On Wed, Apr 15, 2015 at 11:16 AM, Andrew Bell <abell@factset.com> wrote:
Also would like to throw out that I am open to using strace or some other debug hook program to figure out the cause here if that would help better, just would like a pointer as to how I would go about using it to identify dropped logs.
I wrote a small perl program (attached) to query syslog-ng-ctl and netstat to see buffer sizes and thus identify if logs are being dropped. It loops forever and once a second (or defined interval) it runs: syslog-ng-ctl to get the UDP messages processed syslog-ng-ctl to get the TLS (TCP) messages processed netstat to get the UDP errors netstat to get the UDP packets received It then prints out the rate of change of those four values and you can see if the "graph" is plateauing - which for the logs processed indicates some sort of bottleneck - or if there are peaks and valleys which indicate syslog-ng is able to handle the load. -m