<div dir="ltr"><div>I switched to 3.4.1 (multi-threaded) but still no respite from the TCP collapse issue.<br></div><div><br></div><div style>I tried to set so_rcvbuf to '51200000' and got this error:</div><div style>
<br></div><div style>"Starting syslog-ng: The kernel refused to set the receive buffer (SO_RCVBUF) to the requested size, you probably need to adjust buffer related kernel parameters; so_rcvbuf='51200000', so_rcvbuf_set='20971520'"<br>
</div><div style><br></div><div style>In terms of lps processed, may be it's just a case of Monday but I am seeing numbers as high as 40k consistently now with no drops to zero. Disk IO is low but more consistent between 4-8 Mbytes/sec.</div>
<div style><br></div><div style>In terms of multi-threading, not sure how well the code does it because I am seeing individual cores spike to 100% even when several others are at idle.</div><div style><br></div><div style>
<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 31, 2013 at 12:41 PM, Xuri Nagarin <span dir="ltr"><<a href="mailto:secsubs@gmail.com" target="_blank">secsubs@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Thanks Daniel. I think I owe you a six-pack of your favourite beer just for the script :) <div>
<br></div><div>Very interesting stats. For both hosts, lps ranges from anywhere between few hundred to 30K per second but falls to zero for several seconds. All the packet loss happens when the lps is peaking. What has me concerned is that lps falls to zero for 15-20 seconds at a time. During this period disk IO falls to near zero too and packet hemorrhaging pauses. </div>
<div><br></div><div>All my sources are tcp and there are only four of them but those are proprietary products so they may be sending data in batches/bursts. I will tweak the tcp source options and see what more I can squeeze out of this build of syslog-ng and the disks. But you are right - I do need to upgrade to the multi-threaded version asap. At some point, a single core process is going to stall on writing to disk and not be able to reap tcp buffers during that time.</div>
<div><br></div><div>I think the disk scheduler probably did not have any impact but one system has the disk scheduler tweak and other doesn't but I don't see any significant differences with packet loss on either. </div>
<div><br></div><div>Right now, I think the issue simply is that when a burst of data comes in, the single core syslog-ng blocks of IO and cannot switch back to reading TCP buffers fast enough to clear up everything in the buffer. High network IO, high Disk IO, high lps and packet loss - all match up.</div>
<div><br></div><div>A larger receive buffer for the tcp source in syslog config will be a band-aid, I think until I can build a multi-threaded syslog-ng. Eventually, given that these are 7200RPM disks in RAID-1, the disk sub-system will start being a bottleneck but by then, hopefully, I will find a host with better disk througput :-)</div>
<div><br></div><div><br></div><div><br></div></div><div class=""><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 31, 2013 at 2:41 AM, Daniel Neubacher <span dir="ltr"><<a href="mailto:daniel.neubacher@xing.com" target="_blank">daniel.neubacher@xing.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<div style="direction:ltr;font-size:10pt;font-family:Tahoma">I've forgot to ask for your syslog source settings.
<div>Here is my cfg. Maybe it helps. </div>
<div><br>
</div>
<div>
<div>tcp(</div>
<div> log_fetch_limit(1000)</div>
<div> max-connections(5000)</div>
<div> so_rcvbuf(51200000)</div>
<div> keep_timestamp(yes)</div>
<div> port(514)</div>
<div> log-iw-size(500000)</div>
<div>);</div>
<div><br>
</div>
<div style="font-size:16px;font-family:'Times New Roman'">I've got it from a great artice <a href="http://codeascraft.com/2012/08/13/performance-tuning-syslog-ng/" style="font-family:Tahoma;font-size:10pt" target="_blank">http://codeascraft.com/2012/08/13/performance-tuning-syslog-ng/</a></div>
<div style="font-size:16px;font-family:'Times New Roman'"><br>
</div>
<div style="font-size:16px;font-family:'Times New Roman'"><br>
</div>
<div style="font-size:16px;font-family:'Times New Roman'"><br>
<hr>
<div style="direction:ltr"><font face="Tahoma" color="#000000"><div><b>Von:</b> <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a> [<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]" im Auftrag von "Xuri Nagarin [<a href="mailto:secsubs@gmail.com" target="_blank">secsubs@gmail.com</a>]<br>
</div><b>Gesendet:</b> Freitag, 31. Mai 2013 10:12<div><br>
<b>An:</b> Syslog-ng users' and developers' mailing list<br>
</div><b>Betreff:</b> Re: [syslog-ng] TCP packet collapse errors<br>
</font><br>
</div><div><div>
<div></div>
<div>
<div dir="ltr">
<div>Thanks for the quick response, Daniel.</div>
<div><br>
</div>
I look at statistics for an hour before tweaking flush_lines to zero and setting log_fifo_size to 10000. In that period, syslog-ng reported processing 7,898,310,589 messages across all destinations and dropped 4,200,260.
