Folks,
I’m a newbie to syslog-ng. Everything is working in my environment, running 2.0.8. But, when I try to stress the server I drop messages.
I’m running from another physical server:
    ./loggen -D -s 111 -r 2000 -I 1 <hostname> 514 ; date
    average rate = 1818.00 msg/sec, count=1818
    Thu Mar 6 18:07:17 MST 2008
The syslog-ng server is in a Solaris 10 non-global zone; my auth.info is going to /var/adm/ssh_DAY.log.
    date ; tail /var/adm/ssh_06.log | awk '/runid/ {print $9}' | sort -u | xargs -i egrep {} /var/adm/ssh_06.log | wc -l
    Thu Mar 6 18:07:23 MST 2008
    1233
So, I’m dropping packets. I’ve stopped syslog-ng and started standard syslog. Syslog logs all my messages to the file when using a rate of 2000/sec. As you can see from above, in my syslog-ng environment I lose about a 3rd. When I use a rate of 1000/sec, it is not quite as bad, but I do drop a significant amount of messages.
I’ve read: http://www.l3jane.net/doc/server/syslog-ng/#tuning
I’ve toyed with:
    log_fifo_size (using values like 1000, 5000, 10000, 50000)
    log_fetch_limit (using values like 100, 200, 2000)
    sync (using values like 20, 40, 50, 100)
I have “use_dns (no)” – turning that off first. Also, I commented out all but two sources, the one filter, the one log line.
    source s_ip148 { udp (ip(<x>.<y>.<z>.148)); };
    source s_ip248 { udp (ip(<x>.<y>.<z>.248)); };
<x>, <y>, <z> are obviously replaced in our environment with the octets for the subnet.
Before trying standard syslog, I was running snoop in my global zone to ensure all the UDP packets were arriving. The count always matched the count shown by loggen.
Since I can see all the messages with standard syslog in this Sol 10 non-global zone, I’ve ruled out:
· the zone being an issue.
· UDP tuning for the Solaris 10 host.
· The internal hard drive i/o speed from being an issue.
Looking at the log messages, I’m not hitting some cap (e.g. 1233) and then not logging any more. Random gaps (both of frequency and size) are seen throughout.
Can someone give me some pointers?
Thanks in advance,
Jim
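
Added example (not part of the original post, and not loggen or syslog-ng code): a way to locate the random gaps described above instead of only counting lines, by listing which sequence numbers of a test run never reached the log file. It assumes each test message carries "seq: <n>, runid: <id>" and that numbering starts at 0; the sample lines are constructed.

```python
import re
from collections import defaultdict

# ASSUMPTION: each loggen payload carries "seq: <n>, runid: <id>"; the post only
# shows that a runid field exists, so adjust the pattern to the real lines.
SEQ_RE = re.compile(r"seq:\s*(\d+),\s*runid:\s*(\d+)")


def find_gaps(lines, sent, first_seq=0):
    """Per runid, report received/duplicate counts and the missing seq ranges.

    sent is the count printed by the sender; first_seq is the first sequence
    number the sender uses (assumed 0 here).
    """
    seen = defaultdict(set)
    dups = defaultdict(int)
    for line in lines:
        m = SEQ_RE.search(line)
        if not m:
            continue  # unrelated auth.info traffic in the same file
        seq, runid = int(m.group(1)), m.group(2)
        if seq in seen[runid]:
            dups[runid] += 1
        seen[runid].add(seq)

    report = {}
    for runid, seqs in seen.items():
        gaps, start = [], None
        for n in range(first_seq, first_seq + sent):
            if n not in seqs:
                if start is None:
                    start = n
            elif start is not None:
                gaps.append((start, n - 1))
                start = None
        if start is not None:  # loss at the tail, invisible without `sent`
            gaps.append((start, first_seq + sent - 1))
        lost = sum(b - a + 1 for a, b in gaps)
        report[runid] = {"received": len(seqs), "duplicates": dups[runid],
                         "lost": lost, "gaps": gaps}
    return report


# Constructed sample: 12 messages sent, 6 arrive, plus one unrelated line.
SAMPLE = [
    "Mar  6 18:07:16 host prg00000[1234]: seq: %010d, runid: 1204852036, stamp: x" % n
    for n in (0, 1, 2, 5, 6, 9)
] + ["Mar  6 18:07:16 host sshd[99]: Accepted publickey for jim"]

if __name__ == "__main__":
    for runid, r in find_gaps(SAMPLE, sent=12).items():
        print(runid, r)
```

Comparing the gap positions and sizes against the sender's rate shows whether loss follows bursts or is spread evenly across the run.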