<br>CPU variant : 0x2<br>CPU part : 0xc09<br>CPU revision : 10<br><br>------------------------------<br>
<br>syslog-ng config:<br><br>@version: 3.3<br><br>######<br># options<br><br>options {<br> # disable the chained hostname format in logs<br> # (default is enabled)<br> chain_hostnames(0);<br><br> # the time to wait before a dead connection is re-established<br>
# (default is 60)<br> time_reopen(10);<br><br> # the time to wait before an idle destination file is closed<br> # (default is 60)<br> time_reap(360);<br><br> # the number of lines buffered before written to file<br>
# you might want to increase this if your disk isn't keeping up with<br> # all the log messages you get or if you want less disk activity<br> flush_lines(5);<br> flush_timeout(500);<br><br> # the number of lines fitting in the output queue<br>
log_fifo_size(10000);<br><br> # enable or disable directory creation for destination files<br> create_dirs(yes);<br><br> # default owner, group, and permissions for log files<br> # (defaults are 0, 0, 0600)<br>
#owner(root);<br> group(root);<br> perm(0640);<br><br> frac_digits(4);<br><br> # Override the global timestamp format<br> #(set in the global ts_format() parameter) for the specific destination.<br>
ts_format(iso);<br><br> # default owner, group, and permissions for created directories<br> # (defaults are 0, 0, 0700)<br> #dir_owner(root);<br> dir_perm(0755);<br><br> # enable or disable DNS usage<br>
# syslog-ng blocks on DNS queries, so enabling DNS may lead to<br> # a Denial of Service attack<br> # (default is yes)<br> use_dns(no);<br><br> # maximum length of message in bytes<br> # this is only limited by the program listening on the /dev/log Unix<br>
# socket, glibc can handle arbitrary length log messages, but -- for<br> # example -- syslogd accepts only 1024 bytes<br> # (default is 2048)<br> #log_msg_size(2048);<br><br> # print statistic information only once every hour (it is not really needed)<br>
stats_freq(3600);<br>};<br><br><br>######<br># sources<br><br># all known message sources<br>source s_all {<br> # message generated by Syslog-NG<br> internal();<br><br> # standard Linux log source (this is the default place for the syslog()<br>
# function to send logs to)<br> unix-dgram("/dev/log" program_override("mylogger: "));<br><br> # messages from the kernel<br> file("/proc/kmsg" program_override("kernel: "));<br>
# use the following line if you want to receive remote UDP logging messages<br> # (this is equivalent to the "-r" syslogd flag)<br> # udp();<br>};<br><br>########<br>#templates<br>#template t_default { template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"); template_escape(no); };<br>
#template t_logtty { template("${MSG}\n"); template_escape(no); };<br><br>template t_restmsg_notempty { template("${PROGRAM} ${date} ${cname}[${processId}] ${type} (${source}:${line}) ${Restmsg}\n"); };<br>
template t_restmsg_empty { template("${PROGRAM} ${FACILITY} ${LEVEL} ${MSG}\n"); };<br><br><br><br>######<br># destinations<br><br>destination d_log_notempty { file("/var/my_log" template(t_restmsg_notempty)); };<br>
#destination d_log_notempty { file("/dev/console" template(t_restmsg_notempty)); };<br>destination d_log_empty { file("/var/my_log" template(t_restmsg_empty)); };<br><br><br><br>destination authlog { file("/var/log/auth.log"); };<br>
destination debug { file("/var/log/debug"); };<br>destination messages { file("/var/log/messages"); };<br>destination _syslog { file("/var/log/syslog"); };<br>destination cron { file("/var/log/cron.log"); };<br>
destination daemon { file("/var/log/daemon.log"); };<br>destination lpr { file("/var/log/lpr.log"); };<br>destination user { file("/var/log/user.log"); };<br>destination uucp { file("/var/log/uucp.log"); };<br>
destination mail { file("/var/log/mail.log"); };<br>destination kern { file("/var/log/kern.log"); };<br>destination mailinfo { file("/var/log/mail.info"); };<br>
destination mailwarn { file("/var/log/mail.warn"); };<br>destination mailerr { file("/var/log/mail.err"); };<br>destination newscrit { file("/var/log/news/news.crit"); };<br>destination newserr { file("/var/log/news/news.err"); };<br>
destination newsnotice { file("/var/log/news/news.notice"); };<br><br><br>######<br># filters<br><br># all messages from the auth and authpriv facilities<br>filter f_restmsg_notempty {match(".+" value("Restmsg"));};<br>
filter f_restmsg_empty {not match(".+" value("Restmsg"));};<br><br># all messages except from the auth and authpriv facilities<br><br>filter f_auth { facility(auth); };<br>filter f_authpriv { not facility(auth, authpriv); };<br>
#filter f_debug { level(notice) and not facility(auth, authpriv, news, mail); };<br>filter f_emergency { level(emerg); };<br>filter f_info { level(info); };<br>filter f_notice { level(notice); };<br>filter f_warn { level(warn); };<br>
filter f_crit { level(crit); };<br>filter f_err { level(err); };<br>#filter f_syslog { not facility(authpriv, mail ); };<br>filter f_syslog { program(syslog-ng); };<br>filter f_cron { facility(cron); };<br>filter f_daemon { facility(daemon); };<br>
filter f_kern { facility(kern); };<br>filter f_mail { facility(mail); };<br>filter f_user { facility(user); and level(error) };<br>filter f_uucp { facility(uucp); };<br>filter f_news { facility(news); };<br>filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };<br>
<br>filter f_all_info {<br> not match("Info", value("type"), type("string"));<br> };<br><br>filter f_all_generic{ not match("Generic", value("cname"), type("string")); };<br>
<br>parser p_db {db_parser(<br>file("/etc/syslog-ng/rules/rules.xml")<br>);};<br><br>log {source(s_all);parser(p_db);filter(f_restmsg_notempty);destination(d_log_notempty); };<br>#log { source(s_all); filter(f_authpriv); destination(authlog); };<br>
log { source(s_all); filter(f_syslog); destination(_syslog); };<br>log { source(s_all); filter(f_cron); destination(cron); };<br>log { source(s_all); filter(f_daemon); destination(daemon); };<br>log { source(s_all); filter(f_kern); destination(kern); };<br>
log { source(s_all); filter(f_mail); destination(mail); };<br>log { source(s_all); filter(f_user); destination(user); };<br>#log { source(s_all); filter(f_debug); destination(debug); };<br>-------------------------------------------------------------------------------------<br>
<br>rules.xml:<br><patterndb version='4' pub_date='2012-02-17'><br><ruleset name='root' id='123456678'><br><pattern>mylogger</pattern><br><rules><br><rule provider='test' id='182437592347598' class='system'><br>
<patterns><br><pattern>@ESTRING:date:,@
@ESTRING:cname:,@ @ESTRING:processId:,@ @ESTRING:type:,@
@ESTRING:source:,@ @ESTRING:line:,@ @ANYSTRING:Restmsg:
@</pattern><br></patterns><br></rule><br></rules><br></ruleset><br></patterndb><br>---------------------------------------------------------------------------------------------<br><br>
<br>Thanks,<br>pattarsatish<br clear="all"><br><br>