<div><br>
</div>
<div>After making the change (flush_lines set to 0 and log_fifo_size to 10000), I looked at three sets (half hour) of stats (default, every 10 minutes). The dropped messages are now zero across all destinations.</div>
<div><br>
</div>
<div>But the collapsed TCP packets count keeps incrementing. I ran 'iostat -xm 5' and "watch -d 'netstat -s | grep collpased' " in two windows side-by-side. Each time that disk IO spikes up, the TCP collapsed counter starts incrementing. Disk IO remains almost
zero for about half a minute and then spikes up to ~4-25 Mbytes/sec for half a minute.</div>
<div><br>
</div>
<div>Does this mean I need to bump up log_fifo_size even higher? I think ideally we want the disk to be consistently written to instead of bursts of write activity. Right?</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, May 30, 2013 at 10:56 PM, Daniel Neubacher <span dir="ltr">
<<a href="mailto:daniel.neubacher@xing.com" target="_blank">daniel.neubacher@xing.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<div style="direction:ltr;font-size:10pt;font-family:Tahoma">
<div><span style="font-family:'Times New Roman';font-size:16px">I don't know how much logs you are getting but should tweak "</span><span style="font-family:'Times New Roman';font-size:16px">log_fifo_size (1000);" to a higher number. Your </span><span style="font-family:'Times New Roman';font-size:16px">flush_lines
is really high too.. I tested around with flush lines but I ended setting it to 0 with 50k log per second. And they greatest of all tweaks would be a newer syslog version because of the threading.</span></div>
<div style="font-size:16px;font-family:'Times New Roman'">
<hr>
<div style="direction:ltr"><font face="Tahoma" color="#000000"><b>Von:</b> <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">
syslog-ng-bounces@lists.balabit.hu</a> [<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]" im Auftrag von "Xuri Nagarin [<a href="mailto:secsubs@gmail.com" target="_blank">secsubs@gmail.com</a>]<br>
<b>Gesendet:</b> Freitag, 31. Mai 2013 07:46<br>
<b>An:</b> Syslog-ng users' and developers' mailing list<br>
<b>Betreff:</b> [syslog-ng] TCP packet collapse errors<br>
</font><br>
</div>
<div>
<div>
<div></div>
<div>
<div dir="ltr">I have a pair of Syslog-NG servers running 3.2.5-3. The hardware specs are - Quad Xeon E5-2680 (32 cores), 32GB RAM, and two 1TB SAS 7200 RPM disks in RAID-1.
<div> </div>
<div>OS is RHEL6.2 - Kernel 2.6.32-279.5.2. Filesystem is ext3.</div>
<div><br>
</div>
<div>Global options are set as:</div>
<div>
<div>options {</div>
<div><span style="white-space:pre-wrap"></span>flush_lines (1000);</div>
<div><span style="white-space:pre-wrap"></span>time_reopen (10);</div>
<div><span style="white-space:pre-wrap"></span>log_fifo_size (1000);</div>
<div><span style="white-space:pre-wrap"></span>long_hostnames (off);</div>
<div><span style="white-space:pre-wrap"></span>use_dns (no);</div>
<div><span style="white-space:pre-wrap"></span>use_fqdn (no);</div>
<div><span style="white-space:pre-wrap"></span>create_dirs (yes);</div>
<div><span style="white-space:pre-wrap"></span>keep_hostname (yes);</div>
<div><span style="white-space:pre-wrap"></span>keep_timestamp(yes);</div>
<div><span style="white-space:pre-wrap"></span>dir_group("syslog");</div>
<div><span style="white-space:pre-wrap"></span>perm(0640);</div>
<div><span style="white-space:pre-wrap"></span>dir_perm(0750);</div>
<div><span style="white-space:pre-wrap"></span>group("syslog");</div>
<div>};</div>
<div><br>
</div>
<div>I have already set TCP kernel buffers to 128MB max and set disk scheduler to "deadline".</div>
<div><br>
</div>
<div>But even under light disk IO load, from ~8-25MB, I see "1320811067 packets collapsed in receive queue due to low socket buffer". I had some other processes on the host writing to disk. Stopping them reduced the packet errors but this number still keeps
incrementing.</div>
<div><br>
</div>
<div>To rule out other issues, I temporarily pointed my disk-based destinations to /dev/null and then packet losses/errors stopped. So either Syslog-NG isn't able to write to disk fast enough or there is an underlying OS/hardware issue.</div>
<div><br>
</div>
<div>Both hosts have the same issue. Any pointers in troubleshooting it will be appreciated.</div>
<div><br>
</div>
<div>TIA.</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div></div></div>
</div>
</div>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>